Consumer cyberthreats: predictions for 2024
In our previous summary of consumer predictions, we delved into tactics that we expected scammers and cybercriminals to use in 2023. As anticipated, they capitalized on major events and cultural crazes, using tricks that ranged from fake Barbie doll deals to exploiting the buzz around long-awaited video game releases, for example, by disguising malware as a cracked Hogwarts Legacy version, a classic move we have seen for years.
Cybercriminals continued targeting gamers’ accounts filled with valuable in-game items or giving access to games on several devices, and often used in-game currency to lure victims to participate in their scams. However, our prediction of continued console shortage spurred by the release of the PS5 VR set by Sony was not fulfilled, as the company announced in January the shortage was over.
Although we anticipated the arrival of a new social network to shake up the scene, none materialized. Instead, ChatGPT turned out to be the major tech revelation. Recognizing the heightened interest in new tech, cybercriminals cleverly targeted a broader potential audience with a stealer disguised as a ChatGPT desktop app. As ChatGPT went viral, other chatbots powered by generative AI appeared, and these technologies were quickly adopted as assistants in diverse areas including education. Teachers now use tools based on large language models (LLM) to create lesson plans, math word problems, and email to communicate with parents. Students use these tools in their hobbies and homework, and entrust their mental health to ChatGPT-like bots.
Speaking of education, although 2023 saw ransomware attacks against schools, university data breaches (including those occurring through third-party platforms), and traditional back-to-school scams, we have not seen a significant surge in attacks on educational platforms or learning management systems (LMS) so far in 2023, so that prediction was only partially fulfilled. Neither have we seen any significant evolution of gamification in education, which makes the prediction false for now, although we may still see it come true in the long term.
As the initial Metaverse excitement took a backseat to AI, the threat landscape was milder than expected. Yet a breach at a metaverse company that led to malicious emails being sent out to its users hinted at ongoing risks. Despite the fact that our predictions regarding the Metaverse did not fully materialize in 2023, we reiterate what we said earlier, as we consider this a long-term trend. Mark Zuckerberg’s recent interview in the Metaverse revived consumer interest in this topic, potentially luring cyber-troublemakers. We foresee this trend continuing, which will emphasize the need for a decision-making policy on emerging metaverses.
Although we have not seen any cases of cybercriminals targeting mental health apps in 2023, their security was discussed from a variety of perspectives. In March, a mental health startup disclosed that it inadvertently had been exposing personally identifiable information about more than 3 million people to third-party entities. In May, Mozilla published an extensive study on mental health app privacy, demonstrating that there was considerable room for improvement.
As we look to 2024, we believe that the consumer threat landscape will be heavily influenced by political, cultural, and technological events and trends. Below, we share our insights into potential consumer threats in the upcoming year.
Consumer threat predictions for 2024
More charity scams coming
Climate disasters, the pandemic, and numerous military conflicts worldwide are thrusting people into challenging life situations. Charitable foundations and activists step in to provide financial and humanitarian aid. The noble desire to assist those in need becomes a breeding ground for scammers who exploit the generosity of some and the problems of others. According to the United Nations, 2023 marked the year with the highest number of violent conflicts since World War II, and the prospects for resolving many of these remain unclear. Unfortunately, this ambiguity sets the stage for an anticipated increase in charity-related scams in 2024.
Not just threats: collaboration of online stores and charities
Just a few years ago, donations required separate transactions to distinct organizations on different websites. However, the current trend showcases a growing popularity of collaborations between online services and charitable foundations. For instance, when making an online store purchase, rounding up the amount automatically channels the additional funds to a charity. This streamlined donation process both makes donating more accessible and generates higher amounts in aid. It is highly likely that the near future will see an uptick in collaboration between online stores and charitable foundations.
Internet segmentation
Amid growing geopolitical tensions, some web resources have blocked users from certain countries and regions. There are two main reasons for that: political pressure and DDoS attacks. In the first case, website owners residing in certain countries involved in a geopolitical conflict are forced to lock their political opponents out of their content. In the other case, organizations use geofencing to protect their resources from DDoS attacks. Whichever the reason, this leads to the segmentation of the internet, which damages the availability of information. Unfortunately, we expect this trend to continue in 2024, with more websites to be geofenced, which will make searching for information more complicated.
VPN services on the rise
A VPN creates an encrypted tunnel that effectively conceals user traffic from internet service providers and potential snoopers, thus reducing the number of parties that can access user data even on public Wi-Fi. Just a few years ago, the term was mostly understood by tech specialists and enthusiasts. However, with an increase in cyberliteracy, more individuals are now actively seeking ways to protect their personally identifiable information.
Additionally, current international conflicts have heightened national security concerns, which led to growing interest from government organizations and law enforcement agencies in detecting suspicious user data. Cognizant of these measures, individuals may perceive a potential impact on their data privacy and thus turn to robust privacy solutions like VPN.
Besides enhancing user privacy, VPN also addresses issues like internet segmentation and website geofencing, which are often consequences of geopolitical changes. These practices restrict access to information by location, but certain VPN clients can break through these barriers, allowing broader access to information.
As a result, demand for VPN solutions is expected to see a significant rise globally in the upcoming year.
Security over user comfort to spawn new security issues
In recent years, security concerns have prompted certain countries and territories to ban popular apps. For instance, in May 2023, the Montana governor signed a bill prohibiting all TikTok usage in the state starting in January 2024. This social media app is also banned from government devices in a number of countries worldwide. In Canada, a similar ban on the WeChat messenger was introduced in October.
While the stated goal of this policy is to protect sensitive data, banning popular apps may prove counterproductive. In the absence of TikTok and WeChat, demand for custom mods and unofficial alternatives may increase, likely to be exploited by cybercriminals. Malicious clones of the banned apps may rise to fill the void in 2024. We expect such attacks to become a trend in the near future.
P2E in cybercriminals’ sights
The play-to-earn (P2E) gaming sector, which draws millions of players, involves earning real-world values like cryptocurrency through active participation in games. Given the substantial investment and the appeal of making money in P2E games, cybercriminals are poised to escalate their focus on exploiting this sector. The theft of $620 million worth of crypto from Axie Infinity is indicative, and we anticipate further incidents in the future.
The recent surge in Bitcoin’s rate, coupled with the allure of easy money-making through gaming, might draw increased attention from cybercriminals, positioning P2E players as a prime target. Heightened security measures and player education are imperative to shield the expanding P2E ecosystem from the escalating cyberthreats it faces.
Universal deepfake check tool
The evolution of deepfake technology, once a cause for widespread concern, has progressed significantly. Despite initial attempts to combat this phenomenon, the increasing quality of deepfakes has compelled society to reluctantly acknowledge its existence as a significant cyberthreat, which underscores an urgent need for a quick and reliable means of checking the authenticity of visual content.
This trajectory is anticipated to continue, and in the near future, the potential for a more high-profile incident, linked to a major deepfake campaign involving political figures or celebrities, could stimulate the creation of a universal, user-friendly tool, which would empower individuals to verify the authenticity of any image, video or audio content.
Voice deepfakes on the rise
In addition to already-familiar image deepfakes, voice cloning represents a major development pathway. Highly disruptive attacks, such as the 2020 incident at a UAE bank, have underscored the potential of voice deepfakes as a cybercrime tool.
As demonstrated by OpenAI’s latest presentation on voice assistants, the company’s advances in artificial voice content could contribute to progress. However, the technology could be exploited by fraudsters. Potential exploitation could lead to even more accessible deceptive content being created. A surge in the development of voice fakes is anticipated, and this evolution of deepfake technology is expected to continue.
Scammers go after premieres
As blockbuster movies like Dune: Part Two, Deadpool 3, Joker 2, Gladiator 2, and Avatar 3 move closer to hitting the screens, expect a surge in scams. Hollywood actors’ recent strike may have the pirating of “hot new films” as one of its side-effects, creating an ideal environment for a multitude of phishing sites. These deceptive platforms will claim to offer exclusive access, taking advantage of viewers’ eagerness to watch the highly anticipated releases.
The trend is not limited to film premieres. GTA VI, slated for release in 2024, is poised to be next year’s biggest gaming highlight. Just like GTA V before it, this will be an online game that uses in-game currency, and it will likely attract scammers. Classic schemes that involve pre-order keys and seemingly enticing prices will resurface as the gaming community welcomes the release of this highly awaited title.
HrServ – Previously unknown web shell used in APT attack
In the course of our routine investigation, we discovered a DLL file, identified as hrserv.dll, which is a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution. Our analysis of the sample led to the discovery of related variants compiled in 2021, indicating a potential correlation between these separate occurrences of malicious activity.
Initial infection
According to our telemetry data, the PAExec.exe process initiates the creation of a scheduled task on the system named MicrosoftsUpdate (sic), which in turn is designed to execute a .BAT file.
"schtasks" /create /sc DAILY /tn MicrosoftsUpdate /tr "$system32\cmd.exe /c $public\JKNLA.bat $public\hrserv.dll" /ru system /f
The .BAT file accepts the path of a DLL file as an argument. In this instance, the script is provided with the file $public\hrserv.dll, which is then copied to the System32 directory. After this operation, the script configures a service via the system registry and the sc utility. It then activates the newly created service.
HrServ web shell
MD5: 418657bf50ee32acc633b95bac4943c6
SHA1: cb257e00a1082fc79debf9d1cb469bd250d8e026
SHA256: 8043e6c6b5e9e316950ddb7060883de119e54f226ab7a320b743be99b9c10ec5
Link time: 2023-Aug-30 08:28:15
File type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Compiler: Microsoft Visual C/C++ (2015 v.14.0)
The sequence of operations starts with the registration of a service handler. HrServ then initiates an HTTP server utilizing the HTTP server API for its functionality. It calls the HttpAddUrlToGroup function to register the following URL so that matching requests are routed to the request queue.
http://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/
Client-server communication uses custom encoding techniques that include Base64 encoding and FNV1A64 hashing algorithms.
Based on the type and information within an HTTP request, specific functions are activated. These functions are distinguished by the GET parameter named cp. In addition, the DLL file utilizes the value of the NID cookie for various purposes. The use of the GET parameter pattern and the cookie value is consistent with practices employed by Google. We suspect that this intentional similarity in naming conventions is intended to disguise these requests in network traffic, making it more challenging to detect such malicious activity.
An example of such a request would be:
&cp=1&client=desktop-gws-wiz-on-focus-serp&xssi=t&hl=en-TW&authuser=0&pq=
| Request type | cp value | Description |
| --- | --- | --- |
| GET | 0 | Call VirtualAlloc and copy a custom decoded NID cookie value, then create a new thread. |
| POST | 1 | Create a file using the custom decoded NID cookie value and write the custom decoded POST data to that file. |
| GET | 2 | Read a file using the custom decoded NID cookie value and return it as a response by appending it to the end of the “data:image/png;base64” string. If an error occurs while reading the file, HrServ responds with the string data:image/png;base64,c3Dlc+DheRzlKBV2Yh92KS//; |
| GET | 4 | Return Outlook Web App HTML data. |
| POST | 6 | Call VirtualAlloc and copy the custom decoded POST data, then create a new thread. |
| GET | 7 | Return Outlook Web App HTML data [Duplicate]. |
Code execution
If the cp value in the request is 6, this indicates a code execution process.
- Initially, it extracts the value of the NID cookie and applies its custom decoding technique
- It writes this decoded value to the specified registry path, denoted as “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\RemoteFile”
- The custom-decoded POST data is then copied to the memory, after which a new thread is created and the process enters a sleep state.
In a particular observed scenario, the cp value is unknown. A multifunctional implant is activated in the system memory. The implant creates a file in the directory “%temp%”, retrieves information from the registry, performs some actions based on this information, and records the output of these actions in the created file. As a result, the registry and the temporary file are used as a communication channel between the implant and HrServ.
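The request pattern and cp-value table above translate directly into a log-based detection. The following Python detector is an added example and is not code from the Securelist report: the URL prefixes, parameter names and fixed read-error body come from the report, while the access-log format (METHOD URL "Cookie header" Host), the log lines and the severity labels are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# cp value -> behaviour, as described in the HrServ analysis.
CP_ACTIONS = {
    "0": "GET: decode NID cookie into allocated memory, start a thread",
    "1": "POST: write decoded POST body to a file named by the decoded NID cookie",
    "2": "GET: read the file named by the decoded NID cookie, return it as data:image/png;base64",
    "4": "GET: return Outlook Web App HTML (decoy)",
    "6": "POST: decode POST body into allocated memory, start a thread (code execution)",
    "7": "GET: return Outlook Web App HTML (decoy)",
}
# HrServ URL prefixes (2023 sample and 2021 variants) and its fixed file-read error body, from the report.
HRSERV_PATHS = ("/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/", "/OWA/MSEXCHANGESERVICE.SVC")
HRSERV_READ_ERROR = "data:image/png;base64,c3Dlc+DheRzlKBV2Yh92KS//"
# Constructed access-log format (assumption): METHOD URL "Cookie header" Host
LOG_RE = re.compile(r'^(?P<method>GET|POST) (?P<url>\S+) "(?P<cookie>[^"]*)" (?P<host>\S+)$')

def parse_line(line):  # one log line -> dict with method, path, query, cookies, host (or None)
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    rec["cookies"] = dict(c.strip().split("=", 1) for c in rec["cookie"].split(";") if "=" in c)
    return rec

def classify(rec):
    """Return (severity, reasons) for a parsed request, or None if nothing matched."""
    reasons = []
    path_hit = rec["path"].upper().startswith(HRSERV_PATHS)
    if path_hit:
        reasons.append("request to a URL prefix registered by HrServ")
    cp = rec["query"].get("cp")
    # Google uses cp, hl and NID legitimately; the same names on any other host are the tell.
    if cp in CP_ACTIONS and "NID" in rec["cookies"] and not rec["host"].endswith("google.com"):
        reasons.append("Google-style cp parameter and NID cookie on a non-Google host")
        reasons.append("cp=%s -> %s" % (cp, CP_ACTIONS[cp]))
        if rec["query"].get("hl") == "en-TW":
            reasons.append("hl=en-TW matches the observed HrServ request")
    if not reasons:
        return None
    return ("high" if path_hit or cp == "6" else "medium"), reasons

def is_hrserv_read_error(body):  # True if a response body is HrServ's fixed read-error string
    return body.strip().rstrip(";") == HRSERV_READ_ERROR

def scan(lines):  # (method, path, severity, reasons) for every suspicious log line
    recs = [r for r in map(parse_line, lines) if r]
    return [(r["method"], r["path"]) + classify(r) for r in recs if classify(r)]

# Constructed sample lines: two HrServ-style requests, one mimic on a decoy OWA path, one benign Google hit.
SAMPLE_LOG = [
    'GET /FC4B97EB-2965-4A3B-8BAD-B8172DE25520/?cp=2&client=desktop-gws-wiz-on-focus-serp&xssi=t&hl=en-TW&authuser=0&pq= "NID=511=aGVsbG8" 10.0.0.5',
    'POST /FC4B97EB-2965-4A3B-8BAD-B8172DE25520/?cp=6&client=desktop-gws-wiz-on-focus-serp&xssi=t&hl=en-TW&authuser=0&pq= "NID=511=aGVsbG8" 10.0.0.5',
    'GET /owa/auth.owa?cp=0&hl=en-TW "NID=511=aGVsbG8" mail.example.local',
    'GET /search?q=hrserv&cp=1&hl=en "NID=511=aGVsbG8" www.google.com',
]
```

Pairing the request-side matches with is_hrserv_read_error() on response bodies catches the cp=2 read path even when the NID value itself is opaque.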
Available commands of the memory implant
Based on our telemetry data, after successfully establishing a foothold and placing the memory implant in the system memory, the next actions are to erase the previously existing traces by deleting the scheduled “MicrosoftsUpdate” job and both the initial DLL and batch files:
schtasks /delete /tn MicrosoftsUpdate /f
cmd /c "del /f/s/q $public\hrserv.dll & del /f/s/q $public\JKNLA.bat"
Older variants
We have also discovered earlier, differently named variants of HrServ. These DLL files date back to early 2021. They also use the custom encoding algorithm and behave the same way after a file read error. However, there are subtle differences.
- The web shell URL of these older variants differs from the current one:
https://+:443/owa/MSExchangeService.svc
- These samples exhibit a distinct behavior by creating a process and retrieving its output through a pipe, as opposed to allocating a memory section and creating a thread from it.
The only known victim according to our telemetry is a government entity in Afghanistan.
Attribution
The TTPs analyzed in this investigation are not associated with any known threat actors we are tracking, but there are a few things that we observed:
- The GET parameters used in the hrserv.dll file, which are used to mimic Google services, include “hl”. This specifies the host language of the user interface. Although this parameter has no functionality within the attack vector, the assigned value “en-TW” specifies that the Google search interface should be displayed in English, but the search results should be displayed in Traditional Chinese:
&cp=1&client=desktop-gws-wiz-on-focus-serp&xssi=t&hl=en-TW&authuser=0&pq=
- The samples include help strings for specific conditions, in English. We saw multiple typos that suggest the actor behind the samples is not a native English speaker.
An error message with a typo
Conclusion
The analyzed sample represents a capable web shell. Based on the compile timestamps, its origins date back to at least 2021. This sophisticated malware variant exhibits the ability to initiate in-memory executions. In the observed scenario, communication is established through registry manipulations and temporary files.
Notably, the web shell and memory implant use different strings for specific conditions. In addition, the memory implant features a meticulously crafted help message. Considering these factors, the malware’s characteristics are more consistent with financially motivated malicious activity. However, its operational methodology exhibits similarities with APT behavior. Despite the malware’s prolonged activity over several years, multiple instances involving these samples have not been documented. Our efforts are ongoing as we continue to monitor related activity, with the goal of unraveling the mystery in future investigations.
Indicators of compromise
File hashes
b9b7f16ed28140c5fcfab026078f4e2e
418657bf50ee32acc633b95bac4943c6
d0fe27865ab271963e27973e81b77bae
890fe3f9c7009c23329f9a284ec2a61b