Viry a Červi

Pensioners, employees and medical pros among those aiming to be compensated for data exposure

The number of claimants signing up to a collective action against Capita over the infamous March cyber security break-in and subsequent data exposure keeps going up, according to the lawyer overseeing the case.…

Global threat statistics

In the first half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased from H2 2022 by just 0.3 pp to 34%.

Percentage of ICS computers on which malicious objects were blocked, by half year

That said, he percentage of attacked ICS computers dropped in Q1 2023, but then rose again in Q2 2023, reaching highest quarterly figure since 2022 – 26.8%.

Percentage of ICS computers on which malicious objects were blocked, by quarter

Geography

The percentage of ICS computers on which malicious objects were blocked varied across countries from 53.3% in Ethiopia to 7.4% in Luxembourg.

The percentage of computers on which malicious activity was prevented varied across regions from 40.3% in Africa to 14.7% in Northern Europe.

Percentage of ICS computers on which malicious objects were blocked, by regions

Australia and New Zealand, the United States and Canada, Western Europe, and Northern Europe historically have had the lowest percentages of ICS computers on which malicious objects are blocked.

In H1 2023, however, those were the very regions where the percentages of attacked ICS computers increased by the most percentage points.

H1 2023 changes in the percentages of ICS computers on which malicious objects were blocked, by region

Africa and the Asian regions where the percentage of ICS computers on which malicious objects are blocked historically has been high, showed a downward trend.

Percentage of ICS computers on which malicious objects were blocked in Africa and regions of Asia

Individual industries

In H1 2023, the percentage of ICS computers on which malicious objects were blocked increased in engineering and ICS integration (by 2 pp), manufacture (by 1.9 pp) and energy (by 1.5 pp).

Percentage of ICS computers on which malicious objects were blocked in selected industries

Building automation is still the leader among the industries under review.

Categories of malicious objects

Only one of the categories grew in H1 2023: denylisted internet resources. The percentage of ICS computers on which threats in this category are blocked has grown for the second half-year in a row.

Percentage of ICS* computers on which the activity of malicious objects of various categories was prevented

The percentages of ICS computers on which Spyware, Malicious documents, Malicious miners in the form of Windows executables, Ransomware were blocked had been declining since mid-2022:

Percentage of ICS computers on which the activity of malicious objects of various categories was prevented

In H1 2023, the percentage of ICS computers on which these categories of threats were blocked, dropped in virtually every region.

Main threat sources

The internet, email clients and removable devices remained the key sources of threats to computers in the operational technology infrastructure of organizations.

Percentage of ICS computers on which malicious objects from various sources were blocked

The full report has been published on the Kaspersky ICS CERT website.

 

Running unsupported and unpatched versions of Exchange Server will do that to a country

Sri Lanka's Computer Emergency Readiness Team (CERT) is currently investigating a ransomware attack on the government's cloud infrastructure that affected around 5,000 email accounts, it revealed on Tuesday.…

'Obtaining a disruptive capability could be one possible motivation behind this surge in attacks'

Espionage-ware thought to have been developed by China has once again been spotted within the power grid of a neighboring nation.…

Plus: Adobe and Android also tackle abused-in-the-wild flaws

Patch Tuesday  It's every Windows admin's favorite day of the month: Patch Tuesday. Microsoft emitted 59 patches for its September update batch, including two for bugs that have already been exploited.…

$50k to breathe new life into its corpse. The rest of us must move on to OpenSSL 3.0

OpenSSL 1.1.1 has reached the end of its life, making a move to a later version essential for all, bar those with extremely deep pockets.…

Exploit observed in the wild against codec lib in browsers, apps

Updated  Google and Mozilla have rushed out a fix for a vulnerability within their browsers – Chrome and Firefox, respectively – noting an exploit already exists in the wild.…

UPDATE 13.09.2023. Free Download Manager team issued an official statement regarding this incident.

Over the last few years, Linux machines have become a more and more prominent target for all sorts of threat actors. According to our telemetry, 260,000 unique Linux samples appeared in the first half of 2023. As we will demonstrate in this article, campaigns targeting Linux can operate for years without being noticed by the cybersecurity community.

We discovered one such long-lasting attack when we decided to investigate a set of suspicious domains, among them:

• 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org
• c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org
• 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org
• c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org

To a security researcher’s eye, these domains look alarming, as they can be a sight of malware using domain-generation algorithms for C2 communications. We thus decided to take a close look at the fdmpkg[.]org domain.

A malicious Debian repository

We identified that the domain in question has a deb.fdmpkg[.]org subdomain. Going there in the browser shows the following web page:

As suggested by the page, this subdomain claims to host a Debian repository of a piece of software called ‘Free Download Manager’. We further discovered a Debian package of this software available for download from the https://deb.fdmpkg[.]org/freedownloadmanager.deb URL. This package turned out to contain an infected postinst script that is executed upon installation. This script drops two ELF files to the paths /var/tmp/crond and /var/tmp/bs. It then establishes persistence by creating a cron task (stored in the file /etc/cron.d/collect) that launches the /var/tmp/crond file every 10 minutes.

The version of Free Download Manager installed by the infected package was released on January 24, 2020. Meanwhile, the postinst script contains comments in Russian and Ukrainian, including information about improvements made to the malware, as well as activist statements. They mention the dates 20200126 (January 26, 2020) and 20200127 (January 27, 2020).

A DNS-based backdoor

Once the malicious package is installed, the executable /var/tmp/crond gets launched on every startup through cron. This executable is a backdoor, and it does not import any functions from external libraries. To access the Linux API, it invokes syscalls with the help of the statically linked dietlibc library.

Upon startup, this backdoor makes a type A DNS request for the <hex-encoded 20-byte string>.u.fdmpkg[.]org domain. In response to this request, the backdoor receives two IP addresses that encode the address and port of a secondary C2 server. The following addresses were returned at the time of our research:

• 172.111.48[.]101
• 127.1.0[.]80

The first IP address in the list above is the address of the secondary C2 server, while the second address contains the connection port (encoded in the third and fourth octets) and the connection type (encoded in the second octet).

After parsing the response of the DNS request, the backdoor launches a reverse shell, using the secondary C2 server for communications. The communication protocol is, depending on the connection type, either SSL or TCP. In the case of SSL, the crond backdoor launches the /var/tmp/bs executable and delegates all further communications to it. Otherwise, the reverse shell is created by the crond backdoor itself.

A Bash stealer

Having found out that the crond backdoor creates a reverse shell, we decided to check how this shell is used by attackers. To do that, we installed the infected Free Download Manager package in a malware analysis sandbox. Having analyzed the traffic generated by crond, we determined that the attackers deployed a Bash stealer to the sandbox. This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure).

After collecting information from the infected machine, the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd. It then uses this binary to upload stealer execution results to the attackers’ infrastructure.

We did not observe any other activity performed via the reverse shell, and thus the whole infection chain can be described with the graph below:

Mystery of the infection vector

After analyzing all components in the chain, we wanted to find out how the infected Debian package was distributed to victims. We checked the official website of Free Download Manager (freedownloadmanager[.]org). Packages available for download from this website turned out to be hosted on the files2.freedownloadmanager[.]org domain, and they were not backdoored.

We then decided to conduct an open-source check on the fdmpkg[.]org domain. This check revealed a dozen posts on websites such as StackOverflow and Reddit, where users have been discussing problems caused by the infected Free Download Manager distribution, not realizing they actually became victims of malware. These posts were made over the course of three years – from 2020 to 2022.

In one such post on Unix Stack Exchange, the author complains about the message ‘Waiting for process: crond’ that prevents the computer from shutting down:

The responses to this post, which came from users dealing with the same problem, suggest that this issue is caused by the Free Download Manager software. They advise to remove the files /etc/cron.d/collect, /var/tmp/crond and /var/tmp/bs. However, none mention that these three files are malicious.

In another post created in 2020, a Reddit user asked whether it is OK to install Free Download Manager without running the postinst script, which, unbeknownst to the user, contained malware.

Moreover, the post author pasted the contents of the script, and another Reddit user pointed out in the comments that it may be malicious. However, these users did not identify the website distributing the infected package or find out what this script does.

We additionally found a post on Reddit mentioning that the official website of this software was distributing malware in 2015. However, the malware described in this post turned out to be unrelated to the campaign that we discovered.

All these posts on social networks made us think that the malicious Debian package could have been distributed via a supply chain attack, through the freedownloadmanager[.]org website. So, we decided to look for further facts that could prove or disprove this claim.

An unexpected redirection

While checking videos on Free Download Manager that are hosted on YouTube, we identified several tutorials demonstrating how to install this software on Linux machines. We observed the following actions that happen in all these videos:

• The video makers opened the legitimate website of Free Download Manager (freedownloadmanager[.]org) in the browser;
• They afterwards clicked on the Download button for the Linux version of the software;
• They were redirected to the malicious https://deb.fdmpkg[.]org/freedownloadmanager.deb URL that hosts the infected version of Free Download Manager.

We also noted that the redirection to the malicious deb.fdmpkg[.]org domain was not occuring in all cases. In another video posted within the same timeframe, , a user clicked on the ‘Download’ button hosted on the software website and ended up downloading Free Download Manager from the legitimate website.

Thus, it is possible that the malware developers scripted the malicious redirection to appear with some degree of probability or based on digital fingerprint of the potential victim.

We further inspected the legitimate Free Download Manager website, wanting to find out if the software developers were aware their website was potentially compromised. In one of the comments made on the software’s blog in 2021, a user complains about observing access to the 5d6167ef729c91662badef0950f795bf362cbb99.u.fdmpkg[.]org domain. A reply to this comment from the user ‘blogadmin’ says that Free Download Manager is not related to this domain and advises to make use only of official versions of the software:

However, nobody bothered to discover how this user ended up installing this suspicious version of Free Download Manager. As such, the official website of this software continued distributing the malicious Debian package until at least 2022.

Origins of the backdoor

Having established how the infected Free Download Manager package was distributed, we decided to check whether the implants discovered over the course of our research have code overlaps with other malware samples. It turned out that the crond backdoor represents a modified version of a backdoor called Bew. Kaspersky security solutions for Linux have been detecting its variants since 2013.

Code of the 2013 version of Bew (left, MD5: 96d8d47a579717223786498113fbb913) and the crond backdoor (right, MD5: 6ced2df96e1ef6b35f25ea0f208e5440)

The Bew backdoor has been analyzed multiple times, and one of its first descriptions was published in 2014. Additionally, in 2017, CERN posted information about the BusyWinman campaign that involved usage of Bew. According to CERN, Bew infections were carried out through drive-by downloads.

As for the stealer, its early version was described by Yoroi in 2019. It was used after exploitation of a vulnerability in the Exim mail server.

The Bash stealer described in 2019 (left, MD5: 8C7EFB0493B6FB805B2C2F0593DE0AB1) and the stealer used in the FDM campaign in 2022 (right, MD5: AD7F99D44931489B2C38DF7A5A166C4D)

Why wasn’t the malicious package discovered earlier?

The malware observed in this campaign has been known since 2013. In addition, the implants turned out to be quite noisy, as demonstrated by multiple posts on social networks. According to our telemetry, victims of this campaign are located all over the world, including Brazil, China, Saudi Arabia and Russia. Given these facts, it may seem paradoxical that the malicious Free Download Manager package remained undetected for more than three years.

We assess that this is due to the following factors:

• As opposed to Windows, Linux malware is much more rarely observed;
• Infections with the malicious Debian package occurred with a degree of probability: some users received the infected package, while others ended up downloading the benign one;
• Social network users discussing Free Download Manager issues did not suspect that they were caused by malware.

While the campaign is currently inactive, this case of Free Download Manager demonstrates that it can be quite difficult to detect ongoing cyberattacks on Linux machines with the naked eye. Thus, it is essential that Linux machines, both desktop and server, are equipped with reliable and efficient security solutions.

We additionally contacted the developers of Free Download Manager and notified them about this campaign. At the time of publishing this article, we had not received a response from them.

Indicators of Compromise

File checksums
b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d (Malicious Debian Package)
2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349 (crond backdoor)
93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea (bs backdoor)
d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5 (atd uploader)

File paths
/etc/cron.d/collect
/var/tmp/crond
/var/tmp/bs
/var/tmp/atd

Network indicators
fdmpkg[.]org
172.111.48[.]101

A new low, even for these lowlifes

Updated  Cybercrime crew BianLian says it has broken into the IT systems of a top nonprofit and stolen a ton of files, including what the miscreants claim is financial, health, and medical data.…

Ransomware? Some would be willing to bet on that

MGM Resorts has shut down some of its IT systems following a "cybersecurity incident" that the casino-and-hotel giant says is currently under investigation.…

Akamai reckons traffic flood peaked at 55.1 million packets per second

Akamai says it thwarted a major distributed denial-of-service (DDoS) attack aimed at a US bank that peaked at 55.1 million packets per second earlier this month.…

Defence against the dark arts of phishing

Webinar  Almost half of all losses to cybercrime come from Business Email Compromise (BEC), according to the FBI. It appears that even the most astute among us can fall foul of a cunningly crafted phishing email masquerading as a missive from a trusted source.…

Introduction

Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures. We hope this article will help you to stay one step ahead of threats like this one.

Cuba ransomware gang

Cuba data leak site

The group’s offensives first got on our radar in late 2020. Back then, the cybercriminals had not yet adopted the moniker “Cuba”; they were known as “Tropical Scorpius”.

Cuba mostly targets organizations in the United States, Canada and Europe. The gang has scored a series of resonant attacks on oil companies, financial services, government agencies and healthcare providers.

As with most cyberextortionists lately, the Cuba gang encrypts victims’ files and demands a ransom in exchange for a decryption key. The gang infamously uses complex tactics and techniques to penetrate victim networks, such as exploitation of software vulnerabilities and social engineering. They have been known to use compromised remote desktop (RDP) connections for initial access.

The Cuba gang’s exact origins and the identities of its members are unknown, although some researchers believe it might be a successor to another ill-famed extortion gang, Babuk. The Cuba group, like many others of its kind, is a ransomware-as-a-service (RaaS) outfit, letting its partners use the ransomware and associated infrastructure in exchange for a share of any ransom they collect.

The group has changed names several times since its inception. We are currently aware of the following aliases it has used:

• ColdDraw
• Tropical Scorpius
• Fidel
• Cuba

This past February, we came across another name for the gang — “V Is Vendetta”, which deviated from the hackers’ favorite Cuban theme. This might have been a moniker used by a sub-group or affiliate.

There is an obvious connection with the Cuba gang: the newly discovered group’s website is hosted in the Cuba domain:

http[:]//test[.]cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd[.]onion/

Website of V IS VENDETTA

Cuba remains active as at the time of writing this, and we keep hearing about new extortion victims.

Victimology

In this section, we used data consensually provided by our users and information about victims from open sources, such as other security vendors’ reports and the data leak site of the ransomware gang itself.

The group has attacked numerous companies around the world. Industry affiliation does not seem to be a factor: victims have included retailers, financial and logistical services, government agencies, manufacturers, and others. In terms of geography, most of the attacked companies have been located in the United States, but there have been victims in Canada, Europe, Asia and Australia.

Geographic distribution of Cuba victims

Ransomware

The Cuba ransomware is a single file without additional libraries. Samples often have a forged compilation timestamp: those found in 2020 were stamped with June 4, 2020, and more recent ones, June 19th, 1992.

Cuba extortion model

Extortion models

Four extortion models exist today in terms of tools used for pressuring the victim.

• Single extortion: encrypting data and demanding a ransom just for decryption.
• Double extortion: besides encrypting, attackers steal sensitive information. They threaten to both withhold the encryption key and publish the stolen information online unless the victim pays up. This is the most popular model among ransomware gangs today.
• Triple extortion: adding a threat to expose the victim’s internal infrastructure to DDoS attacks. The model became widespread after the LockBit gang got DDoS’ed, possibly by a victim. After getting targeted, the hackers realized that DDoS was an effective pressure tool, something they stated openly, setting an example for others. To be fair, isolated cases of triple extortion predate the LockBit case.
• The fourth model is the least common one, as it implies maximum pressure and is thus more costly. It adds spreading news of the breach among the victim’s investors, shareholders and customers. DDoS attacks in that case are not necessary. This model is exemplified by the recent hack of Bluefield University in Virginia, where the AvosLocker ransomware gang hijacked the school’s emergency broadcast system to send students and staff SMS texts and email alerts that their personal data had been stolen. The hackers urged not to trust the school’s management, who they said were concealing the true scale of the breach, and to make the situation public knowledge as soon as possible.

The Cuba group is using the classic double extortion model, encrypting data with the Xsalsa20 symmetric algorithm, and the encryption key, with the RSA-2048 asymmetric algorithm. This is known as hybrid encryption, a cryptographically secure method that prevents decryption without the key.

Cuba ransomware samples avoid encrypting files with the following name extensions: .exe, .dll, .sys, .ini, .lnk, .vbm and .cuba, and the following folders:

• \windows\
• \program files\microsoft office\
• \program files (x86)\microsoft office\
• \program files\avs\
• \program files (x86)\avs\
• \$recycle.bin\
• \boot\
• \recovery\
• \system volume information\
• \msocache\
• \users\all users\
• \users\default user\
• \users\default\
• \temp\
• \inetcache\
• \google\

The ransomware saves time by searching for, and encrypting, Microsoft Office documents, images, archives and others in the %AppData%\Microsoft\Windows\Recent\ directory, rather than all files on the device. It also terminates all SQL services to encrypt any available databases. It looks for data both locally and inside network shares.

List of services that the Cuba ransomware terminates

Besides encrypting, the group steals sensitive data that it discovers inside the victim’s organization. The type of data that the hackers are after depends on the industry that the target company is active in, but in most cases, they exfiltrate the following:

• Financial documents
• Bank statements
• Company accounts details
• Source code, if the company is a software developer

Arsenal

The group employs both well-known, “classic” credential access tools, such as mimikatz, and self-written applications. It exploits vulnerabilities in software used by the victim companies: mostly known issues, such as the combination of ProxyShell and ProxyLogon for attacking Exchange servers, and security holes in the Veeam data backup and recovery service.

Malware

• Bughatch
• Burntcigar
• Cobeacon
• Hancitor (Chanitor)
• Termite
• SystemBC
• Veeamp
• Wedgecut
• RomCOM RAT

Tools

• Mimikatz
• PowerShell
• PsExec
• Remote Desktop Protocol

Vulnerabilities

ProxyShell:

• CVE-2021-31207
• CVE-2021-34473
• CVE-2021-34523

ProxyLogon:

• CVE-2021-26855
• CVE-2021-26857
• CVE-2021-26858
• CVE-2021-27065

Veeam vulnerabilities:

• CVE-2022-26501
• CVE-2022-26504
• CVE-2022-26500

ZeroLogon:

• CVE-2020-1472

Mapping of the attack arsenal to MITRE ATT&CK® tactics

Profits

The incoming and outgoing payments in the bitcoin wallets whose identifiers the hackers provide in their ransom notes exceed a total of 3,600 BTC, or more than $103,000,000 converted at the rate of $28,624 for 1 BTC. The gang owns numerous wallets, constantly transferring funds between these, and uses bitcoin mixers: services that send bitcoins through a series of anonymous transactions to make the origin of the funds harder to trace.

Part of the transaction tree in the BTC network

Investigation of a Cuba-related incident and analysis of the malware Host: SRV_STORAGE

On December 19, we spotted suspicious activity on a customer host, which we will refer to as “SRV_STORAGE” in this report. Telemetry data showed three suspicious new files:

Suspicious events in the telemetry data as discovered by the Kaspersky SOC

An analysis of kk65.bat suggested that it served as a stager that initiated all further activity by starting rundll32 and loading the komar65 library into it, which runs the callback function DLLGetClassObjectGuid.

Contents of the .bat file that we found

Let us take a look inside the suspicious DLL.

Bughatch

The komar65.dll library is also known as “Bughatch”, a name it was given in a report by Mandiant.

The first thing that caught our attention was the path to the PDB file. There’s a folder named “mosquito” in it, which translates into Russian as “komar”. The latter is a part of the DDL name suggesting the gang may include Russian speakers.

Path to the komar65.dll PDB file

The DLL code presents Mozilla/4.0 as the user agent when connecting to the following two addresses:

• com, apparently used for checking external connectivity
• The gang’s command-and-control center. The malware will try calling home if the initial ping goes through.

Analysis of komar65.dll

This is the kind of activity we observed on the infected host. After Bughatch successfully established a connection with the C2 server, it began collecting data on network resources.

Bughatch activity

Looking into the C2 servers, we found that in addition to Bughatch, these spread modules that extend the malware’s functionality. One of those collects information from the infected system and sends it back to the server in the form of an HTTP POST request.

Files we found on the Cuba C2 servers

One could think of Bughatch as a backdoor of sorts, deployed inside the process memory and executing a shellcode block within the space it was allocated with the help of Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject), to then connect to the C2 and await further instructions. In particular, the C2 may send a command to download further malware, such as Cobalt Strike Beacon, Metasploit, or further Bughatch modules.

Bughatch operating diagram

SRV_Service host Veeamp

After some time, we found a malicious process started on a neighboring host; we dubbed this “SRV_Service”:

Malicious process starting

Veeamp.exe is a custom-built data dumper written in C#, which leverages security flaws in the Veeam backup and recovery service to connect to the VeeamBackup SQL database and grab account credentials.

Analysis of Veeamp

Veeamp exploits the following Veeam vulnerabilities: CVE-2022-26500, CVE-2022-26501, CVE-2022-26504. The first two allow an unauthenticated user to remotely execute arbitrary code, and the third one, lets domain users do the same. After any of the three are exploited, the malware outputs the following in the control panel:

• User name
• Encrypted password
• Decrypted password
• User description in the Credentials table of Veeam: group membership, permissions and so on

The malware is not exclusive to the Cuba gang. We spotted it also in attacks by other groups, such as Conti and Yanluowang.

Activity we saw on SRV_Service after Veeamp finished its job was similar to what we had observed on SRV_STORAGE with Bughatch:

Bughatch activity on SRV_Service

As was the case with SRV_STORAGE, the malware dropped three files into the temp folder, and then executed these in the same order, connecting to the same addresses.

Avast Anti-Rootkit driver

After Bughatch successfully established a connection to its C2, we watched as the group used an increasingly popular technique: Bring Your Own Vulnerable Driver (BYOVD).

Exploiting a vulnerable driver

The malicious actors install the vulnerable driver in the system and subsequently use it to various ends, such as terminating processes or evading defenses through privilege escalation to kernel level.

Hackers are drawn to vulnerable drivers because they all run in kernel mode, with a high level of system access. Besides, a legitimate driver with a digital signature will not raise any red flags with security systems, helping the attackers to stay undetected for longer.

During the attack, the malware created three files in the temp folder:

• aswarpot.sys: a legitimate anti-rootkit driver by Avast that has two vulnerabilities: CVE-2022-26522 and CVE-2022-26523, which allow a user with limited permissions to run code at kernel level.
• KK.exe: malware known as Burntcigar. The file we found was a new variety that used the flawed driver to terminate processes.
• av.bat batch script: a stager that helps the kernel service to run the Avast driver and executes Burntcigar.

Analysis of the BAT file and telemetry data suggests that av.bat uses the sc.exe utility to create a service named “aswSP_ArPot2”, specifying the path to the driver in the С\windows\temp\ directory and the service type as kernel service. The BAT file then starts the service with the help of the same sc.exe utility and runs KK.exe, which connects to the vulnerable driver.

Contents of the .bat file that we found

Burntcigar

The first thing we noticed while looking into Burntcigar was the path to the PDB file, which contained a folder curiously named “Musor” (the Russian for “trash”), more indication that the members of the Cuba gang may speak Russian.

Path to the KK.exe PDB file

We further discovered that the sample at hand was a new version of Burntcigar, undetectable by security systems at the time of the incident. The hackers had apparently updated the malware, as in the wake of previous attacks, many vendors were able to easily detect the logic run by older versions.

You may have noticed that in the screenshot of our sample below, all data about processes to be terminated is encrypted, whereas older versions openly displayed the names of all processes that the attackers wanted stopped.

Comparison between the old and new version of Burntcigar

The malware searches for process names that suggest a relation to popular AV or EDR products and adds their process IDs to the stack to terminate later.

Burntcigar uses the DeviceIoContol function to access the vulnerable Avast driver, specifying the location of the code that contains the security issue as an execution option. The piece of code contains the ZwTerminateProcess function, which the attackers use for terminating processes.

Analysis of Burntcigar

Fortunately, our product’s self-defense was able to cope with the malware by blocking all hooks to the driver.

Later, we discovered similar activity exploiting the Avast anti-rootkit driver on the Exchange server and the SRV_STORAGE host. In both cases, the attackers used a BAT file to install the insecure driver and then start Burntcigar.

Burntcigar activity on the neighboring hosts

SRV_MAIL host (Exchange server)

On December 20, the customer granted our request to add the Exchange server to the scope of monitoring. The host must have been used as an entry point to the customer network, as the server was missing critical updates, and it was susceptible to most of the group’s initial access vectors. In particular, SRV_MAIL had the ProxyLogon, ProxyShell and Zerologon vulnerabilities still unremediated. This is why we believe that the attackers penetrated the customer network through the Exchange server.

Telemetry data starts coming in

On SRV_MAIL, the SqlDbAdmin user showed the same kind of activity as that which we had observed on the previous hosts.

Malicious activity by SqlDbAdmin

We found that the attackers were using the legitimate gotoassistui.exe tool for transferring malicious files between the infected hosts.

GoToAssist is an RDP support utility often used by technical support teams, but the application is often abused to bypass any security defenses or response teams when moving files between systems.

Sending malicious files via gotoassistui.exe

We also found that new Bughatch samples were being executed. These used slightly different file names, callback functions and C2 servers, as our systems were successfully blocking older versions of the malware at that time.

Bughatch activity

SqlDbAdmin

We wondered who that SqlDbAdmin was. The answer came through a suspicious DLL, addp.dll, which we found manually on a compromised host.

Suspicious dynamic library

We found that it used the WIN API function NetUserAdd to create the user. The name and password were hard-coded inside the DLL.

Analysis of addp.dll

As we looked further into the library, we found that it used the RegCreateKey function to enable RDP sessions for the newly created user by modifying a registry setting. The library then added the user to the Special Account registry tree to hide it from the system login screen, an interesting and fairly unconventional persistence technique. In most cases, bad actors add new users with the help of scripts thatsecurity products rarely miss.

Analysis of addp.dll

Cobalt Strike

We found a suspicious DLL, ion.dll, running on the Exchange server as part of the rundll32 process with unusual execution options. At first, we figured that the activity was similar to what we had earlier seen with Bughatch. However, further analysis showed that the library was, in fact, a Cobalt Strike Beacon.

Execution of the suspicious ion.dll file

When we were looking at the ion.dll code, what caught our attention was execution settings and a function that uses the Cobalt Strike configuration. The library used the VirtualAlloc function for allocating process memory to execute the Cobalt Strike Beacon payload in, later.

Analysis of ion.dll

All configuration data was encrypted, but we did find the function used for decrypting that. To find the Cobalt Strike C2 server, we inspected a rundll32 memory dump with ion.dll loaded into it, running with the same settings it did on the victim host.

Memory dump of rundll32

Finding out the name of the C2 helped us to locate the history of communications with that server within the telemetry data. After the malware connected to the C2, it downloaded two suspicious files into the Windows folder on the infected server and then executed these. Unfortunately, we were not able to obtain the two files for analysis, as the hackers had failed to disable security at the previous step, and the files were wiped off the infected host. We do believe, though, that what we were dealing with was the ransomware itself.

Communications with the attackers’ C2 server

The customer promptly isolated the affected hosts and forwarded the incident to the Kaspersky Incident Response team for further investigation and search for possible artifacts. This was the last we saw of the malicious actor’s activity in the customer system. The hosts avoided encryption thanks to the customer following our recommendations and directions, and responding to the incident in time.

New malware

We found that VirusTotal contained new samples of the Cuba malware with the same file metadata as the ones in the incident described above. Some of those samples had successfully evaded detection by all cybersecurity vendors. We ran our analysis on each of the samples. As you can see from the screenshot below, these are new versions of Burntcigar using encrypted data for anti-malware evasion. We have made Yara rules that detect these new samples, and we are providing these in the attachment to this article.

New malware samples

BYOVD (Bring Your Own Vulnerable Driver)

We will now take a closer look at an attack that uses insecure drivers, which we observed as we investigated the incident and which is currently growing in popularity as various APT and ransomware gangs add it to their arsenals.

Bring Your Own Vulnerable Driver (BYOVD) is a type of attack where the bad actor uses legitimate signed drivers that are known to contain a security hole to execute malicious actions inside the system. If successful, the attacker will be able to exploit the vulnerabilities in the driver code to run any malicious actions at kernel level!

Understanding why this is one of the most dangerous kinds of attacks takes a quick refresher on what drivers are. A driver is a type of software that acts as an intermediary between the operating system and the device. The driver converts OS instructions into commands that the device can interpret and execute. A further use of drivers is supporting applications or features that the operating system originally lacks. As you can see from the image below, the driver is a layer of sorts between user mode and kernel mode.

User mode and kernel mode interaction diagram. Source:
https://learn.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode

Applications running in user mode have fewer privileges to control the system. All they can get access to is a virtualized memory area that is isolated and protected from the rest of the system. The driver runs inside the kernel memory, and it can execute any operations just like the kernel itself. The driver can get access to critical security structures and modify those. Modifications like that make the system liable to attacks that use privilege escalation, disabling of OS security services, and arbitrary reading and writing.

The Lazarus gang made use of that technique in 2021 as they gained write access to kernel memory and disabled Windows security features by abusing a Dell driver that contained the CVE-2021-21551 vulnerability.

There is no sure-fire defense from legitimate drivers, because any driver could prove to have a security flaw. Microsoft has published a list of recommendations to protect against this type of techniques:

• Enable Hypervisor-Protected Code Integrity.
• Enable Memory Integrity.
• Enable validation of driver digital signatures.
• Use the vulnerable driver blocklist.

However, studies suggest that the recommendations are irrelevant even with every Windows protection feature enabled, and attacks like these go through anyway.

To counter this technique, many security vendors started adding a self-defense module into their products that prevents malware from terminating processes and blocks every attempt at exploiting vulnerable drivers. Our products have that feature too, and it proved effective during the incident.

Conclusion

The Cuba cybercrime gang employs an extensive arsenal of both publicly available and custom-made tools, which it keeps up to date, and various techniques and methods including fairly dangerous ones, such as BYOVD. Combating attacks at this level of complexity calls for sophisticated technology capable of detecting advanced threats and protecting security features from being disabled, and a massive, continuously updated threat knowledge base that helps to detect malicious artifacts manually.

The incident detailed in this article shows that investigation of real-life cyberattacks and incident response, such as Managed Detection and Response (MDR), are sources of the latest information about malicious tactics, techniques and procedures. In particular, during this investigation, we discovered new and previously undetected samples of the Cuba malware, and artifacts suggesting that at least some of the gang members spoke Russian.

That said, effective investigation and response begin with knowledge of current cyberthreats, which is available from Threat Intelligence services. At Kaspersky, the Threat Intelligence and MDR teams work closely while exchanging data and enhancing their services all the time.

Appendix

Sigma and YARA rules: https://github.com/BlureL/SigmaYara-Rules
Indicators of Compromise: Download PDF
Mitre ATT&CK matrices: Download PDF

ALSO: Verizon turns self in for reduced fine, malvertising comes to macOS, and this week's critical vulnerabilities

Infosec in brief  Watch out, cyber security researchers: Suspected North Korean-backed hackers are targeting members of the infosec community again, according to Google's Threat Analysis Group (TAG).…

How to protect organizations from Business Email Compromise

Webinar  It is a stratospheric number of emails pinging around the globe and the sheer volume offers a seductively lucrative phishing opportunity to the legion of bad actors out there.…

No user interaction needed for this one as Pegasus turns up via iMessage

Apple devices are again under attack, with a zero-click, zero-day vulnerability used to deliver Pegasus spyware to iPhones discovered in the wild.…

UPDATE 11.09.2023. Google has informed us that all the apps were deleted from the Google Play store

A while ago we discovered a bunch of Telegram mods on Google Play with descriptions in traditional Chinese, simplified Chinese and Uighur. The vendor says these are the fastest apps which use a distributed network of data processing centers around the world.

What can possibly be wrong with a Telegram mod duly tested by Google Play and available through the official store? Well, lots of things, as a matter of fact: not only do threat actors find ways to penetrate Google Play, but they also sell their stuff. So, we went on to analyze the messenger mod.

When launched, the app is no different from the original Telegram.

But let’s take a look at its code to be on the safe side.

At first it gives an impression of a perfectly ordinary Telegram mod: most packages look the same as the standard ones. But, on closer examination, you can see the package called com.wsys, which is not typical for Telegram. Let’s see what functions call this package methods.

Functions calling the suspicious com.wsys library

The list of functions that call com.wsys, suggests that this piece of code means to get access to the user’s contacts. It looks fishy to say the least, considering that the package is not a part of the messenger’s standard feature set.

connectSocket()

The com.wsys library runs in the connectSocket() method added to the main activity class responsible for the app’s start screen. The method is called when you start the app or switch to another account. It collects such user-related information as name, user ID, and phone number, after which the app connects to the command server.

Connecting to the command server

One more unpleasant surprise awaits the user when receiving a message: in the incoming message processing code, threat actors have added a call for the uploadTextMessageToService method.

Incoming message processing by the malware

Compare: the clean Telegram version does not contain the method in the same code area.

Incoming message processing by Telegram

When receiving a message, uploadTextMessageToService collects its contents, chat/channel title and ID, as well as sender’s name and ID. The collected information is then encrypted and cached into a temporary file named tgsync.s3. The app sends this temporary file to the command server at certain intervals.

Encryption of exfiltrated data

The app’s malicious functionality does not end at stealing messages. A call for the uploadFriendData method has been added to the contacts processing code.

uploadFriendData

The method is used to collect information about the user’s contacts: IDs, nicknames, names, and phone numbers. All these go to the command server much in the same way.

If the user decides to change their name of phone number, this information will end up in rogue hands as well.

Collection of changed user data

When the user receives or sends a file, the app creates an encrypted copy of it which then get forwarded to the attackers’ account residing in one of the popular cloud storages.

Exfiltration of sent files

Conclusion

Attacks employing various unofficial Telegram mods are on the rise of late. Often, they replace crypto wallet addresses in users’ messages or perform ad fraud. Unlike those, the apps described in this article come from a class of full-fledged spyware targeted at users from a specific locale (China) and capable of stealing the victim’s entire correspondence, personal data, and contacts. And yet their code is only marginally different from the original Telegram code for smooth Google Play security checks.

As you can see, being an official store item does not guarantee an app’s security, so be wary of third-party messenger mods, even those distributed by Google Play. We reported the threat to Google but, as of the time of writing, some of the apps are still available for downloading.

IOC

Md5
39df26099caf5d5edf264801a486e4ee
b9e9a29229a10deecc104654cb7c71ae
e0dab7efb9cea5b6a010c8c5fee1a285
Efcbcd6a2166745153c329fd2d486b3a
8e878695aab7ab16e38265c3a5f17970
65377fa1d86351c7bd353b51f68f6b80
19f927386a03ce8d2866879513f37ea0
a0e197b9c359b89e48c3f0c01af21713
c7a8c3c78ac973785f700c537fbfcb00

С&C
sg[.]telegrnm[.]org

Sometimes using AI to make hilariously wrong images that still drive social media engagement

Microsoft, which earlier this week admitted not being able to detect a Chinese attack on its own infrastructure, has published a report [PDF] titled "Digital threats from East Asia increase in breadth and effectiveness." In the report, Redmond's Threat Intelligence group expounds on its fresh insight into evolving online aggressions from both China and North Korea.…

Confidential figures for Tesla, Snap, Roku, Avnet, others swiped and used to rack up millions in ill-gotten gains

Vladislav Klyushin, the Russian owner of security penetration testing firm M-13, was jailed for nine years in the US on Thursday for his involvement in a cyber-crime operation that stole top corporations' confidential financial information to make $93 million through insider trading.…

Top admin, HR managers, devs go on transatlantic deny-list

The US and UK governments named and sanctioned 11 Russians said to be connected to the notorious Trickbot cybercrime crew this week.…