Security-Portal.cz is a web portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

Guide to Navigating the Complexities of Linux Security

LinuxSecurity.com - 8 February 2024 - 14:51
Implementing robust security measures in Linux-based systems is essential and doesn't need to be complex. In this article, we'll provide a comprehensive overview of key concepts and best practices you can use to fortify your Linux environment against evolving threats.
Category: Hacking & Security

Chinese Hackers Operate Undetected in U.S. Critical Infrastructure for Half a Decade

The Hacker News - 8 February 2024 - 14:05
The U.S. government on Wednesday said the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded into some critical infrastructure networks in the country for at least five years. Targets of the threat actor include communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam. "Volt Typhoon's choice of targets and pattern
Category: Hacking & Security

Nobody hacked smart toothbrushes and turned them into a botnet. Why spoil a good story with the truth

Zive.cz - security - 8 February 2024 - 12:45
Some stories look so tempting that the prospect of maximum readership wins out over critical thinking, and many a journalist retells them without checking whether the whole thing is actually true. When we saw yesterday that the story "Hackers took control of thousands of smart ..." was beginning to resonate in foreign media ...
Category: Hacking & Security

Unified Identity – look for the meaning behind the hype!

The Hacker News - 8 February 2024 - 11:39
If you've listened to software vendors in the identity space lately, you will have noticed that “unified” has quickly become the buzzword that everyone is adopting to describe their portfolio. And this is great! Unified identity has some amazing benefits! However (there is always a however, right?) not every “unified” “identity” “security” “platform” is made equal. Some vendors call the
Category: Hacking & Security

HijackLoader Evolves: Researchers Decode the Latest Evasion Methods

The Hacker News - 8 February 2024 - 11:28
The threat actors behind a loader malware called HijackLoader have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling. "The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe,"
Category: Hacking & Security

Google Starts Blocking Sideloading of Potentially Dangerous Android Apps in Singapore

The Hacker News - 8 February 2024 - 11:17
Google has unveiled a new pilot program in Singapore that aims to prevent users from sideloading certain apps that abuse Android app permissions to read one-time passwords and gather sensitive data. "This enhanced fraud protection will analyze and automatically block the installation of apps that may use sensitive runtime permissions frequently abused for financial fraud when the user attempts
Category: Hacking & Security

Coyote: A multi-stage banking Trojan abusing the Squirrel installer

Kaspersky Securelist - 8 February 2024 - 11:00

The developers of banking Trojan malware are constantly looking for inventive ways to distribute their implants and infect victims. In a recent investigation, we encountered a new malware family that specifically targets users of more than 60 banking institutions, mainly in Brazil. What caught our attention was the sophisticated infection chain, which makes use of several advanced technologies and sets it apart from known banking Trojan infections.

This malware utilizes the Squirrel installer for distribution, leveraging NodeJS and a relatively new multiplatform programming language called Nim as a loader to complete its infection. We have named this newly discovered Trojan “Coyote” due to the role of coyotes as natural predators of squirrels. The Nim language defines itself as a “statically typed compiled systems programming language that combines successful concepts from mature languages like Python, Ada and Modula”. The adoption of less popular/cross-platform languages by cybercriminals is something we identified as a trend in our Crimeware and financial cyberthreats for 2024.

In this article, we will delve into the workings of the infection chain and explore the capabilities of this Trojan.

Forget old Delphi and MSI

In the banking Trojan landscape, the use of the Delphi language or MSI installers is a recurring trend among malware creators; it is well known in the cybersecurity community that this is a widely used initial infection vector.

Coyote does things a little differently. Instead of going down the usual route with MSI installers, it opted for a relatively new tool for installing and updating Windows desktop applications: Squirrel. As the authors explain, “Squirrel uses NuGet packages to create installation and update packages, which means that you probably already know most of what you need to create an installer.”

Coyote infection chain

By using this tool, Coyote hides its initial stage loader by presenting it as an update packager.

Malicious Squirrel installer contents

The Node.js loader script

When Squirrel is executed, it eventually runs a NodeJS application compiled with Electron. This application executes obfuscated JavaScript code (preload.js), whose primary function is to copy all executables found in a local folder named temp to the user’s captures folder inside the Videos folder. It then runs a signed application from that directory.

NodeJS project structure

Several executables have been identified in use, including ones associated with Chrome and OBS Studio. The banker is loaded through DLL sideloading of a dependency of these executables. In all cases our team analyzed, the sideloaded library was libcef.dll.

The Nim loader

An intriguing element of the infection chain is the use of Nim, a relatively new programming language, to load the final stage. The loader's objective is to unpack a .NET executable and execute it in memory through the CLR, that is, it loads the executable and runs it inside its own process, reminiscent of how Donut operates.

Unpacked .Net executable

It’s worth noting that the same entry point, obs-browser-page.exe, is executed on every machine reboot, serving as the means of persistence.

Last but not least, the Coyote banking Trojan

After all these steps, the Trojan finally runs. Coyote does not implement any code obfuscation; it only obfuscates its strings, using AES encryption.

Encrypted string table building

To retrieve a specific string, it calls a decryption method with the string's index as a parameter. The decryption method builds a table of base64-encoded entries. In each decoded entry, the first 16 bytes are the IV (initialization vector) and the remainder is the ciphertext that is passed to the AES decryption routine.

Encrypted data structure

The key is randomly generated for each executable, and the decryption routine uses .NET's built-in AES classes. With this approach, every time Coyote needs a string it looks the entry up in the table and decrypts it with that entry's own IV.

Persistence and goals

Coyote achieves persistence by abusing Windows logon scripts: it first checks whether the HKCU\Environment\UserInitMprLogonScript value exists and, if so, sets that registry value to the full path of the signed application, in this case obs-browser-page.exe.

The Coyote Trojan’s objective is consistent with typical banking Trojan behavior. It monitors all open applications on the victim’s system and waits for the specific banking application or website to be accessed.

Application monitoring routine

In our analysis we identified at least 61 related applications, all originating from Brazil. This strongly suggests that Coyote is indeed a Brazilian banking Trojan, exhibiting behavior similar to that previously reported in our Tetrade blog post.

C2 communication and control

When any banking-related application is executed and used, the Coyote banker reports this to the C2. The C2 then responds with various actions to perform on the machine, ranging from keylogging to taking screenshots. Communication with the attacker's server is explained in the following sections.

The Trojan communicates with its command and control server over TLS (SSL) with a mutual authentication scheme. This implies that the Trojan possesses a certificate from the attacker-controlled server and uses it during the connection process.

The certificate is stored as an encrypted resource and is decrypted and loaded through .NET's X509 certificate classes. Once the malware has verified that it is indeed talking to the attacker's server, it sends the information collected from the infected machine and the banking applications to the server. The transmitted information includes:

  • Machine name
  • Randomly generated GUID
  • Banking application being used

With this information, the attacker sends a response packet that contains the actions to perform. The response is a string whose fields are separated by a random delimiter; the Trojan splits it into a list, and the first entry identifies the command type.

The command is selected not by the content of that first field, which is a random string, but by its length. In other words, the only thing that distinguishes one command from another is the size of that string.

The most important available commands are:

Length  Description
12      Take a screenshot
14      Show an overlay window of a fake banking app
15      Show a window that is in the foreground
17      Kill a process
18      Show a full-screen overlay
21      Shut down the machine
27      Block the machine with a fake banking image displaying “Working on updates…”
31      Enable a keylogger
32      Move the mouse cursor to a specific X, Y position

The Trojan can also request specific bank card passwords and display a phishing overlay to capture user credentials.

Conclusion

Coyote marks a notable change in Brazilian banking Trojans. Unlike its counterparts, which often use older languages like Delphi, the developers behind Coyote are skilled in modern technologies such as Node.js, .NET, and advanced packaging techniques.

The addition of Nim as a loader adds complexity to the Trojan’s design. This evolution highlights the increasing sophistication within the threat landscape and shows how threat actors are adapting and using the latest languages and tools in their malicious campaigns.

Our telemetry data reveals that up to 90% of infections originated from Brazil. All Kaspersky products detect the threat as HEUR:Trojan-Banker.MSIL.Coyote.gen.

A more detailed analysis of the latest Coyote versions is available to customers of our private Threat Intelligence Reports. For more information, please contact [email protected].

Reference IoCs (indicators of compromise)

Host-based (MD5 hash)
03eacccb664d517772a33255dff96020
071b6efd6d3ace1ad23ee0d6d3eead76
276f14d432601003b6bf0caa8cd82fec
5134e6925ff1397fdda0f3b48afec87b
bf9c9cc94056bcdae6e579e724e8dbbd

C2 domain list
atendesolucao[.]com
servicoasso[.]com
dowfinanceiro[.]com
centralsolucao[.]com
traktinves[.]com
diadaacaodegraca[.]com
segurancasys[.]com

Kimsuky's New Golang Stealer 'Troll' and 'GoBear' Backdoor Target South Korea

The Hacker News - 8 February 2024 - 07:53
The North Korea-linked nation-state actor known as Kimsuky is suspected of using a previously undocumented Golang-based information stealer called Troll Stealer. The malware steals "SSH, FileZilla, C drive files/directories, browsers, system information, [and] screen captures" from infected systems, South Korean cybersecurity company S2W said in a new technical report. Troll
Category: Hacking & Security

Critical Patches Released for New Flaws in Cisco, Fortinet, VMware Products

The Hacker News - 8 February 2024 - 06:10
Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices. The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an
Category: Hacking & Security

Linux Foundation Launches Initiative to Advance Post-Quantum Cryptography

LinuxSecurity.com - 7 February 2024 - 18:34
The Linux Foundation recently announced the launch of the Post-Quantum Cryptography Alliance (PQCA). This open and collaborative initiative aims to address the security challenges posed by quantum computing through the development and adoption of post-quantum cryptography.
Category: Hacking & Security

After FBI Takedown, KV-Botnet Operators Shift Tactics in Attempt to Bounce Back

The Hacker News - 7 February 2024 - 16:11
The threat actors behind the KV-botnet made "behavioral changes" to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity. KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for other Chinese
Category: Hacking & Security

Critical Boot Loader Vulnerability in Shim Impacts Nearly All Linux Distros

The Hacker News - 7 February 2024 - 14:33
The maintainers of shim have released version 15.8 to address six security flaws, including a critical bug that could pave the way for remote code execution under specific circumstances. Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been
Category: Hacking & Security