Viry a Červi

Microsoft spots surge in pro-Russia exploits of video platform to spread propaganda

An unknown pro-Russia influence group spent time recruiting unwitting Hollywood actors to assist in smear campaigns against Ukraine and its president Volodymyr Zelensky.…

End-of-year deadline looms on US surveillance

Two competing bills to reauthorize America's FISA Section 702 spying powers advanced in the House of Representatives committees this week, setting up Congress for a battle over warrantless surveillance before the law lapses in the New Year.…

Interpol increasingly concerned as abject abuse of victims scales far beyond Asia origins

Human trafficking for the purposes of populating cyber scam call centers is expanding beyond southeast Asia, where the crime was previously isolated.…

Says it was probably hacked, which isn't good news either

A trio of Polish security researchers claim to have found that trains built by Newag SA contain software that sabotages them if the hardware is serviced by competitors.…

The Russians are coming! Err, they've already infiltrated UK, US inboxes

Russia-backed attackers have named new targets for their ongoing phishing campaigns, with defense-industrial firms and energy facilities now in their sights, according to agencies of the Five Eyes alliance.…

Akamai says it reported the flaws to Microsoft. Redmond shrugged

A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers.…

As Cyber Solidarity Act edges closer to full adoption in Europe

The US Cybersecurity and Infrastructure Security Agency (CISA) has signed a working arrangement with its EU counterparts to increase cross-border information sharing and more to tackle criminals.…

NHS Trust admits highly sensitive data left online for nearly three years

More than 22,000 patients of Cambridge University Hospitals NHS Foundation Trust were hit by data leaks that took place between 2020 and 2021.…

Indictments allege plot to shift FPGAs, accelerometers, and spycams

A Belgian man has been arrested and charged for his role in a years-long smuggling scheme to export military-grade electronics from the US to Russia and China.…

Plans to share 'vast amounts of data' – very carefully

Australia is building a top-secret cloud to host intelligence data and share it with the US and UK, which have their own clouds built for the same purpose.…

Issue has been around since at least 2012

A years-old Bluetooth authentication bypass vulnerability allows miscreants to connect to Apple, Android and Linux devices and inject keystrokes to run arbitrary commands, according to a software engineer at drone technology firm SkySafe.…

Watch this webinar to find out how Zero Trust fits into the edge security ecosystem

Commissioned  Edge security is a growing headache. The attack surface is expanding as more operational functions migrate out of centralized locations and into distributed sites and devices.…

Apparently no one thought to check if this D-Link router 'issue' was actually exploitable

A security vulnerability previously added to CISA's Known Exploited Vulnerability catalog (KEV), which was recognized by CVE Numbering Authorities (CNA), and included in reputable threat reports is now being formally rejected by infosec organizations.…

Why we need the confidence to deploy secure, compliant AI-powered applications and workloads

Sponsored Feature  Every organisation must prioritise the protection of mission critical data, applications and workloads or risk disaster in the face of an ever-widening threat landscape.…

Illegally distributed software historically has served as a way to sneak malware onto victims’ devices. Oftentimes, users are not willing to pay for software tools they need, so they go searching the Web for a “free lunch”. They are an excellent target for cybercriminals who realize that an individual looking for a cracked app will be willing to download an installer from a questionable website and disable security on their machine, and so they will be fairly easy to trick into installing malware as well.

We recently discovered several cracked applications distributed by unauthorized websites and loaded with a Trojan-Proxy. Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods.

Postinstall script

Unlike the original, untampered with, applications typically distributed as a disk image, the infected versions came in the form of .PKG installers. These files are handled by the Installer dedicated utility in macOS, and they can run scripts before and after actual installation. In the examples we gathered, scripts were run only after the application was installed.

Contents of the malware script

A look at the script code reveals that the /Contents/Resources/ directory contains two suspicious files in addition to the cracked application resources: WindowServer and p.plist. The script replaces the ~/Library/Application Support/WindowServer and ~/Library/LaunchAgents/GoogleHelperUpdater.plist files with the two files from the resources folder, and grants administrator permissions to these. As an installer often requests administrator permissions to function, the script run by the installer process inherits those.

The p.plist (or GoogleHelperUpdater.plist) is a configuration file. Its contents suggest that it imitates a Google configuration file and has only one job: auto-starting the WindowServer file, with a path set to ${VAR}, as a system process after the operating system is loaded.

Contents of the p.plist file

WindowServer

WindowServer is a universal format binary file. We have found several versions of the application, with the earliest one uploaded to VirusTotal on April 28, 2023. None of the versions were flagged by any anti-malware vendors as malicious.

After starting, the Trojan creates log files and attempts to obtain a C&C server IP address via DNS-over-HTTPS (DoH), thus making the DNS request indistinguishable from a regular HTTPS request and hiding it from traffic monitoring.

Beginning of application code (MD5: 063d956b55da0d18f3f732c2bbd4bc28)

Example of GET request in C&C IP address function (MD5: 063d956b55da0d18f3f732c2bbd4bc28)

After receiving a response, it establishes a connection with the C&C server at register[.]akamaized[.]ca via WebSocket by sending the application version and expecting a command with a relevant message in return. See below for a list of supported commands.

Command # Purpose 0x34 Process message 0x35 Pause command processing 0x36 Continue command processing 0x37 Terminate command processing 0x38 Await next command

During our research efforts, we did not receive a server response containing any command but 0x38. An analysis of the program code suggests that the 0x34 command should be accompanied by a message containing the IP address to connect to, the protocol to use and the message to send. The client supports both TCP and UDP connections.

TCP and UDP connection code (MD5: 063d956b55da0d18f3f732c2bbd4bc28)

As mentioned earlier, we have discovered several versions of the Trojan, with a number of distinguishing features:

• Unlike its predecessors, the latest of the versions we know of cannot check its own version or update. The update function is there, but it is not invoked anywhere in the code.

  Snippet of the update function (MD5: 063d956b55da0d18f3f732c2bbd4bc28)

• Older versions obtain a C&C IP address by means of a regular DNS request rather than DoH.
• All versions of the Trojan write logs to log.txt and dbg.dmp, without cleaning up after shutdown or providing any means for the operators to analyze the logs. Thus, it is possible to ascertain the presence of the malware in the system both by checking the known paths and searching for key tags across all text files.

Versions targeting other platforms

Besides the macOS application, we discovered several specimens for Android and Windows that connected to the same C&C server. These are also Trojan-Proxies that hide inside cracked software.

Indicators of compromise

MD5:
Trojan-Proxy binaries:
063d956b55da0d18f3f732c2bbd4bc28 — WindowServer
f6d1aa43d40727104f0517c91b117f72 — WindowServer
f40affab8ee804a49893fd1df3710622 — WindowServer

Postinstall Scripts:
2a4fff0b167654edc7f62a747ea13067
0049c3960ab98e11db3872a98078b7a6
ed7fd28bc482d9a822d78f515d18e93c
a0fe67385390bab476d9b716f4097907

Property Lists:
0049c3960ab98e11db3872a98078b7a6 — GoogleHelperUpdater.plist
2a4fff0b167654edc7f62a747ea13067 — GoogleHelperUpdater.plist

PKGs:
7b4b44bf6c3d8eb31f14206c0d76c321 — 4K Image Compressor.pkg
00cbaee9a21dd0ca13ecbeca30ef9b26 — 4K Video Downloader Pro v4.24.3 macOS.pkg
3432f1cb6be21938be87ad0b12202423 — Aiseesoft Mac Data Recovery.pkg
af7b3ac1adc4f4d563c75e8583c0f239 — Aiseesoft Mac Video Converter Ultimate.pkg
ec1698e7900210c642a2772e8d040f8c — allavsoft.pkg
0c369d305e101381dfbd2f277417ca69 — AnyMP4 Android Data Recovery for Mac.pkg
6f58024bfe61351035711f33a2133c40 — AweCleaner.pkg
9b83fc25080d542a9fd71bbe0678e593 — Downie 4.pkg
338f882d4fc0c2cc96eca6edb1d6a6f0 — FonePaw Data Recovery.pkg
b35db7dd042ca92ad7180f6a1e2bdad8 — iNet Network Scanner.pkg
e06b0fef08b711f8ba307d1c13cc1b97 — MacDroid.pkg
7934bede64f6473576e400aefafae2b3 — MacX Video Converter Pro.pkg
0003a4d2207462e24fbc711fa1b84533 — MouseBoost Pro.pkg
b5a334d92906f8a85cc86c582d3232bf — MWeb Pro.pkg
3627fa05f7fb975a4be8392a14474757 — NetShred X.pkg
01675deeb459c0cec6eb6b409698c42a — NetWorker Pro.pkg
d874167ece5528e9e997b60906940afa — Path Finder.pkg
f5cceb3eea65d0f7ae5a6b62d07cb869 — Patternodes.pkg
311b665dad3d6ea77225b5a6529a8f0c — Perfectly Clear Workbench.pkg
0e59a269fa6a34cc6fab8873e79e8011 — Print to PDF.pkg
d9e4e16ec9206ba427d280a955248829 — Project Office X.pkg
206ff97436f3c229502040128bd39bbe — Rocket Typist.pkg
59033b56c99c49a392ed7e653d296375 — Sketch.pkg
d933d00c01d1e0fd2df960e166a1e4b5 — SponsorBlock.pkg
704f2606b0a12e42046c95e530bf5f38 — SystemToolkit.pkg
1920e42d286080cc1ed6272db859e7b5 — TransData.pkg
b056054c992a386144304f1f3470234c — Vellum.pkg
11fc6ec7cdb93f23c9756a788a4204bc — VideoDuke.pkg
a2d5f2c28b2b79cf29942f8bdd847a72 — Wondershare UniConverter 13.pkg
19d3fcff714d7ffa1e325d46f6ddb8b2 — SQLPro Studio.pkg
128068daf917c2df36bccdec97c3b66a — WinX HD Video Converter for Mac.pkg
63086d31bb186abb294a5a737f235098 — Artstudio Pro.pkg
9297a3753ddff6dae048a2a75a42e529 — Magic Sort List.pkg
7f2d204f197e1205f74de603cba40010 — FoneLab Mac Data Retriever.pkg
98c185a785f2ac075849336001bc5b9c — Apeaksoft Video Converter Ultimate for Mac.pkg

Android samples:
d605b5673ca89a767662a4a83662eaa0 — s276.apk
fb3c42ca1ff0ba96ac146c1672357994 — Swipis_v2.6.1[Mobile].apk

Windows samples:
a408e30bbd449367291366d337d54f82 — wsclient.exe

URL:
register[.]akamaized[.]ca:6101/strvn

Bitbucket, Confluence and Jira all in danger, again. Sigh

Atlassian has emailed its customers to warn of four critical vulnerabilities, but the message had flaws of its own – the links it contained weren't live for all readers at the time of despatch.…

Limited options will be available into 2028, for an undisclosed price

Microsoft on Tuesday warned that full security support for Windows 10 will end on October 14, 2025, but offered a lifeline for customers unable or unwilling to upgrade two years hence.…

Predicts cyber crims will find binary brainboxes harder to battle

Cisco's executive veep for security Jeetu Patel has predicted that AI will change the infosec landscape, but that end users will eventually pay for the privilege of having a binary brainbox by their side when they go into battle.…

GRU-linked crew going after our code warns Microsoft - Outlook not good

Fancy Bear, the Kremlin's cyber-spy crew, has been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets – like government, defense, and aerospace agencies in the US and Europe – since March, according to Microsoft. …

Tardy IT admins likely to get a chilly reception over the lack of updates

CISA has released details about a federal agency that recently had at least two public-facing servers compromised by attackers exploiting a critical Adobe ColdFusion vulnerability.…