Search This Blog

Showing posts with label SMB. Show all posts

New Worm Capabilities Targets Windows Machines

 

A malware that has verifiably targeted exposed Windows machines through phishing and exploit kits have been retooled to add new "worm" capabilities. Purple Fox, which originally showed up in 2018, is an active malware campaign that as of, not long ago required user interaction or some kind of third-party tool to infect Windows machines. However, the assailants behind the campaign have now upped their game and added new functionality that can force its way into victims' systems on its own, as indicated by new Tuesday research from Guardicore Labs.

“Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force,” Guardicore Labs Amit Serper said. In addition to these new worm abilities, Purple Fox malware now additionally incorporates a rootkit that permits the threat actors to conceal the malware on the machine and make it hard to distinguish and eliminate, he said. 

Researchers examined Purple Fox's most recent activity and discovered two huge changes to how assailants are spreading malware on Windows machines. The first is that the new worm payload executes after a victim machine is undermined through a weak exposed service. Purple Fox additionally is utilizing a past strategy to contaminate machines with malware through a phishing effort, sending the payload by means of email to exploit a browser vulnerability, researchers observed. When the worm infects a victim's machine, it creates a new service to establish persistence and execute a simple command that can iterate through a number of URLs that include the MSI for installing Purple Fox on a compromised machine, said Serper. 

“msiexec will be executed with the /i flag, in order to download and install the malicious MSI package from one of the hosts in the statement,” he explained. “It will also be executed with the /Q flag for ‘quiet’ execution, meaning, no user interaction will be required.”

Gadgets caught in this botnet incorporate Windows Server machines running IIS form 7.5 and Microsoft FTP, and servers running Microsoft RPC, Microsoft Server SQL Server 2008 R2, and Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.

The Blue Mockingbird Malware Group Exploits Vulnerabilities in Organizations' Networks


Another notorious crypto-currency mining malware has surfaced which allegedly has been infecting the systems of countless organizations. The group with the control of operations goes by the code name of “Blue Mockingbird”.

The researchers who discovered it have reasons to believe that the Blue Mockingbird has been active since 2019’s last month. Per them, it also targets “public-facing servers” that run “ASP.NET” apps that use the “Telerik framework” for their User Interface (UI) aspect.

Reportedly, the vulnerability that the hackers exploit in the process is the “CVE-2019-18395” vulnerability which is then employed to embed a web shell on the target’s server. Per the same report, later on they employ a version of “the Juicy Potato technique” to obtain the admin-access and alter the server settings to get access to the “(re)boot persistence”.

After having obtained complete access to a system, sources mention, the malware group installs a version of XMRRig which is a famous crypto-currency mining application particularly for the “Monero (XMR)” crypto-currency.

As per reports, if the public-facing IIS servers are linked with a company’s internal network, the malware group has a probability of trying to expand internally through an improperly-secured Server Message Block (SMB) connections or Remote Desktop Protocol ((RDP).

The exact number of infections that the botnet has caused isn’t all too clear but if an estimate was to be made the operations include 1,000 infections at the least. There also doesn’t seem to be a way to find the intensity of the threat.

Not many organizations out of the ones that were being observed by the researchers have been hit with this particular threat. And over a really little amount of time that they were tracked the above-mentioned number of infections surfaced.

Nevertheless, all companies alike are susceptible to this attack, even the ones that think they are safe and the number of infections could be more than estimated.

As per sources, the Telerik UI component which is allegedly vulnerable is a part of ASP.NET applications that run on their latest versions, even then the Telerik component may have versions that are out-dated but harmful to organizations, nonetheless. This component could exist in the applications used by a company and they might not even know about it leaving them endangered.

The Telerik UI CVE-2019-18935 vulnerability, per reports, has been widely let known as the one that is employed to embed web shells on servers. Another mentioned that this vulnerability is the most exploited and organizations need to better their firewalls to fight it. If for some reason the organizations don’t happen to have a web firewall they could always look for warning precursors in the server and workstation, reports cite.