Search This Blog

Showing posts with label Windows 10. Show all posts

Golang: A Cryptomining Malware that Maybe Targetting Your PC


Cybersecurity experts at Barracuda Networks have discovered a unique kind of crypto mining malware called "Golang." The malware can attack Windows as well as Linux systems, according to the experts. This latest malware is targeting Monero cryptocurrency with the help of Xmrig, a popular miner. The number of attacks related to the malware may be relatively low, but the cybersecurity experts have discovered 7 IP addresses associated with this malware, all originating from China.


The experts also observed that the Golang malware's primary targets are non-HTTP features like MSSQL and Redis, app servers, web apps frameworks, whereas easy to attack targets like end-users are safe. If we look back into the issue, we will find that the earlier versions of Golang only affected the Linux systems; however, the present version targets Windows and the former. The attacks are carried out using various exploits such as IoT devices, Hadoop, Drupal, ElasticSearch, and Oracle Weblogic. For instance, in a recent malware attack in China, the malware used exploits that targeted ThinkPHP app frameworks widely used in the country.

According to the experts, the Golang malware is capable of evolving every day and using more exploits as each day passes by. Golang malware works by infiltrating the system, and once it does, it uses required files to complete the task. These may include downloaded update scripts, configuration files, scanner, and a miner. It all depends on the type of platform. Whereas, when attacking Windows, the hackers can use backdoors too. In recent times, more and more hackers have shifted towards using Golang as it can't be identified by anti-virus software.

The malware is infamous for targeting vulnerable servers, making it accessible among cybercriminals looking for vulnerabilities to exploit. The only way to be safe from this malware is to keep track of the CPU usage activity (when it goes unusually high) and observe any suspicious activity at the endpoints. Any threat, similar to the likes of Golang, can be avoided by vigilante inspections and immediate responses. Awareness about crypto mining threats is also a must.

Windows 10 New Feature Hunts and Thwarts PUAs/PUPs


Per reports, Microsoft has hinted that the next main version of Windows 10 will come stacked with a fresh security feature that would allow the users to facilitate the Windows Defender’s secret feature that helps hunt and bar the installation of known PUAs (Potentially Unwanted Applications).

PUA’s are also widely known as PUPs that stands for Potentially Unwanted Programs. These aren’t as well known by the users in the cyber-crime world as all the other major threats but are a valid threat nevertheless.

Per sources, these are software that is installed on devices via fooling the targets. The term for which the PUP/PUA stands is self-explanatory with regards to applications or programs that your device may not really need.

PUPs/PUAs go around with tactics like either by employing “silent installs” to dodge user permissions or by “bundling” an unrequired application with the installer of an authentic program.

Sources mention that PUAs most commonly contain applications that alter browser history, hinder security controls, install root certificates, track users and sell their data, and display invasive ads.

As per reports, the May 2020 update is to be rolled out to the users in the last week of this month. Microsoft mentioned that it has added a fresh new feature in its setting panel that would allow users to bar the installation of any unwanted applications or programs in the form of known PUAs/PUPs.

As it turns out, researchers mention that the feature has been available in the Windows Defender for quite a lot of time, but for it to kick start it would need group policies and not the usual Windows user interface.

As per sources, to enable the feature a user must go to ‘Start’, ‘Settings’, ‘Update & Security’, ‘Windows Security’, ‘App & Browser Control’, and finally 'Reputation-based Protection Settings’. Once updated, the feature would show two settings, the above-mentioned feature is disabled by default and would need to be enabled manually. However, Microsoft suggests, enabling both the settings.

Reports mention, that the “Block Apps” feature will scan for PUAs that have already been downloaded or installed, so if the user’s using a different browser Windows Security would intercept it after it’s downloaded. However, the “Block Downloads” feature hunts the PUAs while they are being downloaded.

Windows 10 Users Beware! Astaroth Malware Campaign is Back and More Malicious!


A malware group that goes by the name of ‘Astaroth’ has re-emerged stronger and stealthier than before. This group has been known for exploiting Microsoft Windows tools to further the attack.

Microsoft had gotten aware of these methods and exposed the malware group and its “living-off-the-land” tactics. But the malware resurfaced with a hike in activity and better techniques.

Reportedly, the Windows Management Instrumentation Command-line (WMIC) is the built-in tool that got used the last time as was spotted by the Windows Defender ATP.

Per sources, the analysis done by Microsoft led to the discovery of a spam operation that spread emails with links to websites hosting a “.LNK” shortcut file which would instruct the WMIC and other Windows tools to run “fileless” malware in the memory well out of the reach of the anti-malware.

Sources indicate that having learnt from mistakes, Astaroth now entirely dodges the use of the WMIC. January and February showed a rise in activity.

According to sources, the new styled campaign still commences with a spam email comprising of a malicious website hosting link, LNK file but it the new version it employs a file attribute, “Alternate Data Streams” (ADS), that lets the attacker clip data to a file that already exists so that hiding malicious payloads gets easier.

Per source reports, the first step of the campaign which is a spam email reads, “Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes”. The link is an archive file marked as, “Arquivo_PDF_.zip”.

It manipulates the ExtExport.exe to load the payload which per researchers is a valid process and an extremely unusual attack mechanism.

Once the victim clicks on the LNK file with the .zip file in it, the malware runs an obfuscated BAT command line, which releases a JavaScript file into the ‘Pictures’ folder and commands the explorer.exe that helps run the file.

Researchers mention and sources confirm that using the ADS permits the stream data to stay unidentifiable in the File Explorer, in this version Astaroth reads and decrypts plugins from ADS streams in desktop.ini that let Astaroth to rob email and browser passwords. It also unarms security software.

Per sources, the plugins are the “NirSoft WebBrowserPassView” tool is for regaining passwords and browsers and the “NirSoft MailPassView” tool is for getting back the email client passwords.

This is not the only legitimate tool Astaroth exploits. A command-line tool that goes by the name of “BITSAdmin” which aids admins to create download and upload jobs with tracking their progress is exploited to download encrypted payloads.

Reportedly, Astaroth has previously wreaked havoc on continents like Asia, North America, and Europe.

HACKED- Windows 10, macOS, Adobe, VMware, Apple and Oracle at The Pwn2Own 2020!


Pwn2Own is a well-known computer hacking contest which is held once every year at the CanSecWest security conference. In this contest, the contestants are tested on how well they could exploit commonly used software and mobile devices with formerly unheard of vulnerabilities.

An issue as grave as the Coronavirus pandemic has clearly not affected the spirits of the Pwn2Own 2020 hacking competition which got done with its first two days.

On Day 1, security researchers and participants bagged a handsome amount of over $180,000 for exploiting the Windows 10, Ubuntu Desktop and macOS, mention sources.

Reportedly, a “team from the Georgia Tech Systems Software and Security Lab succeeded in exploiting a kernel privilege escalation to execute code on macOS” by way of Safari. The attack mechanism that ended up winning for the team $70,000 was comprised of 6 vulnerabilities.

Per the event page (thezdi.com), Georgia Tech employed a “6 bug chain to pop calc and escalate to root”.

The team that has won several preceding editions of the hacking contest, Team Fluoroacetate, won themselves a victorious $40,000 after they employed a “local privilege escalation exploit” meant for the Windows 10.

Reports mention that one of the two members of the aforementioned team also won himself a smashing amount of $40,000 for yet another privilege escalation exploit pursuing Windows 10.

As per sources, the RedRocket CTF team got themselves a win, owing to it to one of their members, Mafred Paul, who bagged an attractive amount of $30,000 for a local privilege escalation exploit focused on Ubuntu Desktop. The hack was about the manipulation of the ‘Input validation bug’.

On Day 2, The Fluoroacetate successfully targeted the Adobe Reader with a local privilege escalation by employing a pair of UAFs, mentioned sources and grabbed an amount of $50,000.

Per reports, the Synacktiv team targeted the VMware Workstation but unfortunately to no avail in the given duration of time. There also were special demonstrations of the Zero Day Initiative against the Oracle VirtualBox.

This was the very first time the organizers allowed “conditional remote participation” in the Pwn2Own hacking contest, understandably because of the increased concerns of people about traveling due to the Coronavirus outbreak.



Windows 10 Users Beware! TrickBots' Prevalence And Conveyance Escalates in Devices



Reports mention that recently attackers were found exploiting the latest version of the “Remote Desktop ActiveX” which was developed for Windows 10.

Sources say that similar to what many others are doing, the exploitation could cause the automatic execution of the “OSTAP” JavaScript downloaded on the ta
rget’s systems.

Per analyses of researchers, the ActiveX is employed to automatically execute a mal macro right after the target enables a document. The majority of the documents contained images to encourage people to enable the content.

Per reports, the catch was that the image contained a hidden ActiveX control below it; the OSTAP downloader was disguised in white text to make it seemingly invisible to eyes and readable for machines.

Trickbot attackers misuse people’s tendencies of not updating their software with the latest updates to protect the systems.

Trickbots happen to be among the most advanced versions of the malware structures. The number is increasing and so is the threat to systems with Windows 10. Not of late, researchers dug out more documents that execute the OSTAP JavaScript downloader.

It was also found out that the groups of tricksters that were exploiting the ActiveX control were not the only ones. Other groups were also into misusing them along with a few others.

According to sources, the victim documents had the following nomenclature-“i<7-9 arbitrary="" digits="">.doc”. Almost every document had in it an image that would convince the enablers to open it. What the opener wouldn’t know is that below the image is a hidden ActiveX control. The OSTAP JavaScript downloader would be disguised as white text which only the machines could read.

Per sources, the analysis of the ActiveX code exposed the use of the “MsRdpClient10NotSafeForScripting” class. The script is crafted in a way that the server field is left empty to cause an error which would aid the attackers further on.

According to researchers, the technique that kicks the ‘macro’ on is, “_OnDisconnected”. This will execute the main function, first. It doesn’t get executed instantly for it takes time to resolve the DNS to an empty string only to return an error.

The OSTAP’s execution would depend on the “error number matches” exactly to “disconnectReasonDNSLookupFailed”. The OSTAP wscript directive is relative to the error number computation.

The execution of the wscript would work with its very content. This trick is quite an old one in the book. Microsoft’s BAT would ignore the ‘comments’, along with the content and everything that comes with the syntax, while the execution’s happening.

Once the JavaScript is edited per the attackers’ needs, the obfuscation scheme gets repeated. Updating systems doesn’t work every time but it’s a pre-requisite anyway.

A defense mechanism is paramount in cases of OSTAP and the likes of it. With the technology that’s prospering with every passing minute, so is the number of attack mechanisms and attackers. Hence keep systems updates and a tight security structure in place.


Modified TrickBot Trojan can now Steal Windows Active Directory Credentials


TrickBot trojan, a strain of malware that has been around affecting users since 2016 - is now evolved to steal Windows Active Directory credentials. Today, in the cybersecurity ecosystem it is considered as one of the top threats abusing businesses, experts estimate that TrickBot is responsible for compromising more than 250 million email accounts till date. Earlier, TrickBot went a step further while targeting Windows 10 users by disabling Windows defender onto their systems rather than just bypassing the protection. Fundamentally, TrickBot is a banking Trojan and is generally deployed through spearphishing emails like invoices mailed to the accounts department. Typically, it is attached as infected Microsoft Excel or Word documents. The malware can be spread across an organization in a number of ways, one of them is via exploiting vulnerabilities in a protocol called SMB which makes the process of sharing and accessing files on other systems easy for Windows computers.

First identified by Sandor Nemes, a security researcher from Virus Total, this new module of TrickBot dubbed as "ADII" further amplifies the threat it possesses for security, it steals Windows Active Directory information by executing a set of commands.

An Active Directory database is being created and stored into the default C:\Windows\NTDS folder on the domain controller, a server here is acting as the domain controller. Now, all the information including passwords, computers, users, and groups of Windows Active Directory are saved in a file by the name "ntds.dit" in the database. As all the aforementioned information is sensitive in nature, Windows resort to a BootKey that is located in the system component of the Registry and encrypts the information with the help of it. Admins who are responsible for database maintenance use a special tool known as "ntdsutil" to work with that database. Reportedly, standard file operations cannot access the BootKey.

How TrickBot Goes About Stealing Active Directory Credentials?


Administrators use the command "install from media", also known as "ifm", to create a dump of Active Directory. The command leads to the creation of an installation media for setting up new Domain Controllers. The new module "ADII" exploits the ifm command to produce a copy of the Windows Active Directory database; after the database is dumped into the %Temp% folder, the bot collects the information and transfers it to the admin. The collected data can be effective in infecting more systems in the same network and could also be employed by various other malware in search of similar vulnerabilities.

Microsoft Enters 2020 with Two New Products


Microsoft plans to come up with two products with the advent of the New Year, Windows 10X-powered Surface Neo and Android-powered Surface Duo and this could be an indication of 2020 being the year of foldable and dual-screen devices from smartphone and PC creators.

Microsoft's new operating system, Windows 10 X, is set to power the main rush a.k.a the first wave of foldable and dual-screen equipment scheduled for holiday 2020 and Surface Neo is said to have been the primary equipment to be dispatched with Windows 10 X, however, the Redmond giant is additionally preparing the OS for dual-screen PCs from accomplices.

Windows 10 X is additionally expected to power the dual-screen PCs created by Microsoft OEM accomplices like HP, Dell, and Lenovo. A leak as of late affirmed that Windows 10 X will be coming to workstations and other customary PC form factors in the future, however apparently the operating system is as yet 'immature'.


Anyway because of the moderate-paced advancement of the operating system and inadequate adaptable panel supply as per another report, Intel probably won't promote foldable notebooks in the future.

Despite the fact that Intel's dual-screen model highlights a 17-inch display and it would run Windows 10 X, the company will postpone the unveiling which was initially planned for CES 2020 because of issues with “immature OS support”.

The report refers to 'upstream supply chain' as the source of the talk likewise including that Intel won't promote foldable notebooks until mid-2020.

Windows 10 X was announced at the October 2019 occasion and Microsoft has ever since protected it under much 'secrecy' and still hasn't uncovered when it intends to launch Windows 10 X, yet the operating system is reputed to finalize at some point in 2020, a couple of months or weeks before the launch of Surface Neo and other much-awaited foldable devices.

A new zero-day Exploit Leaked to Bypass Already Patched Vulnerability (CVE-2019-0841)



An exploit broker and hacker, SanboxEscaper made a comeback and published the details about a new zero-day which affects the already patched local privilege escalation vulnerability, CVE-2019-0841 on Windows 10 and Windows 9 operating server.

The details of the zero-day have been published on GitHub and the account and repository from which the details were leaked are the same as the ones which attributed to the leaks of 8 other previously released zero-days. 

SandboxEscaper have been actively involved in leaking zero-day exploits since August 2018, some of the previously leaked zero-days are listed below:

LPE in Advanced Local Procedure Call (ALPC)
LPE in Microsoft Data Sharing (dssvc.dll)
LPE in the Windows Error Reporting (WER) system
LPE exploit in the Windows Task Scheduler process
Sandbox escape for Internet Explorer 11
Bypass of the CVE-2019-0841 protections
LPE targeting the Windows Installer folder

The hacker who recently exploited CVE-2019-0841 vulnerability which was patched by Microsoft in April can further install malicious programs, edit and delete data. The vulnerability can be executed by deleting all files, folders, and subfolders in the Edge Browser.

Commenting on the matter, Will Dormann, Vulnerability Analyst at the CERT/CC, says, “I’ve confirmed that this works on a fully-patched (latest May updates) Windows 10 (1809 and 1903) system. This exploit allows a normal desktop user to gain full control of a protected file.”

“Make sure you have multiple cores in your VM (not multiple processors, multiple \b cores\b0 ).\par. It’s going to increase the thread priority to increase our odds of winning the race condition that this exploits”

Basically, it requires the attacker to log in as a local user and then execute this exploit which triggers the vulnerability, which then allows the attacker to access and change system permissions and gain full control of the system making him act as the admin.