Search This Blog

Showing posts with label malware. Show all posts

Malware Sload Aiming Europe Again

 

Sload (also termed as Starslord loader) has proven to be one of the most destructive malware variants in recent years. It usually acts as a downloader, which is a computer virus that accumulates and exfiltrates data from an infected system in order to analyze the target and drop a more significant payload if the target is profitable. 

Sload has been active in Europe since at least 2018, with numerous vendors reporting assaults on targets in the United Kingdom and Italy. Instead of employing an executable or a malicious document to invade devices, the malware's developers have chosen to use scripts that are intrinsic to Windows operating systems such as VBS and PowerShell as an initial foothold, tricking users into executing them using spear phishing. 

The downloader is undergoing development and has gone through several iterations; the creator is continuously changing the first stage script but the main module remains basically unchanged. 

According to early reports, this virus downloads a PowerShell script, which then downloads and executes Sload, using a rogue LNK file (Windows shortcut). Later editions start with obfuscated WSF/VBS scripts that are frequently mutated to avoid detection by anti-virus software. The initial script used in attacks has a low VirusTotal score and is meant to get beyond complex security technologies like EDRs. 

This year, Minerva Labs has noticed Sload infections arriving from Italian endpoints. The script they found is an obfuscated WSF script that decodes a sequence of malicious commands and then secretly downloads and runs a remote payload in memory after being executed. 

The script does this by renaming legal Windows binaries, which is a straightforward evasion method. Both "bitsadmin.exe" and "Powershell.exe" are copied and renamed, with the former being used to download a malicious PowerShell script and the latter loading it into memory and executing it. 

The downloader's final payload varies, but it has been known to drop the Ramnit and Trickbot banking trojans, both of which are extremely dangerous malware that can lead to ransomware attacks. 

Latest Campaign by Molerats Hackers Target Middle Eastern Governments

 

After two months of break, a Middle Eastern advanced persistent-threat (APT) organization has resurfaced and is targeting government institutions in the Middle East -- global government bodies affiliated with geopolitics as a part of its recent malicious activities. 

Proofpoint, a company headquartered in Sunnyvale, ascribed this action to a politically motivated threat actor tracked as TA402, colloquially known as Molerats or GazaHackerTeam. 

TA402 is supposed to work for objectives that are consistent with military or Palestinian state goals. The threat actor has been operating for a decade with a history of compromising associations mainly in Israel and Palestine. The attacks covered verticals such as technology, telecoms, finance, the academy, the army, the media, and governments. 

The two months' break in the operation is not apparent, but the Proofpoint researchers have suggested that it could have played a part either in the holy month of Ramadan or in the recent incidents in the region as well as in the violence which followed in May. 

The current wave of attacks started with spear-phishing Arabic-listed emails carrying PDF files embedded in a geofenced malicious URL that can only selectively route victims to the password-protected file if the source IP address of these files is in the targeted Middle East nations. 

The beneficiaries outside of the target Group are relocated to benign websites like Al Akhbar (www.al-akhbar.com) and Al Jazeera (www.aljazeera.net), generally Arabic language news websites. 

The last step on the infection chain entailed an extraction of the archive to drop a customized implant named LastConn, which is a new version or upgrade of a backdoor called SharpStages that was revealed in December 2020 by Cybereason researcher, as Molerats espionage campaign targeting the Middle East. 

The LastConn is executed with a Decoy document, the malware relies largely on Dropbox API for downloading and executing cloud-hosted files in addition to arbitrary instructions and screenshots that are then returned to Dropbox. 

The continually expanding toolkit of TA402 emphasizes that the Group continues to develop and adapt tailored malware implants to sneak up past defenses and detect thwarts. 

"TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and working with government or other geopolitical entities in the Middle East," the researchers concluded. "It is likely TA402 continues its targeting largely focused on the Middle East region."

Joker Malware Targeting Android Users Again

 

Recently Joker virus has been discovered in a few Google Play Store apps. The malware infiltrates a user's device through applications, collects data, and then subscribes these users to premium memberships without the individual's consent or agreement. 

Since three years, the Joker Trojan malware has been discovered in Google Play Store apps. In July 2020, the Joker virus infected over 40 Android apps available on Google Play Store, forcing Google to remove the compromised apps from the Play Store. Users' data is stolen, including SMS, contact lists, device information, OTPs, and other major data.

Quick Heal Security Labs recently discovered 8 Joker malware on the Google Play Store. These eight apps were reported to Google, and the company has since deleted them all from its store. 

The following are the eight apps that have recently been discovered to be infected with the Joker Trojan virus and should be deleted from any Android device: 
-Auxiliary Message 
-Fast Magic SMS 
-Free CamScanner 
-Super Message 
-Element Scanner 
-Go Messages 
-Travel Wallpapers 
-Super SMS 

Through SMS messages, contact lists, and device information, the Joker Trojan collects information from the victim's device. The Trojan then interacts discreetly with advertising websites and, without the victim's knowledge, subscribes them to premium services. 

According to the Quick Heal report, these applications request notification access at launch, which is then utilised to obtain notification data. After that, the programme takes SMS data from the notification and requests Contacts access. When permission is granted, the app makes and manages phone calls. Afterwards, it keeps working without displaying any suspicious attacks to the user. 

“Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zcaler stated in a blog post.

'Vigilante Malware' Blocks Users From Downloading Pirated Software

 

Scientists have unearthed one of the most abnormal findings in the malware chronicles. It is a booby trap file that attempts to make the downloader a mouse and try to prevent future unauthorized downloads. 

Andrew Brandt, Sophos Labs Principal Investigator named the malware ‘Vigilante’. When the victim downloads and runs what appears to be pirated software or games, it gets installed. Behind the scenes, the malware reports the filename that was executed to an attacker-controlled server, along with the IP address of the victims’ computers. Lastly, Vigilante attempts to modify the victim’s computer to make piratebay.com and 1,000 other pirate sites inaccessible.

As web servers normally log a visitor's IP address, the hacker now has the access to both the pirate's IP address and the name of the software or movie that the victim attempted to use. While it is unknown what this information is used for, the attackers could share it with ISPs, copyright agencies, or even law enforcement agencies. 

“It’s really unusual to see something like this because there’s normally just one motive behind most malware: stealing stuff. Whether that’s passwords, or keystrokes, or cookies, or intellectual property, or access, or even CPU cycles to mine cryptocurrency, theft is the motive. But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals,” Brandt explained. 

Vigilante updates files on infected computers and hijacks them from connecting to The Pirate Bay and other Internet destinations known to be used by people who trade pirated software. Brandt has discovered some of the Trojans lurking in software packages available for Discord-hosted chat services. He found others disguised as popular games, productivity tools, and security products available through BitTorrent. 

“Pading an archive with a purposeless file of random length is an easy way to change the hash value of the archive. Filling it with a racist slur taught me everything I needed to know about its creator,” Brandt wrote on Twitter. 

Since Vigilante does not have a persistence technique, it means it has no solution to stay put in. Users who have been infected only want to edit their Hosts files to be disinfected. There are other strange things – Many Trojanized executable files are digitally signed using fake code signing tools. The signature contains a randomly generated 18-character uppercase and lowercase.

Operations of the LockBit Ransomware Group: A Quick Look

 

Researchers have investigated on how LockBit, one of the more recent ransomware organisations, operates. 

As per the instances this year, ransomware has emerged as one of the most disruptive forms of cybercrime. So far, the world has witnessed the Colonial Pipeline ransomware crisis, which resulted in fuel supply shortages throughout sections of the United States; continuous troubles with Ireland's national health care; and systematic interruption for meat processing major JBS as a result of the infection. 

By 2031, ransomware assaults are expected to cost $265 billion globally, and settlements are now routinely in the millions of dollars, as in the case of JBS. However, there is no guarantee that decryption keys are suitable for their intended use, or that paying once guarantees that a business will not be targeted again. 

According to a Cybereason report issued this week, up to 80% of organisations that were victimised by ransomware and paid the ransom have experienced a second attack, possibly by the same threat actors. 

The danger of ransomware to businesses and essential infrastructure has grown to the point where it was brought up during a meeting between US President Joe Biden and Russian President Vladimir Putin at the Geneva summit. 

Prodaft Threat Intelligence (PTI) published a study (.PDF) on LockBit and its affiliates on Friday. 

According to the study, LockBit, which was previously known as ABCD, uses a RaaS model to give affiliate groups a central control panel where they can produce new LockBit samples, monitor their victims, make blog articles, and view statistics on the success — or failure — of their attacks. 

LockBit affiliates frequently purchase Remote Desktop Protocol (RDP) access to servers as an initial attack vector, however, they may also employ traditional phishing and credential stuffing approaches. 

"Those kinds of tailored access services can be purchased in as low as $5," Prodaft says, "making this approach very lucrative for affiliates." 

Exploits are also utilised to attack vulnerable systems, including Fortinet VPN vulnerabilities on victim machine that have not been fixed. As per the forensic studies of machines attacked by LockBit affiliates, threat organisations will frequently try to find "mission-critical" systems first, such as NAS devices, backup servers, and domain controllers. The data is subsequently exfiltrated, and packages are typically uploaded to services such as MEGA's cloud storage platform. 

After that, a LockBit sample is manually installed, and files are encrypted using an AES key that is generated. Backups are erased, and the system wallpaper is replaced with a ransom notice with a link to a.onion website address where decryption software can be purchased. The website also offers a free decryption 'trial,' in which one file (less than 256KB in size) can be decoded. 

If victims contact attackers, a chat window in the LockBit panel is used to communicate with them. The ransom demand, payment date, method (typically in Bitcoin (BTC)), and directions on how to obtain bitcoin are frequently discussed. Prodaft gained access to the LockBit panel, which revealed affiliate usernames, victim counts, registration dates, and contact information. 

The study team stated that evidence in the affiliate names and addresses indicate that some may also be linked with Babuk and REvil, two other RaaS organisations; however, the inquiry is still ongoing. 

LockBit affiliates look for an average of $85,000 from each victim, with 10 to 30% of that going to the RaaS operators, and the ransomware has attacked thousands of machines around the world. The software and services industry accounted for more than 20% of the victims on the dashboard. 

"Commercial and professional services as well as the transportation sector also highly targeted by the LockBit group," Prodaft says. "However, it should be noted that the value of the ransom is determined by the affiliate after various checks using online services. This value does not solely depend on the sector of the victim." 

LockBit's leak site was unavailable at the time of publication. After breaking into LockBit's systems, the researchers decrypted all of the platform's accessible victims.

Tim Cook Claims Android has 47 Times the Amount of Malware as iOS

 

During a live chat, Apple CEO Tim Cook stated that Android has more malware than iOS and that "sideloading" mobile software is not in the "best interests of users." Sideloading apps entails manually downloading and installing software over the Internet rather than from an app store. Apple's security and privacy would be ruined if it were compelled to enable side-loading programmes, as Android does, he stated on June 16 while speaking remotely at the VivaTech 2021 conference in Paris, France. 

When asked about the planned European law known as the Digital Markets Act (DMA), which attempts to prohibit big digital corporations from monopolizing their market position, Cook stated that Apple opposes it because it would require the company to allow consumers to install apps outside of the App Store. Cook also stated that Android has "47 times more malware" than Apple since iOS is created with a single app store. 

Explaining the reason, Cook added, "It's because we've designed iOS in such a way that there's one app store and all of the apps are reviewed prior to going on the store. And so that keeps a lot of this malware stuff out of our ecosystem, and customers have told us very continuously how much they value that, and so we're going to be standing up for the user in the discussions." 

Cook further claimed that the DMA's present language, which will compel side-loading on the iPhone, will "destroy the security" of the smartphone and many of the App Store's privacy measures. 

DMA targets firms with a huge user base, such as Apple, Google, and Amazon, and encourages them to open up their platforms to competitors. The proposed rule also intends to provide a more level playing field for businesses and individuals who rely on large "gatekeeper" online platforms to sell their goods and services in a single market. 

“We've been focusing on privacy for over a decade,” Cook stated when asked about Apple's commitment to privacy. “We see it as a basic human right. A fundamental human right. And we've been focused on privacy for decades. Steve used to say privacy was stating in plain language what people are signing up for and getting their permission. And that permission should be asked repeatedly. We've always tried to live up to that.”

Unique TTPs Connect Hades Ransomware to New Threat Group

 

Researchers claim to have uncovered the origins of Hades ransomware's operators, as well as the unique tactics, methods, and procedures (TTPs) they use in their attacks. 

The Hades ransomware initially appeared in December 2020, following a series of attacks on a variety of institutions, but limited information about the culprits has been released to date. 

Gold Winter has been identified as the threat group behind the Hades ransomware, according to Secureworks' Counter Threat Unit (CTU). They also disclosed data about Gold Winter's actions that set it apart from other similar threat organizations, implying that it is a financially driven, most likely Russian-based "big game hunter" after high-value targets, primarily North American manufacture. 

The researchers stated, “Some third-party reporting attributes Hades to the Hafnium threat group, but CTU research does not support that attribution.” 

“Other reporting attributes Hades to the financially motivated Gold Drake threat group based on similarities to that group’s WastedLocker ransomware. Despite the use of similar application programming interface (API) calls, the CryptOne crypter, and some of the same commands, CTU researchers attribute Hades and WastedLocker to two distinct groups as of this publication” 

According to the researchers, the investigation of Gold Winter showed TTPs that were not found in other ransomware families, with some showing resemblance but with uncommon characteristics added.

As per the researchers, GoldWinter: 

- It names and shames victims, but it doesn't employ a centralized leak site to make stolen information public. Instead, Tor-based Hades websites appear to be personalized for each victim, including a victim-specific Tox chat ID for conversation. Tox instant messaging is a technique CTU researchers haven't seen in other ransomware families. 

- Is renowned for copying ransom notes from other high-profile families like REvil and Conti, substituting webpages with contact email addresses, and adding unique victim identifiers.

- Replaces randomly generated five-character strings for the victim ID and encrypted file extension with words—e.g., cypherpunk. 

- SocGholish malware disguised as a phoney Chrome update and single-factor authentication VPN access is used as first access vectors. 

- Deletes volume shadow copies using the “vssadmin.exe Delete Shadows/All/Quiet” command but uses a distinctive self-delete command with an unusual inclusion of a “wait for” command. 

Marcelle Lee, senior security researcher, CTU-CIC at Secureworks, tells CSO, “Typically when we see a variety of playbooks used around particular ransomware, it points to the ransomware being delivered as ransomware-as-a-service (RaaS) with different pockets of threat actors using their own methods. We do not, however, think that is the case with Hades.” It is most likely that Gold Winter operates as a private ransomware group, she added.

It is also possible that Gold Winter has been organized by another threat group to throw law enforcement and researchers off their trail, Lee continues. 

For Hades, Lee suggests adopting common ransomware defense and mitigation strategies: Implement an endpoint detection and response solution, as well as multi-factor authentication for internet-facing devices and for user apps, as well as efficient asset management. She also suggests efficient patch management and membership to customized threat intelligence to raise awareness of emerging dangers and have a tested incident plan and team.

3.2 Million PCs Compromised in a Malware Campaign

 

Security researchers at Nordlocker have discovered that 1.2 terabytes of personal details and information were stolen through a customized malware strain which was largely spread through illegal software, including pirated games and a cracked version of Adobe Photoshop. 

Between 2018 and 2020 the malware had infected 3.2 million PCs and stole over 6 million files from infected Desktop and Downloads folders. The stolen files were mostly made up of three million text files, 900,000 image files, and 600,000+ Word files. Inside the treasure trove of stolen data were 1.1 million unique email addresses and 26 million login credentials, among other things.

“Screenshots made by the malware reveal that it spread via illegal software (Adobe Photoshop), Windows cracking tools, and pirated games. Moreover, the malware also photographed the user if the device had a webcam," NordLocker said.

Researchers said cybercriminal gang accidentally revealed the location of the database containing the stolen data, and once NordLocker was privy, it worked with a third-party company that specializes in researching data breaches to evaluate the database's contents. 

Researchers warn that custom malware such as this is particularly dangerous, noting that they are “cheap, customizable, and can be found all over the web.” They note that custom malware can be purchased at very low prices and often include tutorials on how to use stolen data, meaning that individuals should be incredibly careful when accessing files online.

This particular malware campaign does not have a name, in part because it flew under the radar while active, then presumably disappeared. According to NordLocker, nameless (or custom) trojans like this one is hawked on the dark web in forums and private chats, sometimes for no more than $100.

"Their low profile often helps these viruses stay undetected and their creators unpunished...It's a booming market where the creator sells the malware, teaches the buyer how to use it, and even shows how to profit off the stolen data," NordLocker says. 

Nordlocker recommended using a variety of methods to keep yourself and your data safe, including clearing your cookies every month and only installing software from developer websites and well-known sources.

Nefilm Ransomware Group Eyes for $1bn+ Revenue Companies

 


On Tuesday, Trend Micro released a case study analyzing Nefilim, a ransomware gang that the researchers believe is or was once linked with Nemty as a ransomware-as-a-service (RaaS) outfit. 

Nemty first surfaced in 2019 together with Sentinel Labs, Trend Micro claims that Nefilim first surfaced in March 2020. Both actors, named "Water Roc" by the firm, offered RaaS subscription services with a 70/30 split, with margins dropping to 90/10 when high-profile victims were snatched by affiliates. 

According to Trend Micro, Nefilim looks for vulnerabilities in exposed Remote Desktop Services (RDP) services and public proof-of-concept (PoC) exploit code. The two known vulnerabilities, CVE-2019-19781 and CVE-2019-11634 in Citrix gateway devices were patched in 2020. When unpatched services are discovered, however, exploit code is run and first access is gained. Nefilim starts by downloading a Cobalt Strike beacon, Process Hacker (for terminating endpoint security agents), Mimikatz credentials dumper, and other tools. 

Nefilim was also able to exploit CVE-2017-0213, an outdated weakness in Windows Component Object Model (COM) software, in one case reported by the researchers. Even though a patch was released in 2017, the problem remained, allowing the group to raise their powers to administrator levels. 

For lateral movement and access to corporate networks, ransomware operators may use stolen or easily forced credentials and MEGAsync could be used to steal data during an assault. The ransomware Nefilim will then be installed and begin encrypting data. Although the extensions differ, the group has been related to the extensions .Nephilim, Merin, and .Off-White. 

For each file queued for encryption, a random AES key is produced. The malware will then use a fixed RC4 key to decrypt a ransom note, which provides email addresses for victims to reach them regarding payment. 

The researchers stated, "To enable file decryption in case the victim pays the ransom amount, the malware encrypts the generated AES key with a fixed RSA public key and appends it to the encrypted file. To date, only the attackers can decrypt this scheme as they alone own the paired private RSA key." 

When it comes to victims, Nefilim has been linked to assaults against companies with yearly revenues of $1 billion or more; nevertheless, the malware's operators have also affected small companies. The majority of victims are in the US, followed by Europe, Asia, and Oceania. 

Trend Micro reported, "Modern attackers have moved on from widespread mass-mailed indiscriminate ransomware to a new model that is much more dangerous." 

"Today, corporations are subject to these new APT-level ransomware attacks. In fact, they can be worse than APTs because ransomware often ends up destroying data, whereas information-stealing APTs are almost never destructive. There is a more pressing need to defend organizations against ransomware attacks, and now, the stakes are much higher."

This Malware that Uses Steam Profile Images to Hide Itself

 

In May 2021, a researcher tweeted about a new malware that hides itself inside Steam profile photos. Except for a warning that the length of the ICC profile data is not acceptable, common online EXIF tools don't provide anything significant about the image. Because the malware is stored in encrypted form inside the PropertyTagICCProfile value instead of an ICC profile. The goal of an ICC profile is to appropriately map colours for output devices like printers. 

Valve's Steam is a video game digital distribution platform. In September 2003, it was released as a separate software client as a mechanism for Valve to give automatic updates for their games, and it was later expanded to include games from third-party publishers. Digital rights management (DRM), server hosting, video streaming, and social networking services are all available through Steam. It also includes community features such as friends lists and groups, cloud storage, and in-game voice and chat functions, as well as game installation and automatic updates.

While concealing malware in the metadata of an image file is not a novel concept, leveraging a gaming platform like Steam has never been done before. This strategy makes sense from the attacker's perspective: It's as simple as updating a profile image file to remove the infection. There are also a lot of valid accounts, and blacklisting the Steam platform would have a lot of unintended consequences. 

It should be emphasised that no installation of Steam – or any other game platform – is required to become a target for this strategy. The Steam platform only acts as a medium for the malicious file to be distributed.  

An external component, which only sees the profile image on one Steam profile, does the hard lifting in terms of downloading, unpacking, and executing the malicious payload. This payload can be transmitted by a variety of methods, including manipulated emails and infected websites. 

The Steam profile image is neither contagious or executable in any way. It acts as a vehicle for the malware itself. It requires the extraction of a second malware. This malware sample's second component is a downloader. It uses TripleDES to decode the payload from the picture and has the password "PjlDbzxS#;8@x.3JT&4MsTqE0" hardcoded.

New Evil Corp Ransomware Disguised as PayloadBin to Avoid Sanctions

 

The new PayloadBIN ransomware has been linked to the Evil Corp cybercrime gang, which rebranded to avoid US Treasury Department restrictions issued by the Office of Foreign Assets Control (OFAC). The Evil Corp gang, also known as the Indrik Spider and the Dridex gang, began as a ZeuS botnet affiliate. They eventually organized a group dedicated to disseminating the Dridex banking virus and downloader via phishing emails. 

According to the FBI, Dridex was used to steal more than $100 million from banks in more than 40 nations. Following that, the software was utilized as a loader to install the BitPaymer ransomware on victims' computers. Two Russian nationals, Maksim Yakubets and Igor Turashev were indicted by a US grand jury in December 2019 for allegedly running Evil Corp. 

Yakubets was functioning "as Evil Corp's head and is answerable for overseeing the group's illicit cyber activities," the Treasury Department claimed at the time, after assisting with money laundering and the GameOver/Zeus botnet and malware operation. It said Yukabets had been working for Russia's Federal Security Service, or FSB, since at least 2017, and that it had previously sanctioned the FSB for assaults against US targets. It also announced a $5 million reward for information leading to his apprehension. 

The Babuk gang said that they would stop using ransomware encryption and instead focus on data theft and extortion after breaching the Metropolitan Police Department in Washington, DC, and taking unencrypted data. The Babuk data leak site had a graphic makeover at the end of May, and the ransomware gang rebranded as 'payload bin.' 

On Thursday, BleepingComputer discovered PayloadBIN, a new ransomware strain linked to the rebranding of Babuk Locker. When the ransomware is installed, the ransomware will append the . PAYLOADBIN extension to encrypted files. The ransom message is also known as 'PAYLOADBIN-README.txt,' and it claims that the victim's "networks are LOCKED with PAYLOADBIN ransomware." 

BleepingComputer suspected Babuk of lying about their plans to move away from ransomware and relaunched under a new name after discovering the sample. After examining the new ransomware, both Emsisoft's Fabian Wosar and ID Ransomware's Michael Gillespie confirmed that it is a rebranding of Evil Corp's prior ransomware operations.

TeamTNT Targeting Organizations Via Cryptojacking Malware

 

A cybercriminal gang known as TeamTNT has been ramping up its cloud-focused cryptojacking operations for some time now. TeamTNT operations have targeted Kubernetes clusters due to their wide usage and are an attractive target for threat actors running primarily in cloud environments with access to nearly infinite resources.

Attackers have also designed new malware called Black-T that unites open-source cloud-native tools to assist in their cryptojacking operations. Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible, leading to malicious activity. 

Palo Alto’s Unit 42 researchers have discovered and confirmed close to 50,000 IPs compromised by this malicious campaign perpetrated by TeamTNT across multiple clusters. Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May. Most of the compromised nodes were from China and the US — identified in the ISP (Internet Service Provider) list, which had Chinese and US-based providers as the highest hits, including some CSPs (Cloud Service Providers)

TeamTNT has gathered 6.52012192 Monero coins via a cryptojacking campaign, which is equal to USD 1,788. The mining operation was found to be operating at an average speed of 77.7KH/s across eight mining workers. Operations using this Monero wallet address have continued for 114 days and are still operating. 

The researchers said TeamTNT’s new campaign is the most sophisticated malware Unit 42 has seen from this gang. They said on this round the threat actor developed more sophisticated tactics for initial access, execution, defense evasion, and command and control. Although the malware is still under development and the campaign has not spread widely, Unit 42 believes the attacker will soon improve the tools and start a large-scale deployment. 

Team TNT has stolen the credentials of 16 applications, including those of AWS and Google Cloud credentials, which may be stored on the compromised cloud instance if downloaded. The presence of Google Cloud credentials being targeted for collections represents the first known instance of an attacker group targeting IAM credentials on compromised cloud instances outside of AWS. 

Researchers believe that Microsoft Azure, Alibaba Cloud, Oracle Cloud, or IBM Cloud IAM credentials could be targeted using similar methods. Unit 42 researchers are yet to find evidence of credentials from these cloud service providers (CSPs) being targeted. TeamTNT first started collecting AWS credentials on cloud instances they had compromised as early as August 2020.

DOJ Charges Latvian National for Helping Develop the Trickbot Malware

 

The US Department of Justice has charged a Latvian woman for her alleged role in developing the Trickbot malware, which was responsible for infecting millions of computers, targeting schools, hospitals, public utilities, and governments. 

After being arrested on February 6 in Miami, Florida, Alla Witte (aka Max) was charged with 19 counts of a 47-count indictment. 

The DOJ said in a press release, Witte created the code used by Trickbot malware to control, launch, and manage ransomware payments. Witte is also said to have given the Trickbot Group the code required to track and monitor approved malware users and the tools and protocols needed to store login credentials obtained from victims' networks. 

The FBI's Cleveland Office and the Department of Justice's Ransomware and Digital Extortion Task Force investigated the case, which was formed to combat the rising number of ransomware and digital extortion attacks. 

FBI special agent Eric B. Smith said. In a statement, "Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems.

Trickbot is a malware variant that was first discovered in October 2016 as a modular banking trojan and has subsequently been updated with new modules and capabilities. 

Microsoft and many partners reported on October 12 that they had taken down certain Trickbot C2s. Before the presidential election, the US Cyber Command apparently tried to destroy the botnet by sending infected devices a configuration file that cut them off from the botnet's C2 servers. Despite these concerted attacks on TrickBot's infrastructure, the TrickBot gang's botnet remains alive, and new malware builds are continually being released. 

The TrickBot gang is renowned for spreading the ransomware Ryuk and Conti onto the networks of valuable business targets. According to Deputy Attorney General Lisa O. Monaco, Trickbot penetrated millions of victim computers throughout the world, harvesting banking information and delivering ransomware. 

"The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad," Acting US Attorney Bridget M. Brennan of the Northern District of Ohio added.

VMware Becomes New Target of FreakOut Malware

 

A new dangerous "Freakout" alias malware campaign has just targeted unpatched Linux workstations that handle Network Attached Storage (NAS) and run some PHP- and Java-listed Web application frameworks. 

FreakOut Botnet reappeared for the first time in November 2020 with a fresh range of attacks in January 2021. This malware targets the data storage units of TerraMaster and the web apps built on top of the Zend PHP framework along with the websites running the Liferay portal content management system. 

This Pythons-based multi-platform malware that has previously targeted Windows and Linux systems has been updated to make it to internet-exposed VMware vCenter servers that are unpatched against a vulnerability in remote code execution. 

This vulnerability in the VMware vCenter plug-in (CVE-2021-21972) for vRealize Operations (vROps) is very noteworthy since it affects the standard installation of the vCenter Server. As revealed by Shodan and BinaryEdge, thousands of unpatched vCenter servers are currently accessible via the Internet. 

FreakOut spreads to an IRC botnet managed by masters, exploiting a widespread variety of OS and apps vulnerabilities and demanding passwords over SSH. The key malware features allow operators to launch DDoS attacks, backdoor affected devices, network traffic sniff and steal data, and deploy XMRig miners to mine for Monero. 

"Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notable vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," Cisco Talos security researcher Vanja Svajcer said. 

While the programmers of FreakOut are striving since early May to move a step forward in the malware spreading capabilities, when the activity of the botnet unexpectedly skyrocketed, to improve virus spreads. 

FreakOut bots scan for new systems, either by generating network ranges arbitrarily or by using the instructions of its masters which are communicated to IRC via the control server. The bot tries to use one of the integrated vulnerabilities or log in to a hard-coded list of SSH passwords for every IP address in the lists of scans. 

VMware vulnerabilities in ransomware attacks on business networks were also exploited in the past. As disclosed by Cisco Talos, FreakOut operators also showed that they have been constantly experimenting with different malicious loads using bespoke ransomware. 

"Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot. This increases its chances of spreading and infecting systems," Svajcer added. 

"Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems."

Myanmar President’s Office Hacked for the Second Time

 

A cyber-espionage hacking gang is suspected of breaking into the Myanmar president's office website and injecting a backdoor trojan into a customized Myanmar font package accessible for download on the home page. ESET, a Slovak security firm, discovered the attack on Wednesday, June 02, 2021. 

The software employed in the attack resembles malware strains used in previous spear-phishing efforts intended at Myanmar targets by a Chinese state-sponsored hacker outfit known as Mustang Panda, RedEcho, or Bronze President, according to researchers. 

Mustang Panda is mostly focused on non-governmental organizations (NGOs). It employs Mongolian language decoys and themes, as well as shared malware such as Poison Ivy and PlugX, to attack its targets. Their attack chain looks something like this: 

• A malicious link is disguised using the goo.gl link shortening tool and sent to a Google Drive folder.

• When you click on the Google Drive link, you'll be taken to a zip file that contains a.Ink file disguised as a.pdf file. 

• The user is redirected to a Windows Scripting Component (.wsc) file when they open the file. This file can be found on a malicious microblogging website.
 
• A VBScript and a PowerShell script from the Twitter page are included in the.Ink file to get the fake PDF file. 
 
• A Cobalt Strike (https://know.netenrich.com/threatintel/malware/Cobalt % 20Strike) payload is created by the PowerShell script. 

• The threat actor can operate the system remotely using Cobalt Strike's connection to the command-and-control IP address. 

Mustang Panda has a history of carefully constructed email-based attacks; for this operation, the gang appears to have modified a Myanmar Unicode font package available for download on the Myanmar presidency's website. “In the archive, attackers added a Cobalt Strike loader [named] Acrobat.dll, that loads a Cobalt Strike shellcode,” the ESET team wrote in a Twitter thread. 

This loader, according to researchers, pings a command and control (C&C) server at 95.217.1[.]81. The loader resembled other malware copies that had previously been transmitted as file attachments in spear-phishing efforts directed at Myanmar targets.

The archives show signs of an advanced and stealthy cyber-espionage operation hidden in files named “NUG Meeting Report.zip,” “Proposed Talking Points for ASEAN-Japan Summit.rar,” “MMRS Geneva,” “2021-03-11.lnk,” and “MOHS-3-covid.rar,” even if ESET said it has yet to officially confirm Mustang Panda's involvement beyond a doubt.

This is the second time the Myanmar president's office has been hacked in order to launch a watering hole attack. The first incident occurred between November 2014 and May 2015, when the site was used to disseminate a version of the EvilGrab malware by another alleged Chinese cyber-espionage group.

How Threat Actors Try and Bypass Microsoft's Antimalware Scan Interface (AMSI)?

 

With Windows 10 and recent Windows Server platforms gaining importance, the purpose of malware developers and other cybercriminals is progressively targeted to prevent detection, by removing the anti-malware traffic cop from these platforms: Microsoft's Antimalware Scan Interface. 

AMSI, launched in 2015, offers software for communicating to security devices for file scanning, memory scanning or streaming in a supplier-agnostics manner for dangerous payloads. AMSI allows permeability of anti-malware software on Microsoft components and apps, including Windows' PowerShell engine/script hosts (wscript.exe and cscript.exe), Office document macros, the existing.NET Framework (version 4.8), and Windows Management Instrumentation (WMI) — frequently used by adversaries in “living off the land” (LOL) strategies. 

AMSI has recently been improved to integrate Excel 4.0 (XLM) macro scanning in the integration of Office 365 in an attempt to address the surge in malicious macros in an infection vector. 

Sophos experts investigated the methods used to circumvent or deactivate AMSI and stated on Wednesday that threat actors will try everything from living-off-the-ground strategies to file free attacks. 

In a 2016 tweet by the security expert Matt Graeber, the possibility of AMSI-button circumvention was emphasized, Sophos said that a single line of code has swapped the PowerShell feature for AMSI integration and may have theoretically halted PowerShell-based processes from requesting scans. 

Most post-exploitation operations, especially lateral moving, seemed concentrated on detections made between 2020 and 2021. 

The very same bypass was identified back to a specific occurrence, tied to attacks using the Proxy Logon that connected to a remote server to capture a malware downloader based on PowerShell. 

The usage of a Seatbelt, an aggressive security mechanism, is another approach used to overcome AMSI. To build a delegate process using reflecting to access the .NET interface for AmsiUtils, the PowerShell script was utilized. 

Sophos notes, nevertheless, that more than 98% of AMSI circumvention efforts are carried just via manipulating the AMSI library. A variety of malware variants are present that will try to discover the pre-loaded Memory AmsiScanBuffer and then rewrite over instructions to ensure that scanning requests fail. 

The memory element that stores the code to return the buffer scans results may be modified by other versions, leading to a failure. 

Additional tactics include Cobalt Strike – This memory patch approach comes with a PowerShell invoked remote scripts in a PowerShell pre-patch in the Agent Tesla Trojan family, amongst others. One way is to fabricate DLLs to load a false AMSI version from PowerShell. Also, DLL has been an old method and now it's impossible to load unapproved engines, or in most cases virtual machines, because of better Microsoft security (VMs). 

"Given how prevalent those tactics have become, particularly in ransomware operator intrusions, AMSI can play a particularly important role in keeping Windows 10 and Windows Server systems from being compromised," Sophos says. "But AMSI is not a panacea. And while Microsoft's Windows Defender provides some protection against AMSI bypasses, attackers are continuously finding ways to obfuscate and conceal malicious content from anti-malware signature detections."

BazaLoader Malware is Being Distributed by Hackers Using a Bogus Streaming Website

 

Proofpoint identified the phishing attempt in early May, which entailed hackers creating a phoney movie-streaming website named BravoMovies and stocking it with phoney movie posters and other materials to make it appear real to unwary visitors. It has nothing to offer for download other than BazaLoader malware, despite its pretty pictures and fun-sounding titles. BazaLoader is a malware loader that is used to spread ransomware and other types of malware, as well as steal sensitive data from infected computers. 

"BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot," the security firm said. 

The BravoMovies campaign employs a complex infection chain similar to that employed by BazaLoader affiliates, who entice their victims to jump through a series of hurdles in order to activate malware payloads. It starts with an email informing recipients that their credit cards would be debited until they cancel their subscription to the service, which they never agreed to. 

The email includes a phone number for a call center with live people on the other end of the line, ready to send consumers to a website where they may purportedly cancel the phoney movie-streaming subscription. Those who fall for the trick, on the other hand, are directed to download a boobytrapped Excel spreadsheet that will trigger macros that will download BazaLoader. 

The call-center staff advises their customers to the BravoMovies website, where they should go to the Frequently Asked Questions page and unsubscribe using the "Subscription" page. They'll then be directed to download an Excel spreadsheet. If BazaLoader is enabled, the macros on the Excel sheet will download it. The second-stage payload in this campaign has yet to be discovered, according to Proofpoint experts. 

Proofpoint researchers first noticed the use of BazaLoader in February 2021, when a pre-Day Valentine's malware assault supplied lures to bogus flower and lingerie stores. It's also been spotted in a campaign for subscription pharmaceutical services.

Kaspersky detected a new method of cyber attacks on corporate data

Kaspersky Lab noted that the new attacks differ from cyberattacks using encryption viruses in that the scammers do not use specially created malware, but the standard BitLocker Drive Encryption technology included in the Windows operating system. Several Russian companies have been hit by ransomware attacks that have blocked access to corporate data and demanded a ransom.

The company explained that scammers get into the corporate network with the help of phishing emails that are sent on behalf of different companies in order to obtain user data or vulnerabilities in the system. After that, they find the BitLocker function in the control panel, perform encryption, and assign themselves the keys, usernames, and passwords that this program generates.

As the company said, as soon as the scammers get access to the server, which contains information about all corporate devices, they can completely encrypt the IT infrastructure of the organization.

Sergey Golovanov, the chief expert at Kaspersky Lab, explained that it is now difficult to estimate the actual number of attacks since the attackers use standard operating system tools.

"At this stage, we can assume that this is not a targeted campaign: the attacked companies are not similar both in size and in areas of activity," the expert said. According to Mr. Golovanov, scammers make phishing emails without taking into account the specifics of the enterprise and are widespread.

Earlier, Kaspersky Lab recorded hacker attacks on ten Russian financial and transport companies using a previously unknown Quoter ransomware program, as well as phishing emails with a banking Trojan program. The hackers sent out phishing emails with topics such as "Request for refund" or "Copies of Last Month's documents". As soon as the recipient clicked on the link or opened the attachment, a malicious RTM Trojan was downloaded to their device.

This Entertainment-Themed Campaign Installs Malware in User Computer System

 

A popular phishing campaign tries to somehow get users to believe that they've enrolled in the film streaming platform to force customers to call on a phone number for cancellation – a technique that contains BazaLoader malware that harms the computer. 

BazaLoader is a C++ downloader for installing and performing other modules. In April 2020, BazaLoader was first observed by Proofpoint. 

BazaLoader develops a backdoor on Windows machines that could be exploited to provide initial access to other malware attacks - even ransomware. Ryuk Ransomware is generally delivered through BazaLoader, which can have severely harmful consequences to a successful compromise amongst cybercriminals. The operation of BazaLoader demands important human contact in the implementation and installation of the BazaLoader backdoor. 

The operator of the threat used customer service agents to lead victims to download and install the malware unwittingly. This campaign represents a broader pattern used as part of a sophisticated attack chain by BazaLoader threat actors that use call centers. 

The initial stage of the effort, which is detailed by cybersecurity investigators at Proofpoint, involves distributing tens of thousands of phishing emails affirming to come from 'BravoMovies,' a bogus movie streaming platform created by cybercriminals themselves. 

The site seems plausible and people behind it generated false film posters utilizing open-source pictures that are available online – but the way the site has numerous orthographic mistakes can suggest that something must be wrong if one looks very carefully. 

The email received states that the victim has subscribed and charged $39.99 a month - but if they contact a support number, that suspected subscription may be terminated. 

When the user contacts the number to which they are associated, the "customer service" professional claims to walk them through the withdrawal procedure – but what they are doing tells the unwitting victim how they may install BazaLoader on their computer systems. 

These are done by directing the caller to a "Subscription" website, wherein part of the procedure invites users to click a Microsoft Excel downloading link. This document contains macros that will silently upload BazaLoader to the system if it is activated, spreading malware on the victim's PC. 

"Malicious attachments are often blocked by threat detection software. By directing people to phone the call center as part of the attack chain, the threat actors can bypass threat detection mechanisms that would otherwise flag its attachments as spam," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. 

"Social engineering is the key to this attack chain and threat actors depend upon their social engineering lures to cause recipients to take any action to complete the attack chain and get the malware on the target's machine," said DeGrippo further added. 

It should also be pointed out that while getting an e-mail claiming that the user's credit card will be billed if they do not answer, with the creation of a sense of urgency such as this is a common method employed in phishing operations to make a user obey instructions.

JSWorm: A Notorious Ransomware

 

The ransomware threat environment has been shifting over the last few years. Following the major ransomware outbreaks of 2017, such as WannaCry, NotPetya, and Bad Rabbit, many ransomware actors have switched to the covert yet the lucrative strategy of "big-game hunting." The news of ransomware triggering a service interruption at a multinational enterprise has become commonplace. 

Since the discovery of JSWorm ransomware in 2019, numerous variants have gained popularity under various names such as Nemty, Nefilim, Offwhite, and others. As part of each “rebranded” edition, several versions were released that changed various aspects of the code, renamed file extensions, cryptographic schemes, and encryption keys. 

JSWorm is a ransomware variant of the GusCrypter malware family. Its purpose is to extort money from victims by encrypting all personal data and requesting a ransom for the decryption key. It's a member of the GusCrypter clan. JSWorm is typically transmitted via spam email attachments. 

The malware also leaves a ransom note, JSWORM-DECRYPT.html, instructing victims to contact criminals via the NIGER1253@COCK.LI email address if they want their data back. Since JSWorm belongs to a well-known ransomware family, it's possible that the encryption will be permanent. 

Although JSWorm ransomware does not encrypt system files, it does modify your system in other ways. As a result of the altered Windows Registry values, ransomware is launched every time the user restarts the device. These modifications, however, are made after the encryption and ransom demand have been completed. 

JSWorm was available as a public RaaS from its inception in 2019 until the first half of 2020, and it was observed spreading through the RIG exploit kit, the Trik botnet, fake payment websites, and spam campaigns. The public RaaS was closed in the first half of 2020, and the operators turned to big-game hunting. An initial intrusion was discovered thanks to the use of weak server-side applications (Citrix ADC) and insecure RDP access. 

The files are encrypted with a 256-bit key using a custom modification of the Blowfish cypher. The key is generated by concatenating the strings user name, system MAC address, and volume serial number at the start of the programme execution. The content of each of the victim's files is encrypted using a custom version of Blowfish. The encryption is limited to 100,000 bytes, most likely to speed up the encryption of large files. The initial data is overwritten by the encrypted data.