Kategorie

Citrix has finally started rolling out security patches for a critical vulnerability in ADC and Gateway software that attackers started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix. I wish I could say, "better late than never," but since hackers don't waste time or miss any opportunity to exploit

The Feds have warned on six vulnerabilities in GE medical equipment that could affect patient monitor alarms and more.

The malicious email campaign included a never-before-seen malware downloader called Carrotball, and may be linked to the Konni Group APT.

The malware uses thousands of partner websites to spread malvertising code.

The critical flaw exists in Cisco's administrative management tool, used with network security solutions like firewalls.

Pokud patříte mezi klienty Raiffeisenbank, dejte si pozor na další phishingovou kampaň, která cílí na její české klienty a může se objevit i ve vašem e-mailu. Zpráva ve věrohodné češtině vás pobízí, abyste si přečtli důležité sdělení na adrese online.rb.cz/Login, skutečná adresa odkazu ale už ...

Are you a ProtonVPN user? Have you heard that ProtonVPN applications are now 100% open source?

An election security group has said the Justice Department’s renewed calls for access to encrypted data could impact more than privacy, stating: “Any effort to diminish the effectiveness of encryption will inherently diminish the security and, potentially, the integrity, of our elections. Hostile actors will likely direct similar efforts at campaign officials, political organizations, and politically engaged individuals in future elections." What are your thoughts?

Introduction Classic moves, no matter what the subject matter is, are timeless. Be it the hook shot in basketball, the uppercut in boxing or the pirouette in ballet, these are moves that you remember for the subject matter.  Believe it or not, hacker attack techniques are no different. Aside from the outright theft of information, […]

The post MITRE ATT&CK: Disk content wipe appeared first on Infosec Resources.

MITRE ATT&CK: Disk content wipe was first posted on January 23, 2020 at 8:01 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Introduction The zombie movie film genre has long been a favorite among horror film fanatics, as shown by the ever-growing number of films that portray an undead apocalypse. Each of these zombie franchises features a different way of causing zombification.  As life sometimes imitates art, this concept extends to the world of malware. An emerging […]

The post Malware spotlight: Nodersok appeared first on Infosec Resources.

Malware spotlight: Nodersok was first posted on January 23, 2020 at 8:00 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Is there some good news hidden in the story of the CVE-2020-0601 crypto vulnerability?

New research outlines vulnerabilities in Safari’s Intelligent Tracking Protection that can reveal user browsing behavior to third parties.

Digital forensic evidence points to the phone's massive, months-long data egress having likely been triggered by Pegasus mobile spyware.

Sources told Reuters that Apple may have been convinced by arguments made during the legal fight over cracking the San Bernardino iPhone.

Stopping software updates for legacy kit is nothing new, but it's the way the company has done it that has Sonos customers' hackles up.

** Kolonizovat Mars bude velmi těžké ** Podle astrobiologa je jedním z největších problémů nebezpečné záření ze Slunce a vzdáleného vesmíru ** Elon Musk chce do roku 2050 dopravit na Mars milion lidí

What’s the difference between a real job and a fake one found on the internet? The fake ones are suspiciously easy to get interviews for.

For close to two years now, the Shlayer Trojan has been the most common threat on the macOS platform: in 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS. The first specimens of this family fell into our hands back in February 2018, and we have since collected almost 32,000 different malicious samples of the Trojan and identified 143 C&C server domains.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

TOP 10 threats for macOS by share of users attacked, as detected by Kaspersky security solutions for macOS, January– November 2019 (download)

The operation algorithm has changed little since Shlayer was first discovered, nor has its activity decreased much: the number of detections remains at the same level as in the first months after the malware was uncovered.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Shlayer malware detections by Kaspersky security solutions for macOS, February 2018 – October 2019 (download)

Technical details

Despite its prevalence, from a technical viewpoint Shlayer is a rather ordinary piece of malware. Of all its modifications, only the recent Trojan-Downloader.OSX.Shlayer.e stands apart. Unlike its Bash-based cousins, this variant of the malware is written in Python, and its operation algorithm is also somewhat different. Let’s demonstrate this using a DMG file with MD5 4d86ae25913374cfcb80a8d798b9016e.

First stage of infection

After mounting this DMG image, the user is prompted to run an “installation” file. However, the seemingly standard installer turns out to be a Python script, which is already atypical of macOS installation software.

Shlayer user guide

The directory with executable files inside the application package contains two Python scripts: gjpWvvuUD847DzQPyBI (main) and goQWAJdbnuv6 (auxiliary). The latter implements data encryption functions by means of a byte shift on the key key:

• The encryptText/decryptText pair of functions encrypt and decrypt strings;
• encryptList encrypts the contents of the list passed in the arguments; decryptList performs the inverse operation;
• The getKey() function generates an encryption key based on the time in the operating system.

Main script of the Trojan

Auxiliary script of the Trojan

Next, the main script generates a unique user and system ID, and also collects information about the version of macOS in use. Based on this data, the GET query parameters are generated to download the ZIP file:

The ZIP archive downloaded to the /tmp/%(sessionID) directory is unpacked to the /tmp/tmp directory using the unzip function:

The ZIP archive was found to contain an application package with the executable file 84cd5bba3870:

After unpacking the archive, the main python script uses the chmod tool to assign the file 84cd5bba3870 permission to run in the system:

For added effect, the sample copies the icon of the original mounted DMG image to the directory with the newly downloaded application package using the moveIcon and findVolumePath functions:

After that, the Trojan runs the downloaded and unpacked application package using the built-in open tool, and deletes the downloaded archive and its unpacked contents:

Second stage of infection

Shlayer itself performs only the initial stage of the attack — it penetrates the system, loads the main payload, and runs it. The negative consequences for the user can be seen by investigating the AdWare.OSX.Cimpli family, which was being actively downloaded by the Trojan at the time of writing.

At first glance, the Cimpli installer looks harmless enough, simply offering to install a partner application (for example, Any Search):

But in actual fact, Cimpli performs several actions unseen by the user. First, it installs a malicious extension in Safari, hiding the OS security notification behind a malware fake window. By clicking on the buttons in the notification, the user in effect agrees to install the extension.

Left: what the user sees; right: what’s really going on

One of these extensions is called ManagementMark, which we detect as not-a-virus:HEUR:AdWare.Script.SearchExt.gen. It monitors user searches and redirects them to the address hxxp://lkysearchex41343-a.akamaihd[.]net/as?q=c by injecting the script script.js in the browser pages:

The sample also loads the mitmdump tool, which is packed using PyInstaller. To allow mitmdump to view HTTPS traffic, a special trusted certificate is added to the system. This is likewise done by superimposing a fake window over the installation confirmation box. After that, all user traffic is redirected to the SOCKS5 proxy launched using mitmdump.

Arguments for running the packed mitmdump run arguments

From the screenshot, it can be seen that all traffic passing through mitmdump (SearchSkilledData) is processed by the script SearchSkilledData.py (-s option):

This script redirects all user search queries to hxxp://lkysearchds3822-a.akamaihd[.]net. Kaspersky solutions detect this script as not-a-virus:AdWare.Python.CimpliAds.a.

Cimpli adware thus becomes firmly anchored in the system; in the event that traffic does not pass through the proxy server, the JS code of the extension injected in the page handles the redirection of queries. The attacker gains access to the user’s search queries and can modify the search engine results to display advertising. As a result, the user is inundated with unsolicited ads.

Note that Cimpli is not the only family of adware apps that Shlayer can download. The list also includes AdWare.OSX.Bnodlero, AdWare.OSX.Geonei, and AdWare.OSX.Pirrit, which made up almost all the remaining positions in the Top 10 threats for macOS in 2019.

Family ties

The behavioral similarities between the Python version of Shlayer and earlier modifications of the family written in Bash are not hard to spot: harvesting IDs and system versions, downloading an archive to a temporary directory, executing the downloaded file, deleting traces of downloading — we’ve seen this course of actions before. Moreover, both modifications use curl with the combination of options -f0L, which is basically the calling card of the entire family:

Top: an old modification of the Trojan; bottom: the latest version

Finding legitimate use for curl with options –f0L is not an easy task

Distribution

Distribution is a vital part of any malware’s life cycle, and the creators of Shlayer have taken this issue to heart. Looking for the latest episode of your favorite TV show? Want to watch a live broadcast of a soccer match? Then take extra care, since the chances of a run-in with Shlayer are high.

Examples of Shlayer landing pages

We noticed at once several file partner programs in which Shlayer was offered as a monetization tool. Having analyzed various offers, we identified a general trend: Shlayer stands out from the field for the relatively high installation fee (though only installations performed by U.S.-based users count). The prospect of a juicy profit likely contributed to the popularity of the offer (we counted more than 1000 partner sites distributing Shlayer).

Description of the offer on a partner program website

In most cases, it was advertising landing pages that brought users to the next stage of the distribution chain — nicely crafted fake pages prompting to install the malware under the veil of a Flash Player update. This is primarily how the Trojan-Downloader.OSX.Shlayer.a modification was distributed.

Fake Flash Player download page

The version of Trojan-Downloader.OSX.Shlayer.e discussed above was propagated in a slightly different way. Similar to the previous scheme, users ended up on a page seemingly offering an Adobe Flash update. But they were redirected there from large online services boasting a multimillion-dollar audience. Time and again, we have uncovered links pointing to malware downloads in the descriptions of YouTube videos:

Another example is links to Shlayer distribution pages contained in the footnotes to Wikipedia articles:

These links were not added by the cybercriminals themselves: we found that all those malicious domains had recently expired, and, judging by the WHOIS data, they now belong to a single individual. On the websites, the newly minted owner posted a malicious script that redirects users to Shlayer download landing pages. There are already over 700 such domains in total.

Our statistics show that the majority of Shlayer attacks are against users in the U.S. (31%), followed by Germany (14%), France (10%), and the UK (10%). This is wholly consistent with the terms and conditions of partner programs that deliver the malware, and with the fact that almost all sites with fake Flash Player download pages had English-language content.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Geographic distribution of users attacked by the Shlayer Trojan, February 2018 – October 2019 (download)

Conclusion

Having studied the Shlayer family, we can conclude that the macOS platform is a good source of revenue for cybercriminals. The Trojan links even reside on legitimate resources — attackers are adept in the art of social engineering, and it is hard to predict how sophisticated the next deception technique will be.

Kaspersky solutions detect Shlayer and its artifacts and download pages with the following verdicts:

• HEUR:Trojan-Downloader.OSX.Shlayer.*
• not-a-virus:HEUR:AdWare.OSX.Cimpli.*
• not-a-virus:AdWare.Script.SearchExt.*
• not-a-virus:AdWare.Python.CimpliAds.*
• not-a-virus:HEUR:AdWare.Script.MacGenerator.gen

IOCS:

• 4d86ae25913374cfcb80a8d798b9016e
• fa124ed3905a9075517f497531779f92
• 594aa050742406db04a8e07b5d247cdd

Malicious links:

• hxxp://80.82.77.84/.dmg
• hxxp://sci-hub[.]tv
• hxxp://kodak-world[.]com

C&C Urls:

• hxxp://api.typicalarchive[.]com
• hxxp://api.entrycache[.]com
• hxxp://api.macsmoments[.]com

If you have ever contacted Microsoft for support in the past 14 years, your technical query, along with some personally identifiable information might have been compromised. Microsoft today admitted a security incident that exposed nearly 250 million "Customer Service and Support" (CSS) records on the Internet due to a misconfigured server containing logs of conversations between its support

The competition targets the systems that run critical infrastructure and more.