Search This Blog

Showing posts with label DLL. Show all posts

Years-Long Attack by Chinese-Linked APT Groups Discovered by McAfee

 

A cyber-attack that had been sitting on the target organization's network for years stealing data was discovered during a McAfee investigation into a suspected malware infection. The sophisticated threat actors utilized a mix of known and novel malware tools in the attack, called Operation Harvest, to infiltrate the victim's IT infrastructure, exfiltrate data, and avoid detection, according to the investigators. McAfee researchers were able to narrow down the list of suspects to two advanced persistent threat (APT) nation-state groups with ties to China during the course of the two-month investigation. 

“Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data,” Christiaan Beek, lead scientist and senior principal engineer for the Enterprise Office of the CTO at McAfee, wrote in a report. 

“The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families,” Beek added. 

The actor gained initial access by compromising the victim's web server, which contained software to maintain the existence and storage of tools needed to acquire information about the victim's network and lateral movement/execution of files, according to forensic investigations. 

Between the operating method of the unique encryption function in the custom backdoor and the code used in the DLL, the adversaries used techniques that are commonly seen in this type of attack, but they also used distinctive new backdoors or variants of existing malware families, almost identical to methods attributed to the Winnti malware family. According to the findings, the adversary was looking to steal proprietary knowledge for military or intellectual property/manufacturing reasons.

McAfee investigators drew out MITRE ATT&CK Enterprise methods, added the tools utilized, and compared the information to previous technique data to figure out who the perpetrators were. They discovered four groups that shared the same tactics and sub-techniques and then used a chart to narrow down the suspects to APT27 and APT41.

“After mapping out all data, TTP’s [tactics, techniques, and procedures] etc., we discovered a very strong overlap with a campaign observed in 2019/2020,” Beek wrote. “A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.”

PRIVATELOG Relies on Common Log File System to Evade Detection

 

Researchers have revealed data about a new malware family that uses the Common Log File System (CLFS) to conceal a second-stage payload in registry transaction files in order to avoid detection. The malware, named PRIVATELOG, and its installer, STASHLOG, were discovered by FireEye's Mandiant Advanced Practices team. Details about the threat actor's identity and motivations are still unknown. 

CLFS (Common Log File System) is a general-purpose logging subsystem for producing high-performance transaction logs that is available to both kernel-mode and user-mode applications. It debuted with Windows Server 2003 R2 and has since been incorporated into subsequent Windows operating systems. CLFS can be used for event logging as well as data logging. TxF and TxR employ CLFS to save transactional state changes before committing a transaction. Any integrated Windows utility will not be able to examine the Binary Log File(s) created by CLFS. 

CLFS's goal, like that of any other transactional logging system, is to record a series of steps required for a particular activity so that they can be accurately replayed in the future to commit the transaction to secondary storage or undone if necessary.

Despite the fact that the malware has yet to be found in real-world attacks aimed at consumer environments or seen launching any second-stage payloads, Mandiant believes PRIVATELOG is still in development, might be the work of a researcher, or could be used in a highly targeted attack. 

“Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files. This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions. This is similar in nature to malware which may rely, for example, on the Windows Registry or NTFS Extended Attributes to hide their data, which also provide locations to store and retrieve binary data with the Windows API.” explained Mandiant researchers.

PRIVATELOG and STASHLOG have features that allow malicious software to remain undetected on infected machines, such as the use of obfuscated strings and control flow techniques that are specifically designed to make static analysis difficult. 

Mandiant researchers examined a PRIVATELOG sample that is an un-obfuscated 64-bit DLL named prntvpt.dll that contains exports that are similar to those found in legal prntvpt.dll files. By hijacking the search order used to load DLLs, PRIVATELOG expects to be loaded from PrintConfig.dll. YARA rules are provided by Mandiant to detect PRIVATELOG and STASHLOG malware, as well as it's variations.

IISerpent Trojan Manipulates Search Engine Optimization

 

Security researchers recently had to cope with a huge number of malware attacks targeting the Internet Information Services (IIS) component. The IISerpent Trojan is the most recent malware family to be added to the list. 

The malware is installed as a Microsoft IIS add-on. After that, it intercepts HTTP requests and traffic, but there's a catch. This IIS malware works differently than other IIS malware that leverages this opportunity to steal credentials and private data, such as the IISpy Backdoor. It only gets to work if it recognizes requests to specific search engines, rather than ordinary HTTP traffic. Search engines have crawlers that scour the Web for pages to index or re-index on a regular basis. It is possible for pages on the same domain to link to one another. Crawlers utilize specific algorithms to determine a page's search engine ranking. 

Buying adverts or implementing search engine optimization (SEO) strategies are two valid ways to improve page ranking in search engine result pages, however not all digital marketers follow the laws. SEO-boosting practices (which, however, contravene webmaster guidelines) such as loading pages with unrelated keywords or buying backlinks to improve a website's reputation are referred to as unethical SEO (historically known as black hat SEO).

IISerpent is a native IIS module, implemented as a C++ DLL and configured in the %windir%\system32\inetsrv\config\ApplicationHost.config file. IISerpent ensures both persistence and execution because all IIS modules are loaded by the IIS Worker Processes (w3wp.exe) and used to handle inbound HTTP requests.

IISerpent exports a function called RegisterModule, which provides module initialization, just like all native IIS modules. Its event handlers — methods of the module class (inherited from CHttpModule) that are called on certain server events – hide the underlying harmful functionality. IISerpent's code class alters the IIS server's OnBeginRequest and OnSendResponse methods, causing the malware's handlers to be called every time the IIS server begins processing a new inbound HTTP request and transmits the response buffer. 

Because everything appears normal to the webmaster and users - all the 'magic' happens in the background – these assaults are extremely difficult to detect. Of course, a short glance at a backlink analysis or network traffic data will suggest that something is amiss. 

The worst thing about the IISerpent Trojan's attack is that the websites that are attacked could lose their good SEO ranking. This is possible because search engine crawlers will quickly notice the link between the original page and the counterfeit website, which will usually result in SEO penalties.

International Law Enforcement Takes Down Emotet Malware in a Joint Operation

 

Emotet, one of the most dangerous email spam botnets in recent history, is being wiped out today from all infected devices with the help of a malware module delivered in January by law enforcement. The botnet's takedown is the result of an international law enforcement action that allowed investigators to take control of the Emotet's servers and disrupt the malware's operation. 

This specifically designed malware code forced the Emotet to self-destruct on Sunday, April 25. The code was distributed at the end of January to Emotet-infected computers by the malware's command-and-control (C2) infrastructure, which had just been seized in an international law enforcement operation.

After the takedown operation, law enforcement pushed a new configuration to active Emotet infections so that the malware would begin to use command and control servers controlled by the Bundeskriminalamt, Germany's federal police agency. Law enforcement then distributed a new Emotet module in the form of a 32-bit EmotetLoader.dll to all infected systems that automatically uninstalled the malware on Sunday.

“The EmotetLoader.dll is a 32-bit DLL responsible for removing the malware from all infected computers. This will ensure that all services related to Emotet will be deleted, the run key in the Windows registry is removed – so that no more Emotet modules are started automatically – and all running Emotet processes are terminated,” Mariya Grozdanova, a threat intelligence analyst at Redscan, stated.

Emotet was particularly nasty in that it spread mainly via malicious attachments in spam emails, and once installed, could bring in additional malware: infected machines were rented out to crooks to install things like ransomware and code that drained victims' online bank accounts. Computer security biz Digital Shadows highlighted the extent of the Emotet epidemic and said its removal is an overall win for everyone. 

Paul Robichaux, senior director of product management at IT forensics firm Quest, stated to The Register: “These kinds of large-scale, coordinated attacks and global botnets are too big for individual organizations to resolve entirely themselves, and leaving individual companies to clean them up themselves is a legitimate national security problem. However, the fact that law enforcement is on the case is no excuse to let your guard down. You still need to focus on securing your own environments.”