Viruses and Worms

Supermicro servers fixed after insecure firmware updating discovered

Sophos Naked Security - 10 September 2018 - 14:16
Researchers have sounded a warning about the security of Baseboard Management Controllers (BMCs) - a critical component that datacentres depend on to manage servers.

North Korean programmer charged for Sony, WannaCry attacks and more

Sophos Naked Security - 10 September 2018 - 13:48
Park Jin Hyok is allegedly with Lazarus Group, a hacking team connected to attacks on a wide array of industries and public utilities.

Sextortion scum armed with leaked credentials are persistent pests

The Register - Anti-Virus - 10 September 2018 - 13:29
If you're going to batter 8,497 folk with over 60,000 threats, odds are someone will crack

Persistence pays off for crooks when it comes to sextortion-based phishing scams, research into its effectiveness suggests.…

Category: Viruses and Worms

Google Chrome will now generate unique passwords for you

Sophos Naked Security - 10 September 2018 - 13:10
Chrome will now generate a unique password for users as a part of the everyday credential creation process.

‘Only paper ballots by 2020!’ call experts after election tampering

Sophos Naked Security - 10 September 2018 - 12:35
The National Academy of Sciences says the US election system uses insecure technology and is fighting off attempts to destabilize it.

LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company

Kaspersky Securelist - 10 September 2018 - 12:00

What happened?

Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.

The campaign described in this report was active immediately prior to a Central Asian high-level meeting, and we suppose that the actor behind it still follows a regional political agenda.

Which malicious modules are used?

The malware consists of three different modules:

  • A custom C++ installer that decrypts and drops the driver file in the corresponding system directory, creates a Windows autorun service for driver persistence and adds the encrypted in-memory Trojan to the system registry.
  • A network filtering driver (NDISProxy) that decrypts and injects the Trojan into memory and filters port 3389 (Remote Desktop Protocol, RDP) traffic in order to insert the Trojan’s C2 communications into it.
  • A last-stage C++ Trojan acting as HTTPS server that works together with the driver. It waits passively for communications from its C2, with two possible communication channels via ports 3389 and 443.

NDISProxy driver and RAT work together once the installer has set up all the modules

These modules allow attackers to silently move laterally in the infected infrastructure, but don’t allow them to communicate with an external C2 if the newly infected host only has a LAN IP. Because of this, the operators used an Earthworm SOCKS tunneler in order to connect the LAN of the infected host to the external C2. They also used the Scanline network scanner to find file shares (port 135, Server Message Block, SMB), which they use to spread the malware with administrative passwords captured by keyloggers.

We assess with high confidence that NDISProxy is a new tool used by LuckyMouse. Kaspersky Lab products detect the described artefacts. For more information please contact:

How does it spread?

We detected the distribution of the 32-bit dropper used for this campaign among different targets by the end of March 2018. However, we didn’t observe any spear phishing or watering hole activity. We believe the operators spread their infectors through networks that were already compromised instead.

How does it work?

Custom installer

Installer MD5 hash                  Timestamp (GMT)       Size      Bits
dacedff98035f80711c61bc47e83b61d    2018.03.29 07:35:55   572 244   32
9dc209f66da77858e362e624d0be86b3    2018.03.26 04:16:00   572 244   32
3cbeda2c5ac41cca0b0d60376a2b2511    2018.03.26 04:16:00   307 200   32

The initial infectors are 32-bit portable executable files capable of installing 32-bit or 64-bit drivers depending on the target. The installer logs all the installation process steps in the load.log file within the same directory. It checks if the OS is Windows Vista or above (major version equal to 6 or higher) and decrypts its initial configuration using the DES (Data Encryption Standard) algorithm.

The set of well-known port numbers (HTTP, HTTPS, SMB, POP3S, MSSQL, PPTP and RDP) in the configuration is not used, which along with the “[test]” strings in messages suggests this malware is still under development.

The installer creates a semaphore (name depending on configuration) Global\Door-ndisproxy-mn and checks if the service (name also depends on configuration) ndisproxy-mn is already installed. If it is, the dropper writes “door detected” in load.log. The autorun Windows service running NDISProxy is the “door” in developer terms.

The installer also decrypts (using the same DES) the shellcode of the last stage Trojan and saves it in three registry values named xxx0, xxx1, xxx2 in key HKLM\SOFTWARE\Classes\32ndisproxy-mn (or 64ndisproxy-mn for 64-bit hosts). The encrypted configuration is saved as the value filterpd-ndisproxy-mn in the registry key HKCR\ndisproxy-mn.

Initial installer saves XOR-encrypted Trojan’s shellcode and DES-encrypted configuration in system registry

The installer creates the corresponding autostart service and registry keys. The “Altitude” registry value (the unique ID of the minifilter driver) is set to 321 000, which corresponds to the “FSFilter Anti-Virus” load-order group in Windows terms.

NDISProxy network filtering driver

Driver MD5 hash                     Timestamp (GMT)       Size     Bits
8e6d87eadb27b74852bd5a19062e52ed    2018.03.29 07:33:58   40400    64
d21de00f981bb6b5094f9c3dfa0be533    2018.03.29 07:33:52   33744    32
a2eb59414823ae00d53ca05272168006    2018.03.26 04:15:28   40400    64
493167e85e45363d09495d0841c30648    2018.03.26 04:15:21   33744    32
ad07b44578fa47e7de0df42a8b7f8d2d    2017.11.08 08:04:50   241616   64

This digitally signed driver is the most interesting artefact used in this campaign. The network filtering modules serve two purposes: first they decrypt and inject the RAT; second, they set its communication channel through RDP port 3389.

The drivers are signed with a digital certificate issued by VeriSign to LeagSoft, a company developing information security software such as data loss prevention (DLP) solutions.

This driver makes extensive use of third-party publicly available C source code, including from the Blackbone repository available at GitHub.

Feature                          Public repository
Driver memory injection          Blackbone
NDIS network filtering driver    Microsoft Windows Driver Kit (WDK) sample code “Windows Filtering Platform Stream Edit Sample/C++/sys/stream_callout.c”
Parse HTTP packets               Http-parser

The driver again checks if the Windows version is higher than Vista, then creates a device named \\Device\\ndisproxy-%s (where the word after “-” varies – see Appendix for all variants) and its corresponding symbolic link \\DosDevices\\Global\\ndisproxy-%s.

The driver combines all the Trojan-related registry values from HKLM\SOFTWARE\Classes\32ndisproxy-mn and de-XORs them with a six-byte hardcoded value. It then injects the resulting Trojan executable shellcode into lsass.exe memory using Blackbone library functions.

NDISProxy works as a network traffic filter engine, filtering the traffic going through RDP port 3389 (the port number is hardcoded) and injecting messages into it.

The communication between the user-mode in-memory Trojan and the driver goes through the custom control codes used by the DeviceIoControl() Windows API function. Apart from the auxiliary codes, there are two codes worth mentioning:

Driver control code   Meaning
0x222400              Start traffic filtering at RDP port 3389
0x22240C              Inject given data into the filtered TCP stream. Used for Trojan communication with the C2

In-memory C++ Trojan

SHA256     c69121a994ea8ff188510f41890208625710870af9a06b005db817934b517bc1
MD5        6a352c3e55e8ae5ed39dc1be7fb964b1
Compiled   2018.03.26 04:15:48 (GMT)
Type       I386 Windows GUI DLL
Size       175 616

Please note that this Trojan exists in memory only; the data above describes the decrypted Windows registry content without the initial shellcode.

This RAT is decrypted by the NDISProxy driver from the system registry and injected into the lsass.exe process memory. The code starts with shellcode: instead of relying on the standard Windows portable executable loader, this malware implements the memory mapping itself.

This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands.

The Trojan is an HTTP server, allowing LAN connection. It uses a SOCKS tunneler to communicate with the C2

This Trojan is used by attackers to gather a target’s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler. This tool is publicly available and popular among Chinese-speaking actors. Given that the Trojan is an HTTPS server itself, we believe that the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.
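As an added host-triage example (not code from the Kaspersky report), the following PowerShell checks a Windows host for the NDISProxy artefacts described above: the “door” service, the installer semaphore, the registry keys holding the XOR-encrypted shellcode and the DES-encrypted configuration, the 321000 minifilter altitude and the LeagSoft certificate serial on the driver image. It assumes the default “ndisproxy-mn” names (the report says the suffix varies) and the standard minifilter Instances location for the Altitude value.

```powershell
# Added triage script (not from the report): looks for the NDISProxy artefacts on the local host.
# Assumes the configuration suffix "mn" (the report notes it varies) and the standard minifilter
# "Instances" subkey for the Altitude value. Run from an elevated PowerShell prompt.
$suffix     = 'mn'
$svc        = "ndisproxy-$suffix"
$certSerial = '7862072DDC759E5F6A614BE9B93BD521'   # LeagSoft serial from the report, spaces removed
$findings   = @()

# 1. The "door": autorun service that runs the driver
$service = Get-Service -Name $svc -ErrorAction SilentlyContinue
if ($service) { $findings += "service $svc present (status: $($service.Status))" }

# 2. Installer semaphore Global\Door-<svc> (only visible while the object is still held open)
try {
    $sem = [System.Threading.Semaphore]::OpenExisting("Global\Door-$svc")
    $sem.Dispose(); $findings += "semaphore Global\Door-$svc exists"
} catch { }

# 3. Registry: XOR-encrypted shellcode chunks xxx0..xxx2 and the DES-encrypted config value
foreach ($bits in 32, 64) {
    $key = "HKLM:\SOFTWARE\Classes\$bits$svc"
    if (Test-Path $key) {
        $vals = (Get-Item $key).GetValueNames() | Where-Object { $_ -match '^xxx\d$' }
        $findings += "key $key present, shellcode values: $($vals -join ', ')"
    }
}
$cfgKey = "Registry::HKEY_CLASSES_ROOT\$svc"
if ((Test-Path $cfgKey) -and ((Get-Item $cfgKey).GetValueNames() -contains "filterpd-$svc")) {
    $findings += "config value filterpd-$svc present under HKCR\$svc"
}

# 4. Service registration: Altitude 321000 (FSFilter Anti-Virus range) and the driver's signer
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
if (Test-Path $svcKey) {
    $alt = Get-ChildItem "$svcKey\Instances" -ErrorAction SilentlyContinue |
           ForEach-Object { (Get-ItemProperty $_.PSPath).Altitude } | Where-Object { $_ -eq '321000' }
    if ($alt) { $findings += "minifilter altitude 321000 registered for $svc" }
    $img = (Get-ItemProperty $svcKey).ImagePath -replace '^\\\?\?\\', ''
    if ($img -and $img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:SystemRoot ($img -replace '^\\?SystemRoot\\?', '') }
    if ($img -and (Test-Path $img)) {
        $sig = Get-AuthenticodeSignature -FilePath $img
        # Many legitimate LeagSoft files carry this certificate: a serial match corroborates, it does not convict.
        if ($sig.SignerCertificate -and $sig.SignerCertificate.SerialNumber -eq $certSerial) {
            $findings += "driver $img is signed with the LeagSoft certificate serial from the report"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } } else { Write-Output "No NDISProxy artefacts found for suffix '$suffix'." }
```

Adjust $suffix and rerun for each name variant in use, since every artefact name derives from the dropper’s configuration.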

Who’s behind it and why?

We found that this campaign targeted Central Asian government entities. We believe the attack was highly targeted and was linked to a high-level meeting. We assess with high confidence that the Chinese-speaking LuckyMouse actor is responsible for this new campaign using the NDISProxy tool described in this report.

In particular, the choice of the Earthworm tunneler is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (“-s rssocks -d 103.75.190[.]28 -e 443”) creates a tunnel to a previously known LuckyMouse C2. The choice of victims in this campaign also aligns with the previous interests shown by this actor.

Consistent with current trends

We have observed a gradual shift in several Chinese-speaking campaigns towards a combination of publicly available tools (such as Metasploit or CobaltStrike) and custom malware (like the C++ last stage RAT described in this report). We have also observed how different actors adopt code from GitHub repositories on a regular basis. All this combines to make attribution more difficult.

This campaign appears to demonstrate once again LuckyMouse’s interest in Central Asia and the political agenda surrounding the Shanghai Cooperation Organization.

Indicators of Compromise

Note: The indicators in this section are valid at the time of publication. Any future changes will be updated directly in the corresponding .ioc file.

File Hashes

Auxiliary Earthworm SOCKS tunneler and Scanline network scanner

Domains and IPs

Registry keys and values

Driver certificate

A lot of legitimate LeagSoft products are signed with the following certificate. Please don’t consider all signed files as malicious.

Subject         ShenZhen LeagSoft Technology Co.,Ltd.
Serial number   78 62 07 2d dc 75 9e 5f 6a 61 4b e9 b9 3b d5 21
Issuer          VeriSign Class 3 Code Signing 2010 CA
Valid to        2018-07-19

Monday review – the hot 24 stories of the week

Sophos Naked Security - 10 September 2018 - 11:22
From Google buying Mastercard card records and Google warning users of FBI snooping to Chrome making it harder to use Flash, and more!

VB2018: last-minute talks announced

Virus Bulletin News - 10 September 2018 - 07:46
We are excited to announce the final additions to the VB2018 programme in the form of 10 'last-minute' papers covering up-to-the-minute research and hot topics and two more invited talks.

Category: Viruses and Worms

Gits exposed, kinky app devs spanked, Feds spy on spyware buyers, etc

The Register - Anti-Virus - 8 September 2018 - 11:46
Mac APT unearthed and other infosec bits and bytes summarized just for you

Roundup This week brought with it Supermicro shoring up firmware security, a North Korean hacking charge, and a spying anti-adware macOS tool getting yanked by Apple from its App Store. Elsewhere, we had……

Category: Viruses and Worms

‘Domestic Kitten’ Mobile Spyware Campaign Aims at Iranian Targets - 7 September 2018 - 23:11
Spreading via fake Android apps, the malware lifts a range of sensitive information from victims' devices.
Category: Viruses and Worms

Dear America: Want secure elections? Stick to pen and paper for ballots, experts urge

The Register - Anti-Virus - 7 September 2018 - 22:39
Computer voting not yet ready for prime time, say boffins

The upcoming 2020 US presidential election should be conducted on paper, since there is no way currently to make electronic and internet voting secure.…

Category: Viruses and Worms

Top antivirus tool nuked from macOS App Store – after it phoned browser histories to China

The Register - Anti-Virus - 7 September 2018 - 21:58
Caution urged on downloads after Apple tears down utility

Apple has removed an app called Adware Doctor:Anti Malware &Ad from the macOS App Store following claims it sent users' browser histories to a remote server in China.…

Category: Viruses and Worms

Silicon Valley CEO admits $1.5m wire fraud: Bouxtie boss forged signatures to investors

The Register - Anti-Virus - 7 September 2018 - 21:39
When I said I have $2m in the bank...

Bouxtie had everything you can dream of in a Silicon Valley startup. A stupid name (it's pronounced "bow-tie"), a vastly over-confident CEO with a story, millions in VC money, and a nonsensical business model built around an app.…

Category: Viruses and Worms

Open .Git Directories Leave 390K Websites Vulnerable - 7 September 2018 - 21:01
An exhaustive scan shows hundreds of thousands of websites potentially exposing sensitive data such as database passwords, API keys and so on.
Category: Viruses and Worms

Revealed: British Airways was in talks with IBM on outsourcing security just before hack

The Register - Anti-Virus - 7 September 2018 - 18:20
El Reg leaked memo sent weeks before crooks swiped payment cards

Exclusive Just weeks before being hacked in late August, British Airways' parent IAG was planning to outsource its cybersecurity to IBM, admitting it needed a "group-wide strategic and proactive approach" to counter threats.…

Category: Viruses and Worms

British Airways Website, Mobile App Breach Compromises 380k - 7 September 2018 - 17:36
The airline said information like name, address and bank card details like CVC code were compromised.
Category: Viruses and Worms

Feel the shame: Email-scammed staffers aren't telling bosses about it

The Register - Anti-Virus - 7 September 2018 - 16:13
Fraud on rise and IT workers (of all people) most susceptible

The number of UK companies on the receiving end of business scams involving email has risen by nearly two-thirds – 58 per cent – in the last year, new data from Lloyds Bank has revealed.…

Category: Viruses and Worms

Threatpost News Wrap Podcast For Sept. 7 - 7 September 2018 - 16:00
The Threatpost team breaks down the biggest news from the week ended Sept. 7.
Category: Viruses and Worms

Teen hacker admits to SWATting schools, airline flight

Sophos Naked Security - 7 September 2018 - 15:18
The teenager made bomb threats to schools, and to a flight between the UK and San Francisco while it was in mid-air.

Former NASA contractor arrested on charges of sextorting seven women

Sophos Naked Security - 7 September 2018 - 15:16
Richard Gregory Bauer allegedly weaseled private information out of the women on Facebook by pretending to be working on a class project.