Kategorie

An ongoing espionage campaign operated by the Russia-linked Gamaredon group is targeting employees of Ukrainian government, defense, and law enforcement agencies with a piece of custom-made information stealing malware. "The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine," Cisco Talos researchers Asheer Malhotra and Guilherme Venere said in a Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com

Companies are in the midst of an employee "turnover tsunami" with no signs of a slowdown. According to Fortune Magazine, 40% of the U.S. is considering quitting their jobs. This trend – coined the great resignation - creates instability in organizations. High employee turnover increases security risks, and companies are more vulnerable to attacks from human factors worldwide.  At Davos 2022, The Hacker Newshttp://www.blogger.com/profile/16801458706306167627noreply@blogger.com

A threat actor tracked under the moniker Webworm is taking advantage of bespoke variants of already existing Windows-based remote access trojans to fly under the radar, some of which are said to be in pre-deployment or testing phases. "The group has developed customized versions of three older remote access trojans (RATs), including Trochilus RAT, Gh0st RAT, and 9002 RAT," the Symantec Threat Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com

UPD: A notice on Google’s response to the issue was added.

An unusual malicious bundle (a collection of malicious programs distributed in the form of a single installation file, self-extracting archive or other file with installer-type functionality) recently caught our eye. Its main payload is the widespread RedLine stealer. Discovered in March 2020, RedLine is currently one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers. It is openly available on underground hacker forums for just a few hundred dollars, a relatively small price tag for malware.

The stealer can pinch usernames, passwords, cookies, bank card details and autofill data from Chromium- and Gecko-based browsers, data from cryptowallets, instant messengers and FTP/SSH/VPN clients, as well as files with particular extensions from devices. In addition, RedLine can download and run third-party programs, execute commands in cmd.exe and open links in the default browser. The stealer spreads in various ways, including through malicious spam e-mails and third-party loaders.

The bundle: what’s inside beside RedLine

In addition to the payload itself, the discovered bundle is of note for its self-propagation functionality. Several files are responsible for this, which receive videos, and post them to the infected users’ YouTube channels along with the links to a password-protected archive with the bundle in the description. The videos advertise cheats and cracks and provide instructions on hacking popular games and software. Among the games mentioned are APB Reloaded, CrossFire, DayZ, Dying Light 2, F1® 22, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Osu!, Point Blank, Project Zomboid, Rust, Sniper Elite, Spider-Man, Stray, Thymesia, VRChat and Walken. According to Google, the hacked channels were quickly terminated for violation of the company’s Community Guidelines.

Examples of videos spreading the bundle

The original bundle is a self-extracting RAR archive containing a number of malicious files, clean utilities and a script to automatically run the unpacked contents. Because of the expletives used by the bundle’s creators, we had to hide some file names.

Contents of the self-extracting archive

Right after unpacking, three executable files are run: cool.exe, ***.exe and AutoRun.exe. The first is the RedLine stealer mentioned above. The second is a miner, which makes sense, since the main target audience, judging by the video, is gamers — who are likely to have video cards installed that can be used for mining. The third executable file copies itself to the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory, which ensures automatic startup and runs the first of the batch files.

The batch files, in turn, run three other malicious files: MakiseKurisu.exe, download.exe and upload.exe. These are the files responsible for the bundle’s self-distribution. On top of that, one of the batch files runs the nir.exe utility, which lets malicious executable files run without displaying any windows or taskbar icons.

Contents of the first and second batch files

The size of the download.exe file is an impressive 35 MB. However, it’s basically a regular loader whose purpose is to download videos for uploading to YouTube, as well as files with the description text and links to the malicious archive. The executable file is large because it is a NodeJS interpreter glued together with the scripts and dependencies of the main application. The malware takes the file download links from a GitHub repository. In the latest modifications, a 7-Zip archive with videos and descriptions organized into directories is downloaded. The archive is unpacked using the console version of 7-Zip, included in the bundle.

Contents of the 7-Zip archive

MakiseKurisu.exe is a password stealer written in C# and modified to suit the needs of the bundle’s creators. The source code from GitHub was likely taken as the basis: the file contains many standard stealer features that are not used in any way. These include checking for a debugger and for a virtual environment, sending information about the infected system to instant messengers, and stealing passwords.

So, what remains and what do the changes amount to? The only working function in MakiseKurisu.exe is extracting cookies from browsers and storing them in a separate file without sending the stolen data anywhere. It is precisely through cookies that the bundle gains access to the infected user’s YouTube account, where it uploads the video.

The last malicious file in the bundle is upload.exe, which uploads the video previously downloaded using download.exe, to YouTube. This file is also written in NodeJS. It uses the Puppeteer Node library, which provides a high-level API for managing Chrome and Microsoft Edge using the DevTools protocol. When the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video.

Code for video uploading

Code for sending notification to Discord

Conclusion

Cybercriminals actively hunt for gaming accounts and gaming computer resources. As we noted in our overview of gaming-related cyberthreats, stealer-type malware is often distributed under the guise of game hacks, cheats and cracks. The self-spreading bundle with RedLine is a prime example of this: cybercriminals lure victims with ads for cracks and cheats, as well as instructions on how to hack games. At the same time, the self-propagation functionality is implemented using relatively unsophisticated software, such as a customized open-source stealer. All this is further proof, if any were needed, that illegal software should be treated with extreme caution.

IoC

MD5 hashes
32dd96906f3e0655768ea09d11ea6150
1d59f656530b2d362f5d540122fb2d03
6ebe294142d34c0f066e070560a335fb
64b4d93889661f2ff417462e95007fb4
b53ea3c1d42b72b9c2622488c5fa82ed
ac56f398a5ad9fb662d8b04b61a1e4c5
f80abd7cfb638f6c69802e7ac4dcf631
e59e63cdaec7957e68c85a754c69e109
9194c2946e047b1e5cb4865a29d783f4
f9d443ad6937724fbd0ca507bb5d1076
7cd4f824f61a3a05abb3aac40f8417d4

Links to archives with the original bundle
hxxps://telegra[.]ph/2022-July-07-27
hxxps://telegra[.]ph/DayZ-Eazy-Menu-06-24
hxxps://telegra[.]ph/Cossfire-cheat-06-24
hxxps://telegra[.]ph/APB-Reloaded-hack-05-29
hxxps://telegra[.]ph/Forza-Horizon-5-Hack-Menu-07-13
hxxps://telegra[.]ph/Point-Blank-Cheat-05-29
hxxps://telegra[.]ph/Project-Zomboid-Private-Cheat-06-26
hxxps://telegra[.]ph/VRChat-Cheat-04-24

Links to GitHub
hxxps://github[.]com/AbdulYaDada/fdgkjhfdguoerldifgj
hxxps://raw.githubusercontent[.]com/AbdulYaDada/fdgkjhfdguoerldifgj/

RedLine C2
45.150.108[.]67:80

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets trackedRavie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com

The operators behind the Lornenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities. "Initial malicious activity originated from a Mitel appliance sitting on the network perimeter," researchers from cybersecurity firm Arctic Wolf said in a report Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com

As IT workers continue their daunting job of protecting network users from bad guys, a few new tools might help stem the tide of vulnerabilities that continue to link open source and proprietary software.

Virtual private networks, or VPNs, have gained popularity, especially among enterprises, since they offer high security without sacrificing convenience. One of the most economical cybersecurity choices available today, they are simple to set up and utilize.

Útočníci neustále hledají cesty, jak lidem do počítačů dostat malware, čím nenápadnější způsob, tím lepší. Nově se proto začali zaměřovat i na GIFy, které si mezi sebou posílají lidé v Microsoft Teams. Zneužili několik chyb v komunikační platformě a do animovaných obrázků umístili škodlivý kód, ...

A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, underscoring the cross-platform abilities of the implant.  Slovak cybersecurity firm ESET, which detected the malware in the university's network, attributed the backdoor to a nation-state actor dubbed SparklingGoblin. The unnamed university is said to have been already targeted by the Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com

Based on the findings of Malwarebytes' Threat Review for 2022, 40 million Windows business computers' threats were detected in 2021. In order to combat and avoid these kinds of attacks, malware analysis is essential. In this article, we will break down the goal of malicious programs' investigation and how to do malware analysis with a sandbox. What is malware analysis?  Malware analysis is a The Hacker Newshttp://www.blogger.com/profile/16801458706306167627noreply@blogger.com

Palo Alto Networks Unit 42 has detailed the inner workings of a malware called OriginLogger, which has been touted as a successor to the widely used information stealer and remote access trojan (RAT) known as Agent Tesla. A .NET based keylogger and remote access, Agent Tesla has had a long-standing presence in the threat landscape, allowing malicious actors to gain remote access to targeted Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks. Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com

A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites. Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com

Simple but super-sneaky - use a picture of a browser, and convince people it's real...

Posted by Adrian Taylor, Bartek Nowierski and Kentaro Hara on behalf of the MiraclePtr team

Memory safety bugs are the most numerous category of Chrome security issues and we’re continuing to investigate many solutions – both in C++ and in new programming languages. The most common type of memory safety bug is the “use-after-free”. We recently posted about an exciting series of technologies designed to prevent these. Those technologies (collectively, *Scan, pronounced “star scan”) are very powerful but likely require hardware support for sufficient performance.

Today we’re going to talk about a different approach to solving the same type of bugs.

It’s hard, if not impossible, to avoid use-after-frees in a non-trivial codebase. It’s rarely a mistake by a single programmer. Instead, one programmer makes reasonable assumptions about how a bit of code will work, then a later change invalidates those assumptions. Suddenly, the data isn’t valid as long as the original programmer expected, and an exploitable bug results.

These bugs have real consequences. For example, according to Google Threat Analysis Group, a use-after-free in the ChromeHTML engine was exploited this year by North Korea.

Half of the known exploitable bugs in Chrome are use-after-frees:

Diving Deeper: Not All Use-After-Free Bugs Are Equal

Chrome has a multi-process architecture, partly to ensure that web content is isolated into a sandboxed “renderer” process where little harm can occur. An attacker therefore usually needs to find and exploit two vulnerabilities - one to achieve code execution in the renderer process, and another bug to break out of the sandbox.

The first stage is often the easier one. The attacker has lots of influence in the renderer process. It’s easy to arrange memory in a specific way, and the renderer process acts upon many different kinds of web content, giving a large “attack surface” that could potentially be exploited.

The second stage, escaping the renderer sandbox, is trickier. Attackers have two options how to do this:

1. They can exploit a bug in the underlying operating system (OS) through the limited interfaces available inside Chrome’s sandbox.
2. Or, they can exploit a bug in a more powerful, privileged part of Chrome - like the “browser” process. This process coordinates all the other bits of Chrome, so fundamentally has to be all-powerful.

We imagine the attackers squeezing through the narrow part of a funnel: If we can reduce the size of the narrow part of the funnel, we will make it as hard as possible for attackers to assemble a full exploit chain. We can reduce the size of the orange slice by removing access to more OS interfaces within the renderer process sandbox, and we’re continuously working on that. The MiraclePtr project aims to reduce the size of the blue slice.

Here’s a sample of 100 recent high severity Chrome security bugs that made it to the stable channel, divided by root cause and by the process they affect.

You might notice:

• This doesn’t quite add up to 100 - that’s because a few bugs were in other processes beyond the renderer or browser.
• We claimed that the browser process is the more difficult part to exploit, yet there are more potentially-exploitable bugs! That may be so, but we believe they are typically harder to exploit because the attacker has less control over memory layout.

As you can see, the biggest category of bugs in each process is: V8 in the renderer process (JavaScript engine logic bugs - work in progress) and use-after-free bugs in the browser process. If we can make that “thin” bit thinner still by removing some of those use-after-free bugs, we make the whole job of Chrome exploitation markedly harder.

MiraclePtr: Preventing Exploitation of Use-After-Free Bugs

This is where MiraclePtr comes in. It is a technology to prevent exploitation of use-after-free bugs. Unlike aforementioned *Scan technologies that offer a non-invasive approach to this problem, MiraclePtr relies on rewriting the codebase to use a new smart pointer type, raw_ptr<T>. There are multiple ways to implement MiraclePtr. We came up with ~10 algorithms and compared the pros and cons. After analyzing their performance overhead, memory overhead, security protection guarantees, developer ergonomics, etc., we concluded that BackupRefPtr was the most promising solution.

The BackupRefPtr algorithm is based on reference counting. It uses support of Chrome's own heap allocator, PartitionAlloc, which carves out a little extra space for a hidden reference count for each allocation. raw_ptr<T> increments or decrements the reference count when it’s constructed, destroyed or modified. When the application calls free/delete and the reference count is greater than 0, PartitionAlloc quarantines that memory region instead of immediately releasing it. The memory region is then only made available for reuse once the reference count reaches 0. Quarantined memory is poisoned to further reduce the likelihood that use-after-free accesses will result in exploitable conditions, and in hope that future accesses lead to an easy-to-debug crash, turning these security issues into less-dangerous ones.

class A { ... };
class B {
B(A* a) : a_(a) {}
void doSomething() { a_->doSomething(); }
raw_ptr<A> a_; // MiraclePtr
};

std::unique_ptr<A> a = std::make_unique<A>();
std::unique_ptr<B> b = std::make_unique<B>(a.get());
[…]
a = nullptr; // The free is delayed because the MiraclePtr is still pointing to the object.
b->doSomething(); // Use-after-free is neutralized.

We successfully rewrote more than 15,000 raw pointers in the Chrome codebase into raw_ptr<T>, then enabled BackupRefPtr for the browser process on Windows and Android (both 64 bit and 32 bit) in Chrome 102 Stable. We anticipate that MiraclePtr meaningfully reduces the browser process attack surface of Chrome by protecting ~50% of use-after-free issues against exploitation. We are now working on enabling BackupRefPtr in the network, utility and GPU processes, and for other platforms. In the end state, our goal is to enable BackupRefPtr on all platforms because that ensures that a given pointer is protected for all users of Chrome.

Balancing Security and Performance

There is no free lunch, however. This security protection comes at a cost, which we have carefully weighed in our decision making.

Unsurprisingly, the main cost is memory. Luckily, related investments into PartitionAlloc over the past year led to 10-25% total memory savings, depending on usage patterns and platforms. So we were able to spend some of those savings on security: MiraclePtr increased the memory usage of the browser process 4.5-6.5% on Windows and 3.5-5% on Android1, still well below their previous levels. While we were worried about quarantined memory, in practice this is a tiny fraction (0.01%) of the browser process usage. By far the bigger culprit is the additional memory needed to store the reference count. One might think that adding 4 bytes to each allocation wouldn’t be a big deal. However, there are many small allocations in Chrome, so even the 4B overhead is not negligible. PartitionAlloc also uses pre-defined bucket sizes, so this extra 4B pushes certain allocations (particularly power-of-2 sized) into a larger bucket, e.g. 4096B->5120B.

We also considered the performance cost. Adding an atomic increment/decrement on common operations such as pointer assignment has unavoidable overhead. Having excluded a number of performance-critical pointers, we drove this overhead down until we could gain back the same margin through other performance optimizations. On Windows, no statistically significant performance regressions were observed on most of our top-level performance metrics like Largest Contentful Paint, First Input Delay, etc. The only adverse change there1 is an increase of the main thread contention (~7%). On Android1, in addition to a similar increase in the main thread contention (~6%), there were small regressions in First Input Delay (~1%), Input Delay (~3%) and First Contentful Paint (~0.5%). We don't anticipate these regressions to have a noticeable impact on user experience, and are confident that they are strongly outweighed by the additional safety for our users.

We should emphasize that MiraclePtr currently protects only class/struct pointer fields, to minimize the overhead. As future work, we are exploring options to expand the pointer coverage to on-stack pointers so that we can protect against more use-after-free bugs.

Note that the primary goal of MiraclePtr is to prevent exploitation of use-after-free bugs. Although it wasn’t designed for diagnosability, it already helped us find and fix a number of bugs that were previously undetected. We have ongoing efforts to make MiraclePtr crash reports even more informative and actionable.

Continue to Provide Us Feedback

Last but not least, we’d like to encourage security researchers to continue to report issues through the Chrome Vulnerability Reward Program, even if those issues are mitigated by MiraclePtr. We still need to make MiraclePtr available to all users, collect more data on its impact through reported issues, and further refine our processes and tooling. Until that is done, we will not consider MiraclePtr when determining the severity of a bug or the reward amount.

1 Measured in Chrome 99.

Contemporary organizations understand the importance of data and its impact on improving interactions with customers, offering quality products or services, and building loyalty. Data is fundamental to business success. It allows companies to make the right decisions at the right time and deliver the high-quality, personalized products and services that customers expect. There is a challenge, The Hacker Newshttp://www.blogger.com/profile/16801458706306167627noreply@blogger.com

Government and state-owned organizations in a number of Asian countries have been targeted by a distinct group of espionage hackers as part of an intelligence gathering mission that has been underway since early 2021. "A notable feature of these attacks is that the attackers leveraged a wide range of legitimate software packages in order to load their malware payloads using a technique known as Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com

Hackers tied to the Iranian government have been targeting individuals specializing in Middle Eastern affairs, nuclear security, and genome research as part of a new social engineering campaign designed to hunt for sensitive information. Enterprise security firm Proofpoint attributed the targeted attacks to a threat actor named TA453, which broadly overlaps with cyber activities monitored under Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com

Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild. The issue, assigned the identifier CVE-2022-32917, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges. "Apple is aware of a report that this issue may Ravie Lakshmananhttp://www.blogger.com/profile/10975661172932160797noreply@blogger.com