Viruses and Worms

BEC Gang Exploits G Suite, Long Domain Names in Cyberattacks

VirusList.com - 14 May, 2020 - 14:38
BEC gangs like "Exaggerated Lion" are using tricky tactics - like exploiting G Suite - to scam companies out of millions.
Category: Viruses and Worms

Login with Facebook Bug Earns $20K Bounty

VirusList.com - 14 May, 2020 - 14:17
The cross-site scripting vulnerability could have allowed trivial account takeover.
Category: Viruses and Worms

Multi-part Android spyware lurked on Google Play Store for 4 years, posing as a bunch of legit-looking apps

The Register - Anti-Virus - 14 May, 2020 - 14:01
Mandrake handlers could snoop on whatever victim did with their phone

A newly uncovered strain of Android spyware lurked on the Google Play Store disguised as cryptocurrency wallet Coinbase, among other things, for up to four years, according to a new report by Bitdefender.…

Category: Viruses and Worms

Cyberthreats on lockdown

Kaspersky Securelist - 14 May, 2020 - 14:00

Every year, our anti-malware research team releases a series of reports on various cyberthreats: financial malware, web attacks, exploits, etc. As we monitor the increase, or decrease, in the number of certain threats, we do not usually associate these changes with concurrent world events – unless these events have a direct relation to the cyberthreats, that is: for example, the closure of a large botnet and arrest of its owners result in a decrease in web attacks.

However, the COVID-19 pandemic has affected us all in some way, so it would be surprising if cybercriminals were an exception. Spammers and phishers were naturally the trailblazers in this – look for details in the next quarterly report – but the entire cybercrime landscape has changed in the last few months. Before we discuss the subject, let us get something out of the way: it would be farfetched to attribute all of the changes mentioned below to the pandemic. However, certain connections can be traced.

Remote work

The first thing that caught our attention was remote work. From an information security standpoint, an employee within the office network and an employee connecting to the same network from home are two completely different users. It seems cybercriminals share this view, as the number of attacks on servers and remote access tools has increased as their usage has grown. In particular, the average daily number of bruteforce attacks on database servers in April 2020 was up by 23% from January.

Unique computers subjected to bruteforce attacks, January through April 2020

Cybercriminals use brute force to penetrate a company’s network and subsequently launch malware inside its infrastructure. We are monitoring several cybercrime groups that rely on the scheme. The payload is usually ransomware, mostly from the Trojan-Ransom.Win32.Crusis, Trojan-Ransom.Win32.Phobos and Trojan-Ransom.Win32.Cryakl families.

RDP attacks and ways to counter them were recently covered in detail by Dmitry Galov in his blog post, “Remote spring: the rise of RDP bruteforce attacks”.

Remote entertainment

Online entertainment activity increased as users transitioned to a “remote” lifestyle. The increase was so pronounced that some video streaming services, such as YouTube, announced that they were changing their default video quality to help with reducing traffic. The cybercriminal world responded by stepping up web threats: the average daily number of attacks blocked by Kaspersky Web Anti-Virus increased by 25% from January 2020.

Web-based attacks blocked, January through April 2020

It is hard to single out one specific web threat as the driver – all of the threats grew more or less proportionally. Most web attacks that were blocked originated with resources that redirected users to all kinds of malicious websites. Some of these were phishing resources and websites that subscribed visitors to unsolicited push notifications or tried to scare them with fake system error warnings.
We also noticed an increase in Trojan-PSW browser script modifications that could be found on various infected sites. Their main task was to capture bank card credentials entered by users while shopping online and transfer these to cybercriminals.
Websites capable of silently installing cookie files on users’ computers (cookie stuffing) and resources that injected advertising scripts into users’ traffic together accounted for a significant share of the web threats.

'iOS security is f**ked' says exploit broker Zerodium: Prices crash for taking a bite out of Apple's core tech

The Register - Anti-Virus - 14 May, 2020 - 12:31
Million-dollar payouts zero out as hackers follow the money en masse

Five years ago, Zerodium offered a $1m reward for a browser-based, untethered jailbreak in iOS 9. On Wednesday, the software exploit broker said it won't pay anything for some iOS bugs due to an oversupply.…

Category: Viruses and Worms

COMpfun authors spoof visa application with HTTP status-based Trojan

Kaspersky Securelist - 14 May, 2020 - 12:00

You may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic. If you’re wondering whether the actor behind the malware is still developing new features, the answer is yes. Later in November 2019 our Attribution Engine revealed a new Trojan with strong code similarities. Further research showed that it was obviously using the same code base as COMpfun.

What’s of interest inside

The campaign operators retained their focus on diplomatic entities, this time in Europe, and spread the initial dropper as a spoofed visa application. It is not clear to us exactly how the malicious code is being delivered to a target. The legitimate application was kept encrypted inside the dropper, along with the 32- and 64-bit next stage malware.

Overall infection chain. Interestingly, C2 commands are rare HTTP status codes

We observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918). Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status “Payment Required” (402), all these previously received commands are executed.

The authors keep the RSA public key and unique HTTP ETag in encrypted configuration data. Created for web content caching reasons, this marker could also be used to filter unwanted requests to the C2, e.g., those that are from network scanners rather than targets. Besides the aforementioned RSA public key to communicate with the C2, the malware also uses a self-generated AES-128 key.

Who is the author?

We should mention here once again that the COMpfun malware was initially documented by G-DATA in 2014, and although the company did not identify which APT was using the malware, based mostly on victimology we were able to associate it with the Turla APT with a medium-to-low level of confidence.

What the Trojan is able to do

Its functions include the ability to acquire the target’s geolocation, gathering host- and network-related data, keylogging and screenshots. In other words, it’s a normal full-fledged Trojan that is also capable of propagating itself to removable devices.

As in previous malware from the same authors, all the necessary function addresses resolve dynamically to complicate analysis. To exfiltrate the target’s data to the C2 over HTTP/HTTPS, the malware uses RSA encryption. To hide data locally, the Trojan implements LZNT1 compression and one-byte XOR encryption.

| Encrypted data | Algorithm | Key source |
|---|---|---|
| Exfiltrated keystrokes, screenshots, etc. | RSA | Public key from configuration data |
| Configuration data in .rsrc section | XOR (plus LZNT1 compression) | Hardcoded one-byte key |
| Parameters inside the HTTP GET/POST requests | AES-128 (plus ETag from config) | Generated by Trojan and shared in beacon |
| Commands and arguments from C2 for HTTP status 427 (dir, upl, usb, net) | AES-128 | Generated by Trojan and shared in beacon |

Encryption and compression used by the Trojan for various tasks

Initial dropper

The first stage dropper was downloaded from the LAN shared directory. The file name related to the visa application process perfectly corresponds with the targeted diplomatic entities. As with all modules with a similar code base, the dropper begins by dynamically resolving all the required Windows API function addresses and puts them into structures. It then decrypts the next stage malware from its resource (.rsrc) section. The algorithm used to decrypt the next stage is a one-byte XOR using the key “0x55”, followed by LZNT1 decompression.

The following files are dropped to the disk in addition to the original application that the malware tries to mimic:

| MD5 hash | File name | Features |
|---|---|---|
| 1BB03CBAD293CA9EE3DDCE6F054FC325 | ieframe.dll.mui | 64-bit Trojan version |
| A6AFA05CBD04E9AF256D278E5B5AD050 | ExplorerFrame.dll.mui | 32-bit Trojan version |

The dropper urges users to run the file as administrator (using messages such as “need to run as admin”), then drops a version corresponding to the host’s architecture and sets the file system timestamp to 2013.12.20 22:31.

Interestingly, the dropper’s abilities aren’t limited to PE lures; as an alternative, this stage is also able to use .doc and .pdf files. In such cases, the dropper will open the files using the “open” shell command instead of running the legitimate spoofed executable application.

Main module – HTTP status-based Trojan

| Field | Value |
|---|---|
| SHA256 | 710b0fafe5fd7b3d817cf5c22002e46e2a22470cf3894eb619f805d43759b5a3 |
| MD5 | a6afa05cbd04e9af256d278e5b5ad050 |
| Compiled | 2015.06.26 09:42:27 (GMT) |
| Type | I386 Windows GUI DLL |
| Size | 593408 |
| Internal name | ExplorerFrame.dll.mui |

The analysis below is based on the 32-bit sample from the table above. The legitimate ExplorerFrame.dll.mui is a language resource for the ExplorerFrame.dll file used by Windows Explorer.

Multi-threaded Trojan features such as monitoring USB devices to spread further and receiving commands as HTTP status codes

Initialization

As usual in this malware family’s code, a huge number of short standalone functions return all the readable strings. This is done to complicate analysis by not allowing the strings to be visible at a glance for researchers. The module’s preparation stage dynamically resolves all required Windows API function addresses into corresponding custom structures. Afterwards the malware uses indirect function calls only.

The module obtains the processor architecture (32- or 64-bit) and Windows OS version. It includes a number of anti-analysis checks for virtual machine-related devices (VEN_VMWARE, VBOX_HARDDISK, Virtual_DVD_ROM, etc.) to avoid controlled execution. It also notes which security products are running on the host (Symantec, Kaspersky, Dr.Web, Avast).

Before every communication with the C2, the malware checks if software such as debuggers (WinDbg, OllyDbg, Visual Studio) and host (Process Explorer or Monitor, etc.) or network monitoring (Wireshark, TCPView, etc.) programs are running. It also checks for internet connectivity and does not attempt to communicate if the checks fail.

The DLL also checks for potentially available launch processes that it can inject itself into. In the case of PaymentRequired, this could be system, security product or browser processes. Then the malware forms the corresponding code to drop files, delete files, etc.

The last step in the initialization procedure is to decrypt and decompress the configuration file. Decryption is done via a one-byte XOR using the 0xAA key, followed by decompression using the LZNT1 algorithm. From the configuration, the malware parses the RSA public key, ETag and IP addresses to communicate with its control servers.

Decrypted configuration data contains an RSA public key to encrypt exfiltrated data, C2 IPs and unique ETag to communicate with them
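
For analysts unpacking these resources, the sketch below applies the scheme described here (one-byte XOR, then LZNT1 decompression), which with key 0x55 is also what the dropper section describes for the next stage. It is an added example, not code from the report: the function names are hypothetical and the sample blob is constructed, not taken from the malware.

```python
import struct


def xor_bytes(data: bytes, key: int) -> bytes:
    """One-byte XOR over the whole buffer."""
    return bytes(b ^ key for b in data)


def _lznt1_chunk(chunk: bytes) -> bytes:
    """Expand the body of one compressed LZNT1 chunk."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):          # one flag bit per token, LSB first
            if i >= len(chunk):
                break
            if not flags & (1 << bit):  # 0 = literal byte
                out.append(chunk[i])
                i += 1
                continue
            if i + 2 > len(chunk):
                raise ValueError("truncated copy token")
            (token,) = struct.unpack_from("<H", chunk, i)
            i += 2
            # The 16 bits are split between offset and length; the split
            # shifts toward the offset as more of the chunk is produced.
            pos, length_mask, offset_shift = len(out) - 1, 0xFFF, 12
            while pos >= 0x10:
                length_mask >>= 1
                offset_shift -= 1
                pos >>= 1
            length = (token & length_mask) + 3
            offset = (token >> offset_shift) + 1
            if offset > len(out):
                raise ValueError("copy offset points before chunk start")
            for _ in range(length):   # byte-wise so overlapping copies work
                out.append(out[-offset])
    return bytes(out)


def lznt1_decompress(data: bytes) -> bytes:
    """Walk the chunk headers of an LZNT1 stream and expand each chunk."""
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        (header,) = struct.unpack_from("<H", data, i)
        i += 2
        if header == 0:               # end-of-stream marker
            break
        size = (header & 0x0FFF) + 1  # bytes of chunk data after the header
        chunk = data[i:i + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        i += size
        # Bit 15 set means compressed; otherwise the chunk is stored raw.
        out += _lznt1_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def decode_blob(blob: bytes, key: int) -> bytes:
    """XOR first, then decompress, in the order the report gives."""
    return lznt1_decompress(xor_bytes(blob, key))


# Constructed sample: LZNT1 stream for b"ABABABABAB", XORed with 0xAA.
CONSTRUCTED_BLOB = xor_bytes(bytes.fromhex("04b004414205100000"), 0xAA)

if __name__ == "__main__":
    print(decode_blob(CONSTRUCTED_BLOB, 0xAA))
```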

HTTP status-based communication module

Firstly, the module generates the following:

  • AES-128 encryption key used in HTTP GET/POST parameters and HTTP status code 427 (request new command);
  • 4-byte unique hardware ID (HWID) based on the host network adapters, CPU and first fixed logical drive serial number.

The module then chooses a process to inject the code into, in order of decreasing priority, starting from Windows (cmd.exe, smss.exe), security-related applications (Symantec’s nis.exe, Dr.Web’s spideragent.exe) and browsers (IE, Opera, Firefox, Yandex browser, Chrome).

The main thread checks if the C2 supports TLS in its configuration. If it does, communication will be over HTTPS and port 443; otherwise, the HTTP protocol and port 80 are used.

| Config Parameter | Value |
|---|---|
| Encryption key | RSA public key on the image above |
| ETag | C8E9CEAD2E084F58A94AEDC14D423E1A |
| C2 IPs | 95.183.49[.]10, 95.183.49[.]29, 200.63.45[.]35 |

Decrypted configuration content inside the analyzed sample

The first GET request sent contains an ETag “If-Match” header that is built using data from its decrypted configuration. ETags are normally used by web servers for caching purposes in order to be more efficient and save bandwidth by not resending redundant information if an ETag value matches. The implementation of ETags means the C2 may ignore all requests that are not sent from its intended targets if they don’t have the required ETag value.

| HTTP status | RFC status meaning | Corresponding command functionality |
|---|---|---|
| 200 | OK | Send collected target data to C2 with current tickcount |
| 402 | Payment Required | This status is the signal to process received (and stored in binary flag) HTTP statuses as commands |
| 422 | Unprocessable Entity (WebDAV) | Uninstall. Delete COM-hijacking persistence and corresponding files on disk |
| 423 | Locked (WebDAV) | Install. Create COM-hijacking persistence and drop corresponding files to disk |
| 424 | Failed Dependency (WebDAV) | Fingerprint target. Send host, network and geolocation data |
| 427 | Undefined HTTP status | Get new command into IEA94E3.tmp file in %TEMP%, decrypt and execute appended command |
| 428 | Precondition Required | Propagate self to USB devices on target |
| 429 | Too Many Requests | Enumerate network resources on target |

C2 HTTP status code descriptions, including installation, USB propagation, fingerprinting, etc.
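
The table above maps onto a proxy-log hunt: a client that receives one or more of the command statuses from a server and then a 402 from the same server matches the queue-then-execute pattern. The sketch below is an added example, not code from the report; the log layout and function names are assumptions and the log lines are constructed.

```python
from collections import defaultdict

# Statuses the report lists as queued C2 commands, with the described action.
COMMAND_STATUSES = {
    422: "uninstall",
    423: "install",
    424: "fingerprint target",
    427: "get new command",
    428: "propagate to USB",
    429: "enumerate network",
}
TRIGGER_STATUS = 402  # "Payment Required": process the statuses received so far

# Constructed sample. Assumed layout: <time> <client> <server> <method> <status>
SAMPLE_LOG = """\
2020-05-14T09:00:01 10.0.0.5 203.0.113.7 GET 200
2020-05-14T09:00:09 10.0.0.5 203.0.113.7 GET 424
2020-05-14T09:00:17 10.0.0.5 203.0.113.7 GET 427
2020-05-14T09:00:25 10.0.0.5 203.0.113.7 GET 402
2020-05-14T09:01:00 10.0.0.8 198.51.100.20 GET 429
2020-05-14T09:01:02 10.0.0.8 198.51.100.20 GET 429
2020-05-14T09:01:30 10.0.0.8 198.51.100.20 GET 200
2020-05-14T09:02:00 10.0.0.9 192.0.2.44 POST 402
not a log line
"""


def parse_line(line):
    """Return (time, client, server, status) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, client, server, _method, status = parts
    return ts, client, server, int(status)


def find_status_c2(log_text):
    """Flag client/server pairs where command statuses are followed by a 402."""
    pending = defaultdict(set)  # (client, server) -> command statuses seen
    findings = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ts, client, server, status = record
        key = (client, server)
        if status in COMMAND_STATUSES:
            # The report says statuses are stored until 402 arrives, so an
            # intervening 200 does not clear what is already queued.
            pending[key].add(status)
        elif status == TRIGGER_STATUS and pending[key]:
            queued = sorted(pending[key])
            findings.append({
                "time": ts,
                "client": client,
                "server": server,
                "statuses": queued,
                "actions": [COMMAND_STATUSES[s] for s in queued],
            })
            pending[key].clear()
    return findings


if __name__ == "__main__":
    for hit in find_status_c2(SAMPLE_LOG):
        print(hit)
```

A lone 429 or 402 is common on ordinary sites, which is why the sketch alerts only on the queued-then-triggered sequence for the same client and server.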

HTTP 427 can receive any of the following appended commands:

| Command | Command functionality |
|---|---|
| dir | Send directory content to C2 encrypted with RSA public key from config |
| upl | Send file to C2 encrypted with RSA public key from config |
| usb | Not implemented yet. Possibly same function planned as for HTTP status 428 |
| net | Not implemented yet. Possibly same function planned as for HTTP status 429 |

Removable device propagation module

If initialization is successful, the malware starts one more thread for dispatching Windows messages, looking for removable devices related to a WM_DEVICECHANGE event. The module runs its own handlers in the event of a USB device being plugged into or unplugged from the host.

Other spying modules: keylogger, screenshot tool and more

The user’s activity is monitored using several hooks. All of them gather the target’s data independently of any C2 command. Keystrokes are encrypted using the RSA public key stored in the configuration data and sent once every two seconds, or when more than 512 bytes are recorded. These 512 characters also include left mouse button clicks (written as the “MSLBTN” string) and Windows title bar texts. For clipboard content, the module calculates an MD5 hash and if it changes, encrypts the clipboard content with the same RSA public key and then sends it.

In a separate thread, the Trojan takes a bitmap screenshot using the GDIPlus library, compresses it with the LZNT1 algorithm, encrypts it using the key from the configuration data and sends it to the control server. A screenshot will be taken of the target and sent anyway, independently of any C2 command.

Last but not least

There are several choices – albeit not major additional technical ones – that the malware author made which we consider to be noteworthy.

The COM-hijacking-based persistence method injects its corresponding code and structure as a parameter into a legitimate process’s memory. The malware geolocates victims using legitimate web services: geoplugin.net/json.gp, ip-api.com/json and telize.com/geoip.

The unusual thread synchronization timeout calculation in the HTTP status thread is peculiar. Mathematically, the partial sum of the series is precisely:

This series, in the case of a full sum, is just a representation of the exponent. The developers probably used the exponent to make timeouts in the communication thread more unpredictable and grow at a fast rate, and the compiler calculated it this way.

So what did the COMpfun authors achieve?

We saw innovative approaches from the COMpfun developers twice in 2019. First, they bypassed TLS encrypted traffic via PRNG system function patching, and then we observed a unique implementation of C2 communications using uncommon HTTP status codes.

The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMpfun a strong offensive team.

Indicators of compromise

File MD5 Hashes
Trojan 32-bit: A6AFA05CBD04E9AF256D278E5B5AD050
Trojan 64-bit: 1BB03CBAD293CA9EE3DDCE6F054FC325

IPs
95.183.49.10
95.183.49.29
200.63.45.35

Update now! Windows gets another bumper patch update

Sophos Naked Security - 14 May, 2020 - 11:36
Windows users won't have to fix ‘big’ exploited or public flaws this month, but May's Patch Tuesday is one of the biggest patch rounds.

There's Norway you're going to believe this: Government investment fund conned out of $10m in cyber-attack

The Register - Anti-Virus - 14 May, 2020 - 08:04
Police pining to drop the Lillehammer on crooks

Updated  The Norwegian Investment Fund has been swindled out of $10m (£8.2m) by fraudsters who pulled off what's been described as "an advanced data breach."…

Category: Viruses and Worms

US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch

The Register - Anti-Virus - 14 May, 2020 - 07:03
Update, update, update. Plus: Flash, Struts, Drupal also make appearances

Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware.…

Category: Viruses and Worms

'Malware' takes Aussie money-manager MyBudget down for five days

The Register - Anti-Virus - 14 May, 2020 - 06:10
Bills going unpaid by service that exists to pay bills

UPDATE  One of Australia's largest debt-management services has gone TITSUP, leaving thousands of users in financial limbo.…

Category: Viruses and Worms

Now there's nothing stopping the PATRIOT Act allowing the FBI to slurp web-browsing histories without a warrant

The Register - Anti-Virus - 14 May, 2020 - 00:50
Thanks for nothing, Bernie Sanders

An amendment that would require the FBI get a warrant before they access Americans’ web-browsing history failed to pass by a single vote in the US Senate on Wednesday.…

Category: Viruses and Worms

Senator demands deep probe into spyware-for-cops after NSO Group touts hacking toolkit to American plod

The Register - Anti-Virus - 13 May, 2020 - 23:57
'Aggressive oversight' needed, Congress urged

Updated  A prominent senator has called for “aggressive oversight” into the sale of hacking-and-spying tools to police forces in America.…

Category: Viruses and Worms

Texas Courts Won’t Pay Up in Ransomware Attack

VirusList.com - 13 May, 2020 - 21:10
Texas appellate courts and judicial agencies’ websites and computer servers were shut down after a ransomware attack.
Category: Viruses and Worms

Leaked NHS Docs Reveal Roadmap, Concerns Around Contact-Tracing App

VirusList.com - 13 May, 2020 - 21:07
Future features include plenty of self-reporting options, and officials' fears the data could be misused.
Category: Viruses and Worms

Stop tracking me, Google: Austrian citizen files GDPR legal complaint over Android Advertising ID

The Register - Anti-Virus - 13 May, 2020 - 20:15
Claims consent was neither informed, nor specific, nor free – but Google says it cannot identify a user from the ID

Privacy pressure group Noyb has filed a legal complaint against Google on behalf of an Austrian citizen, claiming the Android Advertising ID on every Android device is "personal data" as defined by the EU's GDPR and that this data is illegally processed.…

Category: Viruses and Worms

Beware the DHL delivery message email – it could be a package scam

Sophos Naked Security - 13 May, 2020 - 18:29
Here's a DHL delivery scam with a simple twist - simplicity and a total lack of drama...

Ramsay Malware Targets Air-Gapped Networks

VirusList.com - 13 May, 2020 - 17:56
The cyber-espionage toolkit is under active development.
Category: Viruses and Worms

Healthcare Giant Magellan Struck with Ransomware, Data Breach

VirusList.com - 13 May, 2020 - 17:52
Logins, personal information and tax info were all exfiltrated ahead of the ransomware attack, thanks to a phishing email.
Category: Viruses and Worms

Danger zone! Brit research supercomputer ARCHER's login nodes exploited in cyber-attack, admins reset passwords and SSH keys

The Register - Anti-Virus - 13 May, 2020 - 17:45
Assault on TOP500-listed machine may have hit Euro HPC too, warn sysops

Updated  One of Britain's most powerful academic supercomputers has fallen victim to a "security exploitation" of its login nodes, forcing the rewriting of all user passwords and SSH keys.…

Category: Viruses and Worms

Feds Reveal Hidden Cobra’s Trove of Espionage Tools

VirusList.com - 13 May, 2020 - 15:19
The APT's new cyber-attack tools are laid bare on three-year anniversary of WannaCry.
Category: Viruses and Worms