Viruses and Worms

Introducing the tech that keeps the lights on

The Register - Anti-Virus - 13 November, 2023 - 11:15
Genuinely new ideas are rare in IT – this superhero is ready to make a real difference

Opinion  Cybersecurity has many supremely annoying aspects. It soaks up talent, time, and money like the English men's football squad, and like that benighted institution, the results never seem to change.…

Category: Viruses and Worms

When traditional AV solutions are not enough

The Register - Anti-Virus - 13 November, 2023 - 11:10
Preventing cybercriminals from exfiltrating your data with ADX technology

Webinar  It seems counterintuitive to want to lock in a cybercriminal who has crept past all your defences to smuggle data out from under your nose.…


Royal Mail cybersecurity still a bit of a mess, infosec bods claim

The Register - Anti-Virus - 13 November, 2023 - 07:31
Also: Most Mainers are MOVEit victims, NY radiology firm fined for not updating kit, and some critical vulnerabilities

Infosec in brief  After spending almost a year cleaning up after various security snafus, the UK's Royal Mail had an open redirect flaw on one of its sites, according to infosec types. We're told this vulnerability potentially exposes customers to malware infections and phishing attacks.…


Australia declares 'nationally significant cyber incident' after port attack

The Register - Anti-Virus - 13 November, 2023 - 01:45
PLUS: Citrix quits China; Cambodia deports Japanese scammers; Chinese tech CEO disappears; and more

Asia in brief  Australia's National Cyber Security Coordinator has described an attack on logistics company DP World as a "nationally significant cyber incident."…


Ducktail fashion week

Kaspersky Securelist - 10 November, 2023 - 09:00

Ducktail is a malware family that has been active since the second half of 2021 and aims to steal Facebook business accounts. WithSecure and GridinSoft have covered Ducktail attacks: the infostealer spread under the guise of documents relating to well-known companies’ and brands’ projects and products. Both public reports attribute the Ducktail attacks to a group that presumably hails from Vietnam. We have analyzed a recent campaign that ran between March and early October 2023 and targeted marketing professionals. An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming language.


The campaign saw the bad actor send out an archive containing images of new products by bona fide companies along with a malicious executable disguised with a PDF icon. When started, the malware would open a real, embedded PDF file that contained the job details. The attack was tailored to target marketing professionals looking for a career change. The choice of victims and the distinctive means used by the threat actor led us to assume early on that the campaign was about spreading a new version of Ducktail.

The malware would install a browser extension capable of stealing Facebook business and ads accounts, likely for subsequent sale.

Ducktail and the malicious extension

We examined a large number of archives from the latest campaign: in each case, a copy of Ducktail was emailed in the name of a major clothing company.

The contents of the malicious archive

If opened by an interested victim, the malicious file saves a PowerShell script named param.ps1 and a PDF decoy locally to C:\Users\Public. The script uses the default PDF viewer on the device to open the decoy, pauses for five minutes, and then terminates the Chrome browser process.

While the script stands by, the parent executable saves a malicious library named libEGL.dll to C:\Users\Public\Libraries\ and then loads it. When launched, the library goes over every LNK file that it finds in:

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\,
  • C:\ProgramData\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\,

and on the desktop, altering the launch string for all Chromium-based browsers (Google Chrome, Edge, Vivaldi, Brave) by adding the following code: --load-extension="C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\fjoaledfpmneenckfbpdfhkmimnjocfa"
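The shortcut tampering described above is something a defender can check for directly. The following is an added example, not code from the Securelist write-up: a minimal reader for the StringData part of Windows .lnk files (per MS-SHLLINK) that flags any shortcut whose arguments sideload a Chromium extension with --load-extension. The make_lnk helper builds a constructed test blob; the flag constants and the CLSID are the documented shell-link values.

```python
# Added detection example (not code from the Securelist write-up): a minimal reader
# for the StringData part of Windows .lnk files (MS-SHLLINK), used to flag shortcuts
# whose arguments sideload a Chromium extension via --load-extension.
import re
import struct

HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS = 0x04, 0x08, 0x10, 0x20
IS_UNICODE = 0x80
LOAD_EXT = re.compile(r'--load-extension=("[^"]*"|\S+)', re.IGNORECASE)


def lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk blob, or '' if it has none."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                     # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: u32 size that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
    # StringData entries follow in fixed order, each as u16 char count + characters
    for flag in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if flag == HAS_ARGS:
            return raw.decode(enc, errors="replace")
    return ""


def sideloaded_extension(data: bytes) -> "str | None":
    """Path forced in through --load-extension, or None when the shortcut is clean."""
    m = LOAD_EXT.search(lnk_arguments(data))
    return m.group(1).strip('"') if m else None


def make_lnk(args: str) -> bytes:
    """Constructed test blob: valid header, flags HasArguments|IsUnicode, one argument string."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # shell link CLSID
    header = struct.pack("<I16sI", 0x4C, clsid, HAS_ARGS | IS_UNICODE) + b"\x00" * 52
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

To sweep a host, feed the bytes of every .lnk under the Start Menu, Quick Launch and Desktop paths listed above to sideloaded_extension and alert on any non-None result for a browser shortcut.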

Some of the library strings required for the malicious code to run are encrypted with the AES-CBC key “gnghfn47n467n43b” and the initialization vector “dakfhskljh92384h”.

The use of the strings containing the AES key and initialization vector as featured in the code

In addition to launching the library, the parent file saves malicious browser extension files to C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\fjoaledfpmneenckfbpdfhkmimnjocfa. The extension disguises itself with the Google Docs Offline icon and description text, while the directory that features in the path (fjoaledfpmneenckfbpdfhkmimnjocfa) is used by the bona fide extension NordVPN. It is worth noting that other variants of the malware may use different paths to host the extension.

The malicious extension as seen in Google Chrome (left) and the authentic Google Docs Offline extension (right)

The core extension script is obfuscated. It constantly sends the details of all open browser tabs to the command-and-control (C&C) server and, if it detects Facebook-related URLs, checks for ads and business accounts to try to steal them. In particular, the extension snatches cookies and details of the accounts that the victim is signed in to on the device. To bypass two-factor authentication, the extension uses Facebook API requests and Vietnam’s 2fa[.]live service, which offers various auxiliaries for generating one-time access codes, among other things. This is probably how the hackers log in after the user’s authentication session has expired. Stolen credentials and cookies are forwarded to a C&C server registered in Vietnam.

Malicious file usage flowchart

In this campaign, in addition to the main script, the malware would save to the extension folder a script named jquery-3.3.1.min.js, a corrupted version of the core script from prior attacks.

DuckTail attack geography

According to our telemetry, cybercriminals most often attacked users in India. Our solutions also stopped infection attempts on devices of users in Kazakhstan, Ukraine, Germany, Portugal, Ireland, Greece, Jordan, Pakistan, Vietnam, UAE, USA, Peru and Chile.

MITRE ATT&CK Matrix

Tactic                  Technique ID   Technique
Initial Access          T1566.001      Phishing: Spearphishing Attachment
Persistence             T1176          Browser Extensions
Execution               T1059.001      Command and Scripting Interpreter: PowerShell
Execution               T1129          Shared Modules
Execution               T1204.002      User Execution: Malicious File
Enterprise              T1539          Steal Web Session Cookie
Resource Development    T1583.001      Acquire Infrastructure: Domains
Reconnaissance          T1589          Gather Victim Identity Information
Reconnaissance          T1598.002      Phishing for Information: Spearphishing Attachment
Defense Evasion         T1027          Obfuscated Files or Information
Command and Control     T1071.001      Application Layer Protocol: Web Protocols
Command and Control     T1132.001      Data Encoding: Standard Encoding
Exfiltration            T1041          Exfiltration Over C2 Channel

Indicators of compromise



Modern Asian APT groups’ tactics, techniques and procedures (TTPs)

Kaspersky Securelist - 9 November, 2023 - 09:00

Almost every quarter, someone publishes major research focusing on campaigns or incidents that involve Asian APT groups. These campaigns and incidents target various organizations from a multitude of industries. Likewise, the geographic location of victims is not limited to just one region. This type of research normally contains detailed information about the tools used by APT actors, the vulnerabilities that they exploit and sometimes even a specific attribution. Despite the large number of these types of reports, companies often remain unprepared to face these kinds of attackers. With the advanced tools and techniques used by threat actors today, cybersecurity professionals require not only high-level expertise and extensive experience, but also the infrastructure supplemented by well-organized asset management and vulnerability management processes, network segmentation, fine-tuned audits, and intelligently configured data security tools. In most cases, an unprepared infrastructure is the primary factor enabling Asian APT groups to conduct successful attacks.

In this report, we share the most valuable intelligence that we gathered on Asian APT groups. Over the course of our work, we noticed that these groups attacked the greatest number of countries and industries. Most importantly, our analysis of hundreds of attacks revealed a similar pattern among various groups. They achieve specific objectives at various stages of the Cyber Kill Chain using a common but limited number of techniques encountered by security professionals all over the world. Unfortunately, security teams often have difficulty detecting these attacks in their own infrastructure.

Intended audience of this report

We created this report to provide the cybersecurity community with the best-prepared intelligence data to effectively counteract Asian APT groups. This report will be the most helpful to the following:

  • SOC analysts
  • Cyber Threat Intelligence analysts
  • Threat Hunting experts
  • Digital Forensics (DFIR) experts
  • Cybersecurity experts
  • Domain administrators
  • C-Level executives responsible for cybersecurity at their companies

This material can serve as a library of knowledge on the main approaches used by Asian APT groups when they hack an infrastructure. The report also contains detailed information on the attackers’ tactics, techniques and procedures (TTPs) based on the MITRE ATT&CK methodology.

Structure of the report

This report consists of six main sections:

  1. Incidents involving Asian APT groups in various regions of the planet
    Information on five unique incidents that we detected in different parts of the world. Each incident is a unique case within a specific country and industry, and we provide a description of the actions and TTPs of the perpetrators. At the end of each section, we put together a consolidated table showing a list of TTPs (related to the APT groups that we encountered in these incidents) and their overlapping use in these incidents.
  2. Technical details
    A detailed description of the individual techniques that we detected in the attacks conducted by Asian APT groups. Each technique contains the following:

    • Main description. Technical details on how the specific technique works.
    • Examples of procedures. Example implementations of this technique that we detected in attacks by Asian APT groups.
    • Data on the approaches employed to detect the described technique, and the EventIDs of events in various monitoring agents used to detect the specific threat.
    • SIGMA rules. List of SIGMA rules relevant to this technique. The actual SIGMA rules can be found in the Appendix: SIGMA.
  3. Analysis of attacker actions based on the Unified Kill Chain
    We used the Unified Kill Chain model to create our own table linked to Asian APT groups, so that we could provide a high-level look at the motivations and behavioral patterns of these actors, and provide data on the possible steps taken by Asian APT groups when they conduct potential attacks.
  4. Mitigation
    The measures undertaken to mitigate risks associated with the described TTPs.
  5. Statistics on attack victims
    Consolidated statistics on the victims of Asian APT groups throughout the world and a breakdown by country and industry.
  6. Appendix: SIGMA
    The SIGMA rules that can help to detect the techniques described in this report.

Download the full version of the Modern Asian APT groups’ tactics, techniques and procedures report (English, PDF)

WinRAR in the spotlight!

VIRY.CZ - 25 May, 2023 - 08:00

Attackers keep coming up with new ways to minimise the “risk” that some security solution, or even an EDR, will spot their wrongdoing. One example that caught my eye is this original method of deleting files, used by the Russian hacking group Sandworm against companies in Ukraine.

They made use of the popular archiver WinRAR, which was known to be already present on the endpoints. The destruction / deletion of files was then handled not by the malware process itself but by WinRAR, which was abused for the task. The program can be driven from the command line, and the “-df” switch makes it delete from disk the files it has just “packed” into a RAR archive.

The malware was delivered to the target machines via a scheduled task distributed centrally through Group Policy, so the network had already been compromised by the attackers. I should add that WinRAR was invoked by a plain .BAT batch file which looped through drives C: to Z: looking for files with defined extensions. It fed those to WinRAR, which archived and then deleted them (and the script then deleted the archive itself too).

The attackers’ motive was clear: to reduce the risk of detection, since legitimate processes (here WinRAR) enjoy more trust from security solutions than anything else with a lower reputation. As for performance, though, it is the most resource-hungry way of deleting files I have ever seen.
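The pattern the post describes (WinRAR launched from a batch file with the “-df” switch) is easy to hunt for in process-creation telemetry. The following is an added detection example, not VIRY.CZ code; the SAMPLE_EVENTS records are constructed in the shape of Sysmon Event ID 1 fields and are not telemetry from the incident. It also treats WinRAR’s “m” (move) command as archive-and-delete, since that command removes the sources by itself.

```python
# Added detection example (not VIRY.CZ code): flag WinRAR command lines that archive
# files and delete the originals, the behaviour the post describes (the "-df" switch,
# driven from a .BAT file). Input is constructed process-creation records, not real logs.
import shlex

WINRAR_IMAGES = {"rar.exe", "winrar.exe"}


def parse_rar_cmdline(cmdline: str) -> dict:
    """Split a WinRAR command line into image name, command letter, switches and targets."""
    try:
        parts = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:
        parts = cmdline.split()
    image = parts[0].strip('"').rsplit("\\", 1)[-1].lower() if parts else ""
    command = parts[1].lower() if len(parts) > 1 else ""
    switches = [p.lower() for p in parts[2:] if p.startswith("-")]
    targets = [p for p in parts[2:] if not p.startswith("-")]
    return {"image": image, "command": command, "switches": switches, "targets": targets}


def is_archive_and_delete(record: dict) -> bool:
    """True when WinRAR is asked to add files and remove the originals afterwards."""
    info = parse_rar_cmdline(record.get("CommandLine", ""))
    if info["image"] not in WINRAR_IMAGES:
        return False
    # 'a' only deletes the sources when -df is present; the 'm' (move) command always does
    return info["command"] == "m" or (info["command"] == "a" and "-df" in info["switches"])


def suspicious_rar_events(records: list) -> list:
    """Records worth an alert, annotated with whether cmd.exe (a batch file) launched WinRAR."""
    hits = []
    for r in records:
        if is_archive_and_delete(r):
            parent = r.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
            hits.append({**r, "batch_parent": parent == "cmd.exe"})
    return hits


# Constructed records shaped like Sysmon Event ID 1 fields (not telemetry from the incident)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -df -y D:\tmp\out.rar D:\*.docx D:\*.xlsx'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\Users\jan\photos.rar C:\Users\jan\Pictures'},
]
```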

More information can be found here.

Bonus: RAR as a native part of Windows 11!

By the way, while we are on the subject of RAR, Windows 11 will very soon gain native support for this format, as well as for 7z and .gz! Add to that the fact that Notepad can now correctly handle line endings in text files from Linux or Mac, and about the only thing left for perfection is for Word or Excel to be able to open two files with the same name from different locations at the same time!

More on this topic here.

The post WinRAR in the spotlight! appeared first on VIRY.CZ.


Student Loan Breach Exposes 2.5M Records - 31 August, 2022 - 13:57
2.5 million people were affected, in a breach that could spell more trouble down the line.

Watering Hole Attacks Push ScanBox Keylogger - 30 August, 2022 - 17:00
Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool.

Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms - 29 August, 2022 - 15:56
Over 130 companies tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.

Ransomware Attacks are on the Rise - 26 August, 2022 - 17:44
Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.

Cybercriminals Are Selling Access to Chinese Surveillance Cameras - 25 August, 2022 - 19:47
Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.