Viruses and Worms

Sphinx Malware Returns to Riddle U.S. Targets

VirusList.com - 11 May, 2020 - 17:38
The banking trojan has upgraded and is seeing a resurgence on the back of coronavirus stimulus payment themes.
Category: Viruses and Worms

Celebrity personal data taken in ransomware attack

Sophos Naked Security - 11 May, 2020 - 16:48
Ransomware crooks are apparently threatening to dump personal data for a long list of celebs including Lady Gaga, Madonna, Nicki Minaj and more.

Mama mia! Nintendo in need of a plumber after leak sprays N64, GameCube, Wii code

The Register - Anti-Virus - 11 May, 2020 - 13:43
Plus: Cognizant cognisant of whopping $70m in damage, malware creeps hit hospital firm, phishing campaigns, and much more

Roundup: It has been a full week in infosec news. Here are a few things you should know about, beyond what we've already covered.…

Category: Viruses and Worms

Clearview AI won’t sell vast faceprint collection to private companies

Sophos Naked Security - 11 May, 2020 - 11:50
… nor to anybody, even law enforcement, in the place where privacy-oblivious biometrics companies are forced to their knees: Illinois.

Microsoft opens IoT bug bounty program

Sophos Naked Security - 11 May, 2020 - 11:27
Microsoft really wants to secure the Internet of Things (IoT), and it's enlisting citizen hackers' help to do it.

Monday review – the hot 16 stories of the week

Sophos Naked Security - 11 May, 2020 - 11:07
It's weekly roundup time!

One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch

The Register - Anti-Virus - 9 May, 2020 - 01:42
Zero-click remote-code exec hole found by Googler, updates emitted

Samsung has patched a serious security hole in its smartphones that can be exploited by maliciously crafted text messages to hijack devices.…

Category: Viruses and Worms

DEF CON is canceled... No, for real. The in-person event is canceled. We're not joking. It's canceled. We mean it

The Register - Anti-Virus - 8 May, 2020 - 22:18
Virus knocks hackers online: Show will try going virtual amid pandemic

Annual Las Vegas hacker gathering DEF CON has officially called off its physical conference for this year due to the coronavirus pandemic.…

Category: Viruses and Worms

Black Hat USA, DEF CON 28 Go Virtual

VirusList.com - 8 May, 2020 - 21:49
Due to the coronavirus pandemic, there will be no in-person Black Hat USA or DEF CON conferences this year.
Category: Viruses and Worms

Hackers Breach 3.5 Million MobiFriends Dating App Credentials

VirusList.com - 8 May, 2020 - 18:01
The emails, hashed passwords and usernames of 3.5 million users of the dating app MobiFriends were put up for sale on an underground forum.
Category: Viruses and Worms

Report: Microsoft’s GitHub Account Gets Hacked

VirusList.com - 8 May, 2020 - 17:36
The Shiny Hunters hacking group said it stole 500 GB of data from the tech giant’s repositories on the developer platform, which it owns.
Category: Viruses and Worms

Naikon’s Aria

Kaspersky Securelist - 8 May, 2020 - 17:00

Our colleagues at Checkpoint put together a fine research writeup on some Naikon resources and activity related to “aria-body” that we detected in 2017 and similarly reported in 2018. To supplement their research findings, we are summarizing and publishing portions of the findings reported in our June 2018 “Naikon’s New AR Backdoor Deployment to Southeast Asia”. This malware and activity aligns with much of what the Checkpoint researchers brought to light today.

The Naikon APT became well-known in May 2015, when our public reporting first mentioned and then fully described the group as a long-running presence in the APAC region. Even after the group shut down much of its successful offensive activity following years of campaigns, Naikon maintained several splinter campaigns. Matching malware artifacts, functionality and targeting demonstrate that the group continued to wage cyber-espionage campaigns in the South China Sea region during 2018.

“Aria-Body” or “AR” is a set of backdoors whose compilation dates fall between January 2017 and February 2018. It can be particularly difficult to detect, as much of this code operates in memory, injected by other loader components without touching disk. We trace portions of this codebase back to “xsFunction” exe and dll modules used in Naikon operations going back to 2012, as the compiled AR modules implement a subset of the xsFunction feature set. In all likelihood, this new backdoor and related activity is an extension of, or a merge with, the group’s “Paradir Operation”. In the past, the group targeted communications and sensitive information from executive and legislative offices, law enforcement, government administrative, military and intelligence organizations within Southeast Asia. In many cases we have seen that these same systems were previously targeted with PlugX and other malware. So, the group has evolved a bit since 2015, and its activity against these same target profiles continued into 2018. We identified at least a half dozen individual variants from 2017 and 2018.

Technical Details

It seems clear that the same codebase has been reused by Naikon since at least 2012, and the recent AR backdoors were built from that same code. Their use was tightly clustered in organizations that Naikon had previously and heavily targeted, again lending confidence to clustering these resources and activity with earlier “Naikon” operations.

Naikon’s new AR backdoor is a dll loaded into any one of multiple processes, providing remote access to a system. AR load attempts have been identified within processes with executable images listed here:

  • c:\windows\system32\svchost.exe
  • c:\windows\syswow64\svchost.exe
  • c:\program files\windows nt\accessories\services.exe
  • c:\users\dell\appdata\roaming\microsoft\windows\start menu\programs\startup\acrobat.exe
  • c:\alphazawgyi\svchost.exe

Because this AR code is injected into processes, the YARA rule provided in the Appendix is best run against memory dumps of processes whose main image is one of those listed above. The AR modules have additionally been seen in some other processes, including “msiexec.exe”.

Below are characteristics of the oldest AR and the newest known AR component in our collection.

Oldest known AR component
  MD5: c766e55c48a4b2e7f83bfb8b6004fc51
  SHA256: 357c8825b3f03414582715681e4e0316859b17e702a6d2c8ea9eb0fd467620a4
  CompiledOn: Tue Jan 3 09:23:48 2017
  Type: PE32 DLL
  Internal name: TCPx86.dll
  Size: 176kb
  Exports: AzManager, DebugAzManager

Newest known AR component
  MD5: 2ce4d68a120d76e703298f27073e1682
  SHA256: 4cab6bf0b63cea04c4a44af1cf25e214771c4220ed48fff5fca834efa117e5db
  CompiledOn: Thu Feb 22 10:04:02 2018
  Type: PE32 DLL
  Internal name: aria-body-dllX86.dll
  Size: 204kb
  Exports: AzManager, DebugAzManager

When the dll is loaded, it registers a window class whose window procedure performs a removable drive check, a CONNECT-proxied callback to its main C2, an IP location verification against checkip.amazonaws[.]com, and further communications with a C2. The flow of some earlier modules may include more or less system information collection prior to the initial callback.

The most recent version of the backdoor utilizes another Window procedure to implement a raw input device based keystroke collector. This keylogger functionality was newly introduced to the malware code in February 2018, and was not present in previous versions.

The approximately 200 – 250kb AR backdoor family provides a familiar and slightly changing functionality set per compiled module. Because Checkpoint covers the same technical points in their post, we provide this simple summary list:

  • Persistence handling
  • File and directory handling
  • Keylogging
  • Shell/Process Management
  • Network activity and status listing and management
  • System information collection and management
  • Download management
  • Windows management
  • Extension management
  • Location/IP verification
  • Network Communications over HTTP

Similarities to past Naikon components

Naikon components going back to 2012 maintain heavy similarities with the current “Aria-body” modules. Not only is some of the functionality only lightly modified, but the same misspellings in error logging remain in the codebase. Let’s compare an older 2013 Naikon module with a newer 2017 Naikon AR module here.

It’s clear that the underlying codebase continues to be deployed:

e09254fa4398fccd607358b24b918b63, CompiledOn: 2013:09:10 09:00:15

c766e55c48a4b2e7f83bfb8b6004fc51, CompiledOn: 2017:01:03 09:23:48

Kudos to the Checkpoint researchers for providing new details of the Naikon story into the public discussion.

For reference, some hashes and a YARA rule are provided here. More incident, infrastructure and IOC details have been, and remain, available to our threat intel customers (please contact intelreports@kaspersky.com).

Indicators of compromise

AR aria-body dll
c766e55c48a4b2e7f83bfb8b6004fc51
2ce4d68a120d76e703298f27073e1682

Loaders and related Naikon malware
0ed1fa2720cdab23d969e60035f05d92
3516960dd711b668783ada34286507b9

Verdicts – 2018 and Later
Trojan.Win32.Generic.gen
Trojan.Win32.SEPEH.gen
DangerousObject.Multi.Generic
Backdoor.Win64.Agent.h*
Backdoor.Win32.Agent.m*
Trojan-Downloader.Win32.Agent.x*

YARA Rules

rule apt_ZZ_Naikon_ARstrings : Naikon
{
    meta:
        copyright = "Kaspersky"
        description = "Rule to detect Naikon aria samples"
        hash = "2B4D3AD32C23BD492EA945EB8E59B758"
        date = "2020-05-07"
        version = "1.0"
    strings:
        $a1 = "Terminate Process [PID=%d] succeeds!" fullword wide
        $a2 = "TerminateProcess [PID=%d] Failed:%d" fullword wide
        $a3 = "Close tcp connection returns: %d!" fullword wide
        $a4 = "Delete Directory [%s] returns:%d" fullword wide
        $a5 = "Delete Directory [%s] succeeds!" fullword wide
        $a6 = "Create Directory [%s] succeeds!" fullword wide
        $a7 = "SHFileOperation [%s] returns:%d" fullword wide
        $a8 = "SHFileOperation [%s] succeeds!" fullword wide
        $a9 = "Close tcp connection succeeds!" fullword wide
        $a10 = "OpenProcess [PID=%d] Failed:%d" fullword wide
        $a11 = "ShellExecute [%s] returns:%d" fullword wide
        $a12 = "ShellExecute [%s] succeeds!" fullword wide
        $a13 = "FindFirstFile [%s] Error:%d" fullword wide
        $a14 = "Delete File [%s] succeeds!" fullword wide
        $a15 = "CreateFile [%s] Error:%d" fullword wide
        $a16 = "DebugAzManager" fullword ascii
        $a17 = "Create Directroy [%s] Failed:%d" fullword wide
        $m1 = "TCPx86.dll" fullword wide ascii
        $m2 = "aria-body" nocase wide ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 450000 and (2 of ($a*) and 1 of ($m*))
}

rule apt_ZZ_Naikon_codebase : Naikon
{
    meta:
        report = "Naikon New AR Backdoor Deployment to Southeast Asia"
        description = "Naikon typo"
        author = "Kaspersky"
        copyright = "Kaspersky"
        version = "1.0"
        date = "2018-06-28"
        last_modified = "2018-06-28"
    strings:
        $a1 = "Create Directroy [%s] Failed:%d" wide
    condition:
        uint16(0) == 0x5A4D and filesize < 450000 and $a1
}
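As an added example (not Kaspersky's code and not part of the original post), the conditions of both rules above re-implemented in Python, so that the string modifiers (wide, ascii, fullword, nocase) and the MZ-header and filesize checks can be applied to a process memory dump or a file without a YARA binary, as the post recommends for injected AR code. The two sample buffers are constructed here and are not real Naikon samples.

```python
import re

# Strings and modifiers copied from the two YARA rules above; tuple layout is
# (text, encodings "a"/"w"/"wa", fullword, nocase). Hypothetical re-implementation.
_WIDE = [
    "Terminate Process [PID=%d] succeeds!", "TerminateProcess [PID=%d] Failed:%d",
    "Close tcp connection returns: %d!", "Delete Directory [%s] returns:%d",
    "Delete Directory [%s] succeeds!", "Create Directory [%s] succeeds!",
    "SHFileOperation [%s] returns:%d", "SHFileOperation [%s] succeeds!",
    "Close tcp connection succeeds!", "OpenProcess [PID=%d] Failed:%d",
    "ShellExecute [%s] returns:%d", "ShellExecute [%s] succeeds!",
    "FindFirstFile [%s] Error:%d", "Delete File [%s] succeeds!",
    "CreateFile [%s] Error:%d", "Create Directroy [%s] Failed:%d",  # typo kept verbatim
]
A_STRINGS = [(s, "w", True, False) for s in _WIDE] + [("DebugAzManager", "a", True, False)]
M_STRINGS = [("TCPx86.dll", "wa", True, False), ("aria-body", "wa", False, True)]

def _patterns(text, enc, fullword, nocase):
    """Build one byte regex per requested encoding, approximating YARA's modifiers."""
    out = []
    for e in enc:
        raw = text.encode("ascii" if e == "a" else "utf-16-le")
        pat = re.escape(raw)
        if fullword:  # not delimited by an alphanumeric char (a wide char is letter + NUL)
            alnum = rb"[A-Za-z0-9]" + (rb"\x00" if e == "w" else rb"")
            pat = rb"(?<!" + alnum + rb")" + pat + rb"(?!" + alnum + rb")"
        out.append(re.compile(pat, re.IGNORECASE if nocase else 0))
    return out

def _hits(data, strings):
    return sum(any(p.search(data) for p in _patterns(*s)) for s in strings)

def matches_ar_strings(data: bytes) -> bool:
    """apt_ZZ_Naikon_ARstrings: uint16(0) == 0x5A4D, filesize < 450000, 2 of $a* and 1 of $m*."""
    return (data[:2] == b"MZ" and len(data) < 450000
            and _hits(data, A_STRINGS) >= 2 and _hits(data, M_STRINGS) >= 1)

def matches_codebase(data: bytes) -> bool:
    """apt_ZZ_Naikon_codebase: MZ header, filesize < 450000 and the wide 'Directroy' typo."""
    typo = "Create Directroy [%s] Failed:%d".encode("utf-16-le")
    return data[:2] == b"MZ" and len(data) < 450000 and typo in data

def _sample(wide_strings, tail=b""):
    """Constructed PE-like buffer (not a real sample): MZ stub plus UTF-16LE strings."""
    blob = b"MZ" + b"\x00" * 62
    for s in wide_strings:
        blob += s.encode("utf-16-le") + b"\x00\x00" + b"\x90" * 8
    return blob + tail

SAMPLE_HIT = _sample(["Create Directroy [%s] Failed:%d", "ShellExecute [%s] succeeds!", "ARIA-BODY"])
SAMPLE_MISS = _sample(["Create Directroy [%s] Failed:%d"], b"TCPx86.dll\x00")  # 1 $a, 1 $m: too few
```

For a real dump, pass its bytes to the two functions, e.g. `matches_ar_strings(open(path, "rb").read())`; note that `filesize` then refers to the dump, not the original dll.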

Podcast: Shifting Cloud Security Left With Infrastructure-as-Code

VirusList.com - 8 May, 2020 - 15:00
Companies are looking to "shift left" with Infrastructure-as-Code (IaC) security capabilities to improve developer productivity, avoid misconfigurations and prevent policy violations.
Category: Viruses and Worms

If you miss the happier times of the 2000s, just look up today's SCADA gear which still has Stuxnet-style holes

The Register - Anti-Virus - 8 May, 2020 - 12:56
Schneider Electric patches vulns after Trustwave raises alarm

Two Schneider Electric SCADA products had vulnerabilities similar to the ones exploited in the Iran-bothering Stuxnet worm, an infosec outfit has claimed.…

Category: Viruses and Worms

Vote for Naked Security in the European Blogger Awards 2020!

Sophos Naked Security - 8 May, 2020 - 12:40
If you enjoy what you read, hear and see from the Naked Security team, please vote for us - it means a lot!

More crypto-stealing Chrome extensions swatted by Google

Sophos Naked Security - 8 May, 2020 - 12:15
Google deleted more malicious extensions from the Chrome Web Store after they were found to be phishing cryptocurrency users.

Bored at home? Cisco has just the thing: A shed-load of security fixes to install, from a Kerberos bypass to crashes

The Register - Anti-Virus - 8 May, 2020 - 01:13
Switchzilla issues a whopping 30+ patches in time for the long UK weekend

Cisco has emitted a fresh round of software updates to address nearly three dozen security holes in its products.…

Category: Viruses and Worms

FYI: Your browser can pick up ultrasonic signals you can't hear, and that sounds like a privacy nightmare to some

The Register - Anti-Virus - 7 May, 2020 - 23:24
High-frequency audio could be used to stealthily track netizens

Technical folks looking to improve web privacy haven't been able to decide whether sound beyond the range of human hearing poses enough of a privacy risk to merit restriction.…

Category: Viruses and Worms

Blue Mockingbird Monero-Mining Campaign Exploits Web Apps

VirusList.com - 7 May, 2020 - 23:01
The cybercriminals are using a deserialization vulnerability, CVE-2019-18935, to achieve remote code execution before moving laterally through the enterprise.
Category: Viruses and Worms

Cisco Fixes High-Severity Flaws In Firepower Security Software, ASA

VirusList.com - 7 May, 2020 - 20:43
Cisco has fixed 12 high-severity flaws in its Adaptive Security Appliance software and Firepower Threat Defense software.
Category: Viruses and Worms