This is a valid RSS feed.

Source: https://decoded.avast.io/feed/

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>

<channel>
<title>Avast Threat Labs</title>
<atom:link href="https://decoded.avast.io/feed/" rel="self" type="application/rss+xml" />
<link>https://decoded.avast.io/</link>
<description>Uncovering Tactics, Techniques and Procedures of malicious actors</description>
<lastBuildDate>Thu, 13 Feb 2025 12:03:06 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<generator>https://wordpress.org/?v=6.6.2</generator>

<image>
<url>https://decoded.avast.io/wp-content/uploads/sites/2/2019/07/cropped-Asset-25ldpi-32x32.png</url>
<title>Avast Threat Labs</title>
<link>https://decoded.avast.io/</link>
<width>32</width>
<height>32</height>
</image>
<item>
<title>Out with the Old, In with the Bold: Gen Threat Labs</title>
<link>https://decoded.avast.io/salat/out-with-the-old-in-with-the-bold-gen-threat-labs/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=out-with-the-old-in-with-the-bold-gen-threat-labs</link>
<dc:creator><![CDATA[Michal Salát]]></dc:creator>
<pubDate>Thu, 13 Feb 2025 16:00:00 +0000</pubDate>
<category><![CDATA[Mobile]]></category>
<category><![CDATA[PC]]></category>
<category><![CDATA[Reports]]></category>
<category><![CDATA[desktop]]></category>
<category><![CDATA[malware]]></category>
<category><![CDATA[mobile]]></category>
<category><![CDATA[report]]></category>
<category><![CDATA[risk]]></category>
<category><![CDATA[threats]]></category>
<guid isPermaLink="false">https://decoded.avast.io/?p=8857</guid>

<description><![CDATA[<p>For years, Avast Decoded has been your go-to for the latest in cybersecurity insights and research. But as cybercriminals evolve, so do we. Starting now, our groundbreaking research, expert analysis and the stories that keep the digital world safe are moving to one place: the Gen Insights Blog. By uniting our expertise under the Gen [&#8230;]</p>
<p>The post <a href="https://decoded.avast.io/salat/out-with-the-old-in-with-the-bold-gen-threat-labs/">Out with the Old, In with the Bold: Gen Threat Labs</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
]]></description>
<content:encoded><![CDATA[
<p>For years, Avast Decoded has been your go-to for the latest in cybersecurity insights and research. But as cybercriminals evolve, so do we. Starting now, our groundbreaking research, expert analysis and the stories that keep the digital world safe are moving to one place: the <a href="https://www.gendigital.com/blog/insights" target="_blank" rel="noreferrer noopener">Gen Insights Blog</a>.</p>

<p>By uniting our expertise under the Gen brand, we’re amplifying our reach and impact, bringing you the most comprehensive look at the evolving threat landscape.</p>

<p>Our global team of researchers spans trusted cybersecurity brands like Norton, Avast, LifeLock, Avira, AVG, and more. Together, we’re covering a broader range of critical topics—scams, deepfakes, digital identity theft, ransomware, and beyond. It’s a new look, a broader scope, and a deeper commitment to protecting Digital Freedom.</p>

<p>Our latest <a href="https://www.gendigital.com/blog/insights/reports/threat-report-q4-2024" target="_blank" rel="noreferrer noopener">Q4/2024 Threat Report</a> proves why this move matters. Here’s a taste of what we uncovered:</p>

<ul class="wp-block-list">
<li>2.55 billion threats blocked – that’s 321 attacks every second.</li>
<li>Social media = scam central – 56% of all social media threats came from Facebook alone.</li>
<li>Deepfake crypto scams exploded – one campaign stole over $7M using AI-generated videos.</li>
<li>Mobile malware is getting smarter – banking trojans surged, spyware disguised as loan apps is extorting victims.</li>
<li>Ransomware jumped another 50% – and it’s not slowing down.</li>
</ul>

<p>These insights are just the beginning. The <a href="https://www.gendigital.com/blog/insights" target="_blank" rel="noreferrer noopener">Gen Insights Blog</a> will now be your hub for everything from cutting-edge research to actionable tips from our Gen Threat Labs team. Want to understand how AI is reshaping scams? Curious about the latest defenses against ransomware? It’s all here — and it’s more dynamic, insightful and forward-looking than ever before.</p>

<p>Don’t miss a beat.<strong> Read the full <a href="https://www.gendigital.com/blog/insights/reports/threat-report-q4-2024" target="_blank" rel="noreferrer noopener">Q4/2024 Threat Report</a> now</strong>.</p>

<p>To stay up to date with the latest news, insights and research, subscribe to the Gen Insights RSS feed.</p>

<p>Welcome to the next chapter of Cyber Safety. <img src="https://s.w.org/images/core/emoji/15.0.3/72x72/1f510.png" alt="🔐" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>
<p>The post <a href="https://decoded.avast.io/salat/out-with-the-old-in-with-the-bold-gen-threat-labs/">Out with the Old, In with the Bold: Gen Threat Labs</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
]]></content:encoded>
</item>
<item>
<title>Predictions 2025: The Future of Cybersecurity Unveiled</title>
<link>https://decoded.avast.io/threatintel/predictions-2025-the-future-of-cybersecurity-unveiled/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=predictions-2025-the-future-of-cybersecurity-unveiled</link>
<dc:creator><![CDATA[Threat Intelligence Team]]></dc:creator>
<pubDate>Wed, 04 Dec 2024 13:05:41 +0000</pubDate>
<category><![CDATA[Other/Research]]></category>
<category><![CDATA[PC]]></category>
<category><![CDATA[Reports]]></category>
<category><![CDATA[predictions]]></category>
<category><![CDATA[threats]]></category>
<guid isPermaLink="false">https://decoded.avast.io/?p=8850</guid>

<description><![CDATA[<p>The digital world is evolving at breakneck speed. In 2025, we’re set to witness transformative changes in cybersecurity that will redefine trust, security, and how we navigate our digital lives. Here’s what we see coming: Read the full blog to explore the trends in depth. The future of cybersecurity will demand both solutions and vigilance. [&#8230;]</p>
<p>The post <a href="https://decoded.avast.io/threatintel/predictions-2025-the-future-of-cybersecurity-unveiled/">Predictions 2025: The Future of Cybersecurity Unveiled</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
]]></description>
<content:encoded><![CDATA[
<p>The digital world is evolving at breakneck speed. In 2025, we’re set to witness transformative changes in cybersecurity that will redefine trust, security, and how we navigate our digital lives.</p>

<p>Here’s what we see coming:</p>

<ul class="wp-block-list">
<li><strong>AI Blurs Reality</strong>: Hyper-personalized AI experiences will raise questions about truth, ethics, and independent thought.</li>
<li><strong>Deepfake Evolution</strong>: Sophisticated forgeries will make it harder to distinguish real from fake, eroding trust in visual and audio content.</li>
<li><strong>Hyper-Personalized Scams</strong>: Cybercriminals will craft highly targeted attacks using personal data and social engineering.</li>
<li><strong>Financial Fraud Takes New Forms</strong>: From deepfake scams to physical coercion, financial theft will span the digital and physical worlds.</li>
<li><strong>Data Theft on the Rise</strong>: Forgotten accounts and large-scale breaches will fuel increasingly precise and damaging attacks.</li>
</ul>

<p>Read the <a href="https://www.gendigital.com/blog/insights/leadership-perspectives/predictions-2025" target="_blank" rel="noreferrer noopener">full blog</a> to explore the trends in depth.</p>

<p>The future of cybersecurity will demand both solutions and vigilance. It’s a landscape where trust and innovation must coexist and where preparation is our strongest defense.</p>

<p>At Gen, we’re committed to powering digital freedom for individuals, families, and businesses, no matter what challenges lie ahead.</p>
<p>The post <a href="https://decoded.avast.io/threatintel/predictions-2025-the-future-of-cybersecurity-unveiled/">Predictions 2025: The Future of Cybersecurity Unveiled</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
]]></content:encoded>
</item>
<item>
<title>Gen Q3/2024 Threat Report</title>
<link>https://decoded.avast.io/threatresearch/gen-q3-2024-threat-report/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=gen-q3-2024-threat-report</link>
<dc:creator><![CDATA[Threat Research Team]]></dc:creator>
<pubDate>Tue, 19 Nov 2024 13:30:00 +0000</pubDate>
<category><![CDATA[Mobile]]></category>
<category><![CDATA[PC]]></category>
<category><![CDATA[Reports]]></category>
<category><![CDATA[desktop]]></category>
<category><![CDATA[malware]]></category>
<category><![CDATA[mobile]]></category>
<category><![CDATA[report]]></category>
<category><![CDATA[risk]]></category>
<category><![CDATA[threats]]></category>
<guid isPermaLink="false">https://decoded.avast.io/?p=8842</guid>

<description><![CDATA[<p>The third quarter threat report is here—and it’s packed with answers. Our Threat Labs team has uncovered some heavy stories behind the stats, exposing the relentless tactics shaping today’s threat landscape. Here’s what you need to know: This is just the surface. Read the full report and see how our Threat Labs team is relentlessly [&#8230;]</p>
<p>The post <a href="https://decoded.avast.io/threatresearch/gen-q3-2024-threat-report/">Gen Q3/2024 Threat Report</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
]]></description>
<content:encoded><![CDATA[
<p>The <a href="https://www.gendigital.com/blog/insights/reports/threat-report-q3-2024" target="_blank" rel="noreferrer noopener">third quarter threat report</a> is here—and it’s packed with answers. Our Threat Labs team has uncovered some heavy stories behind the stats, exposing the relentless tactics shaping today’s threat landscape.</p>

<p>Here’s what you need to know:</p>

<ul class="wp-block-list">
<li><strong>614% explosion in Scam-Yourself Attacks:</strong> Over 2 million users were protected from FakeCaptcha scams, where fake tutorials, phony fixes, and malicious CAPTCHA prompts trick users into compromising their own systems.</li>
<li><strong>Ransomware doubled in risk,</strong> targeting outdated systems with precision campaigns like AliGater.</li>
<li><strong>Mobile threats surged,</strong> with banking malware up 60% and spyware spiking 166%, preying on users through malicious SMS campaigns.</li>
</ul>

<p>This is just the surface. Read the full report and see how our Threat Labs team is relentlessly researching, investigating and collaborating to stay ahead of cybercriminals and keep you informed and protected.</p>

<p>Read the <a href="https://www.gendigital.com/blog/insights/reports/threat-report-q3-2024" target="_blank" rel="noreferrer noopener">Q3/2024 Threat Report</a>!</p>
<p>The post <a href="https://decoded.avast.io/threatresearch/gen-q3-2024-threat-report/">Gen Q3/2024 Threat Report</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
]]></content:encoded>
</item>
<item>
<title>CryptoCore: Unmasking the Sophisticated Cryptocurrency Scam Operations</title>
<link>https://decoded.avast.io/martinchlumecky1/cryptocore-unmasking-the-sophisticated-cryptocurrency-scam-operations/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cryptocore-unmasking-the-sophisticated-cryptocurrency-scam-operations</link>
<dc:creator><![CDATA[Martin Chlumecký]]></dc:creator>
<pubDate>Tue, 13 Aug 2024 13:18:41 +0000</pubDate>
<category><![CDATA[Mobile]]></category>
<category><![CDATA[PC]]></category>
<category><![CDATA[AI]]></category>
<category><![CDATA[cryptocurrency]]></category>
<category><![CDATA[SCAM]]></category>
<guid isPermaLink="false">https://decoded.avast.io/?p=8701</guid>

<description><![CDATA[<p>As digital currencies have grown, so have cryptocurrency scams, posing significant risks to users. The rise of AI and deepfake technology has intensified scams exploiting famous personalities and events by creating realistic fake videos. Platforms like X and YouTube have been especially targeted, with scammers hijacking high-profile accounts to distribute fraudulent content. This report delves into the CryptoCore group's complex scam operations, analyzing their use of deepfakes, hijacked accounts, and fraudulent websites to deceive victims and profit millions of dollars.</p>
<p>The post <a href="https://decoded.avast.io/martinchlumecky1/cryptocore-unmasking-the-sophisticated-cryptocurrency-scam-operations/">CryptoCore: Unmasking the Sophisticated Cryptocurrency Scam Operations</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
]]></description>
<content:encoded><![CDATA[
<p class="has-text-align-right"><em>― If it sounds too good to be true, it probably is.</em></p>

<p>As digital currencies have rapidly grown, so have cryptocurrency scams, presenting significant risks to crypto investors and users. These scams often attract individuals with promises of high returns or use sophisticated schemes to defraud even the most cautious. Understanding these scams is crucial for protecting potential victims and safely navigating the evolving cryptocurrency scene. With the advent of artificial intelligence (AI) and deepfake technology, scams exploiting famous personalities and major events have significantly increased, since these technologies enable the creation of realistic but fake videos. Consequently, dozens of scams try to leverage the popularity and credibility of celebrities or significant events to deceive as many people as possible.</p>

<p>Scammers use various media to distribute fake pages and videos. By using different platforms, they can reach a large audience and increase the probability of attracting more people with fraudulent content. The first documented medium used by scammers for this purpose was X, at the time Twitter, in 2018. Specifically, scammers took over three popular and verified Twitter accounts belonging to British fashion retailer Matalan, film distributor Pathe UK, and US publisher Pantheon Books. The attackers used Elon Musk&#8217;s name and likeness to promote a fraudulent ad via tweets <a href="#reference">[1]</a>. Since at least 2019, hackers have also been hijacking high-profile YouTube channels to broadcast cryptocurrency scams.</p>

<p>In an effort to combat these hijacks, Google has spent considerable time researching the techniques hackers-for-hire used to compromise thousands of YouTube creators. Nevertheless, this has not completely stopped scammers, who still manage to hijack accounts from time to time <a href="#reference">[2, 3]</a>. The issue gained enough importance to attract the interest of other researchers, motivating several scientific publications that tried to address the issue of crypto scams on various platforms, starting from the aforementioned YouTube and Twitter and including other platforms that have gained prominence in recent years, such as TikTok, Telegram, and WhatsApp <a href="#reference">[4-9]</a>.</p>

<p>It is no surprise that these sources describe very similar <em>modus operandi</em> and associated techniques across all these platforms. AI-generated deepfakes are naturally becoming key instruments in crypto scam campaigns. In recent years, there has been an increasing incidence of one specific scam based on giveaway events announced under the banner of abused events and well-known personalities. The group we dubbed <strong>CryptoCore</strong> has become famous for its sophisticated tactics and successful exploitation of unsuspecting victims. This scam group and its giveaway campaigns leverage deepfake technology, hijacked YouTube accounts, and professionally designed websites to deceive users into sending their cryptocurrencies to the scammers&#8217; wallets.</p>

<p>This report delves into the intricacies of the CryptoCore group&#8217;s scam and analyses their <em>modus operandi</em>. We will describe key exploited events, including hijacked YouTube accounts and deepfake videos, alongside a technical analysis of the fraudulent sites. One purpose of this study is to present a fundamental analysis – and key statistics – of fraudulent wallets that have received profits in the millions of dollars, as well as to provide statistical data on detections, showing how victims are lured to suspicious websites and ultimately end up as crypto scam victims.</p>

<p>By gathering information and insights on the CryptoCore group’s operations and giveaway scams to better understand how they operate and how they manipulate victims, we hope to help counter their operations and protect the digital world.</p>

<p><strong>Table of Contents</strong></p>

<ol class="wp-block-list">
<li><a href="#modus-operandi">Modus Operandi</a></li>
<li><a href="#Reconstructing-Scammer-Operation">Reconstructing the Scammers’ Operation</a></li>
<li><a href="#crypto-wallet-analysis">Crypto Wallet Analysis</a></li>
<li><a href="#hijacked-yt-accounts">Hijacked YouTube Accounts</a></li>
<li><a href="#video-policy">Video Policy &amp; Providers’ Safeguards</a></li>
<li><a href="#abused-events">Abused Events</a></li>
<li><a href="#deepfake-videos">Use of Deepfake Videos</a></li>
<li><a href="#technical-analysis">Technical Analysis</a></li>
<li><a href="#detections">Detections</a></li>
<li><a href="#conclusion">Conclusion</a></li>
</ol>

<h4 class="wp-block-heading" id="modus-operandi">Modus Operandi</h4>

<p>The primary attack vector relies on a simple exploitation of trust in established brands and famous individuals, as well as the interest in major cultural and political events. The most common method is convincing a potential victim that messages or events published online are official communication from a trusted social media account or event page, thereby piggybacking on the trust associated with the chosen brand, person, or event. This initial vector usually directs the victim to a fake website that promises quick and easy profits. To pressure the victim even more, the scammers often use limited-time &#8220;giveaway&#8221; offers that urge the person to complete a quick action; otherwise, they will allegedly lose the opportunity for a quick profit.</p>

<p>The initial attack vector most commonly manifests as events in which famous people supposedly invest a certain sum of money to raise awareness about an allegedly promising cryptocurrency, a pitch that targets new cryptocurrency users. The scammers often try to add further confusion and make the distinction more difficult by associating themselves with actual events, usually related to technology, such as space flights or fake seminars focused on cryptocurrencies.</p>

<p>The success of the CryptoCore group is driven by their extensive preparation before an abused event, sophisticated infrastructure, and ability to expose fraudulent content to as many people as possible via popular social platforms.</p>

<p>Before publishing malicious content, usually a video with a QR code linking to a fraudulent website, attackers must set up an environment for sharing their content, which, if successful, will lead victims to the fake page. They need to hijack an account with many subscribers/followers. Documented cases of successful hacks on YouTube users with large follower bases usually begin through phishing or malware in emails; the malware can then steal the session or credentials. The phishing email might inform the account holder, for instance, about changes in YouTube&#8217;s terms or propose cooperation in advertising on the account holder&#8217;s YouTube account <a href="#reference">[2]</a>. A similar approach is used for account holders on other popular social platforms.</p>

<p>The attackers prepare deepfake content in advance and wait for an opportunity that can attract a larger audience. On the day of the event, they modify the account by changing the background and description and adding fake content to enhance authenticity. Finally, they wait for victims to search for the official event. Given the high number of subscribers of the hijacked account, there is a high probability that the search results will predominantly show fake content. Keywords related to the targeted events, combined with a large number of followers/subscribers, place hijacked accounts in the top search results.</p>

<p>Once the victim is convinced that this is a unique event, they are redirected to the fraudulent website, which looks highly professional and includes “technical support” available via online chat. Additionally, the instructions, rules of the &#8220;unique event&#8221;, and crypto wallets are present on the website, including a fake transaction system to make the page appear more legitimate. The catch is that – if the victims send the money – there is no way to get it back.</p>

<div class="wp-block-image">
<figure class="aligncenter size-full"><img fetchpriority="high" decoding="async" width="1600" height="1100" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-fraud-website-example.gif" alt="" class="wp-image-8705" /><figcaption class="wp-element-caption"><em>Example of CryptoCore fraudulent websites</em></figcaption></figure></div>

<h4 class="wp-block-heading" id="Reconstructing-Scammer-Operation">Reconstructing the Scammers’ Operation</h4>

<p>Based on the assessed <em><a href="#modus-operandi">modus operandi</a></em>, we see strong indications of a large and complex scam operation using a vast array of techniques and scam methods. Their techniques utilize several key tools essential to their campaigns&#8217; success.</p>

<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" width="822" height="781" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.01-CryptoCore_components.drawio.png" alt="" class="wp-image-8764" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.01-CryptoCore_components.drawio.png 822w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.01-CryptoCore_components.drawio-300x285.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.01-CryptoCore_components.drawio-768x730.png 768w" sizes="(max-width: 822px) 100vw, 822px" /><figcaption class="wp-element-caption"><em>CryptoCore components</em></figcaption></figure></div>

<p>The first step is to attract the largest audience and potential victims. To do this, the group identifies significant events that will be widely publicized and accompanied by live broadcasts. The second step is creating a deepfake video mimicking the official event video and abusing the event via embedded QR codes that lead to fraudulent websites. <em><a href="#technical-analysis">Technical analysis</a></em> proves these scam websites are generated using the same patterns and framework.</p>

<p>Once the fake videos and websites are ready, the attackers distribute them using compromised accounts from popular platforms, especially YouTube. Therefore, another crucial part of the operation is procuring these compromised accounts, because accounts with many subscribers increase the probability of attracting victims. In addition, fake comments also supplement the distribution of the abused event. Finally, the successful campaign results in collecting cryptocurrency wallets with fraudulently obtained crypto coins.</p>

<h6 class="wp-block-heading">Search Engines</h6>

<p>We have figured out how victims are led to fake videos and hijacked accounts; this is a crucial part of the scammers’ operation, which is primarily designed to be multiplatform. The initial phase is observed mainly on desktop platforms, while the landing page is directed towards smart devices via QR codes.</p>

<p>Most victims reach the fraudulent videos by searching for keywords related to the exploited events in popular search engines, such as &#8220;<code>spacex starship launch 4</code>&#8221;, &#8220;<code>starship flight test</code>&#8221;, and &#8220;<code>start starship</code>&#8221;. Another direct access point is searching for keywords directly on YouTube, such as &#8220;<code>eclipse 2024 totality</code>&#8221;, &#8220;<code>integrated flight test four</code>&#8221;, and &#8220;<code>spaceship</code>&#8221;. In addition to direct searches, we have observed fake or misused comments on various forums and posts on the platforms X, Facebook, and Twitch. See examples below.</p>

<div class="wp-block-image">
<figure class="aligncenter size-large"><img decoding="async" width="1024" height="972" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.02-rotter-1024x972.png" alt="" class="wp-image-8709" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.02-rotter-1024x972.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.02-rotter-300x285.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.02-rotter-768x729.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.02-rotter.png 1303w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Links to the scam videos from different social networks</em></figcaption></figure></div>

<h4 class="wp-block-heading" id="cryptoproject-operations">CryptoProject in Scammer Operations</h4>

<p>We have named the scammer group after the framework used to generate the landing pages – CryptoCore. However, the campaigns might be the result of collaboration between several independent cybercriminal groups, possibly through subcontracting.</p>

<p>Landing pages are created using a framework advertised on various hacker forums under the brand CryptoProject. The developers offer deployment on personal domains for approximately $100 and even showcase examples of the giveaway campaigns that we have been monitoring, as illustrated in the images below. Orders for specific pages can be placed via their dedicated Telegram bot.</p>

<div class="wp-block-image">
<figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="683" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad-1024x683.png" alt="" class="wp-image-8828" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad-1024x683.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad-300x200.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad-768x513.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad-736x491.png 736w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad.png 1500w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>CryptoProject ad</em></figcaption></figure></div>

<p>Interestingly, deepfake videos and even stolen accounts or comments can be procured in a similar way. That means that all the necessary tools are available as a service. This leads to the natural question of whether the whole scam campaign can be procured via a service, with the client only needing to supply crypto wallets (basically Scam-as-a-Service), or whether this is the work of a single group potentially subcontracting parts of its campaign.</p>

<p>Regardless, we can assert with high confidence that landing pages are created using a framework that is available as a service, and we could presumably extend this assessment to its other parts, such as deepfake videos, hijacked accounts, and fake comments. Further research is needed to reveal more details about the other links, especially the fraudulent crypto wallets, which could rule out one of these options.</p>
  403.  
  404. <div class="wp-block-image">
  405. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="683" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad-1024x683.png" alt="" class="wp-image-8828" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad-1024x683.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad-300x200.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad-768x513.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad-736x491.png 736w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/02.03-CC-ad.png 1500w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>CryptoProject ad</em></figcaption></figure></div>
  406.  
  407.  
  408. <p>Interestingly, deepfake videos and even stolen accounts or comments can be procured in a similar way, which means that all the necessary tools are available as a service. This raises the natural question of whether an entire scam campaign can be procured as a service, with the client only needing to supply crypto wallets (essentially Scam-as-a-Service), or whether this is the work of a single group that subcontracts parts of its campaign.</p>
  409.  
  410.  
  411.  
  412. <p>Regardless, we can assert with high confidence that the landing pages are created using a framework available as a service, and this assessment can presumably be extended to the campaign&#8217;s other components, such as deepfake videos, hijacked accounts, and fake comments. Further research is needed to reveal more details about the remaining links, especially the fraudulent crypto wallets, which could rule out one of these options.</p>
  413.  
  414.  
  415.  
  416. <h4 class="wp-block-heading" id="crypto-wallet-analysis">Crypto Wallet Analysis</h4>
  417.  
  418.  
  419.  
  420. <p>Over a six-month analysis window, we found hundreds of crypto wallets with millions of dollars in turnover. It is essential to note, however, that adding up all incoming transactions for each wallet is not sufficient to determine the final value, because outgoing transactions in BTC from the same wallet must be deducted. We also recorded large transactions unrelated to any giveaway campaign, presumably representing transfers between the scammers&#8217; wallets. Nevertheless, the wallets evidently belong to the attackers and not to a middleman. The following statistical data on crypto wallets is therefore not exact, but it provides a basic overview of the approximate range of revenues generated by the group&#8217;s illegal activities.</p>
  421.  
  422.  
  423.  
  424. <p>In total, we detected 1200 crypto wallets, with the most frequently used currencies being Ethereum, Bitcoin, Tether, and Dogecoin, as shown in the graph below.</p>
  425.  
  426.  
  427. <div class="wp-block-image">
  428. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="503" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-Distribution-of-crypto-wallets-1024x503.png" alt="" class="wp-image-8714" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-Distribution-of-crypto-wallets-1024x503.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-Distribution-of-crypto-wallets-300x147.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-Distribution-of-crypto-wallets-768x377.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-Distribution-of-crypto-wallets.png 1140w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Distribution of crypto wallets abused by the scammers, including values</em></figcaption></figure></div>
  429.  
  430.  
  431. <p>These wallets had a turnover of approximately <strong>$5,400,000</strong>. The table below summarizes the turnover per wallet currency. In absolute values, Bitcoin wallets represent the largest share of the total turnover due to Bitcoin&#8217;s high value, with Ethereum wallets coming in second. The complete list of collected crypto wallets can be found in the <a href="#ioc-wallets">IoC</a> section below.</p>
  432.  
  433.  
  434.  
  435. <figure class="wp-block-table aligncenter"><table><tbody><tr><td><strong>Wallet</strong></td><td class="has-text-align-right" data-align="right"><strong>Value (USD)</strong></td></tr><tr><td>BTC</td><td class="has-text-align-right" data-align="right">$3,229,752</td></tr><tr><td>ETH</td><td class="has-text-align-right" data-align="right">$1,651,163</td></tr><tr><td>DOGE</td><td class="has-text-align-right" data-align="right">$238,724</td></tr><tr><td>SOL</td><td class="has-text-align-right" data-align="right">$102,294</td></tr><tr><td>XRP</td><td class="has-text-align-right" data-align="right">$188,441</td></tr><tr><td><strong>Total</strong></td><td class="has-text-align-right" data-align="right"><strong>$5,410,377</strong></td></tr></tbody></table></figure>
  436.  
  437.  
  438.  
  439. <h4 class="wp-block-heading" id="hijacked-yt-accounts">Hijacked YouTube Accounts</h4>
  440.  
  441.  
  442.  
  443. <p>Since YouTube remains the most popular video-sharing platform, with billions of users worldwide, scammers actively exploit its authentication mechanisms. Previous analyses and blog posts have recorded hundreds of suspicious accounts. The largest hijacked accounts documented so far are two cases, one with 19 million subscribers and another with nearly 12 million <a href="#reference">[4, 10]</a>. During our observations, accounts with 5 million subscribers were not uncommon. Such high subscriber counts allowed scammers to appear in the top 10 search results.</p>
  444.  
  445.  
  446. <div class="wp-block-image">
  447. <figure data-wp-context="{&quot;uploadedSrc&quot;:&quot;https:\/\/decoded.avast.io\/wp-content\/uploads\/sites\/2\/2024\/07\/04.01.-top-10-accounts-in-search-results.png&quot;,&quot;figureClassNames&quot;:&quot;aligncenter size-large&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-8716&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:2414,&quot;targetHeight&quot;:1274,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}" data-wp-interactive="core/image" class="aligncenter size-large wp-lightbox-container"><img loading="lazy" decoding="async" width="1024" height="540" data-wp-init="callbacks.setButtonStyles" data-wp-on-async--click="actions.showLightbox" data-wp-on-async--load="callbacks.setButtonStyles" data-wp-on-async-window--resize="callbacks.setButtonStyles" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.01.-top-10-accounts-in-search-results-1024x540.png" alt="" class="wp-image-8716" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.01.-top-10-accounts-in-search-results-1024x540.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.01.-top-10-accounts-in-search-results-300x158.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.01.-top-10-accounts-in-search-results-768x405.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.01.-top-10-accounts-in-search-results-1536x811.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.01.-top-10-accounts-in-search-results-2048x1081.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><button
  448. class="lightbox-trigger"
  449. type="button"
  450. aria-haspopup="dialog"
  451. aria-label="Enlarge image"
  452. data-wp-init="callbacks.initTriggerButton"
  453. data-wp-on-async--click="actions.showLightbox"
  454. data-wp-style--right="context.imageButtonRight"
  455. data-wp-style--top="context.imageButtonTop"
  456. >
  457. <svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="none" viewBox="0 0 12 12">
  458. <path fill="#fff" d="M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z" />
  459. </svg>
  460. </button><figcaption class="wp-element-caption"><em>Hijacked accounts are among the top 10 in the search results</em></figcaption></figure></div>
  461.  
  462.  
  463. <p>As long as the channels evade YouTube’s detection (and the blocking that follows), they are re-themed to suit the current campaign’s needs. One channel might successively carry names like MicroStrategy, Tesla, SpaceX, Ripple, etc. Typically, the background image, channel name, description, and alias (e.g., <code>@RippleXRP24</code>, <code>@MicroStrategys</code>) are changed, often relying on typo-squatting to confuse victims. Attackers also switch the original owner&#8217;s videos to private and upload their own content, making the account look as credible as possible, complete with verified status and a large subscriber base.</p>
  464.  
  465.  
  466.  
  467. <p>It is evident that these are massive attacks on YouTube accounts with high subscriber counts. Even when scammers are not targeting a specific event, we observe several hijacked accounts daily, usually themed as MicroStrategy or XRP. On the day of a significant global event such as a SpaceX launch, however, the number of active stolen accounts can rise to dozens.</p>
  468.  
  469.  
  470.  
  471. <p>Some individual accounts are blocked or removed by YouTube for violating its rules, but in most cases they are not. Instead, many misused accounts are simply parked and remain available for the next promising event, so a parked account can be reused in multiple CryptoCore campaigns before it is blocked. Victims often report that proving account ownership to YouTube is very difficult. Moreover, accounts can be blocked or permanently deleted, including all their content. Given the large number of subscribers, the result is a significant loss for the victims, who have built their profiles over many years.</p>
  472.  
  473.  
  474.  
  475. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="553" height="170" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.02.-removed-channel.png" alt="" class="wp-image-8717" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.02.-removed-channel.png 553w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.02.-removed-channel-300x92.png 300w" sizes="(max-width: 553px) 100vw, 553px" /></figure>
  476.  
  477.  
  478.  
  479. <p>As mentioned in <em><a href="#modus-operandi">modus operandi</a></em>, the accounts are stolen through phishing or malware spread via email. Previous studies have observed that attackers are shifting away from Gmail to other email providers, primarily <code>email.cz</code>, <code>seznam.cz</code>, <code>post.cz</code>, and <code>aol.com</code> <a href="#reference">[2]</a>. One documented case involved cookie theft, which gave the attacker access to the account without needing the username, password, or two-factor authentication <a href="#reference">[11]</a>. It is also possible that attackers purchase credentials on the dark web.</p>
  480.  
  481.  
  482.  
  483. <h6 class="wp-block-heading">Hijacked YouTube Account Statistics</h6>
  484.  
  485.  
  486.  
  487. <p>We do not aim to provide a complete statistical analysis of YouTube accounts, given the limited number of analyzed accounts. Nevertheless, more than 20% of hijacked accounts in our sample had over a million subscribers, and the largest share, approximately 36%, were accounts with 100K to 500K subscribers. So the vast majority of stolen accounts have a huge number of followers, especially when we consider that MicroStrategy&#8217;s official YouTube account has “only” 39.1K subscribers.</p>
  488.  
  489.  
  490. <div class="wp-block-image">
  491. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="565" height="534" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.03.-subscribers-of-hijacked-YouTube-accounts.png" alt="" class="wp-image-8718" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.03.-subscribers-of-hijacked-YouTube-accounts.png 565w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.03.-subscribers-of-hijacked-YouTube-accounts-300x284.png 300w" sizes="(max-width: 565px) 100vw, 565px" /><figcaption class="wp-element-caption"><em>Numbers of subscribers of hijacked YouTube accounts</em></figcaption></figure></div>
  492.  
  493.  
  494. <p>Such high subscriber numbers boost search rankings, increasing both visibility and credibility. Regarding topics, most accounts tried to associate themselves with SpaceX events, the second most popular being MicroStrategy, which has been a CryptoCore staple for quite some time. The third significant topic is Ripple. We must, however, allow for noise in these statistics, as the content may change over time and a single account can cover multiple topics. To illustrate the scale, the number of viewers of live-streamed deepfake videos often reaches the hundreds of thousands.</p>
  495.  
  496.  
  497. <div class="wp-block-image">
  498. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="700" height="540" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.04.-most-prevalent-topics.png" alt="" class="wp-image-8719" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.04.-most-prevalent-topics.png 700w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.04.-most-prevalent-topics-300x231.png 300w" sizes="(max-width: 700px) 100vw, 700px" /><figcaption class="wp-element-caption"><em>The most prevalent topics of hijacked YouTube accounts</em></figcaption></figure></div>
  499.  
  500.  
  501. <h6 class="wp-block-heading" id="hijacked-yt-account">Hijacked YouTube Examples</h6>
  502.  
  503.  
  504.  
  505. <p>We witnessed many modifications made to hijacked accounts during this research. The method of manipulation remains consistent, so we will provide one specific example of how the attackers operate and misuse the compromised accounts.</p>
  506.  
  507.  
  508.  
  509. <p>The prime example involves an abused YouTube account with many subscribers (1.46M), fortunately with a happy ending. This account was compromised on May 20, 2024, and rebuilt into an &#8220;official&#8221; MicroStrategy channel, including modification of the background image and description and uploading of videos from MicroStrategy&#8217;s official website. The victim’s original videos were hidden or set to private.</p>
  510.  
  511.  
  512.  
  513. <p>If someone searched for the keyword &#8220;MicroStrategy&#8221;, the hijacked account appeared second in the result list. However, the channel&#8217;s original name remained in the search list despite the renaming. The channel hosted the well-known deepfake video with a QR code leading to the familiar fake page. Interestingly, one of the original posts from the victim&#8217;s YouTube channel remained on the Community tab; see the animation below. We used this oversight to communicate with the support team, as documented in <a href="#online-chat-case02">Case 2: Suspicious YouTube Channel</a>. The hijacked account was terminated the next day.</p>
  514.  
  515.  
  516. <div class="wp-block-image">
  517. <figure data-wp-context="{&quot;uploadedSrc&quot;:&quot;https:\/\/decoded.avast.io\/wp-content\/uploads\/sites\/2\/2024\/07\/04.05.-examples-of-cryptocore-scam.gif&quot;,&quot;figureClassNames&quot;:&quot;aligncenter size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-8726&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1542,&quot;targetHeight&quot;:1131,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}" data-wp-interactive="core/image" class="aligncenter size-full wp-lightbox-container"><img loading="lazy" decoding="async" width="1542" height="1131" data-wp-init="callbacks.setButtonStyles" data-wp-on-async--click="actions.showLightbox" data-wp-on-async--load="callbacks.setButtonStyles" data-wp-on-async-window--resize="callbacks.setButtonStyles" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.05.-examples-of-cryptocore-scam.gif" alt="" class="wp-image-8726" /><button
  518. class="lightbox-trigger"
  519. type="button"
  520. aria-haspopup="dialog"
  521. aria-label="Enlarge image"
  522. data-wp-init="callbacks.initTriggerButton"
  523. data-wp-on-async--click="actions.showLightbox"
  524. data-wp-style--right="context.imageButtonRight"
  525. data-wp-style--top="context.imageButtonTop"
  526. >
  527. <svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="none" viewBox="0 0 12 12">
  528. <path fill="#fff" d="M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z" />
  529. </svg>
  530. </button><figcaption class="wp-element-caption"><em>Examples of CryptoCore scam</em></figcaption></figure></div>
  531.  
  532. <div class="wp-block-image">
  533. <figure data-wp-context="{&quot;uploadedSrc&quot;:&quot;https:\/\/decoded.avast.io\/wp-content\/uploads\/sites\/2\/2024\/07\/04.06.-owner-of-the-account.png&quot;,&quot;figureClassNames&quot;:&quot;aligncenter size-large&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-8727&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1154,&quot;targetHeight&quot;:1322,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}" data-wp-interactive="core/image" class="aligncenter size-large wp-lightbox-container"><img loading="lazy" decoding="async" width="894" height="1024" data-wp-init="callbacks.setButtonStyles" data-wp-on-async--click="actions.showLightbox" data-wp-on-async--load="callbacks.setButtonStyles" data-wp-on-async-window--resize="callbacks.setButtonStyles" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.06.-owner-of-the-account-894x1024.png" alt="" class="wp-image-8727" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.06.-owner-of-the-account-894x1024.png 894w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.06.-owner-of-the-account-262x300.png 262w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.06.-owner-of-the-account-768x880.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.06.-owner-of-the-account.png 1154w" sizes="(max-width: 894px) 100vw, 894px" /><button
  534. class="lightbox-trigger"
  535. type="button"
  536. aria-haspopup="dialog"
  537. aria-label="Enlarge image"
  538. data-wp-init="callbacks.initTriggerButton"
  539. data-wp-on-async--click="actions.showLightbox"
  540. data-wp-style--right="context.imageButtonRight"
  541. data-wp-style--top="context.imageButtonTop"
  542. >
  543. <svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="none" viewBox="0 0 12 12">
  544. <path fill="#fff" d="M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z" />
  545. </svg>
  546. </button><figcaption class="wp-element-caption"><em>The rightful owner of the account announced the hacking of his YouTube account</em></figcaption></figure></div>
  547.  
  548.  
  549. <p>In this case, we also noticed that the victim used his other social media platforms to announce to his audience that his YouTube account had been compromised and used to spread MicroStrategy- and Ripple-related spam. This indicates that the account stayed live long enough after being hijacked to spread multiple campaigns before YouTube took it down.</p>
  550.  
  551.  
  552. <div class="wp-block-image">
  553. <figure data-wp-context="{&quot;uploadedSrc&quot;:&quot;https:\/\/decoded.avast.io\/wp-content\/uploads\/sites\/2\/2024\/07\/04.07.-recovered-account.gif&quot;,&quot;figureClassNames&quot;:&quot;aligncenter size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-8728&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1151,&quot;targetHeight&quot;:1038,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}" data-wp-interactive="core/image" class="aligncenter size-full wp-lightbox-container"><img loading="lazy" decoding="async" width="1151" height="1038" data-wp-init="callbacks.setButtonStyles" data-wp-on-async--click="actions.showLightbox" data-wp-on-async--load="callbacks.setButtonStyles" data-wp-on-async-window--resize="callbacks.setButtonStyles" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.07.-recovered-account.gif" alt="" class="wp-image-8728" /><button
  554. class="lightbox-trigger"
  555. type="button"
  556. aria-haspopup="dialog"
  557. aria-label="Enlarge image"
  558. data-wp-init="callbacks.initTriggerButton"
  559. data-wp-on-async--click="actions.showLightbox"
  560. data-wp-style--right="context.imageButtonRight"
  561. data-wp-style--top="context.imageButtonTop"
  562. >
  563. <svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="none" viewBox="0 0 12 12">
  564. <path fill="#fff" d="M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z" />
  565. </svg>
  566. </button><figcaption class="wp-element-caption"><em>The account was recovered after being abused in a scam campaign. Note the lack of content.</em></figcaption></figure></div>
  567.  
  568.  
  569. <p>After some time, the account was returned to its owner. However, the alias assigned to the hijacked account is still active, so the handle <code>@REWARD.MS2024</code> still directs to the victim&#8217;s YouTube account.</p>
  570.  
  571.  
  572. <div class="wp-block-image">
  573. <figure data-wp-context="{&quot;uploadedSrc&quot;:&quot;https:\/\/decoded.avast.io\/wp-content\/uploads\/sites\/2\/2024\/07\/04.08.-community-tab-of-a-hijacked-account.gif&quot;,&quot;figureClassNames&quot;:&quot;aligncenter size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-8730&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1359,&quot;targetHeight&quot;:1143,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}" data-wp-interactive="core/image" class="aligncenter size-full wp-lightbox-container"><img loading="lazy" decoding="async" width="1359" height="1143" data-wp-init="callbacks.setButtonStyles" data-wp-on-async--click="actions.showLightbox" data-wp-on-async--load="callbacks.setButtonStyles" data-wp-on-async-window--resize="callbacks.setButtonStyles" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.08.-community-tab-of-a-hijacked-account.gif" alt="" class="wp-image-8730" /><button
  574. class="lightbox-trigger"
  575. type="button"
  576. aria-haspopup="dialog"
  577. aria-label="Enlarge image"
  578. data-wp-init="callbacks.initTriggerButton"
  579. data-wp-on-async--click="actions.showLightbox"
  580. data-wp-style--right="context.imageButtonRight"
  581. data-wp-style--top="context.imageButtonTop"
  582. >
  583. <svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="none" viewBox="0 0 12 12">
  584. <path fill="#fff" d="M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z" />
  585. </svg>
  586. </button><figcaption class="wp-element-caption"><em>Community tab of a hijacked account (and later on, recovered)</em></figcaption></figure></div>
  587.  
  588.  
  589. <p>Since attackers abuse accounts with a large audience and want to retain access for as long as possible, they try to hide their activity from the rightful owner of the account. Whenever they end a campaign, which usually lasts a few hours, they attempt to restore the account to its previous state. Nevertheless, they are not always diligent in these efforts and may miss details such as the channel name or background image.</p>
  590.  
  591.  
  592. <div class="wp-block-image">
  593. <figure data-wp-context="{&quot;uploadedSrc&quot;:&quot;https:\/\/decoded.avast.io\/wp-content\/uploads\/sites\/2\/2024\/07\/04.09.-original-community-posts.gif&quot;,&quot;figureClassNames&quot;:&quot;aligncenter size-full&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-8731&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1359,&quot;targetHeight&quot;:1143,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}" data-wp-interactive="core/image" class="aligncenter size-full wp-lightbox-container"><img loading="lazy" decoding="async" width="1359" height="1143" data-wp-init="callbacks.setButtonStyles" data-wp-on-async--click="actions.showLightbox" data-wp-on-async--load="callbacks.setButtonStyles" data-wp-on-async-window--resize="callbacks.setButtonStyles" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.09.-original-community-posts.gif" alt="" class="wp-image-8731" /><button
  594. class="lightbox-trigger"
  595. type="button"
  596. aria-haspopup="dialog"
  597. aria-label="Enlarge image"
  598. data-wp-init="callbacks.initTriggerButton"
  599. data-wp-on-async--click="actions.showLightbox"
  600. data-wp-style--right="context.imageButtonRight"
  601. data-wp-style--top="context.imageButtonTop"
  602. >
  603. <svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="none" viewBox="0 0 12 12">
  604. <path fill="#fff" d="M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z" />
  605. </svg>
  606. </button><figcaption class="wp-element-caption"><em>Examples of original community posts on a hijacked YouTube account</em></figcaption></figure></div>
  607.  
  608.  
  609. <p>A common sign of stolen accounts is the community tab, which, despite the masking of the hijacked account, contains posts from the original owners.</p>
  610.  
  611.  
  612.  
  613. <h4 class="wp-block-heading" id="video-policy">Video Policy &amp; Providers’ Safeguards</h4>
  614.  
  615.  
  616.  
  617. <p>YouTube does define rules and policies for accounts and content visibility, but its automated scam detection is not effective enough. Despite the CryptoCore scam being a longstanding issue known to Google <a href="#reference">[2]</a>, there is no noticeable decrease in scam activity. Instead, major media events (e.g., SpaceX flight tests) are continually exploited with recurring patterns that could be detected automatically. Although YouTube has mechanisms to block inappropriate content and accounts, these mechanisms are often slow to respond. YouTube videos and accounts are typically blocked based on user reports, so substantial user intervention is required to trigger the blocking action. Consequently, the hijacked accounts with scam videos were not removed until a few days after the abuse event, as the figure below demonstrates.</p>
  618.  
  619.  
  620. <div class="wp-block-image">
  621. <figure data-wp-context="{&quot;uploadedSrc&quot;:&quot;https:\/\/decoded.avast.io\/wp-content\/uploads\/sites\/2\/2024\/07\/05.01.-YT-blocked-videos.png&quot;,&quot;figureClassNames&quot;:&quot;aligncenter size-large&quot;,&quot;figureStyles&quot;:null,&quot;imgClassNames&quot;:&quot;wp-image-8734&quot;,&quot;imgStyles&quot;:null,&quot;targetWidth&quot;:1307,&quot;targetHeight&quot;:1236,&quot;scaleAttr&quot;:false,&quot;ariaLabel&quot;:&quot;Enlarge image&quot;,&quot;alt&quot;:&quot;&quot;}" data-wp-interactive="core/image" class="aligncenter size-large wp-lightbox-container"><img loading="lazy" decoding="async" width="1024" height="968" data-wp-init="callbacks.setButtonStyles" data-wp-on-async--click="actions.showLightbox" data-wp-on-async--load="callbacks.setButtonStyles" data-wp-on-async-window--resize="callbacks.setButtonStyles" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.01.-YT-blocked-videos-1024x968.png" alt="" class="wp-image-8734" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.01.-YT-blocked-videos-1024x968.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.01.-YT-blocked-videos-300x284.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.01.-YT-blocked-videos-768x726.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.01.-YT-blocked-videos.png 1307w" sizes="(max-width: 1024px) 100vw, 1024px" /><button
  622. class="lightbox-trigger"
  623. type="button"
  624. aria-haspopup="dialog"
  625. aria-label="Enlarge image"
  626. data-wp-init="callbacks.initTriggerButton"
  627. data-wp-on-async--click="actions.showLightbox"
  628. data-wp-style--right="context.imageButtonRight"
  629. data-wp-style--top="context.imageButtonTop"
  630. >
  631. <svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="none" viewBox="0 0 12 12">
  632. <path fill="#fff" d="M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z" />
  633. </svg>
  634. </button><figcaption class="wp-element-caption"><em>Blocked scam videos after a few days</em></figcaption></figure></div>
  635.  
  636.  
  637. <p>Cloudflare sometimes displays warnings about suspicious content, but this is rare and applies primarily to long-running domains. We therefore see little proactive activity at the infrastructure-provider level, even though the landing pages are generated with the same CryptoCore framework and contain static artifacts that could easily be identified and blocked.</p>
  638.  
  639.  
  640. <div class="wp-block-image">
  641. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="830" height="331" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.02.-CF-suspected-phishing.png" alt="" class="wp-image-8735" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.02.-CF-suspected-phishing.png 830w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.02.-CF-suspected-phishing-300x120.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.02.-CF-suspected-phishing-768x306.png 768w" sizes="(max-width: 830px) 100vw, 830px" /><figcaption class="wp-element-caption"><em>Cloudflare warning</em></figcaption></figure></div>
  642.  
  643.  
  644. <h4 class="wp-block-heading" id="abused-events">Abused Events</h4>
  645.  
  646.  
  647.  
  648. <p>As described above, the attackers are exploiting various events to attract as many victims as possible. We recorded five significant events during the observed period.</p>
  649.  
  650.  
  651.  
  652. <p>At the beginning of January, Michael Saylor, the executive chairman of MicroStrategy, started selling company shares worth $216 million <a href="#reference">[12]</a>. Attackers used this event to flood the internet with fake videos claiming Michael Saylor was giving away $100,000,000. This event was continuously misused throughout 2024.</p>
  653.  
  654.  
  655.  
  656. <p>Another significant peak occurred on March 14, 2024, when the SpaceX Starship integrated flight test (IFT-3) <a href="#reference">[13]</a> was exploited. This period saw the highest number of detections.</p>
  657.  
  658.  
  659.  
  660. <p>In mid-March, a fake campaign ran after Reuters released information about a contract in which SpaceX allegedly built a network of hundreds of spy satellites <a href="#reference">[14]</a>.</p>
  661.  
  662.  
  663.  
  664. <p>Another notable peak was on April 8, 2024, during the solar eclipse, when SpaceX’s name was once again abused in a CryptoCore campaign.</p>
  665.  
  666.  
  667.  
  668. <p>The last major campaign occurred on June 6, 2024, during the SpaceX Starship integrated flight test (IFT-4) <a href="#reference">[15]</a>. Nearly 50 hijacked YouTube accounts were used over this several-day campaign, during which we identified 84 crypto wallets with 500 transactions and a total value of <strong>$1.413M</strong>.</p>
  669.  
  670.  
  671. <div class="wp-block-image">
  672. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1413" height="670" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.01.-spacex-ift4.gif" alt="" class="wp-image-8736" /><figcaption class="wp-element-caption"><em>SpaceX Starship IFT-4 scam video and fraudulent website</em></figcaption></figure></div>
  686.  
  687.  
  688. <p>Additionally, smaller campaigns sometimes misuse elections or events of tech companies. The examples below show the landing pages for the WWDC24 Apple developer conference and a Donald Trump &#8220;giveaway&#8221;.</p>
  689.  
  690.  
  691. <div class="wp-block-image">
  692. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="583" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.02.-apple-wwdc24-1024x583.png" alt="" class="wp-image-8737" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.02.-apple-wwdc24-1024x583.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.02.-apple-wwdc24-300x171.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.02.-apple-wwdc24-768x438.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.02.-apple-wwdc24-1536x875.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.02.-apple-wwdc24.png 1562w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>CryptoCore website abusing the WWDC24 Apple developer conference</em></figcaption></figure></div>
  706.  
  707. <div class="wp-block-image">
  708. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="527" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.03.-trump-cryptoscam-1024x527.png" alt="" class="wp-image-8738" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.03.-trump-cryptoscam-1024x527.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.03.-trump-cryptoscam-300x154.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.03.-trump-cryptoscam-768x395.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.03.-trump-cryptoscam.png 1373w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>CryptoCore website abusing the Donald Trump election</em></figcaption></figure></div>
  722.  
  723.  
  724. <h4 class="wp-block-heading" id="deepfake-videos">Use of Deepfake Videos</h4>
  725.  
  726.  
  727.  
  728. <p>CryptoCore campaigns complement the YouTube accounts with deepfake videos. These videos abuse official footage from well-known events, personalities, or companies. For instance, in the case of SpaceX and Elon Musk, we have observed the misuse of videos from events such as the SpaceX All Hands 2024, the Starship Flight Test, and the Starship Update from 2022. For Michael Saylor&#8217;s campaigns, the exploited videos carry titles such as &#8220;Bitcoin is Digital Energy with Michael Saylor&#8221;, &#8220;10 Rules for Life with Michael Saylor&#8221;, and &#8220;The Nature of Energy with Michael Saylor&#8221;. Other personalities targeted include Larry Fink (CEO of BlackRock), Vitalik Buterin (programmer and co-founder of Ethereum), and Bradley Garlinghouse (CEO of Ripple Labs).</p>
  729.  
  730.  
  731.  
  732. <p>The compilation of deepfake videos below illustrates the <em><a href="#modus-operandi">modus operandi</a></em> and its common theme: a well-known personality talks about a unique chance to double your investment. The videos use fake voices and, in some cases, advanced deepfake techniques like lip-syncing. Typically, these videos are looped every 12 minutes, often preceded by, for example, a countdown for a rocket launch or the start of an online broadcast.</p>
  733.  
  734.  
  735. <div class="wp-block-image">
  736. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="900" height="506" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.01.-videos-compilation-redacted.gif" alt="" class="wp-image-8812" /><figcaption class="wp-element-caption"><em>Deepfake videos compilation</em></figcaption></figure></div>
  737.  
  738.  
  739. <p>Furthermore, some videos are pre-recorded and published as live streams. For instance, we have seen a fresh account host a video about three hours long, mark it private, and later republish the same content as a live stream on the same account. Sometimes, we have also seen captured live streams with added scam-related elements, such as a specific background or a QR code inside the video stream.</p>
  740.  
  741.  
  742.  
  743. <figure class="wp-block-video aligncenter"><video controls src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/07.03.1.-Vitalik-Buterin.mp4"></video><figcaption class="wp-element-caption"><em>Live stream capturing the insertion of scam artifacts for the Ethereum topic.</em></figcaption></figure>
  744.  
  745.  
  746.  
  747. <figure class="wp-block-video aligncenter"><video controls src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.03.2.-Blackrock.mp4"></video><figcaption class="wp-element-caption"><em>Live stream capturing the insertion of scam artifacts for the BlackRock topic</em></figcaption></figure>
  748.  
  749.  
  750.  
  751. <p>During the last major crypto campaign, we noted advancements in the usage of deepfake technology. The videos now feature detailed shots of personalities with high-quality lip-syncing, which can easily deceive viewers into believing they are watching an official statement. Additionally, they use parts of the original background, such as large screens, to seamlessly display information related to the scam.</p>
  752.  
  753.  
  754.  
  755. <figure class="wp-block-video aligncenter"><video controls src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.03.3-SpaceX.mp4"></video><figcaption class="wp-element-caption"><em>Live stream of deepfake video capturing IFT-4 with lip-syncing</em></figcaption></figure>
  756.  
  757.  
  758.  
  759. <figure class="wp-block-video aligncenter"><video controls src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.03.4-MicroStrategy.mp4"></video><figcaption class="wp-element-caption"><em>Live stream of deepfake video capturing Michael Saylor with lip-syncing</em></figcaption></figure>
  760.  
  761.  
  762.  
  763. <p>Additionally, the impersonated personalities have published official statements against these scams, but these statements are largely ineffective in stopping them <a href="#reference">[16, 17]</a>.</p>
  764.  
  765.  
  766. <div class="wp-block-image">
  767. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="533" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.02.-statement-on-crypto-scam-1024x533.png" alt="" class="wp-image-8817" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.02.-statement-on-crypto-scam-1024x533.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.02.-statement-on-crypto-scam-300x156.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.02.-statement-on-crypto-scam-768x400.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.02.-statement-on-crypto-scam.png 1223w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Official statement on crypto scam</em></figcaption></figure></div>
  781.  
  782.  
  783. <h4 class="wp-block-heading">Fraudulent Website Statistics</h4>
  784.  
  785.  
  786.  
  787. <p>The statistics below were extracted from the exposed pages over a six-month window, January to June 2024. During this period, we detected 340 different domains hosting scams generated through the <a href="#cryptoproject-operations">CryptoCore framework</a>. The graphs show the distribution of headlines used on these fraudulent websites; in summary, the most exploited themes are MicroStrategy, SpaceX, and Tesla.</p>
  788.  
  789.  
  790. <div class="wp-block-image">
  791. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="898" height="488" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.01.-most-abused-titles.png" alt="" class="wp-image-8760" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.01.-most-abused-titles.png 898w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.01.-most-abused-titles-300x163.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.01.-most-abused-titles-768x417.png 768w" sizes="(max-width: 898px) 100vw, 898px" /><figcaption class="wp-element-caption"><em>The most common titles on fraudulent sites</em></figcaption></figure></div>
  792.  
  793. <div class="wp-block-image">
  794. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="898" height="467" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.02.-most-common-topics.png" alt="" class="wp-image-8761" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.02.-most-common-topics.png 898w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.02.-most-common-topics-300x156.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.02.-most-common-topics-768x399.png 768w" sizes="(max-width: 898px) 100vw, 898px" /><figcaption class="wp-element-caption"><em>The most frequently abused topics</em></figcaption></figure></div>
  795.  
  796.  
  797. <p>Interestingly, attackers sometimes change the wallets on their fraudulent sites, possibly when the wallets get flagged on a crypto-scam list. The graph below illustrates how the wallets of two domains changed over time. Collecting crypto wallet information is therefore an ongoing process that requires regular monitoring of the content of these fraudulent sites.</p>
  798.  
  799.  
  800. <div class="wp-block-image">
  801. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="607" height="531" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.03.-changed-wallets-over-time.png" alt="" class="wp-image-8755" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.03.-changed-wallets-over-time.png 607w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.03.-changed-wallets-over-time-300x262.png 300w" sizes="(max-width: 607px) 100vw, 607px" /><figcaption class="wp-element-caption"><em>Domains that have changed wallets over time</em></figcaption></figure></div>
  802.  
  803.  
  804. <h4 class="wp-block-heading" id="technical-analysis">Technical Analysis</h4>
  805.  
  806.  
  807.  
  808. <p>We additionally analyzed the fundamental technical aspects of the fake websites and the infrastructure built by the framework. The websites are built predominantly on obfuscated JavaScript, which makes it easy to conceal crypto wallets, constants, and the other variables that shape the dynamically generated content. Similarly, the wallets&#8217; QR codes are generated by another obfuscated JavaScript and stored locally in memory.</p>
  809.  
  810.  
  811. <div class="wp-block-image">
  812. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="895" height="654" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-HTML-code.png" alt="" class="wp-image-8766" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-HTML-code.png 895w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-HTML-code-300x219.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-HTML-code-768x561.png 768w" sizes="(max-width: 895px) 100vw, 895px" /><figcaption class="wp-element-caption"><em>HTML code of the main page</em></figcaption></figure></div>
  813.  
  814.  
  815. <h6 class="wp-block-heading">Online Transaction Dashboard</h6>
  816.  
  817.  
  818.  
  819. <p>Every five seconds, random transaction numbers and wallet addresses are generated to simulate completed transactions and increase the event&#8217;s credibility.</p>
  820.  
  821.  
  822.  
  823. <p>The wallet definition also includes variables that determine how the fake online transactions are randomly generated. A random node is defined for each wallet, specifying the format of the fake transaction hash and of the recipient wallet, including their prefix and length.</p>
  824.  
  825.  
  826. <div class="wp-block-image">
  827. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="895" height="855" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.-wallet-and-random-transaction-definitions.png" alt="" class="wp-image-8767" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.-wallet-and-random-transaction-definitions.png 895w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.-wallet-and-random-transaction-definitions-300x287.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.-wallet-and-random-transaction-definitions-768x734.png 768w" sizes="(max-width: 895px) 100vw, 895px" /><figcaption class="wp-element-caption"><em>Crypto wallet and random transaction definitions</em></figcaption></figure></div>
  828.  
  829.  
  830. <p>The resulting effect looks professional and legitimate, but the hashes and wallets are deliberately abbreviated so that they cannot be verified.</p>
  831.  
  832.  
  833. <div class="wp-block-image">
  834. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="497" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/03.-online-transaction-system-1024x497.png" alt="" class="wp-image-8768" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/03.-online-transaction-system-1024x497.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/03.-online-transaction-system-300x146.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/03.-online-transaction-system-768x373.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/03.-online-transaction-system.png 1180w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Fake online transaction system</em></figcaption></figure></div>
  848.  
  849.  
  850. <h6 class="wp-block-heading">Anti-debug Protection</h6>
  851.  
  852.  
  853.  
  854. <p>The JavaScript code also employs several techniques to prevent detailed inspection of the fraudulent pages. Keyboard shortcuts that expose implementation details, such as <code>Ctrl+U</code>, <code>Ctrl+S</code>, and <code>F12</code>, are disabled, and the user is redirected to the <code>/clarity</code> page, which displays the CryptoCore about page.</p>
  855.  
  856.  
  857. <div class="wp-block-image">
  858. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="571" height="246" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.-crypto-core-redacted.png" alt="" class="wp-image-8807" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.-crypto-core-redacted.png 571w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/04.-crypto-core-redacted-300x129.png 300w" sizes="(max-width: 571px) 100vw, 571px" /><figcaption class="wp-element-caption"><em>CryptoCore about page</em></figcaption></figure></div>
  859.  
  860.  
  861. <p>Moreover, the pages intercept and block copy events; the wallet address can be copied only through a button whose handler is implemented in JavaScript. When the &#8220;copy address&#8221; button is clicked, a defined event is sent to the backend. The API call is structured as <code>api/event?id=&lt;event&gt;</code>, where <code>&lt;event&gt;</code> is defined for each wallet. Finally, the wallet addresses in the JavaScript code are obfuscated (not truly encrypted) using a simple Base64 encoding written in reverse order.</p>
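As an added example (not code from the report or from the CryptoCore framework), the following Python script scans a saved landing page for the static artifacts described in this section (disabled inspection shortcuts with the <code>/clarity</code> redirect, the copy hook calling <code>api/event?id=&lt;event&gt;</code>, the <code>0x=</code> slowAES cookie), recovers wallet addresses stored as reversed Base64, and diffs two wallet snapshots for the ongoing monitoring the statistics section calls for. The sample page, the indicator weights and threshold, and the placeholder wallets are constructed for the example.

```python
"""Static triage of a captured CryptoCore-style landing page (added example,
not code from the Avast report or the framework): flag the described artifacts
and recover wallet addresses hidden as reversed Base64 for ongoing monitoring."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Set

# Artifacts the report describes, as regexes over the raw page source.
# Weights and threshold are this example's own choice, not from the report.
INDICATORS = {
    "blocked_shortcuts": (re.compile(r"keyCode\s*===?\s*123|\bF12\b"), 2),
    "clarity_redirect": (re.compile(r"['\"]/clarity['\"]"), 3),
    "copy_event_hook": (re.compile(r"api/event\?id="), 2),
    "copy_intercept": (re.compile(r"addEventListener\(\s*['\"]copy['\"]"), 1),
    "slowaes_cookie": (re.compile(r'"0x="\s*\+\s*toHex\(\s*slowAES\.decrypt'), 3),
}
FLAG_THRESHOLD = 5

# Address shapes that confirm a decoded literal is a wallet (format only, no checksum).
ADDRESS_SHAPES = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# A JS string literal that may be reversed Base64; because the encoded string was
# reversed before being embedded, any '=' padding sits at the front.
REVERSED_B64_LITERAL = re.compile(r"['\"](={0,2}[A-Za-z0-9+/]{20,})['\"]")


def decode_reversed_base64(literal: str) -> Optional[str]:
    """Undo 'Base64 written in reverse order'; None if the literal is not that."""
    try:
        return base64.b64decode(literal[::-1], validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_address(text: str) -> Optional[str]:
    for chain, shape in ADDRESS_SHAPES.items():
        if shape.match(text):
            return chain
    return None


def extract_wallets(source: str) -> Dict[str, str]:
    """Map each recovered wallet address to its chain label."""
    wallets = {}
    for literal in REVERSED_B64_LITERAL.findall(source):
        decoded = decode_reversed_base64(literal)
        chain = classify_address(decoded) if decoded else None
        if chain:
            wallets[decoded] = chain
    return wallets


def extract_event_ids(source: str) -> List[str]:
    """Collect the per-wallet <event> ids from api/event?id=<event> copy hooks."""
    return sorted(set(re.findall(r"api/event\?id=([A-Za-z0-9_.-]+)", source)))


def triage_page(source: str) -> dict:
    hits = {name: w for name, (rx, w) in INDICATORS.items() if rx.search(source)}
    score = sum(hits.values())
    return {"score": score, "flagged": score >= FLAG_THRESHOLD,
            "indicators": sorted(hits), "wallets": extract_wallets(source),
            "event_ids": extract_event_ids(source)}


def wallet_changes(previous: Set[str], current: Set[str]) -> Dict[str, List[str]]:
    """Diff two monitoring snapshots of one domain (operators rotate wallets)."""
    return {"added": sorted(current - previous), "removed": sorted(previous - current)}


# --- constructed sample page: placeholder wallets (made up, not real scam
# addresses), embedded as the report describes: Base64, then reversed. -----
def _reverse_b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()[::-1]


SAMPLE_BTC = "bc1qplaceh0lderplaceh0lderplaceh0lder000"
SAMPLE_ETH = "0x" + "0" * 32 + "DEADBEEF"
SAMPLE_PAGE = f"""<script>
document.addEventListener('keydown', function (e) {{
  if (e.keyCode === 123 || (e.ctrlKey && (e.key === 'u' || e.key === 's'))) {{
    e.preventDefault(); location.href = '/clarity';
  }}
}});
document.addEventListener('copy', function (e) {{ e.preventDefault(); }});
var wallets = {{
  btc: {{ addr: "{_reverse_b64(SAMPLE_BTC)}", evt: "/api/event?id=btc_copy" }},
  eth: {{ addr: "{_reverse_b64(SAMPLE_ETH)}", evt: "/api/event?id=eth_copy" }}
}};
function copyAddr(k) {{ fetch(wallets[k].evt); }}
document.cookie = "0x=" + toHex(slowAES.decrypt(c, 2, a, b)) + "; path=/";
</script>"""

if __name__ == "__main__":
    print(triage_page(SAMPLE_PAGE))
```

Point <code>triage_page</code> at saved page sources from a capture of your own; the recovered wallets can then be fed to <code>wallet_changes</code> snapshot by snapshot to catch the wallet rotation the report observed.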
  862.  
  863.  
  864.  
  865. <h6 class="wp-block-heading">Online Chat</h6>
  866.  
  867.  
  868.  
  869. <p>The online chat for communicating with the &#8220;support team&#8221; is implemented using third-party services such as <code>LiveChat</code>, <code>Tawk.to</code>, and <code>Smartsupp</code>. All three services also offer trial or free versions. On sites launched some time ago, we have often observed that the chat is already blocked.<br><img loading="lazy" decoding="async" width="850" height="105" class="wp-image-8770" style="width: 850px" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.-live-chat-blocked.png" alt="" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.-live-chat-blocked.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.-live-chat-blocked-300x37.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/05.-live-chat-blocked-768x95.png 768w" sizes="(max-width: 850px) 100vw, 850px" /><br>On newly launched sites, however, the chats are always functional and ready to communicate with a potential victim.</p>
  870.  
  871.  
  872.  
  873. <h6 class="wp-block-heading">Web Crawling Protection</h6>
  874.  
  875.  
  876.  
  877. <p>Before the desired page is rendered, attackers implement several mechanisms to prevent simple web crawling. The first mechanism involves managing cookies, which are calculated on the client side based on constants sent during the initial contact with the C2 server. The specific code for deriving the cookies is as follows:</p>
  878.  
  879.  
  880.  
  881. <p><code>document.cookie = "0x=" + toHex(slowAES.decrypt(c, 2, a, b)) + "; expires=Wed, 01 Jan 2025 22:22:22 GMT; path=/";</code></p>
  882.  
  883.  
  884.  
  885. <p>The constants <strong><code>a</code></strong>, <strong><code>b</code></strong>, and <strong><code>c</code></strong> are defined by the C2 server and are tied to the victim&#8217;s IP address, which allows the attackers to block selected ISPs more precisely. Sessions are therefore non-transferable: if the cookies do not match, the server keeps answering with the challenge that computes the correct current cookies for the given IP address, and only once everything matches does it send the requested content.</p>
  886.  
  887.  
  888.  
  889. <p>The second mechanism involves checking user agents in the HTTP header. If the user agent is on a blocklist (such as <code>wget</code>, <code>curl</code>, etc.), the web server returns a <code>403 Forbidden</code> response. Additionally, there is ISP filtering, which results in a <code>404 Not Found</code> response for blocked ISPs.</p>
  890.  
  891.  
  892.  
  893. <h6 class="wp-block-heading">Cloudflare Protection</h6>
  894.  
  895.  
  896.  
  897. <p>There was an interesting difference between the number of collected domains and the number of resolved IP addresses: we collected a total of 340 different domains hosting suspicious websites but approximately 440 IP addresses. The discrepancy arises because the websites are typically hosted behind dynamic reverse proxies, so the same domains resolved to many IP addresses over time.</p>
  898.  
  899.  
  900.  
  901. <p>The overwhelming majority (99%) of these proxies (IPs) are provided by Cloudflare, with only 1% observed using Akamai Technologies. The use of reverse proxies makes it very difficult to track and determine the exact location of the web servers. Additionally, reverse proxies complicate automated web crawling by requiring bot verification.</p>
  902.  
  903.  
  904. <div class="wp-block-image">
  905. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="500" height="579" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.-distribution-of-reverse-proxies.png" alt="" class="wp-image-8784" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.-distribution-of-reverse-proxies.png 500w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/06.-distribution-of-reverse-proxies-259x300.png 259w" sizes="(max-width: 500px) 100vw, 500px" /><figcaption class="wp-element-caption"><em>Used reverse proxies</em></figcaption></figure></div>
  906.  
  907. <div class="wp-block-image">
  908. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="596" height="330" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/07.-cloudflare-protection.png" alt="" class="wp-image-8776" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/07.-cloudflare-protection.png 596w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/07.-cloudflare-protection-300x166.png 300w" sizes="(max-width: 596px) 100vw, 596px" /><figcaption class="wp-element-caption"><em>Cryptoscam website behind Cloudflare protection</em></figcaption></figure></div>
  909.  
  910.  
  911. <p>However, based on historical data from 2021, when the group did not yet use reverse proxies, we have determined that nearly 70% of the web servers were hosted in Russia and 15% in the Netherlands. These web servers were running on <code>Ubuntu</code> with the <code>nginx</code> web server.</p>
  912.  
  913.  
  914. <div class="wp-block-image">
  915. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="500" height="503" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.-country-distribution-of-former-web-servers-1.png" alt="" class="wp-image-8781" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.-country-distribution-of-former-web-servers-1.png 500w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.-country-distribution-of-former-web-servers-1-298x300.png 298w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.-country-distribution-of-former-web-servers-1-150x150.png 150w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/08.-country-distribution-of-former-web-servers-1-214x214.png 214w" sizes="(max-width: 500px) 100vw, 500px" /><figcaption class="wp-element-caption"><em>Country distribution of former web servers</em></figcaption></figure></div>
  916.  
  917.  
  918. <h6 class="wp-block-heading">Tech Support Chat</h6>
  919.  
  920.  
  921.  
  922. <p>An integral part of professional websites and large companies is the support chat. In the case of CryptoCore, chat is implemented using third-party plugins. Previous publications have noted that the chat may be connected to a particular form of LLM <a href="#reference">[18]</a>.</p>
  923.  
  924.  
  925.  
  926. <p>Several test communications with the purported technical support lead us to presume that real people are responding. A few examples of these interactions are shown below. Generally, the support team tries to convince you of their legitimacy. If you inquire about a transaction you made without receiving the promised double return, they ask for the transaction hash or a screenshot. Unsurprisingly, no complaint resulted in a refund.</p>
  927.  
  928.  
  929.  
  930. <p><strong>Case 1: Forged Transaction Confirmation</strong></p>
  931.  
  932.  
  933.  
934. <p>We created a fake screenshot showing a transfer of 0.33 BTC valued at only $600 at the current price. The support team explicitly questioned the price figure. This shows that the support team can respond to images and to more complex content (such as an implausible BTC price), which presumably rules out simple LLM-based chatbots.</p>
  935.  
  936.  
  937.  
  938. <p id="online-chat-case02"><strong>Case 2: Suspicious YouTube Channel</strong></p>
  939.  
  940.  
  941.  
942. <p>In the second case, we confronted the support team with the fact that their wallets were listed on the Crypto Scam Tracker. They responded that the giveaway was an official event by Michael Saylor, backed by a verified YouTube account. Our follow-up argument was that the YouTube account contained posts from another (hijacked) user. They explained this discrepancy away as a YouTube error with no connection to them. The full story of this YouTube channel is in the <a href="#hijacked-yt-account">Hijacked YouTube Examples</a> section.</p>
  943.  
  944.  
  945.  
  946. <p><strong>Case 3: No Transactions on Wallets</strong></p>
  947.  
  948.  
  949.  
950. <p>We pointed out to the support team that their transaction dashboard showed numerous transactions, yet we could not find a single one of them on the blockchain. Their response was unconvincing. They also stated that there was no way to verify that our investment would be returned.</p>
  951.  
  952.  
  953.  
  954. <p><strong>Case 4: Forged Transaction System Dashboard</strong></p>
  955.  
  956.  
  957.  
958. <p>We again created a fake screenshot showing a BTC transfer, together with a fake dashboard showing the same transaction ID, currency, and BTC amount, and asked why we had not received the payout when the transaction appeared on the dashboard. The brief response claimed that the transaction had already been paid out and therefore could not be ours.</p>
  959.  
  960.  
  961. <div class="wp-block-image">
962. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="467" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/09.-support-team-communications-467x1024.png" alt="" class="wp-image-8779" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/09.-support-team-communications-467x1024.png 467w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/09.-support-team-communications-137x300.png 137w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/09.-support-team-communications-768x1685.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/09.-support-team-communications-700x1536.png 700w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/09.-support-team-communications.png 802w" sizes="(max-width: 467px) 100vw, 467px" /><figcaption class="wp-element-caption"><em>Examples of support team communications</em></figcaption></figure></div>
  976.  
  977.  
  978. <h4 class="wp-block-heading" id="detections">Detections</h4>
  979.  
  980.  
  981.  
982. <p>Detections related to giveaway scams target the fraudulent pages on both desktop and smart devices (mobile phones). Scammers, however, encourage victims to use a smart device and scan a QR code precisely to evade antivirus solutions, because more than 50% of smart devices have no protection <a href="#reference">[19]</a>. Our telemetry shows that the ratio of CryptoCore detections on desktop versus smart platforms is 2:5, which indicates considerable success in redirecting victims to generally less protected platforms.</p>
  983.  
  984.  
  985.  
986. <p>Our telemetry also shows a correlation between detection hits and the events abused by the scam group. In total, we identified five significant events in the crypto world with a demonstrable connection to CryptoCore detections. The abused events are summarized in the section <a href="#abused-events">Abused Events</a>.</p>
  987.  
  988.  
  989. <div class="wp-block-image">
990. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="424" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-time-line-1024x424.png" alt="" class="wp-image-8786" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-time-line-1024x424.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-time-line-300x124.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-time-line-768x318.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/01.-time-line.png 1425w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Protected users against the CryptoCore giveaway scam</em></figcaption></figure></div>
  1004.  
  1005.  
1006. <p>The countries most affected by CryptoCore are the United States, the United Kingdom, Brazil, and Germany. There is also a noticeable difference between users of smart devices and desktop computers: on smart devices, we detected the most scams associated with the IFT-3 event, while on desktop devices, the event related to the solar eclipse attracted the larger audience.</p>
  1007.  
  1008.  
  1009. <div class="wp-block-image">
1010. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="394" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.-smart-devices-1024x394.png" alt="" class="wp-image-8787" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.-smart-devices-1024x394.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.-smart-devices-300x115.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.-smart-devices-768x295.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/02.-smart-devices.png 1300w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Protected users and abused topics on smart devices</em></figcaption></figure></div>
  1024.  
  1025. <div class="wp-block-image">
1026. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="394" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/03.-desktop-computers-1024x394.png" alt="" class="wp-image-8788" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/03.-desktop-computers-1024x394.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/03.-desktop-computers-300x115.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/03.-desktop-computers-768x295.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/03.-desktop-computers.png 1300w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Protected users and abused topics on desktop computers</em></figcaption></figure></div>
  1040.  
  1041.  
  1042. <h4 class="wp-block-heading" id="conclusion">Conclusion</h4>
  1043.  
  1044.  
  1045.  
  1046. <p>The giveaway scam campaign spread by the scam group CryptoCore is a sophisticated operation that exploits the popularity of cryptocurrencies and the trust of users in well-known personalities and events. The scammers use deepfake technology, hijacked YouTube accounts, and professionally designed websites to deceive victims into sending their cryptocurrencies to the scammers&#8217; wallets.</p>
  1047.  
  1048.  
  1049.  
1050. <p>CryptoCore has been operating on a large scale for at least five years. Platforms such as YouTube and Cloudflare block giveaway scams only sporadically or with significant delays, even though the <em><a href="#modus-operandi">modus operandi</a></em> has remained unchanged for years. Moreover, for each campaign we continue to observe several newly hijacked YouTube accounts, which together with accounts parked from previous campaigns represent a substantial risk. We have also documented several cases of hacked accounts whose owners had to recover channels they had built over many years. Our statistics show that nearly 65% of the accounts compromised by CryptoCore have over 100k subscribers, and 20% have over a million. We therefore strongly recommend that all YouTube account owners take additional security precautions: use 2FA and strong passwords, stay alert to phishing campaigns, regularly check account activity for unauthorized access, keep account recovery options (such as a secondary email or phone number) up to date, and use reputable antivirus and security software to protect their devices from malware that could compromise their accounts.</p>
  1051.  
  1052.  
  1053.  
1054. <p>Although we focused primarily on YouTube, we have seen similar scam attacks on other platforms, evidently from the same scam group. Previous studies indicate that the group&#8217;s activity is extensive: during our six-month observation, we estimated nearly $5.4 million in stolen cryptocurrency, and when the attackers exploit the right event, they can take almost $1.5 million within a few days. This suggests that the group&#8217;s annual profit is significantly higher than our six-month figure.</p>
  1055.  
  1056.  
  1057.  
1058. <p>Tracing the whole attack vector is complicated because the scammers split it across two platforms. Redirecting victims to smart devices also increases the probability that the fraudulent sites will not be detected by antivirus software, since many people do not protect their smart devices; consequently, we observe the highest incidence of fake sites on exactly those devices. Everything indicates that such attacks will continue, with the group seeking attractive events to exploit, until the targeted platforms effectively protect their users and visitors.</p>
  1059.  
  1060.  
  1061.  
1062. <p>Note that we named the scam group after the scam framework it uses, CryptoCore; however, our analysis of CryptoCore-associated campaigns shows that the giveaway scam is a complex project whose parts are probably delegated to other paid, and often illegal, services. Moreover, the deepfake videos improved continuously over the observed year. As a direction for future research, further work could analyze the collected crypto wallets.</p>
  1063.  
  1064.  
  1065.  
1066. <p>Users must stay informed about these scam risks. As the cryptocurrency landscape evolves, so will the scams that exploit it. Users should always be cautious when an offer seems too good; nobody gives anything away for free. They should also be wary of YouTube accounts with many subscribers but suspiciously low activity and inconsistent content. Finally, a good antivirus program on smart devices is essential. Continuous research and vigilance are therefore necessary to protect potential victims and to navigate the evolving cryptocurrency scene safely. Remember, if it sounds too good to be true, it probably is. Stay safe!</p>
  1067.  
  1068.  
  1069.  
  1070. <p><em>If this type of scam has compromised <a href="#ioc-yt">your accounts</a>, do not hesitate to <a href="mailto:ti@avast.com">contact us</a> and share your information and experiences. By doing so, you help improve protection against attackers and limit the reach of fraudsters.</em></p>
  1071.  
  1072.  
  1073.  
  1074. <h4 class="wp-block-heading">IoC</h4>
  1075.  
  1076.  
  1077.  
  1078. <h6 class="wp-block-heading" id="ioc-wallets"><strong>Crypto Scam Wallets</strong></h6>
  1079.  
  1080.  
  1081.  
  1082. <div class="wp-block-file"><a id="wp-block-file--media-0d9ae82d-f956-4d86-b0f3-f13a762a23df" href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/cc-cryptowallets.xlsx">cc-cryptowallets</a><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/cc-cryptowallets.xlsx" class="wp-block-file__button wp-element-button" download aria-describedby="wp-block-file--media-0d9ae82d-f956-4d86-b0f3-f13a762a23df">Download</a></div>
  1083.  
  1084.  
  1085.  
  1086. <h6 class="wp-block-heading" id="ioc-yt"><strong>Hijacked YouTube Accounts</strong></h6>
  1087.  
  1088.  
  1089.  
1090. <p>The <code>cc-yt-accounts</code> list summarizes the most active YouTube accounts abused in CryptoCore campaigns; the &#8220;Status&#8221; column describes each one&#8217;s state. It is a snapshot as of August 7, 2024.</p>
  1091.  
  1092.  
  1093.  
1094. <p>The &#8220;active&#8221; state indicates that the account still contains artifacts typical of hijacking (background image, account name, etc.) but no scam videos. We therefore cannot determine whether these accounts are still under the control of bad actors or have been returned to their original owners but not yet rolled back to their original state.</p>
  1095.  
  1096.  
  1097.  
  1098. <div class="wp-block-file"><a id="wp-block-file--media-a3edb374-5c44-4cf4-937e-a667d64d398d" href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/cc-yt-accounts.xlsx">cc-yt-accounts</a><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/cc-yt-accounts.xlsx" class="wp-block-file__button wp-element-button" download aria-describedby="wp-block-file--media-a3edb374-5c44-4cf4-937e-a667d64d398d">Download</a></div>
  1099.  
  1100.  
  1101.  
  1102. <h4 class="wp-block-heading" id="reference">Reference</h4>
  1103.  
  1104.  
  1105.  
1106. <p>[1] <a href="https://www.bbc.com/news/technology-46097853">Twitter: Fake Elon Musk scam spreads after accounts hacked</a><br>
[2] <a href="https://blog.google/threat-analysis-group/phishing-campaign-targets-youtube-creators-cookie-theft-malware">Phishing campaign targets YouTube creators with cookie theft malware</a><br>
[3] <a href="https://therecord.media/scammers-hijack-youtube-channels">Scammers hijack YouTube channels to promote Elon Musk-themed crypto schemes</a><br>
[4] <a href="https://arxiv.org/pdf/2405.09757">Give and Take: An End-To-End Investigation of Giveaway Scam Conversion Rates</a><br>
[5] <a href="https://www.akamai.com/blog/security-research/crypto-giveaway-scams-are-still-successful#analysis">Technical analysis from one of the scam kits distributed on the dark web</a><br>
[6] <a href="https://www.bitdefender.com/blog/hotforsecurity/beware-of-scams-elon-musk-is-not-giving-away-bitcoin-on-twitter">Beware of scams! Elon Musk is not giving away bitcoin on Twitter</a><br>
[7] <a href="https://www.bitdefender.com/blog/hotforsecurity/fake-elon-musk-crypto-giveaway-scam-campaigns-run-rampant-on-tiktok">Fake &#8216;Elon Musk&#8217; Crypto Giveaway Scam Campaigns Run Rampant on TikTok</a><br>
[8] <a href="https://www.bleepingcomputer.com/news/security/verified-twitter-accounts-hacked-in-580k-elon-musk-crypto-scam">Verified Twitter accounts hacked in $580k &#8216;Elon Musk&#8217; crypto scam</a><br>
[9] <a href="https://www.wired.com/story/youtube-bitcoin-scam-account-hijacking-google-phishing">How Hackers Hijacked Thousands of High-Profile YouTube Accounts</a><br>
[10] <a href="https://www.bitdefender.com/blog/labs/stream-jacking-2-0-deep-fakes-power-account-takeovers-on-youtube-to-maximize-crypto-doubling-scams">Deep fakes power account takeovers on YouTube to maximize crypto-doubling scams</a><br>
[11] <a href="https://www.kaspersky.com/blog/youtubers-takeovers/48375">Hacking YouTube channels with stolen cookies</a><br>
[12] <a href="https://www.coindesk.com/business/2024/01/03/michael-saylor-commences-plan-to-sell-216m-worth-of-microstrategy-stock-options/?utm_medium=referral&amp;utm_source=rss&amp;utm_campaign=headlines">Michael Saylor Commences Plan to Sell $216M Worth of MicroStrategy Shares</a><br>
[13] <a href="https://en.wikipedia.org/wiki/SpaceX_Starship_integrated_flight_test_3">SpaceX Starship integrated flight test 3</a><br>
[14] <a href="https://www.reuters.com/technology/space/musks-spacex-is-building-spy-satellite-network-us-intelligence-agency-sources-2024-03-16">Exclusive: Musk&#8217;s SpaceX is building spy satellite network for US intelligence agency, sources say</a><br>
[15] <a href="https://en.wikipedia.org/wiki/SpaceX_Starship_integrated_flight_test_4">SpaceX Starship integrated flight test 4</a><br>
[16] <a href="https://x.com/elonmusk/status/1529484675269414912">X &#8211; Elon Musk status</a><br>
[17] <a href="https://x.com/saylor/status/1746298365036343477">X &#8211; Saylor status</a><br>
[18] <a href="https://www.bitdefender.com/blog/labs/a-deep-dive-into-stream-jacking-attacks-on-youtube-and-why-theyre-so-popular">A Deep Dive into Stream-Jacking Attacks on YouTube and Why They&#8217;re So Popular</a><br>
[19] <a href="https://www.security.org/antivirus/antivirus-consumer-report-annual/#usage">Antivirus in the Age of Evolving Threats: 2024 Antivirus Market Report</a></p>
  1107. <p>The post <a href="https://decoded.avast.io/martinchlumecky1/cryptocore-unmasking-the-sophisticated-cryptocurrency-scam-operations/">CryptoCore: Unmasking the Sophisticated Cryptocurrency Scam Operations</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  1108. ]]></content:encoded>
  1109. <enclosure url="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/07.03.1.-Vitalik-Buterin.mp4" length="1631950" type="video/mp4" />
  1110. <enclosure url="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.03.2.-Blackrock.mp4" length="3218353" type="video/mp4" />
  1111. <enclosure url="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.03.3-SpaceX.mp4" length="1663599" type="video/mp4" />
  1112. <enclosure url="https://decoded.avast.io/wp-content/uploads/sites/2/2024/08/07.03.4-MicroStrategy.mp4" length="2456588" type="video/mp4" />
  1113.  
  1114. </item>
  1115. <item>
  1116. <title>Decrypted: DoNex Ransomware and its Predecessors</title>
  1117. <link>https://decoded.avast.io/threatresearch/decrypted-donex-ransomware-and-its-predecessors/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=decrypted-donex-ransomware-and-its-predecessors</link>
  1118. <dc:creator><![CDATA[Threat Research Team]]></dc:creator>
  1119. <pubDate>Mon, 08 Jul 2024 07:48:17 +0000</pubDate>
  1120. <category><![CDATA[PC]]></category>
  1121. <category><![CDATA[decryptor]]></category>
  1122. <category><![CDATA[decryptors]]></category>
  1123. <category><![CDATA[ransomware]]></category>
  1124. <guid isPermaLink="false">https://decoded.avast.io/?p=8680</guid>
  1125.  
  1126. <description><![CDATA[<p>Researchers from Avast have discovered a flaw in the cryptographic schema of the DoNex ransomware and its predecessors. In cooperation with law enforcement organizations, we have been silently providing the decryptor to DoNex ransomware victims since March 2024. The&#160; cryptographic weakness was made public at Recon 2024 and therefore we have no reason to keep [&#8230;]</p>
  1127. <p>The post <a href="https://decoded.avast.io/threatresearch/decrypted-donex-ransomware-and-its-predecessors/">Decrypted: DoNex Ransomware and its Predecessors</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  1128. ]]></description>
  1129. <content:encoded><![CDATA[
1130. <p>Researchers from Avast have discovered a flaw in the cryptographic schema of the DoNex ransomware and its predecessors. In cooperation with law enforcement organizations, we have been silently providing the decryptor to DoNex ransomware victims since March 2024. The cryptographic weakness was made public at Recon 2024, so we no longer have any reason to keep it secret.</p>
  1131.  
  1132.  
  1133.  
  1134. <h2 class="wp-block-heading">DoNex and its Brothers</h2>
  1135.  
  1136.  
  1137.  
1138. <p>The DoNex ransomware has been rebranded several times. The first brand, called Muse, appeared in April 2022. Multiple evolutions followed, resulting in the final version of the ransomware, called DoNex. DoNex seems to have stopped evolving in April 2024: we have not detected any new samples since then, and the ransomware&#8217;s TOR site has been down since that point. The following is a brief history of DoNex.</p>
  1139.  
  1140.  
  1141.  
  1142. <figure class="wp-block-table"><table><tbody><tr><td>Apr 2022</td><td>The first sample of Muse ransomware</td></tr><tr><td>Nov 2022</td><td>Rebrand to fake LockBit 3.0</td></tr><tr><td>May 2023</td><td>Rebrand to DarkRace</td></tr><tr><td>Mar 2024</td><td>Rebrand to DoNex</td></tr></tbody></table></figure>
  1143.  
  1144.  
  1145.  
  1146. <p>All brands of the DoNex ransomware are supported by the decryptor.</p>
  1147.  
  1148.  
  1149.  
1150. <p>DoNex carries out targeted attacks on its victims; based on our telemetry, it was most active in the US, Italy, and the Netherlands.</p>
  1151.  
  1152.  
  1153. <div class="wp-block-image">
  1154. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/map_donex-1024x639.png" alt="" class="wp-image-8681" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/map_donex-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/map_donex-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/map_donex-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/map_donex-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/map_donex-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">DoNex blocked attacks</figcaption></figure></div>
  1155.  
  1156.  
  1157. <h2 class="wp-block-heading">Ransomware Encryption Schema</h2>
  1158.  
  1159.  
  1160.  
1161. <p>During execution, the ransomware generates an encryption key with the <a href="https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom">CryptGenRandom()</a> function. This key initializes a ChaCha20 symmetric key that is then used to encrypt the files. After a file is encrypted, the symmetric file key is encrypted with RSA-4096 and appended to the end of the file. Files are selected by their extension, and the list of extensions is stored in the ransomware&#8217;s XML config.</p>
  1162.  
  1163.  
  1164.  
1165. <p>Small files (up to 1 MB) are encrypted in their entirety. For files larger than 1 MB, intermittent encryption is used: the file is split into blocks, and those blocks are encrypted separately.</p>
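<p>The following Python model of the file layout just described is an added example, not code from Avast or from the ransomware itself. It implements ChaCha20 (RFC 7539) in pure Python so that it runs stand-alone, encrypts files at or below the 1 MB threshold in full and larger files intermittently, and appends the trailer where the RSA-4096-wrapped file key sits. Several details are assumptions because the write-up does not state them: the block stride and encrypted length used in intermittent mode (<code>INTERMITTENT_STEP</code>, <code>INTERMITTENT_LEN</code>), a 12-byte nonce carried next to the 32-byte key, the ChaCha20 counter being derived from the file offset, and the trailer being an opaque 512-byte stand-in (the length of an RSA-4096 ciphertext) rather than an actual RSA encryption. Decryption takes the per-file key directly, which is exactly what a decryptor needs once it has recovered that key.</p>

```python
"""Model of the DoNex-style file encryption layout (added example; not
Avast's decryptor and not the ransomware's code).  Assumed because the
write-up does not specify them: the intermittent stride/length, the
counter = file_offset // 64 rule, the 12-byte nonce next to the key, and
the opaque 512-byte trailer standing in for the RSA-4096-wrapped key."""
import os
import struct

SMALL_FILE_LIMIT = 1 << 20      # files up to 1 MB are encrypted in full (from the write-up)
INTERMITTENT_STEP = 64 * 1024   # assumed block stride for larger files
INTERMITTENT_LEN = 4 * 1024     # assumed encrypted prefix of each block
WRAPPED_KEY_LEN = 512           # byte length of an RSA-4096 ciphertext
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) & MASK) | (x >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 7539 state layout)."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key
                               + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12)
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK for i in range(16)))


def chacha20_xor(key, nonce, data, file_offset):
    """XOR data with the keystream positioned at file_offset (a multiple of 64)."""
    if file_offset % 64:
        raise ValueError("encrypted spans must start on a 64-byte boundary")
    out = bytearray()
    counter = file_offset // 64  # keystream position follows the file offset (assumption)
    for i in range(0, len(data), 64):
        stream = chacha20_block(key, counter, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], stream))
        counter += 1
    return bytes(out)


def encrypted_spans(size):
    """(offset, length) spans that get encrypted for a file of this size."""
    if size <= SMALL_FILE_LIMIT:
        return [(0, size)] if size else []
    return [(off, min(INTERMITTENT_LEN, size - off))
            for off in range(0, size, INTERMITTENT_STEP)]


def _transform(body, key, nonce):
    out = bytearray(body)
    for off, length in encrypted_spans(len(body)):
        out[off:off + length] = chacha20_xor(key, nonce, bytes(out[off:off + length]), off)
    return bytes(out)


def generate_file_key():
    """Per-file key material; the ransomware draws this from CryptGenRandom."""
    return os.urandom(32), os.urandom(12)


def encrypt_file(plain, key, nonce, wrapped_key):
    if len(wrapped_key) != WRAPPED_KEY_LEN:
        raise ValueError("wrapped key must be an RSA-4096 ciphertext")
    return _transform(plain, key, nonce) + wrapped_key


def split_trailer(blob):
    """Separate the encrypted body from the wrapped-key trailer at the end of the file."""
    if len(blob) < WRAPPED_KEY_LEN:
        raise ValueError("too short to carry a wrapped key")
    return blob[:-WRAPPED_KEY_LEN], blob[-WRAPPED_KEY_LEN:]


def decrypt_file(blob, key, nonce):
    """What a decryptor does once the per-file key is known: XOR is its own inverse."""
    body, _wrapped = split_trailer(blob)
    return _transform(body, key, nonce)


if __name__ == "__main__":
    key, nonce = generate_file_key()
    wrapped = os.urandom(WRAPPED_KEY_LEN)  # stand-in for the RSA-4096 ciphertext
    doc = b"invoice line\n" * 200
    assert decrypt_file(encrypt_file(doc, key, nonce, wrapped), key, nonce) == doc
    print("spans for a 1 MB + 1 file:", len(encrypted_spans(SMALL_FILE_LIMIT + 1)))
```

Because the trailer length is fixed, <code>split_trailer</code> doubles as the first check a triage script makes on a suspected DoNex file, and a body that still contains plaintext between the encrypted spans is the tell-tale of the intermittent mode.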
  1166.  
  1167.  
  1168.  
  1169. <h2 class="wp-block-heading">Ransomware Configuration</h2>
  1170.  
  1171.  
  1172.  
1173. <p>Samples of the DoNex ransomware and its previous versions contain an XOR-encrypted configuration that holds the whitelisted extensions, whitelisted files, services to kill, and other encryption-related settings. The following snippet shows part of such a configuration:</p>
  1174.  
  1175.  
1176. <pre class="wp-block-code"><code class="language-xml">&lt;?xml version='1.0' encoding='UTF-8'?&gt;
1177. &lt;root&gt;
1178.    &lt;white_extens&gt;
1179.        386;adv;ani;bat;bin;cab;cmd;com;cpl;cur;deskthemepack;diagcab;diagcfg;
1180.        diagpkg;dll;drv;exe;hlp;icl;icns;ico;ics;idx;lnk;mod;mpa;msc;msp;msstyles;
1181.        msu;nls;nomedia;ocx;prf;ps1;rom;rtp;scr;shs;spl;sys;theme;themepack;wpx;
1182.        lock;key;hta;msi;pdb;search-ms
1183.    &lt;/white_extens&gt;
1184.    &lt;white_files&gt;
1185.        bootmgr;autorun.inf;boot.ini;bootfont.bin;bootsect.bak;desktop.ini;iconcache.db;
1186.        ntldr;ntuser.dat;ntuser.dat.log;ntuser.ini;thumbs.db;GDIPFONTCACHEV1.DAT;d3d9caps.dat
1187.    &lt;/white_files&gt;
1188.    &lt;white_folders&gt;
1189.        $recycle.bin;config.msi;$windows.~bt;$windows.~ws;windows;boot;program files;
1190.        program files (x86);programdata;system volume information;tor browser;windows.old;
1191.        intel;msocache;perflogs;x64dbg;public;all users;default;microsoft;appdata
1192.    &lt;/white_folders&gt;
1193.    &lt;kill_keep&gt;
1194.        sql;oracle;mysq;chrome;veeam;firefox;excel;msaccess;onenote;outlook;powerpnt;winword;wuauclt
1195.    &lt;/kill_keep&gt;
1196.    &lt;services&gt;
1197.        vss;sql;svc$;memtas;mepocs;msexchange;sophos;veeam;backup;GxVss;GxBlr;GxFWD;GxCVD;GxCIMgr
1198.    &lt;/services&gt;
1199.    &lt;black_db&gt;
1200.        ldf;mdf
1201.    &lt;/black_db&gt;
1202.    &lt;encryption_thread&gt;
1203.        30
1204.    &lt;/encryption_thread&gt;
1205.    ...</code></pre>
  1206.  
  1207.  
  1208. <h2 class="wp-block-heading">How do I know if I have been attacked by DoNex ransomware?</h2>
  1209.  
  1210.  
  1211.  
  1212. <p>The simplest way to identify that you have been attacked by the DoNex ransomware is the ransom note. Each brand of the DoNex ransomware produces a different ransom note, but every version drops one. That said, the ransom note layouts of the Fake LockBit, DarkRace and DoNex ransomware are very similar. Below you can see examples of each.</p>
  1213.  
  1214.  
  1215. <div class="wp-block-image">
  1216. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="960" height="558" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-001-ransom-note-muse.png" alt="" class="wp-image-8682" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-001-ransom-note-muse.png 960w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-001-ransom-note-muse-300x174.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-001-ransom-note-muse-768x446.png 768w" sizes="(max-width: 960px) 100vw, 960px" /><figcaption class="wp-element-caption">Screenshot of the Muse ransom note</figcaption></figure></div>
  1217.  
  1218. <div class="wp-block-image">
  1219. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="678" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-002-ransom-note-fake-lockbit-1024x678.png" alt="" class="wp-image-8683" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-002-ransom-note-fake-lockbit-1024x678.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-002-ransom-note-fake-lockbit-300x199.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-002-ransom-note-fake-lockbit-768x509.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-002-ransom-note-fake-lockbit.png 1140w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Screenshot of the Fake LockBit ransom note</figcaption></figure></div>
  1220.  
  1221. <div class="wp-block-image">
  1222. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="679" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-003-ransom-note-dark-race-1024x679.png" alt="" class="wp-image-8684" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-003-ransom-note-dark-race-1024x679.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-003-ransom-note-dark-race-300x199.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-003-ransom-note-dark-race-768x509.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-003-ransom-note-dark-race.png 1139w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Screenshot of the DarkRace ransom note</figcaption></figure></div>
  1223.  
  1224. <div class="wp-block-image">
  1225. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="679" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-004-ransom-note-donex-1024x679.png" alt="" class="wp-image-8685" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-004-ransom-note-donex-1024x679.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-004-ransom-note-donex-300x199.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-004-ransom-note-donex-768x510.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/donex-004-ransom-note-donex.png 1138w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Screenshot of the DoNex ransom note</figcaption></figure></div>
  1226.  
  1227.  
  1228. <h2 class="wp-block-heading">How to use the DoNex ransomware decryptor</h2>
  1229.  
  1230.  
  1231.  
  1232. <p>1. Download the decryptor <a href="https://files.avast.com/files/decryptor/avast_decryptor_donex.exe">here</a>.<br>2. Run the executable file, preferably as an administrator. It starts as a wizard, leading you through the configuration of the decryption process.<br>3. On the initial page, we have a link to the license information. Click the Next button when you are ready to start.</p>
  1233.  
  1234.  
  1235. <div class="wp-block-image">
  1236. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="710" height="537" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-001-welcome.png" alt="" class="wp-image-8686" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-001-welcome.png 710w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-001-welcome-300x227.png 300w" sizes="(max-width: 710px) 100vw, 710px" /></figure></div>
  1237.  
  1238.  
  1239. <p>4. On the next page, the user is asked to provide a list of locations (drives, folders, files) that are to be decrypted. By default, it has a list of all local disk drives.</p>
  1240.  
  1241.  
  1242. <div class="wp-block-image">
  1243. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="710" height="537" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-002-locations.png" alt="" class="wp-image-8687" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-002-locations.png 710w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-002-locations-300x227.png 300w" sizes="(max-width: 710px) 100vw, 710px" /></figure></div>
  1244.  
  1245.  
  1246. <p>5. On the following page, you need to supply an example of a file in its original form together with the same file as encrypted by any brand of the DoNex ransomware. Type both file names, or drag &amp; drop the files from Windows Explorer onto the wizard page. <strong>It is extremely important to pick a pair of files that are as large as you can find. </strong>The largest file size that the tool can decrypt equals the size of the encrypted file in the pair.</p>
  1247.  
  1248.  
  1249. <div class="wp-block-image">
  1250. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="710" height="537" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-003-file-pair.png" alt="" class="wp-image-8688" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-003-file-pair.png 710w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-003-file-pair-300x227.png 300w" sizes="(max-width: 710px) 100vw, 710px" /></figure></div>
  1251.  
  1252.  
  1253. <p>6. The next page is where the password cracking process takes place. Click Start when you are ready to begin. This process usually only takes a second, but requires a large amount of system memory. This is why we strongly recommend using the 64-bit version of the decryption tool.<br>Once the password is found, you can continue to decrypt all the encrypted files on your PC by clicking Next.</p>
  1254.  
  1255.  
  1256. <div class="wp-block-image">
  1257. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="710" height="537" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-004-key-found.png" alt="" class="wp-image-8689" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-004-key-found.png 710w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-004-key-found-300x227.png 300w" sizes="(max-width: 710px) 100vw, 710px" /></figure></div>
  1258.  
  1259.  
  1260. <p>7. On the final page, you can opt in to back up your encrypted files. These backups may help if anything goes wrong during the decryption process. This choice is selected by default, which we recommend. After clicking Decrypt, the decryption process begins. Let the decryptor work and wait until it finishes decrypting all of your files.</p>
  1261.  
  1262.  
  1263. <div class="wp-block-image">
  1264. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="710" height="537" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-005-final-page.png" alt="" class="wp-image-8690" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-005-final-page.png 710w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/07/decryptor-005-final-page-300x227.png 300w" sizes="(max-width: 710px) 100vw, 710px" /></figure></div>
  1265.  
  1266.  
  1267. <h2 class="wp-block-heading">Indicators of Compromise (IOCs)</h2>
  1268.  
  1269.  
  1270.  
  1271. <figure class="wp-block-table"><table><thead><tr><th>SHA-256</th><th>Family</th></tr></thead><tbody><tr><td>9d5c4544bd06335c2ad2545b0d177218f84b77dd1834b22bf6a4cfe7e1de91fb</td><td>Muse</td></tr><tr><td>04ed1a811b3594f55486a52ab81227089c178f5c73944a3a9665d7052c3b7df9<br>0ec61a80e61f56f460fc42e5d4f0accec2b04c8db98c28ed4534946214076f2a<br>b9b4766d6b0e63f80d49e969fbd63ae90b0d1e487ef008b55c096bf46395d32e<br>2e397dcbcc630b492c01af9cb6033edd9c857e2881bead6956e43aefb16b6a21<br>91745d530a8304742b58890e798448de9fbe4ea0bc057f30ab0beb522b4bb688<br>2e1fd124f3e9fc238773e49bc971c882464a3686171d18ab2cd6c2859be138d1</td><td>FakeLockBit 3.0</td></tr><tr><td>74b5e2d90daaf96657e4d3d800bb20bf189bb2cf487479ea0facaf6182e0d1d3<br>0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4</td><td>Dark Race</td></tr><tr><td>0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca<br>B32ae94b32bcc5724d706421f915b7f7730c4fb20b04f5ab0ca830dc88dcce4e<br>6d6134adfdf16c8ed9513aba40845b15bd314e085ef1d6bd20040afd42e36e40</td><td>DoNex</td></tr></tbody></table></figure>
  1272. <p>The post <a href="https://decoded.avast.io/threatresearch/decrypted-donex-ransomware-and-its-predecessors/">Decrypted: DoNex Ransomware and its Predecessors</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  1273. ]]></content:encoded>
  1274. </item>
  1275. <item>
  1276. <title>New Diamorphine rootkit variant seen undetected in the wild</title>
  1277. <link>https://decoded.avast.io/davidalvarez/new-diamorphine-rootkit-variant-seen-undetected-in-the-wild/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-diamorphine-rootkit-variant-seen-undetected-in-the-wild</link>
  1278. <dc:creator><![CDATA[David Álvarez]]></dc:creator>
  1279. <pubDate>Tue, 18 Jun 2024 12:00:00 +0000</pubDate>
  1280. <category><![CDATA[PC]]></category>
  1281. <category><![CDATA[analysis]]></category>
  1282. <category><![CDATA[linux]]></category>
  1283. <category><![CDATA[malware]]></category>
  1284. <category><![CDATA[rootkit]]></category>
  1285. <guid isPermaLink="false">https://decoded.avast.io/?p=8646</guid>
  1286.  
  1287. <description><![CDATA[<p>Introduction Code reuse is very frequent in malware, especially for those parts of the sample that are complex to develop or hard to write with an essentially different alternative code. By tracking both source code and object code, we efficiently detect new malware and track the evolution of existing malware in-the-wild.&#160; Diamorphine is a well-known [&#8230;]</p>
  1288. <p>The post <a href="https://decoded.avast.io/davidalvarez/new-diamorphine-rootkit-variant-seen-undetected-in-the-wild/">New Diamorphine rootkit variant seen undetected in the wild</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  1289. ]]></description>
  1290. <content:encoded><![CDATA[
  1291. <h2 class="wp-block-heading"><strong>Introduction</strong></h2>
  1292.  
  1293.  
  1294.  
  1295. <p>Code reuse is very frequent in malware, especially for the parts of a sample that are complex to develop or hard to rewrite in a substantially different way. By tracking both source code and object code, we efficiently detect new malware and follow the evolution of existing malware in the wild.&nbsp;</p>
  1296.  
  1297.  
  1298.  
  1299. <p><a href="https://github.com/m0nad/Diamorphine" target="_blank" rel="noreferrer noopener"><em>Diamorphine</em></a> is a well-known Linux kernel rootkit that supports different Linux kernel versions (<em>2.6.x</em>, <em>3.x</em>, <em>4.x</em>, <em>5.x</em> and <em>6.x</em>) and processor architectures (<em>x86</em>, <em>x86_64</em> and <em>ARM64</em>). Briefly stated, when loaded, the module becomes invisible and hides all the files and folders starting with the magic prefix chosen by the attacker <a href="https://github.com/m0nad/Diamorphine/blob/master/diamorphine.h#L8" target="_blank" rel="noreferrer noopener">at compilation time</a>. After that, the threat actor can interact with Diamorphine by sending signals allowing the following operations: hide/unhide arbitrary processes, hide/unhide the kernel module, and elevate privileges to become root.&nbsp;</p>
  1300.  
  1301.  
  1302.  
  1303. <p>In early March 2024, we found a <a href="https://www.virustotal.com/gui/file/067194bb1a70e9a3d18a6e4252e9a9c881ace13a6a3b741e9f0ec299451c2090" target="_blank" rel="noreferrer noopener">new <em>Diamorphine</em> variant undetected in the wild</a>. After obtaining the sample, I examined the .modinfo section and noticed that it impersonates the legitimate <a href="https://www.kernelconfig.io/config_netfilter_xtables" target="_blank" rel="noreferrer noopener"><em>x_tables</em> Netfilter module</a> and was compiled for one specific kernel version (5.19.17).</p>
  1304.  
  1305.  
  1306.  
  1307. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="734" height="227" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_9-54-55.png" alt="" class="wp-image-8656" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_9-54-55.png 734w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_9-54-55-300x93.png 300w" sizes="(max-width: 734px) 100vw, 734px" /></figure>
  1308.  
  1309.  
  1310.  
  1311. <p>By listing the functions with <a href="https://rada.re/" target="_blank" rel="noreferrer noopener"><em>Radare2</em></a>, we can see that the sample under analysis consists of the <em>Diamorphine</em> kernel rootkit (e.g. <a href="https://github.com/m0nad/Diamorphine/blob/2337293fe8e4f862e769dee4989c432811fb802d/diamorphine.c#L293" target="_blank" rel="noreferrer noopener"><em>module_hide</em></a>, <a href="https://github.com/m0nad/Diamorphine/blob/2337293fe8e4f862e769dee4989c432811fb802d/diamorphine.c#L302" target="_blank" rel="noreferrer noopener"><em>hacked_kill</em></a>, <a href="https://github.com/m0nad/Diamorphine/blob/2337293fe8e4f862e769dee4989c432811fb802d/diamorphine.c#L60" target="_blank" rel="noreferrer noopener"><em>get_syscall_table_bf</em></a>, <a href="https://github.com/m0nad/Diamorphine/blob/2337293fe8e4f862e769dee4989c432811fb802d/diamorphine.c#L89" target="_blank" rel="noreferrer noopener"><em>find_task</em></a>, <a href="https://github.com/m0nad/Diamorphine/blob/2337293fe8e4f862e769dee4989c432811fb802d/diamorphine.c#L100" target="_blank" rel="noreferrer noopener"><em>is_invisible</em></a>, and <a href="https://github.com/m0nad/Diamorphine/blob/2337293fe8e4f862e769dee4989c432811fb802d/diamorphine.c#L286" target="_blank" rel="noreferrer noopener"><em>module_show</em></a>). But we can also see additional functions in the module (<em>a</em>, <em>b</em>, <em>c</em>, <em>d</em>, <em>e</em>, <em>f</em>, and <em>setup</em>), indicating that the sample was weaponized with additional payloads. </p>
  1312.  
  1313.  
  1314.  
  1315. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="557" height="307" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-4-15_12-23-35.png" alt="" class="wp-image-8657" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-4-15_12-23-35.png 557w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-4-15_12-23-35-300x165.png 300w" sizes="(max-width: 557px) 100vw, 557px" /></figure>
  1316.  
  1317.  
  1318.  
  1319. <p>Since <em>Diamorphine</em> is a well-known and open-source Linux kernel rootkit, this blog post is focused on the new features that were implemented:</p>
  1320.  
  1321.  
  1322.  
  1323. <ul class="wp-block-list">
  1324. <li>Stop <em>Diamorphine</em> by writing a message to the exposed device <em>xx_tables</em>.</li>
  1325.  
  1326.  
  1327.  
  1328. <li>Execute arbitrary operating system commands via magic packets.</li>
  1329. </ul>
  1330.  
  1331.  
  1332.  
  1333. <h2 class="wp-block-heading"><strong>Inserting the kernel rootkit</strong></h2>
  1334.  
  1335.  
  1336.  
  1337. <p>To insert this <em>Diamorphine</em> variant, we need a Linux system running kernel version <em>5.19.17</em>. <a href="https://rada.re/" target="_blank" rel="noreferrer noopener">Radare2</a> helps to find a suitable distro too: based on the compiler version recorded in the module, <a href="https://releases.ubuntu.com/22.04.4" target="_blank" rel="noreferrer noopener"><em>Ubuntu 22.04</em></a> is a good candidate. </p>
  1338.  
  1339.  
  1340.  
  1341. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="417" height="34" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-1.png" alt="" class="wp-image-8648" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-1.png 417w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-1-300x24.png 300w" sizes="(max-width: 417px) 100vw, 417px" /></figure>
  1342.  
  1343.  
  1344.  
  1345. <p>In fact, I found a person on the Internet who used <a href="https://github.com/josedonizetti/tracee-demos/blob/main/rootkit/Dockerfile#L1C6-L1C18" target="_blank" rel="noreferrer noopener">Ubuntu Jammy</a> for this, and the <a href="https://github.com/josedonizetti/tracee-demos/blob/main/rootkit/Diamorphine/diamorphine.mod.c#L29" target="_blank" rel="noreferrer noopener">symbol versions</a> (CRCs) of that <em>Diamorphine</em> build partially match the symbol versions of the new <em>Diamorphine</em> variant that we found on VirusTotal (e.g. <em>module_layout</em> does not match, but <em>unregister_kprobe</em> does). </p>
  1346.  
  1347.  
  1348.  
  1349. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="160" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2-1024x160.png" alt="" class="wp-image-8649" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2-1024x160.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2-300x47.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2-768x120.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2.png 1117w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1350.  
  1351.  
  1352.  
  1353. <p>Therefore, the kernel rootkit can be inserted into an <em>Ubuntu Jammy</em> system whose kernel exports the matching symbol versions (compare against the <a href="https://www.kernel.org/doc/html/latest/kbuild/modules.html" target="_blank" rel="noreferrer noopener"><em>Module</em>.<em>symvers</em></a> file of the kernel that the <em>Diamorphine</em> variant will be inserted into).</p>
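<p>The following is an added example, not code from the original post and not part of <em>Diamorphine</em>: a Python script that reads the <em>.modinfo</em> and <em>__versions</em> sections of an ELF64 kernel module and compares the module&#8217;s symbol CRCs against a <em>Module.symvers</em> file, which is the check described in the two paragraphs above. The ELF parsing follows the standard ELF64 section-header layout. The sample module bytes and the <em>Module.symvers</em> lines it runs on by default are constructed for the example: the module name <em>x_tables</em> and the release <em>5.19.17</em> mirror the analysis, while the CRC values are invented so that one symbol matches and one does not.</p>

```python
# Added example, not code from the original post or from Diamorphine: inspect a
# kernel module's .modinfo and __versions sections and compare its symbol CRCs
# with a Module.symvers file. Only little-endian ELF64 (x86_64 / ARM64) is handled.
import struct

def elf_sections(data: bytes) -> dict:
    """Map section name -> raw bytes, following the standard ELF64 header layout."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
    hdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
            for i in range(e_shnum)]
    str_off = hdrs[e_shstrndx][4]

    def name_at(idx: int) -> str:
        return data[str_off + idx:data.index(b"\0", str_off + idx)].decode()

    return {name_at(h[0]): data[h[4]:h[4] + h[5]] for h in hdrs if h[1] != 0}

def parse_modinfo(section: bytes) -> list:
    """.modinfo is a run of NUL-terminated key=value records; repeated keys are kept."""
    records = []
    for rec in section.split(b"\0"):
        if rec:
            key, _, value = rec.decode(errors="replace").partition("=")
            records.append((key, value))
    return records

def kernel_release(modinfo: list) -> str:
    """vermagic begins with the release the module was built for ('5.19.17 SMP ...')."""
    return next((v.split()[0] for k, v in modinfo if k == "vermagic" and v.split()), "")

def parse_versions(section: bytes) -> dict:
    """__versions is an array of struct modversion_info { unsigned long crc; char name[56]; }."""
    out = {}
    for off in range(0, len(section) - 63, 64):
        crc = struct.unpack_from("<Q", section, off)[0] & 0xFFFFFFFF
        out[section[off + 8:off + 64].split(b"\0", 1)[0].decode()] = crc
    return out

def parse_symvers(text: str) -> dict:
    """Module.symvers: 0x<crc> TAB <symbol> TAB <module> TAB <export> [TAB <namespace>]."""
    out = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 2 and fields[0].startswith("0x"):
            out[fields[1]] = int(fields[0], 16)
    return out

def compare_versions(ko_versions: dict, symvers: dict) -> dict:
    """Per imported symbol: 'match', 'mismatch' (built against another kernel) or 'unknown'."""
    return {sym: "unknown" if sym not in symvers
            else "match" if symvers[sym] == crc else "mismatch"
            for sym, crc in ko_versions.items()}

def analyze_module(ko: bytes, symvers_text: str) -> dict:
    secs = elf_sections(ko)
    info = parse_modinfo(secs[".modinfo"])
    return {"modinfo": dict(info), "release": kernel_release(info),
            "symbols": compare_versions(parse_versions(secs["__versions"]),
                                        parse_symvers(symvers_text))}

def build_sample_ko(modinfo_entries: list, versions: list) -> bytes:
    """Constructed minimal ELF64 relocatable carrying only .modinfo and __versions."""
    modinfo = b"".join(e.encode() + b"\0" for e in modinfo_entries)
    vers = b"".join(struct.pack("<Q", crc) + name.encode().ljust(56, b"\0")
                    for name, crc in versions)
    shstrtab = b"\0.modinfo\0__versions\0.shstrtab\0"
    bodies = [(1, 1, modinfo), (10, 1, vers), (21, 3, shstrtab)]  # (sh_name, sh_type, bytes)
    shoff = 64 + sum(len(b) for _, _, b in bodies)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3))
    shdrs, off = bytes(64), 64  # index 0 is the mandatory null section header
    for sh_name, sh_type, body in bodies:
        shdrs += struct.pack("<IIQQQQIIQQ", sh_name, sh_type, 0, 0, off, len(body), 0, 0, 1, 0)
        off += len(body)
    return ehdr + b"".join(b for _, _, b in bodies) + shdrs

# Constructed inputs: module name and release mirror the analysis above; the CRCs are
# invented so that one symbol matches the fake Module.symvers and one does not.
SAMPLE_KO = build_sample_ko(
    ["name=x_tables", "license=GPL", "depends=",
     "vermagic=5.19.17 SMP preempt mod_unload modversions "],
    [("module_layout", 0x1B2D3E4F), ("unregister_kprobe", 0x5A6B7C8D)])
SAMPLE_SYMVERS = ("0x9F8E7D6C\tmodule_layout\tvmlinux\tEXPORT_SYMBOL\t\n"
                  "0x5a6b7c8d\tunregister_kprobe\tvmlinux\tEXPORT_SYMBOL_GPL\t\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: modinfo_check.py module.ko path/to/Module.symvers
        ko, sv = open(sys.argv[1], "rb").read(), open(sys.argv[2]).read()
    else:
        ko, sv = SAMPLE_KO, SAMPLE_SYMVERS
    for key, value in analyze_module(ko, sv).items():
        print(key, value)
```

<p>On a Debian or Ubuntu build host, the second argument is <em>/usr/src/linux-headers-$(uname -r)/Module.symvers</em> from the matching headers package. A module whose <em>vermagic</em> release and symbol CRCs all match can be loaded by that kernel; with <em>CONFIG_MODVERSIONS</em> enabled, a CRC mismatch on <em>module_layout</em> means the kernel will refuse to load it, which is exactly why the variant only works on the kernel it was built for.</p>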
  1354.  
  1355.  
  1356.  
  1357. <h2 class="wp-block-heading"><strong>XX_Tables: The device that the rootkit creates for user mode to kernel mode communication</strong></h2>
  1358.  
  1359.  
  1360.  
  1361. <p>Impersonating the <a href="https://www.kernelconfig.io/config_netfilter_xtables" target="_blank" rel="noreferrer noopener"><em>x_tables</em> module of Netfilter</a> is a clever idea because, this way, registering <em>Netfilter</em> hooks doesn&#8217;t raise suspicion: interacting with <em>Netfilter</em> is expected behaviour for a module with that name.&nbsp;</p>
  1362.  
  1363.  
  1364.  
  1365. <p>In its <em>init_module</em> function, the rootkit creates a device named <em>xx_tables</em> for communication between user space and the kernel-mode rootkit.</p>
  1366.  
  1367.  
  1368.  
  1369. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="596" height="393" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-13-8.png" alt="" class="wp-image-8660" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-13-8.png 596w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-13-8-300x198.png 300w" sizes="(max-width: 596px) 100vw, 596px" /></figure>
  1370.  
  1371.  
  1372.  
  1373. <p>Following the <a href="https://en.wikipedia.org/wiki/Everything_is_a_file" target="_blank" rel="noreferrer noopener">everything is a file</a> idea, the <a href="https://archive.kernel.org/oldlinux/htmldocs/kernel-api/API-cdev-init.html" target="_blank" rel="noreferrer noopener">character device initialization function</a> receives the <a href="https://elixir.bootlin.com/linux/v5.19.17/source/include/linux/fs.h#L1964" target="_blank" rel="noreferrer noopener"><em>file operations structure</em></a> that lists the operations implemented and handled by the <em>xx_tables</em> device. The &#8220;<em>g</em>&#8221; function that appears in the <a href="https://www.oreilly.com/library/view/linux-device-drivers/0596000081/ch03s03.html" target="_blank" rel="noreferrer noopener"><em>file_operations</em></a> structure is the handler for the write operation (<em>dev_write</em>).</p>
  1374.  
  1375.  
  1376.  
  1377. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="254" height="66" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-15-57.png" alt="" class="wp-image-8661" /></figure>
  1378.  
  1379.  
  1380.  
  1381. <h2 class="wp-block-heading"><strong>Handling the dev_write operation: The &#8220;g&#8221; function.</strong></h2>
  1382.  
  1383.  
  1384.  
  1385. <p>We can see that the function reads commands from user space through the <em>xx_tables</em> device; the buffer is copied from user memory with the <em>_copy_from_user</em> API.</p>
  1386.  
  1387.  
  1388.  
  1389. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="589" height="637" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-20-28.png" alt="" class="wp-image-8671" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-20-28.png 589w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-20-28-277x300.png 277w" sizes="(max-width: 589px) 100vw, 589px" /></figure>
  1390.  
  1391.  
  1392.  
  1393. <p>As a sanity check, the rootkit verifies that the data sent from user space is not empty. The structure it receives contains two fields: the length of the data, and a pointer to the data itself.</p>
  1394.  
  1395.  
  1396.  
  1397. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="206" height="37" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-13_14-6-2.png" alt="" class="wp-image-8663" /></figure>
  1398.  
  1399.  
  1400.  
  1401. <p>Finally, if the input sent from user space is the string &#8220;<em>exit</em>&#8221;, it calls the rootkit&#8217;s <em>exit_</em> function, which restores the system, frees the resources and unloads the kernel module from memory.</p>
  1402.  
  1403.  
  1404.  
  1405. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="398" height="482" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-21-23.png" alt="" class="wp-image-8672" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-21-23.png 398w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-21-23-248x300.png 248w" sizes="(max-width: 398px) 100vw, 398px" /></figure>
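<p>As an added example (not from the original post), the Python below looks for the user-space traces that a character device such as <em>xx_tables</em> leaves behind: the name registered with the <em>chrdev_region</em> shows up in <em>/proc/devices</em>, the device created from the <em>struct class</em> appears under <em>/sys/class/&lt;class&gt;/</em>, and the node under <em>/dev</em>. Hiding the module does not hide these. The device name is taken from the analysis above; the class name the rootkit uses is not given here, so the script checks every class. The listing and directory tree it scans by default are a constructed fixture, not output from an infected host.</p>

```python
# Added example, not from the original post: look for the user-space traces that a
# character device such as xx_tables leaves behind. Paths follow the standard Linux
# procfs/sysfs layout; the fixture built below is constructed test data.
import os
import tempfile

SUSPECT_DEVICE = "xx_tables"  # device name reported in the analysis above

def chrdev_majors(proc_devices_text: str, name: str) -> list:
    """Major numbers registered under `name` in the 'Character devices:' block of /proc/devices."""
    majors, in_char = [], False
    for line in proc_devices_text.splitlines():
        if line.startswith("Character devices:"):
            in_char = True
        elif line.startswith("Block devices:"):
            in_char = False
        elif in_char:
            fields = line.split()
            if len(fields) == 2 and fields[1] == name:
                majors.append(int(fields[0]))
    return majors

def device_nodes(name: str, root: str = "/") -> list:
    """Existing <root>/sys/class/*/<name> entries (from device_create) and <root>/dev/<name>."""
    found = []
    class_dir = os.path.join(root, "sys", "class")
    if os.path.isdir(class_dir):
        for cls in sorted(os.listdir(class_dir)):  # the class name is unknown: check all
            path = os.path.join(class_dir, cls, name)
            if os.path.exists(path):
                found.append(path)
    dev = os.path.join(root, "dev", name)
    if os.path.exists(dev):
        found.append(dev)
    return found

def hunt(name: str = SUSPECT_DEVICE, root: str = "/") -> dict:
    """Combine both checks; a hit in either place needs an explanation."""
    try:
        with open(os.path.join(root, "proc", "devices")) as fh:
            majors = chrdev_majors(fh.read(), name)
    except FileNotFoundError:
        majors = []
    nodes = device_nodes(name, root)
    return {"majors": majors, "nodes": nodes, "suspicious": bool(majors or nodes)}

# Constructed fixture standing in for an infected host: one /proc/devices listing plus
# the sysfs class entry and /dev node that device_create would produce.
SAMPLE_PROC_DEVICES = ("Character devices:\n  1 mem\n  4 tty\n  5 console\n"
                       "240 xx_tables\n\nBlock devices:\n  8 sd\n259 blkext\n")

def build_sample_root() -> str:
    root = tempfile.mkdtemp(prefix="xx_tables_demo_")
    os.makedirs(os.path.join(root, "proc"))
    os.makedirs(os.path.join(root, "sys", "class", "xx_tables", "xx_tables"))
    os.makedirs(os.path.join(root, "dev"))
    with open(os.path.join(root, "proc", "devices"), "w") as fh:
        fh.write(SAMPLE_PROC_DEVICES)
    open(os.path.join(root, "dev", "xx_tables"), "w").close()  # regular file in place of the node
    return root

if __name__ == "__main__":
    print("fixture:", hunt(root=build_sample_root()))
    if os.path.exists("/proc/devices"):  # only meaningful on a live Linux host
        print("live:", hunt())
```

<p>Run on a live host, <em>hunt()</em> reads the real <em>/proc/devices</em>, <em>/sys/class</em> and <em>/dev</em>. A second device name registered by the same module would need the same three checks with that name, and any hit should be matched against the loaded modules and the vendor packages that legitimately own character devices.</p>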
  1406.  
  1407.  
  1408.  
  1409. <h2 class="wp-block-heading"><strong>The exit_ function</strong></h2>
  1410.  
  1411.  
  1412.  
  1413. <p>The <em>exit_</em> function properly restores the system and unloads the rootkit from the kernel memory. It performs the following actions:</p>
  1414.  
  1415.  
  1416.  
  1417. <ol class="wp-block-list">
  1418. <li>It destroys the device created by the rootkit.</li>
  1419.  
  1420.  
  1421.  
  1422. <li>It destroys the <a href="https://www.kernel.org/doc/html/latest/driver-api/infrastructure.html?highlight=class_create#c.__class_create" target="_blank" rel="noreferrer noopener"><em>struct class</em></a> that was used for creating the device.</li>
  1423.  
  1424.  
  1425.  
  1426. <li>Deletes the <a href="https://linux-kernel-labs.github.io/refs/heads/master/labs/device_drivers.html" target="_blank" rel="noreferrer noopener"><em>cdev</em> (character device)</a> that was created.</li>
  1427.  
  1428.  
  1429.  
  1430. <li>Unregisters the <a href="https://www.oreilly.com/library/view/linux-device-drivers/0596000081/ch03s02.html" target="_blank" rel="noreferrer noopener"><em>chrdev_region</em></a>.</li>
  1431.  
  1432.  
  1433.  
  1434. <li>Unregisters the <a href="https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks" target="_blank" rel="noreferrer noopener">Netfilter hooks</a> implementing the &#8220;<em>magic packets</em>&#8220;.</li>
  1435.  
  1436.  
  1437.  
  1438. <li>Finally, it restores the original function pointers in the system call table.</li>
  1439. </ol>
  1440.  
  1441.  
  1442.  
  1443. <h2 class="wp-block-heading"><strong>The magic packets</strong></h2>
  1444.  
  1445.  
  1446.  
  1447. <p>The new <em>Diamorphine</em> rootkit implements &#8220;<em>magic packets</em>&#8221; for both IPv4 and IPv6, since the <a href="https://thermalcircle.de/doku.php?id=blog:linux:nftables_packet_flow_netfilter_hooks_detail&amp;s%5B%5D=nfproto&amp;s%5B%5D=inet#address_families" target="_blank" rel="noreferrer noopener">Protocol Family</a> of the hook is set to <a href="https://elixir.bootlin.com/linux/latest/C/ident/NFPROTO_INET" target="_blank" rel="noreferrer noopener"><em>NFPROTO_INET</em></a>.</p>
  1448.  
  1449.  
  1450.  
  1451. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="105" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_14-57-39-1024x105.png" alt="" class="wp-image-8665" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_14-57-39-1024x105.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_14-57-39-300x31.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_14-57-39-768x79.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_14-57-39.png 1194w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1452.  
  1453.  
  1454.  
  1455. <p>The <em>netfilter_hook_function</em> relies on nested calls to the <em>a</em>, <em>b</em>, <em>c</em>, <em>d</em>, <em>e</em> and <em>f</em> functions to handle the <em>magic packets</em>. A packet qualifies as a <em>magic packet</em> only if it contains the values &#8220;<em>whitehat</em>&#8221; and &#8220;<em>2023_mn</em>&#8221;, each XOR-encoded with the single-byte key <em>0x64</em>.</p>
  1456.  
  1457.  
  1458.  
  1459. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="640" height="506" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-42-24.png" alt="" class="wp-image-8666" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-42-24.png 640w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-42-24-300x237.png 300w" sizes="(max-width: 640px) 100vw, 640px" /></figure>
  1460.  
  1461.  
  1462.  
  1463. <p>If the packet meets the requirements, the arbitrary command is extracted from it and executed on the infected computer.</p>
  1464.  
  1465.  
  1466.  
  1467. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="363" height="409" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-4-16_11-25-39.png" alt="" class="wp-image-8667" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-4-16_11-25-39.png 363w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-4-16_11-25-39-266x300.png 266w" sizes="(max-width: 363px) 100vw, 363px" /></figure>
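<p>As an added example (not code from the original post), the Python below matches the two XOR-encoded marker strings a magic packet must carry against a raw payload and turns them into an IDS content match. The markers <em>whitehat</em> and <em>2023_mn</em> and the key <em>0x64</em> come from the analysis above; the layout of the rest of the packet, including where the command sits, is not described here, so the script only detects the markers and decodes nothing else. The two payloads it checks are constructed.</p>

```python
# Added example, not code from the original post: detect the two XOR-encoded marker
# strings that a magic packet must carry and turn them into an IDS content match.
# Markers and key are from the analysis above; the rest of the packet layout is not
# described, so nothing beyond the markers is decoded. Sample payloads are constructed.
MARKERS = (b"whitehat", b"2023_mn")
XOR_KEY = 0x64

def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)

# What actually appears on the wire: the markers are never sent in clear text.
ENCODED_MARKERS = {m.decode(): xor_bytes(m) for m in MARKERS}

def find_markers(payload: bytes) -> dict:
    """Offsets of every occurrence of each encoded marker in payload (empty list if absent)."""
    hits = {}
    for name, enc in ENCODED_MARKERS.items():
        offsets, start = [], payload.find(enc)
        while start != -1:
            offsets.append(start)
            start = payload.find(enc, start + 1)
        hits[name] = offsets
    return hits

def is_magic_packet(payload: bytes) -> bool:
    """True when both encoded markers are present; order and spacing are not assumed."""
    return all(find_markers(payload).values())

def content_match(pattern: bytes) -> str:
    """Snort/Suricata content keyword with the pattern written as hex bytes."""
    return 'content:"|' + " ".join(f"{b:02x}" for b in pattern) + '|";'

def suricata_rule(sid: int = 1000001) -> str:
    """One rule over any IP protocol, mirroring the NFPROTO_INET hook that sees IPv4 and IPv6."""
    matches = " ".join(content_match(enc) for enc in ENCODED_MARKERS.values())
    return ('alert ip any any -> any any (msg:"Diamorphine variant magic packet markers"; '
            f"{matches} sid:{sid}; rev:1;)")

# Constructed payloads: one carrying both encoded markers, one ordinary HTTP request.
SAMPLE_MAGIC = b"\x00\x01" + xor_bytes(b"whitehat") + b"\x00\x00" + xor_bytes(b"2023_mn") + b"\x00"
SAMPLE_BENIGN = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for label, payload in (("magic", SAMPLE_MAGIC), ("benign", SAMPLE_BENIGN)):
        print(label, is_magic_packet(payload), find_markers(payload))
    print(suricata_rule())
```

<p>Matching the encoded bytes rather than the plaintext matters because the plaintext never crosses the wire; a rule on <em>whitehat</em> would never fire. Because the hook is registered for <em>NFPROTO_INET</em>, the generated rule is written over <em>ip</em> rather than a single transport protocol, and the seven- and eight-byte patterns are long enough that false positives on ordinary traffic are unlikely.</p>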
  1468.  
  1469.  
  1470.  
  1471. <h2 class="wp-block-heading"><strong>The hooks in the syscalls table</strong></h2>
  1472.  
  1473.  
  1474.  
  1475. <p><a href="https://github.com/m0nad/Diamorphine/blob/master/diamorphine.c#L411" target="_blank" rel="noreferrer noopener">This</a> is the original <em>Diamorphine</em> rootkit implementation of the syscalls hooking:</p>
  1476.  
  1477.  
  1478.  
  1479. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="592" height="144" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_14-32-12.png" alt="" class="wp-image-8668" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_14-32-12.png 592w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_14-32-12-300x73.png 300w" sizes="(max-width: 592px) 100vw, 592px" /></figure>
  1480.  
  1481.  
  1482.  
  1483. <p>Even though the code is exactly the same in the new Diamorphine variant, it is worth highlighting that this build is configured to hide files and folders whose names contain the string: &#8220;&#8230;&#8221;.</p>
  1484.  
  1485.  
  1486.  
  1487. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="778" height="84" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-41-10.png" alt="" class="wp-image-8670" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-41-10.png 778w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-41-10-300x32.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-3-7_10-41-10-768x83.png 768w" sizes="(max-width: 778px) 100vw, 778px" /></figure>
  1488.  
  1489.  
  1490.  
  1491. <h2 class="wp-block-heading"><strong>Conclusions</strong></h2>
  1492.  
  1493.  
  1494.  
  1495. <p>We frequently discover new Linux kernel rootkits implementing <em>magic packets</em> that are undetected in the wild (e.g. <a href="https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" target="_blank" rel="noreferrer noopener"><em>Syslogk</em></a>, <a href="https://www.virustotal.com/gui/file/D6E74832BBABCA012BC0C3A8A5F1A87CB4B5D241E2A88B75CB01CB0E076B8C98" target="_blank" rel="noreferrer noopener"><em>AntiUnhide</em></a>, <a href="https://www.virustotal.com/gui/file/2d4353232fb36aed5440fdc5b763bfa273f9cd3c9dbf392aaed1e3ba66bb429c/detection/f-2d4353232fb36aed5440fdc5b763bfa273f9cd3c9dbf392aaed1e3ba66bb429c-1691657203" target="_blank" rel="noreferrer noopener"><em>Chicken</em></a>, etc.) and will continue collaborating to provide the highest level of protection to our customers.</p>
  1496.  
  1497.  
  1498.  
  1499. <figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="300" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-4-15_17-18-43-1024x300.png" alt="" class="wp-image-8669" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-4-15_17-18-43-1024x300.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-4-15_17-18-43-300x88.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-4-15_17-18-43-768x225.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/06/image-2024-4-15_17-18-43.png 1291w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1500.  
  1501.  
  1502.  
  1503. <p>In this new in-the-wild version of <em>Diamorphine</em>, the threat actors added a device interface that allows the rootkit kernel module to be unloaded from memory, and a <em>magic packets</em> feature that enables arbitrary command execution on the infected system.</p>
  1504.  
  1505.  
  1506.  
  1507. <h2 class="wp-block-heading"><strong>How to prevent infection and stay safe online</strong></h2>
  1508.  
  1509.  
  1510.  
  1511. <ul class="wp-block-list">
  1512. <li>Keep your systems up to date.</li>
  1513.  
  1514.  
  1515.  
  1516. <li>Be sure that your Internet connection is safe to use (e.g. by using a <a href="https://www.avast.com/secureline-vpn" target="_blank" rel="noreferrer noopener">Virtual Private Network</a>).</li>
  1517.  
  1518.  
  1519.  
  1520. <li>Avoid downloading/executing files from untrusted sources.</li>
  1521.  
  1522.  
  1523.  
  1524. <li>Exercise the <em>Principle of Least Privilege</em> (PoLP). On Linux, do not perform actions as the <em>root</em> account unless it is strictly necessary.</li>
  1525.  
  1526.  
  1527.  
  1528. <li>Use a strong cyber safety solution such as Norton, Avast, Avira or AVG to make sure you are protected against these types of malware.</li>
  1529. </ul>
  1530.  
  1531.  
  1532.  
  1533. <h2 class="wp-block-heading"><strong>New Diamorphine variant</strong></h2>
  1534.  
  1535.  
  1536.  
  1537. <p>067194bb1a70e9a3d18a6e4252e9a9c881ace13a6a3b741e9f0ec299451c2090</p>
  1538.  
  1539.  
  1540.  
  1541. <h2 class="wp-block-heading">IoC repository</h2>
  1542.  
  1543.  
  1544.  
  1545. <p>The Diamorphine Linux kernel rootkit IoCs, the Yara hunting rule and the VirusTotal query are in our <a href="https://github.com/avast/ioc/tree/master/Diamorphine" target="_blank" rel="noreferrer noopener">IoC repository</a>.</p>
  1546. <p>The post <a href="https://decoded.avast.io/davidalvarez/new-diamorphine-rootkit-variant-seen-undetected-in-the-wild/">New Diamorphine rootkit variant seen undetected in the wild</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  1547. ]]></content:encoded>
  1548. </item>
  1549. <item>
  1550. <title>Avast Q1/2024 Threat Report</title>
  1551. <link>https://decoded.avast.io/threatresearch/avast-q1-2024-threat-report/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=avast-q1-2024-threat-report</link>
  1552. <dc:creator><![CDATA[Threat Research Team]]></dc:creator>
  1553. <pubDate>Tue, 14 May 2024 07:00:00 +0000</pubDate>
  1554. <category><![CDATA[Mobile]]></category>
  1555. <category><![CDATA[PC]]></category>
  1556. <category><![CDATA[Reports]]></category>
  1557. <category><![CDATA[desktop]]></category>
  1558. <category><![CDATA[malware]]></category>
  1559. <category><![CDATA[mobile]]></category>
  1560. <category><![CDATA[report]]></category>
  1561. <category><![CDATA[risk]]></category>
  1562. <category><![CDATA[threats]]></category>
  1563. <guid isPermaLink="false">https://decoded.avast.io/?p=8565</guid>
  1564.  
  1565. <description><![CDATA[<p>Nearly 90% of Threats Blocked are Social Engineering, Revealing a Huge Surge of Scams, and Discovery of the Lazarus APT Campaign</p>
  1566. <p>The post <a href="https://decoded.avast.io/threatresearch/avast-q1-2024-threat-report/">Avast Q1/2024 Threat Report</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  1567. ]]></description>
  1568. <content:encoded><![CDATA[
  1569. <h2 class="wp-block-heading"><strong>Nearly 90% of Threats Blocked are Social Engineering, Revealing a Huge Surge of Scams, and Discovery of the Lazarus APT Campaign</strong></h2>
  1570.  
  1571.  
  1572.  
  1573. <h2 class="wp-block-heading">Foreword</h2>
  1574.  
  1575.  
  1576.  
  1577. <p>We&#8217;re pleased to present the latest edition of our report for the first quarter of 2024, which has been nothing short of eventful. Here are some highlights.</p>
  1578.  
  1579.  
  1580.  
  1581. <p>Not all heroes wear capes. Just a few weeks ago, developer <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4" target="_blank" rel="noreferrer noopener">Andres Freund disrupted</a> a covert threat operation that had been running for over two years. The threat actors, who managed to insert a backdoor into the widely used open-source compression library XZ/liblzma, were stopped just in time by Andres. While the identity of the threat actors remains unknown, the potential ramifications of their actions could have been catastrophic &#8211; they were almost able to gain access to any Linux machine running an infected distribution. This incident has raised important questions about the security of open-source code and its integration into critical systems and applications.</p>
  1582.  
  1583.  
  1584.  
  1585. <p>Social engineering attacks continue to be the largest threat across platforms and continue to increase their share of threats. In the mobile device landscape, more than 90% of all threats blocked in the last quarter originated from scams and similar threat types. This trend is mirrored on desktop platforms, with 87% of threats falling into the same categories. Scams, in particular, have seen a significant surge (61% on mobile and 23% on desktop), fueled by malvertising and the proliferation of malicious push notifications. The risk of falling victim to these attacks has nearly doubled in certain regions, such as Ukraine, highlighting the global reach and impact of these malicious activities. Moreover, scam authors are deploying increasingly sophisticated tactics, including the use of deepfake technology, AI-manipulated audio synchronization, and the hijacking of popular YouTube channels to disseminate fraudulent content, amplifying the potential for financial harm.</p>
  1586.  
  1587.  
  1588. <div class="wp-block-image">
  1589. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="667" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_2x-667x1024.png" alt="" class="wp-image-8566" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_2x-667x1024.png 667w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_2x-196x300.png 196w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_2x-768x1178.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_2x-1001x1536.png 1001w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_2x-1335x2048.png 1335w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_2x.png 1584w" sizes="(max-width: 667px) 100vw, 667px" /></figure></div>
  1590.  
  1591.  
  1592. <p>Dating scams also continue to surge, particularly in North America and Europe, with Central Europe emerging as a hotspot for such activity. Phishing remains a persistent threat, steadily increasing over the past six quarters. Prevalent phishing campaigns are detailed further in this report.</p>
  1593.  
  1594.  
  1595.  
  1596. <p>On the desktop front, we&#8217;ve uncovered a sophisticated APT campaign orchestrated by the Lazarus Group, targeting individuals in Asia with deceptive job offers. Furthermore, we discovered and reported to Microsoft an in-the-wild exploit within a Windows driver, subsequently utilized by a sophisticated rootkit in this campaign. Additionally, botnet activity has been a cause for concern – with notable updates observed in the Twizt botnet which now includes brute-forcing capabilities for Server Message Block (SMB) protocol credentials – and the expansion of the malicious DDosia project. Interestingly, the DDosia project faced frequent downtimes due to countermeasures taken by unidentified individuals. Furthermore, we successfully assisted Ukrainian CERT with the remediation of the DirtyMoe botnet.</p>
  1597.  
  1598.  
  1599.  
  1600. <p>The prevalence of Malware-as-a-Service (MaaS) stealers, exemplified by DarkGate and Lumma, remains a significant threat. These malicious actors capitalize on every opportunity to deploy social engineering tactics to distribute malware.</p>
  1601.  
  1602.  
  1603.  
  1604. <p>Ransomware incidents also experienced a slight uptick in Q1/2024, notably marked by the LockBit ransomware making headlines for its initial takedown by law enforcement units, only to resurface shortly after. Furthermore, our researchers identified a new ransomware strain named HomuWitch and promptly responded by developing decryption tools to assist affected individuals. This effort supplements our previous creation, the Rhysida decryption tool, which continues to aid victims of Rhysida in recovering their files.</p>
  1605.  
  1606.  
  1607.  
  1608. <p>In the realm of remote access trojans (RATs), law enforcement units have successfully executed operations against notorious threats like the Warzone RAT, resulting in several arrests. This decisive action has already yielded tangible results, as evidenced by our telemetry data.</p>
  1609.  
  1610.  
  1611.  
  1612. <p>On the mobile front, we&#8217;ve witnessed several intriguing developments, including the resurgence of adware on the PlayStore, the emergence of MoqHao, a banker strain capable of auto-starting on victim devices, and the proliferation of GoldPickaxe, which attempts to steal facial recognition biometrics for fraudulent activities. Additionally, state-sponsored spyware continues to pose a threat to citizens.</p>
  1613.  
  1614.  
  1615.  
  1616. <p>Thank you for your continued trust in Avast. Stay safe and secure.</p>
  1617.  
  1618.  
  1619.  
  1620. <p class="has-text-align-right"><em>Jakub Křoustek, Malware Research Director</em></p>
  1621.  
  1622.  
  1623.  
  1624. <h2 class="wp-block-heading">Methodology</h2>
  1625.  
  1626.  
  1627.  
  1628. <p>This report is structured into two main sections: <em>Desktop-related threats</em>, where we describe our intelligence around attacks targeting the Windows, Linux, and Mac operating systems, with a specific emphasis on web-related threats, and <em>Mobile-related threats</em>, where we describe the attacks focusing on Android and iOS operating systems.</p>
  1629.  
  1630.  
  1631.  
  1632. <p>We use the term “<em>risk ratio”</em> in this report to denote the severity of specific threats. This is calculated as a monthly average of “Number of attacked users / Number of active users in a given country.” Unless stated otherwise, calculated risks are only available for countries with more than 10,000 active users per month.</p>
  1633.  
  1634.  
  1635.  
  1636. <p>A blocked attack is defined as a unique combination of the protected user and a blocked threat identifier within the specified time frame.</p>
  1637.  
  1638.  
  1639.  
  1640. <h2 class="wp-block-heading">Featured Story: YouTube – the New Battleground for Phishing, Malvertising, and Cryptoscams </h2>
  1641.  
  1642.  
  1643.  
  1644. <p>YouTube, with its 2.5 billion users, has become a trusted and significant target for malvertising. The combination of automated advertising systems and user-generated content provides a gateway for cybercriminals to bypass conventional security measures, making YouTube a potent channel for deploying phishing and malware. Notable threats on the platform include credential stealers like Lumma and Redline, phishing and scam landing pages, and malicious software disguised as legitimate software or updates. Additionally, YouTube serves as a conduit to Traffic Distribution Systems (TDS), directing users to malicious sites and supporting scams ranging from fake giveaways to investment schemes.</p>
  1645.  
  1646.  
  1647.  
  1648. <p>Every day, our web scanning endpoints block thousands of HTTP requests that are redirected from YouTube as our users view content. This activity reflects a worrying trend:</p>
  1649.  
  1650.  
  1651.  
  1652. <ul class="wp-block-list">
  1653. <li><strong>4 million</strong> unique users were protected against threats on YouTube in 2023</li>
  1654.  
  1655.  
  1656.  
  1657. <li><strong>Approximately 500k unique</strong> users per month were protected in Q1/2024</li>
  1658. </ul>
  1659.  
  1660.  
  1661.  
  1662. <figure class="wp-block-image size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="536" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-Webshield_Telemetry-1024x536.png" alt="" class="wp-image-8567" style="width:766px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-Webshield_Telemetry-1024x536.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-Webshield_Telemetry-300x157.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-Webshield_Telemetry-768x402.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-Webshield_Telemetry.png 1092w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>
  1663.  
  1664.  
  1665.  
  1666. <p>The rise of deepfake videos on YouTube poses significant risks by realistically mimicking people or events, misleading viewers, and spreading disinformation. In Q1 we observed multiple compromised YouTube accounts with more than 50 million subscribers hijacked to spread cryptoscam deepfake videos (more on this topic is described below in the Scam section).</p>
  1667.  
  1668.  
  1669.  
  1670. <p>Threat actors frequently utilize automated uploads and Search Engine Optimization (SEO) poisoning to enhance the visibility of harmful content. Additionally, fake comments are rampant, deceiving viewers, promoting dangerous links, and exploiting YouTube&#8217;s algorithms and user engagement to disseminate cyber threats.</p>
  1671.  
  1672.  
  1673.  
  1674. <p>There are a number of ways in which YouTube can be exploited to disseminate threats. Basic Tactics, Techniques and Procedures (TTPs) observed on YouTube include:</p>
  1675.  
  1676.  
  1677.  
  1678. <ol class="wp-block-list">
  1679. <li>Phishing Campaigns Targeting Creators: Attackers send personalized emails to YouTube creators proposing fraudulent collaboration opportunities. Once trust is established, they send links to malware under the guise of software needed for collaboration, often leading to cookie theft or account compromise. </li>
  1680.  
  1681.  
  1682.  
  1683. <li>Compromised Video Descriptions: Attackers upload videos with descriptions containing malicious links, masquerading as legitimate software downloads related to gaming, productivity tools, or even antivirus programs, tricking users into downloading malware.</li>
  1684.  
  1685.  
  1686.  
  1687. <li>Channel Hijacking for Spreading Threats: By gaining control of YouTube channels through phishing or malware, attackers repurpose these channels to promote various types of threats, such as cryptocurrency scams, often involving fake giveaways that require an initial deposit from viewers.</li>
  1688.  
  1689.  
  1690.  
  1691. <li>Exploitation of Software Brands and Legitimate-Looking Domains: Attackers create websites that mimic reputable companies and offer illegitimate downloadable software, exploiting users&#8217; trust.</li>
  1692.  
  1693.  
  1694.  
  1695. <li>Social Engineering via Video Content: Attackers post tutorial videos or offers for cracked software, guiding users to download malware disguised as helpful tools. This tactic takes advantage of users seeking free access to otherwise paid services or software, leveraging YouTube&#8217;s search and recommendation algorithms to target potential victims.</li>
  1696. </ol>
  1697.  
  1698.  
  1699.  
  1700. <figure class="wp-block-video aligncenter"><video controls src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/02-CC-MichaelSaylor-scam.mp4"></video><figcaption class="wp-element-caption"><em>Michael Saylor, co-founder of MicroStrategy, in deep fake crypto scam video</em></figcaption></figure>
  1701.  
  1702.  
  1703.  
  1704. <p class="has-text-align-right"><em>David Jursa, Malware Researcher</em><br><em>Luis Corrons, Security Evangelist</em></p>
  1705.  
  1706.  
  1707.  
  1708. <h2 class="wp-block-heading">Desktop-Related Threats</h2>
  1709.  
  1710.  
  1711.  
  1712. <h3 class="wp-block-heading">Advanced Persistent Threats (APTs): Lazarus Group in the Spotlight</h3>
  1713.  
  1714.  
  1715.  
  1716. <p><em>An Advanced Persistent Threat (APT) is a type of cyberattack that is conducted by highly skilled and determined hackers who have the resources and expertise to penetrate a target&#8217;s network and maintain a long-term presence undetected.</em></p>
  1717.  
  1718.  
  1719.  
  1720. <p>We discovered a Lazarus Group campaign targeting specific individuals in Asia with misleading job offers. The precise intent of the campaign remains unknown, but the selective nature of these attacks indicates a focused interest in individuals possessing technical expertise. We suspect that these technically skilled individuals might have connections to companies involved in the gambling or betting industry, aligning with Lazarus Group&#8217;s financial motivations.</p>
  1721.  
  1722.  
  1723.  
  1724. <p>We believe the Lazarus Group used fabricated job offers to gain access to the personal computers of these victims who also used these devices for work purposes. It is likely that, a few days after the initial compromise, the attackers realized the victims had access to their company networks. Consequently, Lazarus employed sophisticated rootkit technologies to evade security measures and some security vendors.</p>
  1725.  
  1726.  
  1727.  
  1728. <p>This approach reflects the Lazarus Group&#8217;s historical tactics of exploiting vulnerable drivers and employing advanced rootkit techniques to disrupt security systems and maintain persistent access.</p>
  1729.  
  1730.  
  1731.  
  1732. <p>In this specific instance, Lazarus exploited a vulnerability in the standard Windows driver, appid.sys (CVE-2024-21338), to neutralize security software. Further details on this vulnerability can be found in our related <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/" target="_blank" rel="noreferrer noopener">blog post</a>.</p>
  1733.  
  1734.  
  1735.  
  1736. <p>The complexity of these attack chains suggests that Lazarus devoted substantial resources to their planning and execution. Before executing the attack, Lazarus carefully prepared by deploying fileless malware and encrypting their tools directly onto the hard drives, as detailed in the <a href="https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/" target="_blank" rel="noreferrer noopener">blog post</a> and as we recently <a href="https://www.blackhat.com/asia-24/briefings/schedule/index.html%22%20%5Cl%20%22from-byovd-to-a--day-unveiling-advanced-exploits-in-cyber-recruiting-scams-37786" target="_blank" rel="noreferrer noopener">presented at Black Hat Asia 2024 conference</a>.</p>
  1737.  
  1738.  
  1739. <div class="wp-block-image">
  1740. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="521" height="374" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/CC_communication.drawio.png" alt="" class="wp-image-8569" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/CC_communication.drawio.png 521w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/CC_communication.drawio-300x215.png 300w" sizes="(max-width: 521px) 100vw, 521px" /><figcaption class="wp-element-caption"><em>Communication of the Lazarus Group&#8217;s toolkit with C&amp;C servers</em></figcaption></figure></div>
  1741.  
  1742.  
  1743. <p>The careful and highly targeted choice of victims suggests that establishing some level of trust or connection was likely necessary before initiating the malware. The deployment of such a sophisticated arsenal, coupled with the exploit, highlights significant strategic foresight and resource commitment.</p>
  1744.  
  1745.  
  1746.  
  1747. <p class="has-text-align-right"><em>Luigino Camastra, Malware Researcher</em><br><em>Igor Morgenstern, Malware Researcher</em></p>
  1748.  
  1749.  
  1750.  
  1751. <h3 class="wp-block-heading">Bots (With a Twist)</h3>
  1752.  
  1753.  
  1754.  
  1755. <p><em>Bots are threats mainly interested in securing long-term access to devices with the aim of utilizing their resources, be it remote control, spam distribution, or denial-of-service (DoS) attacks.</em></p>
  1756.  
  1757.  
  1758.  
  1759. <p>To start on a lighter note, the biggest news in the botnet landscape was an unfortunate article in the Swiss media outlet Aargauer Zeitung which claimed that millions of Java-running toothbrushes had carried out a large-scale DDoS attack. While the thought of web-connected toothbrushes running Java (and allegedly DDoSing some random Swiss web page) is genuinely scary, the report was soon corrected as inaccurate: there was no such army of pro-Russian toothbrushes, as the initial report had suggested.</p>
  1760.  
  1761.  
  1762.  
  1763. <p>Now, unfortunately, onto the more serious note. On the geopolitical side of the threat landscape, Ukrainian state-owned enterprises have been significantly hit with DirtyMoe. Due to our <a href="https://decoded.avast.io/tag/dirtymoe/" target="_blank" rel="noreferrer noopener">extensive research on DirtyMoe</a>, CERT-UA reached out to us to assist them with the remediation. Based on the experience from this successful remediation, an <a href="https://cert.gov.ua/article/6277422" target="_blank" rel="noreferrer noopener">advisory on DirtyMoe</a> was published by CERT-UA.</p>
  1764.  
  1765.  
  1766.  
  1767. <p>The Twizt botnet has received a new module in its update, providing functionality that fuels its sextortion campaign. This module relies on the common strategy of extorting the user with fake sensitive information that was allegedly recovered from their device or account. In the case of the former, the threat actor usually refers to a device infected with a RAT; in the case of the latter, the message usually contains a fake sender header and a password to give the impression that the user’s mail account has been hacked. Nevertheless, all the sent information is fabricated, and the password was quite likely taken from one of the leaked password databases circulating on the dark web.</p>
  1768.  
  1769.  
  1770. <div class="wp-block-image">
  1771. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="692" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-sextortion-1024x692.png" alt="" class="wp-image-8570" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-sextortion-1024x692.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-sextortion-300x203.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-sextortion-768x519.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-sextortion.png 1206w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Sextortion email referencing infected device</em></figcaption></figure></div>
  1772.  
  1773. <div class="wp-block-image">
  1774. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1018" height="875" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/02-sextortion.png" alt="" class="wp-image-8571" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/02-sextortion.png 1018w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/02-sextortion-300x258.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/02-sextortion-768x660.png 768w" sizes="(max-width: 1018px) 100vw, 1018px" /><figcaption class="wp-element-caption"><em>Sextortion email containing a password and a reference to RAT</em></figcaption></figure></div>
  1775.  
  1776.  
  1777. <p>Last year, Twizt started brute-forcing Virtual Network Computing (VNC) credentials. At the beginning of this year, it switched to brute-forcing SMB credentials instead. Twizt contains a hard-coded list of username/password pairs that are tried against a randomly generated target. Successful authentications are then reported to its command-and-control (C&amp;C) server.</p>
  1778.  
  1779.  
  1780.  
  1781. <p>Our usual story on DDosia has a very surprising twist this quarter. Presumably, someone was actively targeting the DDosia C&amp;C infrastructure, repeatedly causing outages in the proxy servers fronting real C&amp;C servers. This resulted in rapid infrastructure changes in this outer layer, with every new proxy C&amp;C having an approximate lifetime of 2 days before being unavailable again. Due to the absence of a client update mechanism in case of C&amp;C outage, this forced the project owners to produce new clients every few days. Later, they started distributing new clients exclusively via private messages, presumably to reduce information exposure.</p>
  1782.  
  1783.  
  1784. <div class="wp-block-image">
  1785. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="640" height="622" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/03-botnet-ddosia-tld.png" alt="" class="wp-image-8572" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/03-botnet-ddosia-tld.png 640w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/03-botnet-ddosia-tld-300x292.png 300w" sizes="(max-width: 640px) 100vw, 640px" /><figcaption class="wp-element-caption"><em>Breakdown of top-level domains targeted by DDosia</em></figcaption></figure></div>
  1786.  
  1787. <div class="wp-block-image">
  1788. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="498" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-botnet-ddosia-telegram-attacks-1024x498.png" alt="" class="wp-image-8573" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-botnet-ddosia-telegram-attacks-1024x498.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-botnet-ddosia-telegram-attacks-300x146.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-botnet-ddosia-telegram-attacks-768x373.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-botnet-ddosia-telegram-attacks.png 1189w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Targets published on DDosia’s Telegram group</em></figcaption></figure></div>
  1789.  
  1790.  
  1791. <p>The requirement to manually update DDosia’s binary with each update along with frequent C&amp;C outages resulted in a significant decrease in the impact of their attacks. This has prompted a heated backlash on the project’s Telegram channel where “patriotic activists” started complaining that these issues are seriously impacting their cash-flow.&nbsp;</p>
  1792.  
  1793.  
  1794.  
  1795. <p>This was particularly notable around February 19 when eight proxy C&amp;Cs were shut down for five days. Even after this date, they were not able to return to their previous efficacy. The only peak during Q1/2024 is an attack at the end of March when DDosia targeted services associated with the Luxembourg government. While the number of successful targets seems to be rather high, it targeted infrastructure that was hosted on only 3 IP addresses with many subdomains. These turbulent changes were crowned by a move to a different Telegram group called “DDoSia Project” on March 7 with the original group being removed. While, up to that date, the original group was growing, ending with approximately 20,000 members, the new group started up with only around 12,000 members and soon continued in this downward trend.</p>
  1796.  
  1797.  
  1798. <div class="wp-block-image">
  1799. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="491" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/05-botnet-ddosia-members-1024x491.png" alt="" class="wp-image-8574" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/05-botnet-ddosia-members-1024x491.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/05-botnet-ddosia-members-300x144.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/05-botnet-ddosia-members-768x368.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/05-botnet-ddosia-members.png 1152w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>DDosia Telegram group members</em></figcaption></figure></div>
  1800.  
  1801.  
  1802. <p>While in the previous quarter DDosia was mostly focusing on banks, during the first quarter of 2024 DDosia focused mostly on various industry consortia, courts, press agencies, CERTs, and transport and logistics companies. The underlying logic stayed mostly the same – finding targets within countries that went against Russian interests.</p>
  1803.  
  1804.  
  1805.  
  1806. <p>As for the trends in the whole botnet landscape, many of the prevalent strains have stagnated. Still, we’ve seen several bigger shifts in their prevalence, including increased activity of BetaBot (13%). On the other hand, most of the other strains seem to be in decline with the following strains seeing the biggest drops: Pikabot (-48%), Tofsee (-31%), MyKings (-21%), and Dridex (-21%).</p>
  1807.  
  1808.  
  1809. <div class="wp-block-image">
  1810. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_bot_malware_bot_31_2024-01-01—2024-03-31-1024x404.png" alt="" class="wp-image-8575" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_bot_malware_bot_31_2024-01-01—2024-03-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_bot_malware_bot_31_2024-01-01—2024-03-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_bot_malware_bot_31_2024-01-01—2024-03-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_bot_malware_bot_31_2024-01-01—2024-03-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_bot_malware_bot_31_2024-01-01—2024-03-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio of bots in Q4/2023 and Q1/2024</em></figcaption></figure></div>
  1811.  
  1812.  
  1813. <p class="has-text-align-right"><em>Adolf Středa, Malware Researcher</em></p>
  1814.  
  1815.  
  1816.  
  1817. <h3 class="wp-block-heading">Coinminers Continue to Decline</h3>
  1818.  
  1819.  
  1820.  
  1821. <p><em>Coinminers are programs that use a device&#8217;s hardware resources to verify cryptocurrency transactions and earn cryptocurrency as compensation. However, in the world of malware, coinminers silently hijack a victim&#8217;s computer resources to generate cryptocurrency for an attacker. Regardless of whether a coinminer is legitimate or malware, it&#8217;s important to follow our </em><a href="https://support.avast.com/en-eu/article/Threat-Lab-cryptomining-behavior-guideline/" target="_blank" rel="noreferrer noopener"><em>guidelines</em></a><em>.</em></p>
  1822.  
  1823.  
  1824.  
  1825. <p>In the previous quarter, we observed a continued decline in the prevalence of coinminers. This downward trend persisted into Q1/2024, where the risk ratio decreased by a substantial 28%. This decrease was influenced by a slight reduction in the coinminer malware share of XMRig, which had surged in the previous quarter. However, nearly all other major coinminers actually increased in activity, thereby expanding their share.</p>
  1826.  
  1827.  
  1828. <div class="wp-block-image">
  1829. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_map_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-1024x639.png" alt="" class="wp-image-8576" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_map_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_map_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_map_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_map_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_map_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for coinminers in Q1/2024</em></figcaption></figure></div>
  1830.  
  1831.  
  1832. <p>After the surge in the USA and Turkey the previous quarter, the situation calmed down a bit and we observed a 39% decrease in risk ratio in both countries. According to our data, more significant declines happened in India (22%), Egypt (19%), and Pakistan (13%). In total, the biggest risk of getting infected by a coinminer is still in Madagascar (2.18% risk ratio), Turkey (1.47%), Pakistan (1.35%), and Egypt (1.14%).</p>
  1833.  
  1834.  
  1835.  
  1836. <p>In the graph below, we can observe a steady decline in coinmining activities.</p>
  1837.  
  1838.  
  1839. <div class="wp-block-image">
  1840. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_daily_hits_normalized_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-1024x404.png" alt="" class="wp-image-8577" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_daily_hits_normalized_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_daily_hits_normalized_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_daily_hits_normalized_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_daily_hits_normalized_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_daily_hits_normalized_2024_q1_malware_coinminer_31_2024-01-01—2024-03-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Daily risk ratio in our user base regarding coinminers in Q1/2024</em></figcaption></figure></div>
  1841.  
  1842.  
  1843. <p>XMRig, the long-time most popular coinminer, decreased in coinminer malware share by 6% this quarter. Yet, it still holds 60% of the total share. All other major coinminers saw an increase in their activity, including web miners (5% increase), CoinBitMiner (24%), FakeKMSminer (37%), among others. On the other hand, SilentCryptoMiner lost 58% share this quarter.</p>
  1844.  
  1845.  
  1846.  
  1847. <p>The most common coinminers with their malware share in Q1/2024 were:</p>
  1848.  
  1849.  
  1850.  
  1851. <ul class="wp-block-list">
  1852. <li>XMRig (59.53%)</li>
  1853.  
  1854.  
  1855.  
  1856. <li>Web miners (20.20%)</li>
  1857.  
  1858.  
  1859.  
  1860. <li>CoinBitMiner (2.67%)</li>
  1861.  
  1862.  
  1863.  
  1864. <li>FakeKMSminer (2.03%)</li>
  1865.  
  1866.  
  1867.  
  1868. <li>NeoScrypt (1.75%)</li>
  1869.  
  1870.  
  1871.  
  1872. <li>CoinHelper (1.05%)</li>
  1873.  
  1874.  
  1875.  
  1876. <li>VMiner (0.86%)</li>
  1877.  
  1878.  
  1879.  
  1880. <li>SilentCryptoMiner (0.84%)</li>
  1881. </ul>
  1882.  
  1883.  
  1884.  
  1885. <p class="has-text-align-right"><em>Jan Rubín, Malware Researcher</em></p>
  1886.  
  1887.  
  1888.  
  1889. <h3 class="wp-block-heading">Information Stealers are Still Dominated by AgentTesla</h3>
  1890.  
  1891.  
  1892.  
  1893. <p><em>Information stealers are dedicated to stealing anything of value from the victim’s device. Typically, they focus on stored credentials, cryptocurrencies, browser sessions/cookies, browser passwords and private documents.</em></p>
  1894.  
  1895.  
  1896.  
  1897. <p>AgentTesla, traditionally the most prevalent information stealer we protect our users against, continued to attack users by leveraging email campaigns. <a href="https://twitter.com/AvastThreatLabs/status/1762082961837477891" target="_blank" rel="noreferrer noopener">One such campaign</a> targeted Czechia, spreading the stealer via malicious attachments.</p>
  1898.  
  1899.  
  1900. <div class="wp-block-image">
  1901. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="683" height="644" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_AgentTesla_mail.png" alt="" class="wp-image-8578" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_AgentTesla_mail.png 683w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_AgentTesla_mail-300x283.png 300w" sizes="(max-width: 683px) 100vw, 683px" /><figcaption class="wp-element-caption"><em>Email containing AgentTesla in attachments (</em><a href="https://twitter.com/AvastThreatLabs/status/1762082961837477891" target="_blank" rel="noreferrer noopener"><em>AvastThreatLabs</em></a><em>)</em></figcaption></figure></div>
  1902.  
  1903.  
  1904. <p><a href="https://blog.talosintelligence.com/timbrestealer-campaign-targets-mexican-users/" target="_blank" rel="noreferrer noopener">TimbreStealer</a>, targeting almost exclusively users in Mexico, is a newcomer in the information stealer landscape. The malware is quite advanced and multi-modular, containing techniques like Heaven’s Gate, among many others. It also introduces many tricks for preventing execution in sandboxes and for hindering debugging.</p>
  1905.  
  1906.  
  1907.  
  1908. <p>Malware-as-a-Service (MaaS) stealers continue to thrive, finding new distribution methods whenever possible. For example, DarkGate was <a href="https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response" target="_blank" rel="noreferrer noopener">observed</a> to be spread via Microsoft Teams, using phishing. Furthermore, from the more technical perspective, DarkGate <a href="https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html" target="_blank" rel="noreferrer noopener">was exploiting</a> Microsoft Windows SmartScreen (CVE-2024-21412).</p>
  1909.  
  1910.  
  1911.  
  1912. <p>We have also observed a DarkGate campaign distributed via <a href="https://twitter.com/AvastThreatLabs/status/1758461792844443650" target="_blank" rel="noreferrer noopener">malicious PDF files</a>, abusing a crypto exchange and a WebDAV server. The malware was delivered using an Internet Shortcut link (.URL file) that downloaded the content from an open directory (opendir).</p>
  1913.  
  1914.  
  1915. <div class="wp-block-image">
  1916. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="575" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_PDF_DarkGate-1024x575.png" alt="" class="wp-image-8579" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_PDF_DarkGate-1024x575.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_PDF_DarkGate-300x168.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_PDF_DarkGate-768x431.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_PDF_DarkGate-540x304.png 540w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_PDF_DarkGate-344x194.png 344w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_PDF_DarkGate-1128x635.png 1128w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_PDF_DarkGate.png 1434w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>PDF leading to DarkGate deployment (</em><a href="https://twitter.com/AvastThreatLabs/status/1758461792844443650" target="_blank" rel="noreferrer noopener"><em>AvastThreatLabs</em></a><em>)</em></figcaption></figure></div>
  1917.  
  1918.  
  1919. <p>On the other hand, Lumma Stealer, which is yet another MaaS stealer, continues to spread via <a href="https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube" target="_blank" rel="noreferrer noopener">cracked software propagated on YouTube</a>, using fake tutorials to mislead victims. This further emphasizes that such strains – and their creators – never miss an opportunity to leverage social engineering to distribute malware.</p>
  1920.  
  1921.  
  1922.  
  1923. <p>With regards to macOS, AtomicStealer, also known as AMOS, saw a consistent rise in occurrences on this platform during Q1/2024. This typically obfuscated malware is known for stealing passwords, cryptocurrency wallets, and cookies. It often infiltrates systems via counterfeit applications or through Google Ads poisoning. The existence of multiple generations of this threat suggests that it is likely to persist in the future, which is further underlined by its <a href="https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version" target="_blank" rel="noreferrer noopener">new version</a> that was carried by a malvertising campaign in the beginning of the year.</p>
  1924.  
  1925.  
  1926.  
  1927. <p>In terms of Linux, Python information stealers were the most prevalent strains of this type, with well-known malware families like Spidey, Creal, Wasp or PirateStealer. Additionally, in this quarter we uncovered a new malware strain identified as <a href="https://www.virustotal.com/gui/file/1168e97ccf61600536e93e9c371ee7671bae4198d4bf566550328b241ec52e89" target="_blank" rel="noreferrer noopener">PassSniff/Putin</a> and written in C++ that, instead of stealing passwords from disk, steals them by sniffing HTTP traffic, using both generic rules and rules specific to popular services and applications.</p>
  1928.  
  1929.  
  1930.  
  1931. <h4 class="wp-block-heading">Statistics</h4>
  1932.  
  1933.  
  1934.  
  1935. <p>Overall, the global risk ratio decreased by 8% in Q1/2024 for information stealers. However, many popular stealers further increased their reach, including AgentTesla, Stealc, Fareit, and ViperSoftX.</p>
  1936.  
  1937.  
  1938. <div class="wp-block-image">
  1939. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_daily_hits_normalized_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-1024x404.png" alt="" class="wp-image-8580" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_daily_hits_normalized_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_daily_hits_normalized_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_daily_hits_normalized_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_daily_hits_normalized_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_daily_hits_normalized_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Daily risk ratio in our user base regarding information stealers in Q1/2024</em></figcaption></figure></div>
  1940.  
  1941.  
  1942. <p>Each of the countries where we observe the risk ratio with regards to information stealers and where we have a more significant user base thankfully experienced a decrease in activity compared to the previous quarter:</p>
  1943.  
  1944.  
  1945.  
  1946. <ul class="wp-block-list">
  1947. <li>Turkey (2.29%) with 23% Q/Q decrease</li>
  1948.  
  1949.  
  1950.  
  1951. <li>Pakistan (2.05%) with 11% Q/Q decrease</li>
  1952.  
  1953.  
  1954.  
  1955. <li>Egypt (1.78%) with 10% Q/Q decrease</li>
  1956. </ul>
  1957.  
  1958.  
  1959.  
  1960. <p>On the other hand, we also measured increases in activity in Mexico and Czechia, following the aforementioned TimbreStealer and AgentTesla campaigns, where the risk ratio increased by 25% and 14%, respectively.</p>
  1961.  
  1962.  
  1963. <div class="wp-block-image">
  1964. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4_map_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-1024x639.png" alt="" class="wp-image-8581" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4_map_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4_map_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4_map_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4_map_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4_map_2024_q1_malware_infostealer_31_2024-01-01—2024-03-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for information stealers in Q1/2024</em></figcaption></figure></div>
  1965.  
  1966.  
  1967. <p>AgentTesla, the most prevalent information stealer according to our data, has increased its malware share by 17%. Its campaigns primarily target Central Europe and both North and South America. As a result, it now holds a significant 30.31% of the malware share. Notably, almost every bigger information stealer experienced an increase in activity, including Fareit (34% increase), Stealc (33%), ViperSoftX (28%), and Azorult (14%). FormBook’s share decreased by 32%, as well as Lokibot’s by 50%, balancing the scales of the overall activity of information stealers.</p>
  1968.  
  1969.  
  1970.  
  1971. <p>The most common information stealers with their malware shares in Q1/2024 were:</p>
  1972.  
  1973.  
  1974.  
  1975. <ul class="wp-block-list">
  1976. <li>AgentTesla (30.31%)</li>
  1977.  
  1978.  
  1979.  
  1980. <li>Fareit (7.55%)</li>
  1981.  
  1982.  
  1983.  
  1984. <li>FormBook (6.92%)</li>
  1985.  
  1986.  
  1987.  
  1988. <li>RedLine (4.37%)</li>
  1989.  
  1990.  
  1991.  
  1992. <li>Stealc (2.81%)</li>
  1993.  
  1994.  
  1995.  
  1996. <li>ViperSoftX (2.28%)</li>
  1997.  
  1998.  
  1999.  
  2000. <li>Azorult (1.93%)</li>
  2001.  
  2002.  
  2003.  
  2004. <li>ClipBanker (1.72%)</li>
  2005.  
  2006.  
  2007.  
  2008. <li>Raccoon (1.56%)</li>
  2009.  
  2010.  
  2011.  
  2012. <li>Lokibot (1.41%)</li>
  2013.  
  2014.  
  2015.  
  2016. <li>Rhadamanthys (1.36%)</li>
  2017. </ul>
  2018.  
  2019.  
  2020.  
  2021. <p class="has-text-align-right"><em>Jan Rubín, Malware Researcher<br>David Álvarez, Malware Analyst</em></p>
  2022.  
  2023.  
  2024.  
  2025. <h3 class="wp-block-heading">Ransomware: Fighting it Back</h3>
  2026.  
  2027.  
  2028.  
  2029. <p><em>Ransomware is any type of extorting malware. The most common subtype is the one that encrypts documents, photos, videos, databases, and other files on the victim’s PC. Those files become unusable without decrypting them first. To decrypt the files, attackers demand money, “ransom”, hence the term ransomware.</em></p>
  2030.  
  2031.  
  2032.  
  2033. <h4 class="wp-block-heading"><strong>The LockBit Story</strong></h4>
  2034.  
  2035.  
  2036.  
  2037. <p>In the <a href="https://decoded.avast.io/threatresearch/avast-q4-2023-threat-report/" target="_blank" rel="noreferrer noopener">previous threat report</a>, we discussed new ransomware attacks. One of the top ransomware strains (or gangs, if you wish) is LockBit, which continues its encryption and extortion attacks with an undiminished intensity.</p>
  2038.  
  2039.  
  2040.  
  2041. <p>Because of the notoriety of LockBit, their – albeit brief – takedown in Q1/2024 was watched closely by the public. On February 19, <a href="https://www.youtube.com/watch?v=-jKykhKKMZw" target="_blank" rel="noreferrer noopener">Operation Cronos was announced</a>, which was a joint operation between law enforcement agencies in 10 countries. As a part of this operation, the FBI successfully breached the LockBit infrastructure, <a href="https://www.nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group" target="_blank" rel="noreferrer noopener">secured about 1000 private encryption keys</a> and released a public decryptor. The following is the timeline surrounding the initiative:</p>
  2042.  
  2043.  
  2044.  
  2045. <ul class="wp-block-list">
  2046. <li><strong>Feb 19</strong>: Operation Cronos was unveiled. LockBit leak site was replaced by a landing page from the associated law enforcement agencies:<br></li>
  2047. </ul>
  2048.  
  2049.  
  2050. <div class="wp-block-image">
  2051. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="693" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site1-1024x693.jpg" alt="" class="wp-image-8582" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site1-1024x693.jpg 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site1-300x203.jpg 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site1-768x520.jpg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site1.jpg 1535w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure></div>
  2052.  
  2053.  
  2054. <ul class="wp-block-list">
  2055. <li>The main panel was replaced with a version augmented by the authorities, outing the criminality of ransomware operators:</li>
  2056. </ul>
  2057.  
  2058.  
  2059. <div class="wp-block-image">
  2060. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="744" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site2-1024x744.png" alt="" class="wp-image-8583" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site2-1024x744.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site2-300x218.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site2-768x558.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site2-1536x1116.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site2.png 1752w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure></div>
  2061.  
  2062.  
  2063. <ul class="wp-block-list">
  2064. <li><strong>Feb 20</strong>: <a href="https://www.bleepingcomputer.com/news/security/police-arrest-lockbit-ransomware-members-release-decryptor-in-global-crackdown/" target="_blank" rel="noreferrer noopener">Two LockBit operators (Poland and Ukraine) were arrested</a>, and a few other individuals were indicted for their involvement in LockBit operations</li>
  2065.  
  2066.  
  2067.  
  2068. <li>LockBit <a href="https://twitter.com/azalsecurity/status/1759740340209172548" target="_blank" rel="noreferrer noopener">informed all their affiliates</a> about the breach</li>
  2069.  
  2070.  
  2071.  
  2072. <li>For four days, there was no information about new victims of the LockBit ransomware</li>
  2073.  
  2074.  
  2075.  
  2076. <li><strong>Feb 24</strong>: A long message from LockBit was <a href="https://twitter.com/DarkWebInformer/status/1761505849908887567" target="_blank" rel="noreferrer noopener">published by DarkWebInformer</a>. This message explained what happened and questioned the law enforcement agencies&#8217; success. The author of the message explains that some of <em>his</em> servers were running an outdated version of PHP and hence were vulnerable to <a href="https://www.cvedetails.com/cve/CVE-2023-3824/" target="_blank" rel="noreferrer noopener">CVE-2023-3824</a>.</li>
  2077.  
  2078.  
  2079.  
  2080. <li><strong>Feb 25</strong>: The LockBit leak site was restored, with the FBI now shown as one of the victims. Additionally, the information about leaked data from <a href="https://fultoncountyga.gov/" target="_blank" rel="noreferrer noopener">Fulton County</a> was re-uploaded. Note that the Fulton County Government was <a href="https://twitter.com/FalconFeedsio/status/1757676052988699111" target="_blank" rel="noreferrer noopener">allegedly attacked by LockBit</a> on Feb 14, and LockBit’s message named the leaked data as the reason the FBI stopped the operation instead of silently watching the servers and continuing to exfiltrate LockBit’s data while the criminal activities went on.<br></li>
  2081. </ul>
  2082.  
  2083.  
  2084. <div class="wp-block-image">
  2085. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="497" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site3-1024x497.png" alt="" class="wp-image-8584" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site3-1024x497.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site3-300x146.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site3-768x373.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-lockbit-site3.png 1365w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure></div>
  2086.  
  2087.  
  2088. <ul class="wp-block-list">
  2089. <li><strong>Feb 26</strong>: LockBit operators restored their cyber-attacks and <a href="https://twitter.com/FalconFeedsio/status/1762090791168823330" target="_blank" rel="noreferrer noopener">re-started attacking multiple companies daily</a>. No, this is not a story with a happy conclusion (so far).</li>
  2090. </ul>
  2091.  
  2092.  
  2093.  
  2094. <p>A tool for decrypting LockBit-encrypted data using one of 1000 seized encryption keys is. The importance of these encryption keys has been questioned by the LockBit operator himself, saying (quote) “<em>Note that the vast majority of unprotected decryptors are from partners who encrypt brute force dedicas and spam single computers, taking $2000 ransoms</em>” (end quote). Users attacked by LockBit ransomware may use the tool to verify if their data can be decrypted using one of the keys that were seized during the Cronos operation.</p>
  2095.  
  2096.  
  2097.  
  2098. <p>Another LockBit-related incident happened at the beginning of 2024, which demonstrates some of the ransomware operators’ modus operandi. After LockBitSupp gained access to an unspecified company, encrypted their data, and received ransom payout, he that provided access to the network.</p>
  2099.  
  2100.  
  2101.  
  2102. <p>This little incident shows what ransomware operators do to penetrate a company:</p>
  2103.  
  2104.  
  2105.  
  2106. <ol class="wp-block-list">
  2107. <li>A ransomware operator “buys access”, which means obtaining information about a company, its vulnerabilities, and how to breach its network.</li>
  2108.  
  2109.  
  2110.  
  2111. <li>Then the operator maps the company network and eventually deploys the ransomware.</li>
  2112.  
  2113.  
  2114.  
  2115. <li>When the attacked company pays the ransom, the “access seller” gets paid for the access.</li>
  2116. </ol>
  2117.  
  2118.  
  2119.  
  2120. <h4 class="wp-block-heading"><strong>Ransomware Decryptors</strong></h4>
  2121.  
  2122.  
  2123.  
  2124. <p>As a part of the ongoing battle against ransomware, Avast released two ransomware decryptors: HomuWitch and Rhysida.</p>
  2125.  
  2126.  
  2127.  
  2128. <h5 class="wp-block-heading"><strong>HomuWitch</strong></h5>
  2129.  
  2130.  
  2131.  
  2132. <p>HomuWitch is a ransomware that has stayed under the radar since July 2023, because it targets end users with smaller ransom demands (25 &#8211; 75 USD). Searching for pirated software is the most common infection vector – instead of the desired software, users may download the SmokeLoader backdoor, which later installs a malicious dropper for the ransomware payload.</p>
  2133.  
  2134.  
  2135.  
  2136. <p>Unlike most ransomware strains, which only encrypt files, HomuWitch also compresses them, so the encrypted files are smaller than their originals. When executed, HomuWitch searches local drives and user folders (Pictures, Downloads, Documents). All files of interest (.pdf, .doc, .docx, .ppt, .pptx, .xls, .py, .rar, .zip, .7z, .txt, .mp4, .JPG, .PNG, .HEIC, .csv) are encrypted and renamed to the <strong>.homuencrypted</strong> extension:</p>
  2137.  
  2138.  
  2139. <div class="wp-block-image">
  2140. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="775" height="430" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-homuwitch-files.png" alt="" class="wp-image-8585" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-homuwitch-files.png 775w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-homuwitch-files-300x166.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware-Q1-homuwitch-files-768x426.png 768w" sizes="(max-width: 775px) 100vw, 775px" /></figure></div>
  2141.  
  2142.  
  2143. <p><a href="https://decoded.avast.io/threatresearch/decrypted-homuwitch-ransomware/" target="_blank" rel="noreferrer noopener">While analyzing this ransomware</a>, we found a vulnerability that allows affected users to recover their files for free. We released a free decryptor that is available on <a href="https://files.avast.com/files/decryptor/avast_decryptor_homuwitch.exe" target="_blank" rel="noreferrer noopener">our website</a>.</p>
  2144.  
  2145.  
  2146.  
  2147. <h5 class="wp-block-heading"><strong>Rhysida</strong></h5>
  2148.  
  2149.  
  2150.  
  2151. <p>Rhysida is another ransomware strain defeated by a free decryption tool. This ransomware has been active since May 2023 and focuses on the enterprise sector. During the summer, we discovered that this ransomware strain is decryptable without having the private RSA key, so we have been helping people who were attacked by the Rhysida ransomware.</p>
  2152.  
  2153.  
  2154.  
  2155. <p>In February 2024, Korean researchers also <a href="https://thehackernews.com/2024/02/rhysida-ransomware-cracked-free.html" target="_blank" rel="noreferrer noopener">discovered that vulnerability</a> and released their <a href="https://seed.kisa.or.kr/kisa/Board/166/detailView.do" target="_blank" rel="noreferrer noopener">decryption tool</a> publicly. It is always unfortunate to publish the details of such a vulnerability – we would like to ask fellow malware researchers not to do so and to focus more on helping people affected by ransomware attacks.</p>
  2156.  
  2157.  
  2158.  
  2159. <p>Now that the details of the vulnerability are public, we also released a free decryption tool that is available both on <a href="https://decoded.avast.io/threatresearch/decrypted-rhysida-ransomware/" target="_blank" rel="noreferrer noopener">our website</a> and as part of the <a href="https://www.nomoreransom.org/en/decryption-tools.html" target="_blank" rel="noreferrer noopener">NoMoreRansom project</a>.</p>
  2160.  
  2161.  
  2162.  
  2163. <h4 class="wp-block-heading"><strong>Statistics</strong></h4>
  2164.  
  2165.  
  2166.  
  2167. <p>The most prevalent ransomware strains that we block in our userbase are listed below. As opposed to more popular threats like LockBit, Akira or BlackCat, you rarely read about those strains in media because – instead of attacking a large company and demanding millions of USD as ransom – these strains focus on either individual users or small businesses, and they demand ransoms that are in the thousands of dollars range.</p>
  2168.  
  2169.  
  2170.  
  2171. <ul class="wp-block-list">
  2172. <li>WannaCry (21% of ransomware share)</li>
  2173.  
  2174.  
  2175.  
  2176. <li>Enigma (12%)</li>
  2177.  
  2178.  
  2179.  
  2180. <li>STOP (12%)</li>
  2181.  
  2182.  
  2183.  
  2184. <li>Mallox (aka TargetCompany) (3%)</li>
  2185.  
  2186.  
  2187.  
  2188. <li>DarkSide (2%)</li>
  2189.  
  2190.  
  2191.  
  2192. <li>Cryptonite (1%)</li>
  2193. </ul>
  2194.  
  2195.  
  2196.  
  2197. <p>The overall ransomware risk ratio in our user base is showing an increase when compared to the previous quarter. The situation started escalating in March 2024:</p>
  2198.  
  2199.  
  2200. <div class="wp-block-image">
  2201. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_daily_hits-1024x404.png" alt="" class="wp-image-8586" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_daily_hits-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_daily_hits-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_daily_hits-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_daily_hits-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_daily_hits-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure></div>
  2202.  
  2203.  
  2204. <p>The ransomware risk ratio per country is depicted on the following map. We have noticed a significant increase in Bulgaria, Japan, Czechia, and Hungary where the risk ratio more than doubled Q/Q.</p>
  2205.  
  2206.  
  2207. <div class="wp-block-image">
  2208. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_world_map-1024x639.png" alt="" class="wp-image-8587" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_world_map-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_world_map-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_world_map-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_world_map-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/ransomware_risk_ratio_world_map-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for ransomware in Q1/2024</em></figcaption></figure></div>
  2209.  
  2210.  
2211. <p class="has-text-align-right"><em>Ladislav Zezula, Malware Researcher</em><br><em>Jakub Křoustek, Malware Research Director</em></p>
  2212.  
  2213.  
  2214.  
  2215. <h3 class="wp-block-heading">Remote Access Trojans (RATs): The End of Warzone</h3>
  2216.  
  2217.  
  2218.  
  2219. <p><em>A Remote Access Trojan (RAT) is a type of malicious software that allows unauthorized individuals to gain remote control over a victim&#8217;s computer or device. RATs are typically spread through social engineering techniques, such as phishing emails or infected file downloads. Once installed, RATs grant the attacker complete access to the victim&#8217;s device, enabling them to execute various malicious activities, such as spying, data theft, remote surveillance, and even taking control of the victim&#8217;s webcam and microphone.</em></p>
  2220.  
  2221.  
  2222.  
2223. <p>As in Q1/2023 with the Netwire takedown, this year also began with a takedown action against one of the major players in the RAT scene – the Warzone RAT was <a href="https://www.justice.gov/opa/pr/international-cybercrime-malware-service-dismantled-federal-authorities-key-malware-sales" target="_blank" rel="noreferrer noopener">taken down</a> at the beginning of February. According to our data, the effect was immediately visible as a sudden drop in the number of detected Warzone attacks. Besides this takedown, it was a rather slow start to the year, with only a few notable events in the RAT sphere.</p>
  2224.  
  2225.  
  2226. <div class="wp-block-image">
  2227. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_daily_hits_normalized_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-1024x404.png" alt="" class="wp-image-8588" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_daily_hits_normalized_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_daily_hits_normalized_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_daily_hits_normalized_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_daily_hits_normalized_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1_daily_hits_normalized_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Daily risk ratio in our user base regarding RATs in Q4/2023 and Q1/2024</em></figcaption></figure></div>
  2228.  
  2229.  
2230. <p>Compared to Q4/2023, the global risk ratio in the first quarter of 2024 is following a downward trend. There are several reasons for this decline. The big players Remcos, njRAT, and AsyncRat seem to have eased off a little, and the number of attacks in Q1/2024 was lower than what we typically see. The takedown action against Warzone might have caused some RAT operators to halt or pause their activities. While we see increased activity of less prevalent malware strains, this isn’t enough to compensate for the drop in the overall attack numbers.</p>
  2231.  
  2232.  
  2233. <div class="wp-block-image">
  2234. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_map_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-1024x639.png" alt="" class="wp-image-8589" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_map_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_map_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_map_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_map_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2_map_2024_q1_malware_-_rat_malware_rat_31_2024-01-01—2024-03-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for RATs in Q1/2024</em></figcaption></figure></div>
  2235.  
  2236.  
  2237. <p>The top 3 countries and RATs have not changed. We still see the highest risk ratio in Afghanistan, Iraq and Yemen, with HWorm and njRAT as the most active threats there.</p>
  2238.  
  2239.  
  2240.  
2241. <p>The biggest increase in risk ratio was observed in Canada (+69%) due to increased activity of XWorm in February. This led to XWorm increasing its malware share by 378%, which makes it the most prevalent RAT in Canada. The second highest increase was in New Zealand (+33%), followed by Switzerland (+14%). Remcos was the dominant force in both countries. Despite this rise in risk ratio, Switzerland is still among the safest countries regarding RAT attacks.</p>
  2242.  
  2243.  
  2244.  
2245. <p>The most prevalent remote access trojan strains in our user base are as follows:</p>
  2246.  
  2247.  
  2248.  
  2249. <ul class="wp-block-list">
  2250. <li>HWorm</li>
  2251.  
  2252.  
  2253.  
  2254. <li>Remcos</li>
  2255.  
  2256.  
  2257.  
  2258. <li>njRAT</li>
  2259.  
  2260.  
  2261.  
  2262. <li>AsyncRat</li>
  2263.  
  2264.  
  2265.  
  2266. <li>QuasarRAT</li>
  2267.  
  2268.  
  2269.  
  2270. <li>Warzone</li>
  2271.  
  2272.  
  2273.  
  2274. <li>FlawedAmmyy</li>
  2275.  
  2276.  
  2277.  
  2278. <li>XWorm</li>
  2279.  
  2280.  
  2281.  
  2282. <li>NanoCore</li>
  2283.  
  2284.  
  2285.  
  2286. <li>DarkComet</li>
  2287. </ul>
  2288.  
  2289.  
  2290.  
  2291. <p>Although the overall number of detected attacks by Remcos slightly dropped, it is still very active. We recently <a href="https://twitter.com/AvastThreatLabs/status/1752427947045093657" target="_blank" rel="noreferrer noopener">warned</a> about a campaign targeting most of Eastern Europe; this campaign was created in the Russian language and used a common lure &#8220;Invoice payment confirmation&#8221;.</p>
  2292.  
  2293.  
  2294.  
2295. <p>We already mentioned XWorm in relation to Canada; however, it also managed to increase its presence in most parts of the world. We also see XWorm frequently releasing new versions.</p>
  2296.  
  2297.  
  2298.  
  2299. <p>On February 7, an international operation targeted the Warzone RAT resulting in the seizure of four domains, including the primary site &#8220;warzone.ws&#8221;, and server infrastructure. One suspect was arrested in Malta and another in Nigeria. The FBI led the operation with assistance from <a href="https://www.europol.europa.eu/media-press/newsroom/news/international-cybercrime-malware-service-targeting-thousands-of-unsuspecting-consumers-dismantled" target="_blank" rel="noreferrer noopener">Europol</a>, the <a href="https://www.justice.gov/opa/pr/international-cybercrime-malware-service-dismantled-federal-authorities-key-malware-sales" target="_blank" rel="noreferrer noopener">U.S. Department of Justice</a>, and local law enforcement agencies. The suspects are accused of selling and advertising the RAT, providing support, and unauthorized damage to protected computers.</p>
  2300.  
  2301.  
  2302. <div class="wp-block-image">
  2303. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="577" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_warzone_ws-1024x577.png" alt="" class="wp-image-8590" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_warzone_ws-1024x577.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_warzone_ws-300x169.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_warzone_ws-768x433.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_warzone_ws-540x304.png 540w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_warzone_ws-344x194.png 344w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_warzone_ws-1128x635.png 1128w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3_warzone_ws.png 1452w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Domain warzone.ws taken down by the authorities</em></figcaption></figure></div>
  2304.  
  2305.  
  2306. <p><a href="https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon" target="_blank" rel="noreferrer noopener">FortiGuard Labs</a> also uncovered a phishing campaign spreading a new RAT, VCURMS. The campaign uses a downloader with payloads stored on public services like AWS and GitHub. There are two known payloads – the new VCURMS and STRRAT. STRRAT is also a remote access trojan which appeared in 2020. The interesting part of VCURMS is its unusual command and control channel. It communicates using emails with a Proton Mail address. Like STRRAT, VCURMS is also coded in Java. Another notable feature is its infostealer module which looks similar to RudeStealer.</p>
  2307.  
  2308.  
  2309.  
2310. <p><a href="https://blog.phylum.io/a-deep-dive-into-powerat-a-newly-discovered-stealer-rat-combo-polluting-pypi/" target="_blank" rel="noreferrer noopener">Phylum</a> and <a href="https://blog.sonatype.com/top-8-malicious-attacks-recently-found-on-pypi" target="_blank" rel="noreferrer noopener">Sonatype</a> discovered another supply chain attack in Q1/2024. Both teams found malicious packages in PyPI. These packages deploy a RAT that can also steal information from infected machines. Phylum named this threat &#8220;poweRAT&#8221; because it relies on PowerShell in the early stages. Both reports mention the following packages as affected: pyrologin, easytimestamp, discorder, discord-dev, style.py and pythonstyles. Sonatype <a href="https://hackernoon.com/how-rat-mutants-in-python-steal-data-and-evade-detection" target="_blank" rel="noreferrer noopener">followed up</a> on this story, adding several more packages to the list and showing how this threat has evolved. Communication with the C&amp;C server happens via a Cloudflare Tunnel created from the infected machine, which means the malware does not need to modify any firewall settings. RAT and information-stealing components are common on their own; combined, however, they create quite a dangerous threat. Phylum refers to it as a &#8220;RAT on steroids&#8221; and Sonatype as a &#8220;RAT mutant&#8221;.</p>
  2311.  
  2312.  
  2313.  
  2314. <p class="has-text-align-right"><em>Ondřej Mokoš, Malware Researcher</em></p>
  2315.  
  2316.  
  2317.  
  2318. <h3 class="wp-block-heading">Vulnerabilities and Exploits: An Actively Exploited Admin-to-Kernel Zero-Day</h3>
  2319.  
  2320.  
  2321.  
  2322. <p><em>Exploits take advantage of flaws in legitimate software to perform actions that should not be allowed. They are typically categorized into remote code execution (RCE) exploits, which allow attackers to infect another machine, and local privilege escalation (LPE) exploits, which allow attackers to take more control of a partially infected machine.</em></p>
  2323.  
  2324.  
  2325.  
  2326. <p>In the February Patch Tuesday update, Microsoft patched <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338" target="_blank" rel="noreferrer noopener">CVE-2024-21338</a>, a zero-day admin-to-kernel vulnerability <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/" target="_blank" rel="noreferrer noopener">discovered</a> by Avast researchers. This zero-day was initially exploited in the wild by the Lazarus Group, who used it to enable an updated version of their FudModule data-only rootkit. This marked a significant improvement in capabilities, as previous versions of the FudModule rootkit were enabled by targeting known vulnerable drivers for BYOVD (Bring Your Own Vulnerable Driver) attacks. </p>
  2327.  
  2328.  
  2329.  
2330. <p>Upgrading from BYOVD techniques to a zero-day in a built-in driver made the entire attack significantly stealthier; however, this wasn&#8217;t the only upgrade. Lazarus also revamped the rootkit functionality, targeting registry callbacks, object callbacks, process/thread/image callbacks, file system minifilters, Windows Filtering Platform, Event Tracing for Windows, and image verification callbacks. Additionally, the threat actors implemented a noteworthy handle table entry manipulation technique, attempting to suspend critical processes associated with Microsoft Defender, CrowdStrike Falcon, and HitmanPro. For a deeper understanding of this attack, we recommend reading our two technical <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/" target="_blank" rel="noreferrer noopener">blog</a> <a href="https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/" target="_blank" rel="noreferrer noopener">posts</a> or watching our Black Hat Asia 2024 <a href="https://www.blackhat.com/asia-24/briefings/schedule/index.html" target="_blank" rel="noreferrer noopener">talk</a>.</p>
  2331.  
  2332.  
  2333. <div class="wp-block-image">
  2334. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="779" height="704" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/vulnerabilities_fudmodule.png" alt="" class="wp-image-8591" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/vulnerabilities_fudmodule.png 779w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/vulnerabilities_fudmodule-300x271.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/vulnerabilities_fudmodule-768x694.png 768w" sizes="(max-width: 779px) 100vw, 779px" /><figcaption class="wp-element-caption"><em>The decompiled “main” function of the FudModule rootkit, executing the exploit and all the individual rootkit techniques.</em></figcaption></figure></div>
  2335.  
  2336.  
2337. <p>In other news, the open-source world was shocked by the <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4" target="_blank" rel="noreferrer noopener">discovery</a> of a backdoor in the xz/liblzma compression library. This backdoor was discovered by software engineer Andres Freund, who <a href="https://x.com/AndresFreundTec/status/1774190743776866374" target="_blank" rel="noreferrer noopener">noticed</a> that failing ssh logins were consuming suspicious amounts of CPU, and did the world a huge favor by deciding to investigate the root cause. The attacker(s) went by the name Jia Tan (their exact affiliation and motivation remain unclear) and demonstrated a remarkable level of patience, slowly building up trust by contributing to the open-source project for over two years. Eventually, they decided to strike and – over a number of commits – introduced the backdoor, the ultimate goal of which was to allow remote SSH logins to anyone in possession of the right private key (<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094" target="_blank" rel="noreferrer noopener">CVE-2024-3094</a>).</p>
  2338.  
  2339.  
  2340.  
  2341. <p>Fortunately, the backdoor was discovered relatively early, so the attackers didn’t have enough time to get the malicious code merged into major Linux distributions like Debian or Red Hat. This was a close call, however, which should be very alarming, as this could have easily been one of the biggest security incidents that we have seen in recent years. While open-source code is often regarded as more trustworthy than its closed-source counterpart, this attack demonstrates that it comes with its own challenges. Many critical open-source projects are maintained with little funding by overworked volunteers, which might unfortunately make them vulnerable to similar attacks.</p>
  2342.  
  2343.  
  2344.  
2345. <p>Another interesting discovery was related to hyperlinks in Outlook. While Outlook would, under usual circumstances, not follow &#8220;file://&#8221; protocol links to remote resources, Haifei Li of Check Point Research <a href="https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/" target="_blank" rel="noreferrer noopener">discovered</a> that just adding an extra exclamation mark (&#8220;!&#8221;) followed by some arbitrary characters might change this behavior completely. This vulnerability was assigned <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413" target="_blank" rel="noreferrer noopener">CVE-2024-21413</a> and dubbed MonikerLink, as the exclamation mark essentially turns the link into a <a href="https://learn.microsoft.com/en-us/windows/win32/api/objbase/nf-objbase-mkparsedisplayname" target="_blank" rel="noreferrer noopener">composite moniker</a>. When a user received an email and clicked on such a link, the remote file would be fetched and possibly parsed in the background.</p>
  2346.  
  2347.  
  2348.  
  2349. <p>Interestingly, the impact of this is twofold. First, following the link to load a resource from a remote SMB server represents <a href="https://github.com/Greenwolf/ntlm_theft" target="_blank" rel="noreferrer noopener">yet another way</a> to <a href="https://www.scip.ch/en/?labs.20220421" target="_blank" rel="noreferrer noopener">force NTLM authentication</a>, allowing the remote server to capture NTLMv2 hashes. Second, an attacker might use this to trigger some vulnerable code, as the fetched resource might be opened in the background, attempting to look up the item moniker (the string appended after the exclamation mark). For instance, the Check Point blog demonstrated this on an RTF file, which would get opened in Microsoft Word outside protected view, representing a very sneaky 1-click vector to deliver an RTF exploit.</p>
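2349a. As an added defensive illustration (not code from the Check Point or Avast write-ups), the following hypothetical Python helper scans an HTML email body for file:// hyperlinks with the MonikerLink shape described above: a remote host plus an exclamation-mark item moniker in the path. Hostnames and the sample message are constructed; accepting the backslash UNC spelling is an assumption that goes beyond what the text shows.

```python
"""Flag MonikerLink-shaped (CVE-2024-21413) hyperlinks in email HTML.

Hypothetical defensive helper added for illustration; not Check Point's or
Avast's code. A "file:" link is reported as 'monikerlink' when it points at a
remote host and its path carries an exclamation mark (the composite-moniker
shape). Plain remote file: links and local file: links get lower-risk
verdicts so an analyst can triage them separately.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional, Tuple

DRIVE_LETTER_RE = re.compile(r"[A-Za-z]:")


@dataclass
class Finding:
    href: str
    host: str
    path: str
    item_moniker: str  # text after the first '!' in the path ('' if none)
    verdict: str       # 'monikerlink', 'remote_file_link' or 'local_file_link'


class _LinkCollector(HTMLParser):
    """Collect href attribute values from <a> and <area> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def split_file_url(href: str) -> Tuple[str, str]:
    """Return (host, path) for a file: URL.

    Accepts the file://host/share/doc form, the backslash UNC form
    (assumption, beyond the text) and file:///C:/dir/doc. For a local drive
    path the drive letter comes back as the "host"; the caller treats it as local.
    """
    rest = href[len("file:"):].replace("\\", "/").lstrip("/")
    if "/" in rest:
        host, path = rest.split("/", 1)
    else:
        host, path = rest, ""
    return host, "/" + path


def is_remote_host(host: str) -> bool:
    """A non-empty host that is neither localhost nor a drive letter."""
    if not host or host.lower() == "localhost":
        return False
    return DRIVE_LETTER_RE.fullmatch(host) is None


def classify_href(href: str) -> Optional[Finding]:
    """Classify one hyperlink; returns None for non-file: schemes."""
    if not href.lower().startswith("file:"):
        return None
    host, path = split_file_url(href)
    remote = is_remote_host(host)
    bang_present = "!" in path
    item = path.split("!", 1)[1] if bang_present else ""
    if remote and bang_present:
        verdict = "monikerlink"       # remote fetch plus item-moniker lookup
    elif remote:
        verdict = "remote_file_link"  # normally blocked by Outlook, still worth noting
    else:
        verdict = "local_file_link"
    return Finding(href, host, path, item, verdict)


def scan_html(html: str) -> List[Finding]:
    """Return findings for every file: hyperlink in an HTML email body."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        finding = classify_href(href)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample message (hostnames use the reserved .invalid TLD).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Please review the <a href="https://example.invalid/report">quarterly report</a>.</p>
<p>Archived copy: <a href="file://fileserver.example.invalid/share/q1.rtf!attach">here</a></p>
<p>Old link: <a href="file://fileserver.example.invalid/share/q1.rtf">old copy</a></p>
<p>Notes: <a href="file:///C:/Users/me/notes.txt!section">notes</a></p>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_EMAIL_HTML):
        print(f"{f.verdict:17} host={f.host!r} item_moniker={f.item_moniker!r} {f.href}")
```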
  2350.  
  2351.  
  2352.  
2353. <p class="has-text-align-right"><em>Jan Vojtěšek, Malware Researcher</em></p>
  2354.  
  2355.  
  2356.  
  2357. <h2 class="wp-block-heading">Web Threats</h2>
  2358.  
  2359.  
  2360.  
2361. <p>The significance of web threats can be seen not only in the numerical statistics but also in the creativity of the scammers themselves. We see scammers trying to take advantage of different trends in different groups. These cybercriminals use the latest AI technology, and they are not afraid to invest in their fraudulent practices to make their scams more sophisticated through other methods as well.</p>
  2362.  
  2363.  
  2364.  
2365. <p>Last quarter, we reported that scams, together with phishing and malvertising, accounted for more than 75% of all threats blocked by Avast throughout the year. This quarter, the same types of threats accounted for over 80% of everything we blocked. This indicates a rather interesting – and very scam-ridden – start to the year.</p>
  2366.  
  2367.  
  2368.  
  2369. <h3 class="wp-block-heading">Scams Everywhere, Including Video</h3>
  2370.  
  2371.  
  2372.  
  2373. <p><em>A scam is a type of threat that aims to trick users into giving an attacker their personal information or money. We track diverse types of scams which are listed below.</em></p>
  2374.  
  2375.  
  2376.  
2377. <p>In our Q4/2023 report, we pointed out that scam activity is increasing significantly. At that time, we saw that one of the main reasons was the high rate of malvertising campaigns. This trend has continued in Q1/2024, with activity remaining at the level of the previous peak.</p>
  2378.  
  2379.  
  2380. <div class="wp-block-image">
  2381. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_scam_malware_scam_31_2024-01-01—2024-03-31-1024x404.png" alt="" class="wp-image-8592" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_scam_malware_scam_31_2024-01-01—2024-03-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_scam_malware_scam_31_2024-01-01—2024-03-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_scam_malware_scam_31_2024-01-01—2024-03-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_scam_malware_scam_31_2024-01-01—2024-03-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_scam_malware_scam_31_2024-01-01—2024-03-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Daily risk ratio of scam in Q4/2023 and Q1/2024</em></figcaption></figure></div>
  2382.  
  2383.  
2384. <p>Our data again shows that sites that offer deals and then send push notifications are contributing significantly to this trend. With this in mind, we again urge everyone to think carefully about which websites they allow to send them notifications. Also remember that scammers try to disguise these notification prompts as, for example, video players or adult-content confirmations.</p>
  2385.  
  2386.  
  2387.  
2388. <p>If you unfortunately allow notifications from a malicious site, you may encounter the situation shown below.</p>
  2389.  
  2390.  
  2391. <div class="wp-block-image">
  2392. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="562" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/push_notif-1024x562.png" alt="" class="wp-image-8593" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/push_notif-1024x562.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/push_notif-300x165.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/push_notif-768x421.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/push_notif-1536x843.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/push_notif.png 1686w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Example of scam push-notifications</em></figcaption></figure></div>
  2393.  
  2394.  
  2395. <p>The increasing use of malvertising and push-notifications by scammers only confirms our predictions for 2024, when we repeatedly warned that this is a global threat with huge risk potential, especially on mobile phones.</p>
  2396.  
  2397.  
  2398.  
2399. <p>If we look at activity in specific countries, we see that Ukraine exhibited the most significant surge in risk ratio, with a concerning 97% increase (the overall risk ratio for the first quarter is 16.51%).</p>
  2400.  
  2401.  
  2402. <div class="wp-block-image">
  2403. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="550" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-122116-1024x550.png" alt="" class="wp-image-8594" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-122116-1024x550.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-122116-300x161.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-122116-768x413.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-122116-1536x826.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-122116.png 1637w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Example of scam targeting Ukraine users</em></figcaption></figure></div>
  2404.  
  2405.  
  2406. <p>Similarly, Kazakhstan and Uzbekistan displayed significant jumps in their risk ratios, +89% and +56% respectively, marking these countries as emerging hotspots for scam-related threats with overall risk ratios of 14.24% and 12.45%.</p>
  2407.  
  2408.  
  2409.  
2410. <p>If we look further, we see interesting data for India, which also saw an increase in scam threats. The current risk ratio for India is 17.26%, with a quarter-over-quarter risk ratio increase of +24%.</p>
  2411.  
  2412.  
  2413.  
2414. <p>We identified the highest scam risk ratio in Georgia and Serbia in Q1/2024, with more than a 30% risk ratio. In absolute numbers, the majority of scam-targeted users were in France, Brazil, and the US.</p>
  2415.  
  2416.  
  2417.  
  2418. <h4 class="wp-block-heading">Scam Delivery via Video</h4>
  2419.  
  2420.  
  2421.  
2422. <p>In Q1/2024 we continued to witness scam authors heavily using videos as lures in their scams. Whether a video made from stock footage or an elaborate deep fake, scammers are using all video varieties in their threats. One of the most widespread techniques involved exploiting famous individuals and significant media events to attract large audiences. As a result, scammers have devised enticing schemes that capitalize on the familiarity of well-known personalities and important world events.</p>
  2423.  
  2424.  
  2425.  
  2426. <p>An increasingly common feature of these campaigns is the use of deep fake videos, created by hijacking official videos from events and using AI to manipulate audio synchronization. These videos seamlessly blend altered audio with existing visuals, making it harder for the untrained eye to tell they’re anything but authentic. Moreover, scammers insert QR codes, leading to well-designed web pages, that promise exclusive opportunities, luring victims into further engagement.</p>
  2427.  
  2428.  
  2429. <div class="wp-block-image">
  2430. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="576" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-cryptocore-videos-1024x576.gif" alt="" class="wp-image-8595" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-cryptocore-videos-1024x576.gif 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-cryptocore-videos-300x169.gif 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-cryptocore-videos-768x432.gif 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-cryptocore-videos-1536x864.gif 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-cryptocore-videos-540x304.gif 540w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-cryptocore-videos-344x194.gif 344w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/01-cryptocore-videos-1128x635.gif 1128w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Deep fake videos abusing official videos</em></figcaption></figure></div>
  2431.  
  2432.  
2433. <p>Cryptocurrency scams of this type are increasing in particular. Once an individual moves from the video lure to the fraudulent website, they are presented with different scenarios for obtaining “beneficial” cryptocurrencies. Victims are fooled into believing that participating in these schemes will bring considerable profits. The scammers consistently promise victims the same profit margin, and victims receive the impression that – by sending any amount of cryptocurrency to specific wallets – they will receive double the amount in return. The websites even implement fake online wallet monitoring, imitating legitimate transaction activity. Additionally, these deceptive sites typically include images of well-known personalities and logos associated with authentic cryptocurrency-related companies, adding an air of legitimacy.</p>
  2434.  
  2435.  
  2436. <div class="wp-block-image">
  2437. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="704" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/02-cyprocore-webs-1024x704.gif" alt="" class="wp-image-8596" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/02-cyprocore-webs-1024x704.gif 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/02-cyprocore-webs-300x206.gif 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/02-cyprocore-webs-768x528.gif 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/02-cyprocore-webs-1536x1056.gif 1536w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Fraudulent websites of the scammer group</em></figcaption></figure></div>
  2438.  
  2439.  
  2440. <p>In Q1/2024, we observed several other incidents of abuse against famous individuals like <a href="https://www.microstrategy.com/investor-relations/executive-team/michael-saylor" target="_blank" rel="noreferrer noopener">Michael J. Saylor</a>, <a href="https://en.wikipedia.org/wiki/Vitalik_Buterin" target="_blank" rel="noreferrer noopener">Vitalik Buterin</a>, <a href="https://twitter.com/bgarlinghouse" target="_blank" rel="noreferrer noopener">Brad Garlinghouse</a>, and <a href="https://www.blackrock.com/corporate/about-us/leadership/larry-fink" target="_blank" rel="noreferrer noopener">Larry Fink</a>.</p>
  2441.  
  2442.  
  2443. <div class="wp-block-image">
  2444. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="576" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-blackrock-ceo-1024x576.gif" alt="" class="wp-image-8597" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-blackrock-ceo-1024x576.gif 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-blackrock-ceo-300x169.gif 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-blackrock-ceo-768x432.gif 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-blackrock-ceo-540x304.gif 540w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-blackrock-ceo-344x194.gif 344w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/04-blackrock-ceo-1128x635.gif 1128w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Fake Larry Fink, CEO BlackRock</em></figcaption></figure></div>
  2445.  
  2446.  
2447. <p>However, the most significant cryptocurrency scam incident of the quarter was the abuse of the Starship Integrated Flight Test 3 (IFT-3). The attackers used the official SpaceX All Hands meeting video to deceive viewers and lure them to the fraudulent websites. They also hijacked several YouTube channels with tens of millions of subscribers, which increased the chance of the fake video appearing in viewers&#8217; lists of recommended videos.</p>
  2448.  
  2449.  
  2450. <div class="wp-block-image">
  2451. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="576" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/03-musk-videos-1024x576.gif" alt="" class="wp-image-8598" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/03-musk-videos-1024x576.gif 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/03-musk-videos-300x169.gif 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/03-musk-videos-768x432.gif 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/03-musk-videos-540x304.gif 540w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/03-musk-videos-344x194.gif 344w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/03-musk-videos-1128x635.gif 1128w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Deep fake videos abusing SpaceX events</em></figcaption></figure></div>
  2452.  
  2453.  
2454. <p>Preliminary analysis indicates that the attackers&#8217; wallets associated with these scam campaigns show cash flows in the tens of thousands of dollars.</p>
  2455.  
  2456.  
  2457.  
  2458. <p>The risk ratio of this financial scam was stable in Q1/2024, but we recorded a significant peak on March 14, 2024, related to the IFT-3 event.</p>
  2459.  
  2460.  
  2461. <div class="wp-block-image">
2462. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/05-daily_hits_2024_q1-1024x404.png" alt="" class="wp-image-8599" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/05-daily_hits_2024_q1-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/05-daily_hits_2024_q1-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/05-daily_hits_2024_q1-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/05-daily_hits_2024_q1-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/05-daily_hits_2024_q1-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Risk ratio of the crypto giveaway scam in Q1/2024</em></figcaption></figure></div>
  2463.  
  2464.  
  2465. <p>In terms of country distribution, the leading countries affected by the scammer group are the United States, the United Kingdom, and Germany.</p>
  2466.  
  2467.  
  2468. <div class="wp-block-image">
2469. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="513" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/06-country_hits_2024_q1-1024x513.png" alt="" class="wp-image-8600" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/06-country_hits_2024_q1-1024x513.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/06-country_hits_2024_q1-300x150.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/06-country_hits_2024_q1-768x385.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/06-country_hits_2024_q1.png 1149w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Country distribution of the crypto giveaway scam threat</em></figcaption></figure></div>
  2470.  
  2471.  
  2472. <h3 class="wp-block-heading">Dating Scams Skyrocketing</h3>
  2473.  
  2474.  
  2475.  
  2476. <p><em>Dating scams, also known as romance scams or online dating scams, involve fraudsters deceiving individuals into fake romantic relationships. Scammers adopt fake online identities to gain the victim&#8217;s trust, with the ultimate goal of obtaining money or enough personal information to commit identity theft.</em></p>
  2477.  
  2478.  
  2479.  
2480. <p>The last quarter of 2023 was eventful for dating scams, with several large campaigns visible in our data. In Q1/2024, activity rose significantly from the middle of February onwards.</p>
  2481.  
  2482.  
  2483.  
2484. <p>Notably, activity is concentrated in Central Europe: Hungary, Slovakia, Austria and the Czech Republic are among the most affected countries, together with Denmark.</p>
  2485.  
  2486.  
  2487. <div class="wp-block-image">
  2488. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-1024x404.png" alt="" class="wp-image-8601" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Activity of Dating scam in Q1/2024</em></figcaption></figure></div>
  2489.  
  2490.  
2491. <p>Once again, these threats are heavily driven by advertising campaigns. The source of these campaigns is frequently adult-content sites, whose owners try to maximise their commission by attaching an advertisement to almost every interaction on the page. The user is bombarded with pop-ups or redirects to new windows, which commonly lead to dating scam sites.</p>
  2492.  
  2493.  
  2494. <div class="wp-block-image">
2495. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="528" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-18-151941-1024x528.png" alt="" class="wp-image-8603" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-18-151941-1024x528.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-18-151941-300x155.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-18-151941-768x396.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-18-151941-1536x792.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-18-151941.png 1566w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Example of a prevalent dating scam from Poland</em></figcaption></figure></div>
  2496.  
  2497.  
2498. <p>As the map shows, Hungary has the highest risk ratio at 5.06%, followed closely by Slovakia (4.72%) and Luxembourg (4.57%).</p>
  2499.  
  2500.  
  2501.  
2502. <p>Germany and Austria also show significant exposure to dating scams, with risk ratios of 4.27% and 4.10%; Czechia, at 3.94%, rounds out the list.</p>
  2503.  
  2504.  
  2505. <div class="wp-block-image">
  2506. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-1024x639.png" alt="" class="wp-image-8604" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_datingscam_malware_datingscam_31_2024-01-01—2024-03-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for Dating scam in Q1/2024</em></figcaption></figure></div>
  2507.  
  2508.  
2509. <h3 class="wp-block-heading">Tech Support Scams (TSS): Steady Increase of Attacks</h3>
  2510.  
  2511.  
  2512.  
  2513. <p><em>Tech support scam threats involve fraudsters posing as legitimate technical support representatives who attempt to gain remote access to victims&#8217; devices or obtain sensitive personal information, such as credit card or banking details. These scams rely on confidence tricks to gain victims&#8217; trust and often involve convincing them to pay for unnecessary services or purchase expensive gift cards. It&#8217;s important for internet users to be vigilant and to verify the credentials of anyone claiming to offer technical support services.</em></p>
  2514.  
  2515.  
  2516.  
2517. <p>Throughout 2023, we observed a continual drop in activity related to tech support scams. In the first quarter of 2024, this trend not only ended but reversed: we observed an increase in tech support scam activity over the course of the quarter.</p>
  2518.  
  2519.  
  2520. <div class="wp-block-image">
  2521. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-1024x404.png" alt="" class="wp-image-8606" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"> <em>Daily risk ratio of Technical Support Scam in Q4/2023 and Q1/2024</em> </figcaption></figure></div>
  2522.  
  2523.  
2524. <p>As the chart above shows, activity has climbed back to the level seen at the beginning of Q4/2023.</p>
  2525.  
  2526.  
  2527.  
2528. <p>Looking at the data for the full quarter, a clear upward trend is visible.</p>
  2529.  
  2530.  
  2531. <div class="wp-block-image">
  2532. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31_2-1024x404.png" alt="" class="wp-image-8605" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31_2-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31_2-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31_2-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31_2-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31_2-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em> Detail of Technical Support Scam risk ratio in Q1/2024</em></figcaption></figure></div>
  2533.  
  2534.  
  2535. <p>Switzerland experienced the most dramatic surge, with a 177% increase in TSS activity—the highest observed this quarter. Austria also saw a significant rise, with a 101% increase. Germany&#8217;s increase, though lower, was still notable at 65%. Additionally, Japan, traditionally a hotspot for TSS, reported a significant increase of 153%.</p>
  2536.  
  2537.  
  2538.  
2539. <p>These escalating figures, especially in Europe&#8217;s wealthier nations, show that this threat is increasingly concentrated on those regions.</p>
  2540.  
  2541.  
  2542. <div class="wp-block-image">
  2543. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-1024x639.png" alt="" class="wp-image-8607" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_tss_q124_clean_final_2024-01-01—2024-03-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for Technical Support Scam in Q1/2024</em></figcaption></figure></div>
  2544.  
  2545.  
  2546. <h3 class="wp-block-heading">Refund and Invoice Scams: iCloud Data Deletion Scam</h3>
  2547.  
  2548.  
  2549.  
  2550. <p><em>Invoice scams involve fraudsters sending false bills or invoices for goods or services that were never ordered or received. Scammers rely on invoices looking legitimate, often using company logos or other branding to trick unsuspecting victims into making payments. These scams can be especially effective when targeted at businesses, as employees may assume that a colleague made the purchase or simply overlook the details of the invoice. It&#8217;s important to carefully review all invoices and bills before making any payments and to verify the legitimacy of the sender if there are any suspicions of fraud.</em></p>
  2551.  
  2552.  
  2553.  
2554. <p>One refund and invoice scam that caught our attention in Q1/2024 targeted what we consider a top-tier account, iCloud, which in turn serves as a gateway to other, less valuable accounts. The email carried a TinyURL link to a fake payment gateway that harvests user information, including sensitive details. iCloud is undoubtedly one of the most important accounts to protect with multi-factor authentication in order to keep malicious actors from stealing sensitive information: according to <a href="https://9to5google.com/2022/02/08/google-account-2sv/" target="_blank" rel="noreferrer noopener">9to5Google</a>, enabling two-step verification for Google users led to a 50% decrease in compromised accounts.</p>
  2555.  
  2556.  
  2557.  
2558. <p>The campaign itself begins with a malicious email that may evoke early 90s nostalgia because of the attackers&#8217; choice of Comic Sans. The aim of the email is to intimidate visually, highlighting the supposed problem: your beloved photos will be deleted unless you proceed to the fake payment gateway. As always, a loading bar creates a sense of urgency, a missed-payment notice compounds the pressure, and a big red button labelled &#8220;FULL&#8221; completes the picture, signalling that immediate action is required.</p>
  2559.  
  2560.  
  2561.  
2562. <p>The email seemingly contains additional product and technical information to make it look authentic, but all of it is fabricated: product IDs, expiration dates, and buttons to buy more storage. The only genuine element is the unauthorised use of the real iCloud logo. The subject line is also telling: more and more cybercriminals try to catch your attention with emoji in the subject, as in the sample below.</p>
  2563.  
  2564.  
  2565. <div class="wp-block-image">
  2566. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="692" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/q_report_refund-692x1024.jpeg" alt="" class="wp-image-8608" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/q_report_refund-692x1024.jpeg 692w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/q_report_refund-203x300.jpeg 203w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/q_report_refund-768x1136.jpeg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/q_report_refund.jpeg 836w" sizes="(max-width: 692px) 100vw, 692px" /><figcaption class="wp-element-caption"><em>Example of iCloud-themed email scam used in Q1/2024</em></figcaption></figure></div>
  2567.  
  2568.  
  2569. <p>In terms of global prevalence, we can see that the English-speaking world is the most affected, along with the European Union. The countries that experienced the biggest spike in the last quarter are Belgium, up by 29%, the United Kingdom, up by 13%, and Luxembourg, up by 10%. On the other side of the spectrum, we have Australia, which experienced the largest drop, down by 29%, the United States, down by 15%, and Canada, down by 5%.</p>
  2570.  
  2571.  
  2572. <div class="wp-block-image">
  2573. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_2024-01-01—2024-03-31-1024x639.png" alt="" class="wp-image-8609" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_2024-01-01—2024-03-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_2024-01-01—2024-03-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_2024-01-01—2024-03-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_2024-01-01—2024-03-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_2024-01-01—2024-03-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for Refund and Invoice scam in Q1/2024</em></figcaption></figure></div>
  2574.  
  2575.  
2576. <p>The graph of risk ratio over time shows less volatility than in the previous period. In Q1/2024 the risk did not change significantly and rose slightly towards the end of the quarter. The threat remains widespread around the globe, and we anticipate seeing even more of these attacks in the future.</p>
  2577.  
  2578.  
  2579. <div class="wp-block-image">
  2580. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_2024-01-01—2024-03-31-1024x404.png" alt="" class="wp-image-8610" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_2024-01-01—2024-03-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_2024-01-01—2024-03-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_2024-01-01—2024-03-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_2024-01-01—2024-03-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_2024-01-01—2024-03-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Daily risk ratio of Refund and Invoice scam in Q4/2023 and Q1/2024</em></figcaption></figure></div>
  2581.  
  2582.  
2583. <h3 class="wp-block-heading">Phishing: Reaching New Heights</h3>
  2584.  
  2585.  
  2586.  
  2587. <p><em>Phishing is a type of online scam where fraudsters attempt to obtain sensitive information including passwords or credit card details by posing as a trustworthy entity in an electronic communication, such as an email, text message, or instant message. The fraudulent message usually contains a link to a fake website that looks like the real one, where the victim is asked to enter their sensitive information.</em></p>
  2588.  
  2589.  
  2590.  
2591. <p>And now we come to the final, and most classic, category of web threats: phishing. Like nearly all web threats, this category saw increased activity in Q1/2024, continuing the upward trend we have witnessed over the last four quarters.</p>
  2592.  
  2593.  
  2594. <div class="wp-block-image">
  2595. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-1024x404.png" alt="" class="wp-image-8611" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Risk ratio of Phishing during the last 12 months</em></figcaption></figure></div>
  2596.  
  2597.  
2598. <p>We have also observed that attackers continue to make heavy use of the InterPlanetary File System (IPFS) to host and spread their phishing content.</p>
  2599.  
  2600.  
  2601. <div class="wp-block-image">
  2602. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="508" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-125116-1024x508.png" alt="" class="wp-image-8612" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-125116-1024x508.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-125116-300x149.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-125116-768x381.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-125116.png 1438w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Example of prevalent phishing hosted on IPFS infrastructure</em></figcaption></figure></div>
  2603.  
  2604.  
2605. <p>Our statistics show that the brand most frequently targeted in IPFS-hosted phishing is Microsoft, which currently accounts for up to 20% of blocked attacks. These threats were most visible at the end of Q1/2024.</p>
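<p>As an added example (not code from the Avast report or its authors), the following Python script shows how a detection pipeline can handle IPFS-hosted phishing: it recognises the two gateway URL layouts, validates the content identifier (CID), and clusters URLs by CID rather than by gateway hostname, because the same phishing kit is reachable through any public gateway. The gateway names and CIDs in the sample list are illustrative, not indicators from the report.</p>

```python
"""Spot phishing URLs served from IPFS through public HTTP gateways.

Added example, not from the Avast report. The durable indicator for an
IPFS-hosted phishing kit is its content identifier (CID): the same CID can be
fetched through any gateway, so blocking one gateway hostname achieves little.
The gateway names and CIDs used in SAMPLE_URLS are illustrative.
"""
import re
from urllib.parse import urlsplit

# CIDv0: "Qm" followed by 44 base58 characters (alphabet has no 0, O, I, l).
_CIDV0 = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")
# CIDv1 as it appears in gateway URLs: lower-case base32 with the "b" multibase prefix.
_CIDV1 = re.compile(r"^b[a-z2-7]{58,}$")


def is_cid(token):
    """True if token looks like a CIDv0 or a base32 CIDv1."""
    return bool(_CIDV0.match(token) or _CIDV1.match(token))


def extract_ipfs_cid(url):
    """Return (cid, style) when url addresses IPFS content via a gateway, else None.

    Handles the two gateway URL layouts:
      path style       https://<gateway>/ipfs/<cid>/login.html
      subdomain style  https://<cid>.ipfs.<gateway>/login.html
    Subdomain style only carries CIDv1, because DNS labels are case-insensitive
    and urlsplit() lower-cases the host.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) >= 2 and segments[0] == "ipfs" and is_cid(segments[1]):
        return segments[1], "path"
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and is_cid(labels[0]):
        return labels[0], "subdomain"
    return None


def cluster_by_cid(urls):
    """Group gateway URLs by CID: one kit mirrored via N gateways becomes one cluster.

    Returns {cid: sorted list of bare gateway hostnames}.
    """
    clusters = {}
    for url in urls:
        hit = extract_ipfs_cid(url)
        if hit is None:
            continue
        cid, style = hit
        host = urlsplit(url).hostname
        # Subdomain style: drop the leading "<cid>.ipfs." to get the gateway name.
        gateway = host.split(".", 2)[2] if style == "subdomain" else host
        clusters.setdefault(cid, set()).add(gateway)
    return {cid: sorted(gws) for cid, gws in clusters.items()}


# Constructed sample: one CIDv0 kit on a path-style gateway, one CIDv1 kit reached
# through two gateways in both styles, and two benign URLs that must not match.
SAMPLE_URLS = [
    "https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/index.html",
    "https://cloudflare-ipfs.com/ipfs/bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi/login.html",
    "https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/login.html",
    "https://login.microsoftonline.com/",
    "https://example.com/ipfs/not-a-cid",
]

if __name__ == "__main__":
    for cid, gateways in cluster_by_cid(SAMPLE_URLS).items():
        print(cid, "seen via", ", ".join(gateways))
```

<p>Blocking or hunting by CID survives the attacker switching to another gateway; a block on a single gateway hostname does not, and blocking gateways wholesale also cuts off legitimate IPFS content.</p>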
  2606.  
  2607.  
  2608. <div class="wp-block-image">
  2609. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_ipfs_2024-01-01—2024-03-31-1024x404.png" alt="" class="wp-image-8613" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_ipfs_2024-01-01—2024-03-31-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_ipfs_2024-01-01—2024-03-31-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_ipfs_2024-01-01—2024-03-31-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_ipfs_2024-01-01—2024-03-31-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/daily_hits_normalized_2024_q1_ipfs_2024-01-01—2024-03-31-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Activity of IPFS based domains for Q1/2024</em></figcaption></figure></div>
  2610.  
  2611. <div class="wp-block-image">
  2612. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-1024x639.png" alt="" class="wp-image-8614" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/map_2024_q1_malware_-_phishing_malware_phishing_31_2024-01-01—2024-03-31-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for phishing in Q1/2024</em></figcaption></figure></div>
  2613.  
  2614.  
2615. <p>One of the most interesting phishing campaigns of the quarter was a wave of Russian-language phishing PDFs targeting bank customers.</p>
  2616.  
  2617.  
  2618.  
2619. <p>Judging by the content of the PDFs, this campaign was built to target customers of Tinkoff Bank, and our data shows that most hits were registered in Latvia.</p>
  2620.  
  2621.  
  2622. <div class="wp-block-image">
  2623. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="644" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/image49-1024x644.png" alt="" class="wp-image-8635" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/image49-1024x644.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/image49-300x189.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/image49-768x483.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/image49.png 1203w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Phishing email template</em></figcaption></figure></div>
  2624.  
  2625. <div class="wp-block-image">
2626. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="454" height="631" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/image50-e1715601681278.png" alt="" class="wp-image-8636" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/image50-e1715601681278.png 454w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/image50-e1715601681278-216x300.png 216w" sizes="(max-width: 454px) 100vw, 454px" /><figcaption class="wp-element-caption"><em>One of the designs of the phishing PDF</em></figcaption></figure></div>
  2627.  
  2628.  
2629. <p>This campaign produced hundreds of PDF samples with different file names, while their appearance stayed mostly the same. All URLs extracted from them pointed to the same domain.</p>
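<p>The triage step described above, extracting the link targets from a pile of lures and collapsing them to their destinations, can be scripted without a PDF library. The Python below is an added example, not code from the Avast report: it pulls <code>/URI</code> actions out of raw PDF bytes (literal and hex strings, plus those hidden in FlateDecode-compressed streams), decodes the PDF string escapes, and groups samples by destination host. The PDFs in <code>SAMPLES</code> are constructed minimal fragments and the hostnames (<code>front.example</code>, <code>other.example</code>) are placeholders, not indicators from the campaign.</p>

```python
"""Extract and cluster /URI link targets from a batch of phishing PDFs.

Added example, not from the Avast report. It pulls URI actions out of raw PDF
bytes, including ones inside FlateDecode-compressed streams, decodes PDF string
escapes, and groups samples by destination host, so that hundreds of
differently-named lures collapse to their few real destinations. The PDFs in
SAMPLES are constructed minimal fragments and the hostnames are placeholders.
"""
import re
import zlib
from urllib.parse import urlsplit

# "/URI" followed by either a literal string (...) or a hex string <...>.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]+)>)", re.DOTALL)
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _decode_literal(raw):
    """Undo PDF literal-string escapes: \\( \\) \\\\ \\n \\r \\t and \\ddd octal."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):          # backslash
            nxt = raw[i + 1]
            if 0x30 <= nxt <= 0x37:                 # up to three octal digits
                j = i + 1
                while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return bytes(out)


def _scan(data):
    """Return the decoded /URI targets found in one byte buffer, in order."""
    urls = []
    for literal, hexstr in _URI_RE.findall(data):
        if literal:
            urls.append(_decode_literal(literal).decode("latin-1"))
        elif hexstr:
            digits = re.sub(rb"\s", b"", hexstr)
            if len(digits) % 2:                     # PDF pads an odd final digit with 0
                digits += b"0"
            urls.append(bytes.fromhex(digits.decode()).decode("latin-1"))
    return urls


def extract_pdf_urls(pdf_bytes):
    """Return unique URI targets from the plain file and from any inflatable stream."""
    found = []

    def add(urls):
        for u in urls:
            if u not in found:
                found.append(u)

    add(_scan(pdf_bytes))
    for body in _STREAM_RE.findall(pdf_bytes):
        try:
            add(_scan(zlib.decompress(body)))
        except zlib.error:
            continue                                # not Flate data (images, plain text)
    return found


def cluster_by_host(samples):
    """samples: {file name: pdf bytes}. Returns {destination host: sorted file names}."""
    by_host = {}
    for name, data in samples.items():
        for url in extract_pdf_urls(data):
            host = urlsplit(url).hostname or "(no host)"
            by_host.setdefault(host, set()).add(name)
    return {h: sorted(n) for h, n in by_host.items()}


def _wrap(obj):
    """Constructed: minimal PDF scaffolding around one object (not a complete file)."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" + obj
            + b"\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")


def _flate_stream(payload):
    """Constructed: a FlateDecode stream object holding payload, as in object streams."""
    body = zlib.compress(payload)
    return (b"5 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj")


SAMPLES = {
    # literal string with escaped parentheses in the path
    "lure_001.pdf": _wrap(b"3 0 obj\n<< /Type /Annot /Subtype /Link "
                          b"/A << /S /URI /URI (http://front.example/get\\(1\\).php) >> >>\nendobj"),
    # hex-string form pointing at the same host
    "lure_002.pdf": _wrap(b"3 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI <"
                          + b"http://front.example/login".hex().encode() + b"> >> >>\nendobj"),
    # link dictionary hidden inside a compressed stream
    "lure_003.pdf": _wrap(_flate_stream(b"<< /S /URI /URI (http://front.example/verify) >>")),
    # a sample belonging to a different cluster
    "lure_004.pdf": _wrap(b"3 0 obj\n<< /A << /S /URI /URI (http://other.example/) >> >>\nendobj"),
}

if __name__ == "__main__":
    for host, names in cluster_by_host(SAMPLES).items():
        print(host, "<-", ", ".join(names))
```

<p>Hashing the samples would give hundreds of distinct indicators; clustering on the destination host gives one or two, which is what you actually want to block and pivot on. Real files may also carry links in JavaScript actions or in streams encoded with filters other than Flate, which this scan does not cover.</p>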
  2630.  
  2631.  
  2632. <div class="wp-block-image">
  2633. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="531" height="203" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/extracted-URLs-from-PDFs.png" alt="" class="wp-image-8615" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/extracted-URLs-from-PDFs.png 531w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/extracted-URLs-from-PDFs-300x115.png 300w" sizes="(max-width: 531px) 100vw, 531px" /><figcaption class="wp-element-caption"><em>Extracted malicious URLs</em></figcaption></figure></div>
  2634.  
  2635.  
2636. <p>The main domain the URLs ultimately redirect to is xsph[.]ru, which also acts as a hub for many other types of malware.</p>
  2637.  
  2638.  
  2639. <div class="wp-block-image">
  2640. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="338" height="325" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/image52.png" alt="" class="wp-image-8637" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/image52.png 338w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/image52-300x288.png 300w" sizes="(max-width: 338px) 100vw, 338px" /><figcaption class="wp-element-caption"><em>Captcha for verification</em></figcaption></figure></div>
  2641.  
  2642.  
2643. <p>The first hop in the chain is a genuine website, the-packaging-experts[.]co.uk, which we have also seen contacted as a command-and-control server by malicious programs. It redirects visitors to “http://a0942143[.]xsph[.]ru/tin/cabinet/capcha/”, where a CAPTCHA checks that the visitor is a human before the phishing page, and potentially further instructions or additional payloads, is served. Threat actors frequently employ this strategy, using a legitimate website as a front for criminal activity, to avoid detection by security solutions; the CAPTCHA gate serves the same purpose against automated scanners.</p>
  2644.  
  2645.  
  2646. <div class="wp-block-image">
  2647. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="729" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-153601-1024x729.png" alt="" class="wp-image-8616" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-153601-1024x729.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-153601-300x214.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-153601-768x547.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/Snimek-obrazovky-2024-04-19-153601.png 1152w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Illustration of the malware relationship linked to xsph[.]ru</em></figcaption></figure></div>
  2648.  
  2649.  
  2650. <p class="has-text-align-right"><em>Alexej Savčin, Malware Analyst<br>Martin Chlumecký, Malware Analyst<br>Matěj Krčma, Malware Analyst<br>Prabhakaran Ravichandhiran, Malware Analyst</em></p>
  2651.  
  2652.  
  2653.  
  2654. <h2 class="wp-block-heading">Mobile-Related Threats</h2>
  2655.  
  2656.  
  2657.  
  2658. <p>The first quarter of 2024 brings with it several interesting developments within the mobile threat landscape. Adware has once again snuck into the PlayStore, this time in the form of a Minecraft clone game app. Meanwhile, MoqHao, a revived strain of banker, obtained the ability to auto-start on victims&#8217; devices once installed, displaying phishing messages on the target device. We also saw GoldPickaxe target both Android and iOS users in Vietnam and Thailand, attempting to steal facial recognition biometrics that are then used in fraudulent payments.</p>
  2659.  
  2660.  
  2661.  
2662. <p>State sponsored spyware was also brought back into focus, with governments investigating the scope of its use on citizens, while Apple highlighted the threat notifications it sends to victims of this sophisticated spyware.</p>
  2663.  
  2664.  
  2665.  
  2666. <p>Fake romance lures were also found, this time by VajraSpy, to entice victims into installing a spyware in India and Pakistan with the intent of extracting data and spying on their devices.</p>
  2667.  
  2668.  
  2669.  
  2670. <p>Finally, SpyLoans continue to spread on and off the PlayStore, enticing users with promises of quick cash but instead targeting them and their contacts with harassment and blackmail.</p>
  2671.  
  2672.  
  2673.  
  2674. <h3 class="wp-block-heading">Web Threat Data within the Mobile Landscape</h3>
  2675.  
  2676.  
  2677.  
2678. <p>Over the last few quarters, we’ve started to include web threat data in our mobile threat telemetry. Scams are again at the top of the threat list in the mobile sphere, with a 61% increase in risk ratio compared to last quarter. This is followed by phishing and malvertising, both seeing a 19% increase in risk ratio. The increased prevalence of web threats has significantly reduced the risk ratio of traditional on-device malware such as adware, droppers and others.</p>
  2679.  
  2680.  
  2681. <div class="wp-block-image">
  2682. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="336" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_mobile-1024x336.png" alt="" class="wp-image-8617" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_mobile-1024x336.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_mobile-300x98.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_mobile-768x252.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_mobile-1536x504.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/24Q1-Avast-Threat-Labs-infographic_mobile.png 1584w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Graphs showing the most prevalent threats in the mobile sphere in Q1/2024</em></figcaption></figure></div>
  2683.  
  2684.  
  2685. <p>Most blocked attacks on mobile devices in Q1/2024 were web-based, mirroring the previous quarter. Users are much more likely to encounter phishing websites, scams, malvertising and other web threats than ever before. These threats can come in a variety of formats such as private messages, SMS, and emails but also redirects on less reputable sites, unwanted pop ups and through other avenues.</p>
  2686.  
  2687.  
  2688.  
  2689. <p>In contrast to these types of mobile scams, traditional on-device malware requires a more complex infection vector where the user must also install the malware. For proper functionality of most mobile malware, permissions need to be granted by the user first, which again lowers the chances of malicious activity being triggered.</p>
  2690.  
  2691.  
  2692.  
  2693. <p>Hence, blocking web-threat based attacks is beneficial for the security of mobile devices, as malware actors often use them as an entry point to get the payload onto the mobile device of their victims.</p>
  2694.  
  2695.  
  2696.  
  2697. <h3 class="wp-block-heading">Adware Sneaks into the PlayStore Again</h3>
  2698.  
  2699.  
  2700.  
  2701. <p><em>Adware threats on mobile phones refer to applications that display intrusive out-of-context adverts to users with the intent of gathering fraudulent advertising revenue. This malicious functionality is often delayed until sometime after installation and coupled with stealthy features such as hiding the adware app icon to prevent removal. Adware mimics popular apps such as games, camera filters, and wallpaper apps, to name a few.</em></p>
  2702.  
  2703.  
  2704.  
  2705. <p>Adware stays on top this quarter as the most prevalent on-device malware threat facing mobile users. Continuing to bring in fraudulent advertising revenue at the expense of the user experience of its victims, it again makes its way into the PlayStore to increase its global spread. We also observe third party stores distributing older adware families that are no longer present on the PlayStore.</p>
  2706.  
  2707.  
  2708.  
2709. <p>HiddenAds are the most common type of adware this quarter, often hiding their icons once installed on victims’ devices or performing hidden actions in the background with the intent of gathering fraudulent ad views, unbeknownst to the victim. FakeAdBlockers and Mobidash are close behind, often masquerading as repackaged games that bring with them full-screen, out-of-context ads or spam notifications that bother their victims. These continue to spread through third-party app stores and malvertising on less reputable sites that redirect users to download these types of adware.</p>
  2710.  
  2711.  
  2712. <div class="wp-block-image">
  2713. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="618" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1.-Minecraft-adware-clones-on-PS-1024x618.png" alt="" class="wp-image-8618" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1.-Minecraft-adware-clones-on-PS-1024x618.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1.-Minecraft-adware-clones-on-PS-300x181.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1.-Minecraft-adware-clones-on-PS-768x463.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1.-Minecraft-adware-clones-on-PS.png 1341w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Minecraft clone game apps that display hidden advertisements, raking in fraudulent ad revenue</em></figcaption></figure></div>
  2714.  
  2715.  
2716. <p>Of note this quarter is the resurgence of a previously discovered adware discussed in the <a href="https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report" target="_blank" rel="noreferrer noopener">Q2/2023 report</a>, again appearing in the PlayStore with altered versions of the original adware. These Minecraft clone apps draw in millions of downloads due to the popularity of the original game, then proceed to exploit advertising SDKs to display adverts in the background, raking in ad revenue. This fraudulent activity impacts the advertising ecosystem on mobile devices and contributes to data and battery drainage on the victim’s device.</p>
  2717.  
  2718.  
  2719.  
  2720. <p>We see a significant decrease in risk ratio this quarter in mobile adware. SocialBar has mostly subsided in comparison to last quarter, accounting for the lower numbers. Alongside this, HiddenAds, FakeAdBlockers, and Mobidash have all experienced a drop in risk ratio this quarter.</p>
  2721.  
  2722.  
  2723. <div class="wp-block-image">
  2724. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-Adware-Q-comparison-1024x404.png" alt="" class="wp-image-8619" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-Adware-Q-comparison-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-Adware-Q-comparison-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-Adware-Q-comparison-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-Adware-Q-comparison-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-Adware-Q-comparison-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio of mobile adware in Q4/2023 and Q1/2024</em></figcaption></figure></div>
  2725.  
  2726.  
  2727. <p>Brazil, India and Argentina have the most protected users this quarter, as was the case last quarter. Egypt, Philippines and Oman have the highest risk ratios, meaning users are most likely to encounter adware in these countries, according to our telemetry.</p>
  2728.  
  2729.  
  2730. <div class="wp-block-image">
  2731. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Adware-Q1-23-risk-map-1024x639.png" alt="" class="wp-image-8620" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Adware-Q1-23-risk-map-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Adware-Q1-23-risk-map-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Adware-Q1-23-risk-map-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Adware-Q1-23-risk-map-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Adware-Q1-23-risk-map-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for mobile adware in Q1/2024</em></figcaption></figure></div>
  2732.  
  2733.  
  2734. <h3 class="wp-block-heading">New Auto-Starting Bankers Threaten Mobile Users</h3>
  2735.  
  2736.  
  2737.  
  2738. <p><em>Bankers are a sophisticated type of mobile malware that targets banking details, cryptocurrency wallets, and instant payments with the intent of extracting money. Generally distributed through phishing messages or fake websites, Bankers can take over a victim&#8217;s device by abusing the accessibility service. Once installed and enabled, they often monitor 2FA SMS messages and may display fake bank overlays to steal login information.</em></p>
  2739.  
  2740.  
  2741.  
2742. <p>Mobile bankers expanded their feature set in Q1/2024 with an unexpected evolution: the ability to auto-start after installation without the need for user input, as exemplified by the MoqHao banker. Elsewhere, bankers are digging for gold with the new GoldPickaxe strain that targets both Android and iOS users, attempting to steal facial recognition data for further fraudulent use while emptying bank accounts. Finally, the GreenBean banker was used to redirect crypto payments by changing wallet addresses in victims’ messages. In our telemetry, we see Cerberus/Alien and BankBot with the most protected users, while the RewardSteal banker makes a big splash coming in third, mainly targeting India.</p>
  2743.  
  2744.  
  2745. <div class="wp-block-image">
  2746. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="442" height="416" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1.-MoqHao-Chrome-default-SMS.jpg" alt="" class="wp-image-8621" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1.-MoqHao-Chrome-default-SMS.jpg 442w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1.-MoqHao-Chrome-default-SMS-300x282.jpg 300w" sizes="(max-width: 442px) 100vw, 442px" /><figcaption class="wp-element-caption"><em>Disguised as the Chrome browser and using Unicode characters to evade detection, MoqHao requests access to SMS messages</em></figcaption></figure></div>
  2747.  
  2748.  
2749. <p>We see another comeback with upgrades, as the <a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-evolution-new-variants-start-automatically-right-after-installation/" target="_blank" rel="noreferrer noopener">MoqHao banker</a> introduces the ability to auto-execute after installation by using Android’s built-in Contact Provider service. By declaring this as the first activity in the app manifest with special metadata, it is executed as soon as the app is installed, enabling it to trigger malicious services before the user runs the app for the first time. Once installed and running, MoqHao starts to display phishing messages attempting to trick the user into providing their banking details. It also harvests contact details and SMS messages and sends these to a C&amp;C server. Interestingly, while the banker has preset country-specific phishing messages, it can also dynamically load messages from Pinterest profile descriptions specifically set up for this purpose, a very odd way of delivering tailored messages to its victims. The banker has been distributed through phishing SMS messages, often pretending to be a delivery service and mostly targeting users in Japan, South Korea, Germany, France, and India.</p>
  2750.  
  2751.  
  2752. <div class="wp-block-image">
  2753. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="266" height="498" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-GoldPickaxe-TestFlight-iOS.jpg" alt="" class="wp-image-8622" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-GoldPickaxe-TestFlight-iOS.jpg 266w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-GoldPickaxe-TestFlight-iOS-160x300.jpg 160w" sizes="(max-width: 266px) 100vw, 266px" /><figcaption class="wp-element-caption"><em>GoldPickaxe using the guise of Thai Digital Pensions within TestFlight to trick users into installing the banker on iOS</em></figcaption></figure></div>
  2754.  
  2755.  
2756. <p><a href="https://www.group-ib.com/blog/goldfactory-ios-trojan/" target="_blank" rel="noreferrer noopener">GoldPickaxe</a>, a banker targeting both Android and iOS, has emerged and is targeting victims in Thailand and Vietnam. Likely from the same threat actors behind GoldDigger, a <a href="https://decoded.avast.io/threatresearch/avast-q3-2023-threat-report/" target="_blank" rel="noreferrer noopener">previously discussed</a> banker, this new strain focuses on extracting personal information and can even harvest facial recognition data for fraudulent access to victims’ bank accounts. This is likely in response to both the <a href="https://www.bot.or.th/en/news-and-media/news/news-20230309.html" target="_blank" rel="noreferrer noopener">Bank of Thailand</a> and the <a href="https://tuoitrenews.vn/news/business/20231015/vietnam-central-bank-plans-to-require-face-authentication-for-money-transfer-in-2024/76166.html" target="_blank" rel="noreferrer noopener">State Bank of Vietnam</a> issuing statements advising or mandating the use of facial biometric verification for payments in the coming months.</p>
  2757.  
  2758.  
  2759.  
  2760. <p>On iOS, the threat actors initially used TestFlight, a beta testing tool within the iOS ecosystem, to distribute the iOS malware. Once Apple took down the offending banker apps, they switched to using Mobile Device Management (MDM) profiles, sending download links to victims. If the victim downloaded and installed the MDM profile, the banker would gain complete control over the device. After the complex infection process is complete, GoldPickaxe can extract photos, SMS messages and even request to capture the victim’s ID card and face. These are then used to initiate fraudulent bank payments, with <a href="https://plo.vn/mat-3-ty-vi-quet-camara-nhan-dien-khuon-mat-tren-phan-mem-dich-vu-cong-gia-mao-post775178.html" target="_blank" rel="noreferrer noopener">reports of victims</a> losing significant sums of money after being asked to do facial recognition scans by GoldPickaxe.</p>
  2761.  
  2762.  
  2763. <div class="wp-block-image">
  2764. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="522" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Fake-Crypto-site-distributing-banker-1024x522.png" alt="" class="wp-image-8623" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Fake-Crypto-site-distributing-banker-1024x522.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Fake-Crypto-site-distributing-banker-300x153.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Fake-Crypto-site-distributing-banker-768x391.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Fake-Crypto-site-distributing-banker-1536x782.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-Fake-Crypto-site-distributing-banker.png 1716w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Fake crypto website used to distribute the GreenBean banker malware</em></figcaption></figure></div>
  2765.  
  2766.  
2767. <p>A new banker called <a href="https://cyble.com/blog/greenbean-latest-android-banking-trojan-leveraging-simple-realtime-server-srs-for-cc-communication/" target="_blank" rel="noreferrer noopener">GreenBean</a> has been spotted spreading through a fake cryptocurrency website. Targeting users in China and Vietnam, the banker focuses on cryptocurrency wallets and payment platforms as well as traditional banking platforms. It uses the Accessibility service to gather sensitive information, login details, photos and saved wallet passwords, then sends these to its C&amp;C. GreenBean is also able to dynamically detect crypto wallet addresses within messaging applications such as WeChat and replace them with its own, redirecting payments to the attacker’s wallet and stealing money from victims. Additionally, the banker can stream video from the infected device, keeping an eye on its victims and potentially gaining access to sensitive information.</p>
  2768.  
  2769.  
  2770. <div class="wp-block-image">
  2771. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4.-Q-comparison-Bankers-1024x404.png" alt="" class="wp-image-8624" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4.-Q-comparison-Bankers-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4.-Q-comparison-Bankers-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4.-Q-comparison-Bankers-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4.-Q-comparison-Bankers-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4.-Q-comparison-Bankers-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio of mobile bankers in Q4/2023-Q1/2024</em></figcaption></figure></div>
  2772.  
  2773.  
  2774. <p>Breaking the trend of decline from previous quarters, bankers mostly maintain their prevalence this quarter. It is likely that the introduction of various new strains this quarter has contributed to their steadying numbers. We also observed the return of SMS and messaging applications as infection vectors, used by strains such as FluBot in the past.</p>
  2775.  
  2776.  
  2777. <div class="wp-block-image">
  2778. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Bankers-risk-ratio-map-1024x639.png" alt="" class="wp-image-8625" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Bankers-risk-ratio-map-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Bankers-risk-ratio-map-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Bankers-risk-ratio-map-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Bankers-risk-ratio-map-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Bankers-risk-ratio-map-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for mobile bankers in Q1/2024</em></figcaption></figure></div>
  2779.  
  2780.  
2781. <p>Turkey has the highest risk ratio for bankers in Q1/2024. We also witnessed a notable rise in risk ratio in India, where the RewardSteal banker is gaining ground. It appears the focus this quarter has shifted towards Asia, with countries such as South Korea, Japan, Thailand and Vietnam being the targets of several new strains of bankers.</p>
  2782.  
  2783.  
  2784.  
  2785. <h3 class="wp-block-heading">State Sponsored Spyware Continues to Be a Sophisticated Threat&nbsp;</h3>
  2786.  
  2787.  
  2788.  
  2789. <p><em>Spyware is used to spy on unsuspecting victims with the intent of extracting personal information such as messages, photos, location, or login details. It uses fake adverts, phishing messages, and modifications of popular applications to spread and harvest user information. State backed commercial spyware is becoming more prevalent and is used to target individuals with 0-day exploits.</em></p>
  2790.  
  2791.  
  2792.  
  2793. <p>Mirroring last quarter, Spymax is the most prevalent strain of spyware this quarter, followed by RealRAT, SexInfoSteal, and malicious WAMods. We also saw a few new spyware entries this quarter alongside the return of updated existing strains. Of note are official Apple threat notifications sent to affected users with iOS devices, alerting them when they have been targeted by state sponsored sophisticated spyware attacks. We see VajraSpy spreading in the PlayStore, targeting victims in Pakistan with the ability to steal sensitive data. DogeRAT, a repurposed RainbowRAT clone, makes another entrance on Github with updated and paid features. Finally, SpyLoans continue their blackmailing streak on and off the PlayStore, threatening users worldwide.</p>
  2794.  
  2795.  
  2796. <div class="wp-block-image">
  2797. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="618" height="401" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1.-Apple-Threat-notification.jpg" alt="" class="wp-image-8626" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1.-Apple-Threat-notification.jpg 618w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/1.-Apple-Threat-notification-300x195.jpg 300w" sizes="(max-width: 618px) 100vw, 618px" /><figcaption class="wp-element-caption"><em>A sample Threat notification from Apple, alerting the user that they have been targeted by mercenary spyware</em></figcaption></figure></div>
  2798.  
  2799.  
2800. <p>News of state sponsored spyware has been doing the rounds for at least a decade now, with examples such as the infamous NSO Group Pegasus dating back to 2016, discussed in the <a href="https://decoded.avast.io/threatresearch/avast-q321-threat-report/" target="_blank" rel="noreferrer noopener">Q3/2021 report</a>. Since 2021, Apple has been <a href="https://support.apple.com/en-in/102174" target="_blank" rel="noreferrer noopener">issuing threat notifications</a> to potential victims, alerting them if they have been targeted by what Apple believes to be state sponsored or mercenary spyware. These attacks are often highly sophisticated, sometimes using multiple zero-day exploits to break into iOS devices without user interaction, with the intent of spying on their victims and extracting personal information such as SMS messages, contacts and photos. There has been more focus on the use of such spyware by governments, with Poland recently launching a probe into the use of Pegasus by the government, which <a href="https://notesfrompoland.com/2024/04/16/almost-600-people-targeted-with-pegasus-spyware-under-former-polish-government/" target="_blank" rel="noreferrer noopener">allegedly targeted close to 600</a> individuals in Poland. Due to the high cost of such attacks, the attackers target only individuals of interest, NGOs, etc. Users should take extra precautions, such as enabling Lockdown Mode on iOS devices and keeping their device up to date with the latest security updates.</p>
  2801.  
  2802.  
  2803. <div class="wp-block-image">
  2804. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="576" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-VarjaSpy-LoveBae-576x1024.jpg" alt="" class="wp-image-8627" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-VarjaSpy-LoveBae-576x1024.jpg 576w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-VarjaSpy-LoveBae-169x300.jpg 169w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-VarjaSpy-LoveBae-768x1365.jpg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-VarjaSpy-LoveBae-864x1536.jpg 864w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/2.-VarjaSpy-LoveBae.jpg 1080w" sizes="(max-width: 576px) 100vw, 576px" /><figcaption class="wp-element-caption"><em>VajraSpy pretending to be a dating app, sent to the victim through a romance lure</em></figcaption></figure></div>
  2805.  
  2806.  
2807. <p><a href="https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/" target="_blank" rel="noreferrer noopener">VajraSpy</a>, an upgraded spyware seen in previous years, has made it onto the PlayStore, targeting users in India and Pakistan. Masquerading as messaging and dating apps, it was likely delivered to victims under the guise of a romantic encounter, where threat actors encouraged them to download the spyware apps to continue their interaction. It appears there were three distinct versions of the malware. Two were messaging applications with the ability to extract SMS messages, WhatsApp conversations and photos; the more advanced of these could even record audio and video, log keystrokes, and listen in on phone calls. The third version disguised itself as a news app and didn’t request any dangerous permissions; despite this, it was able to steal contacts and various documents and files from external storage.</p>
  2808.  
  2809.  
  2810. <div class="wp-block-image">
  2811. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="843" height="563" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-DogeRAT-features-listed-on-GitHub.jpg" alt="" class="wp-image-8628" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-DogeRAT-features-listed-on-GitHub.jpg 843w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-DogeRAT-features-listed-on-GitHub-300x200.jpg 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-DogeRAT-features-listed-on-GitHub-768x513.jpg 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/3.-DogeRAT-features-listed-on-GitHub-736x491.jpg 736w" sizes="(max-width: 843px) 100vw, 843px" /><figcaption class="wp-element-caption"><em>DogeRAT’s list of paid features on Github with ambitious promises such as “undetectable by antivirus”</em></figcaption></figure></div>
  2812.  
  2813.  
2814. <p>Github is again being used for the distribution of potential malware, in this case DogeRAT. This update appears to be a repurposed version of RainbowRAT, and even features a paid version that promises to be undetectable by antivirus, in addition to having the ability to extract all photos on a device, screenshot the victim’s screen and provide a keylogger to track inputs. While dangerous, open repositories such as this one offer an interesting insight into the operation of various threat actors. Normally, threat groups try to hide their activity to evade detection and remain under the radar for as long as possible to avoid takedowns and antivirus detection.</p>
  2815.  
  2816.  
  2817. <div class="wp-block-image">
  2818. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="866" height="137" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4.-SpyLoan-review.jpg" alt="" class="wp-image-8629" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4.-SpyLoan-review.jpg 866w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4.-SpyLoan-review-300x47.jpg 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/4.-SpyLoan-review-768x121.jpg 768w" sizes="(max-width: 866px) 100vw, 866px" /><figcaption class="wp-element-caption"><em>Review of a SpyLoan application on the PlayStore, citing the abusive use of contacts and data theft which is used to coerce victims</em></figcaption></figure></div>
  2819.  
  2820.  
2821. <p>SpyLoans continue to reign on the PlayStore, targeting victims in need of quick cash with promises of easy payments, low interest rates and hassle-free setup. Numerous apps have been taken down from the PlayStore, as discussed in previous quarters, but new ones keep popping up. The actors behind these apps have also taken to using third-party app stores or even direct messaging to entice victims into downloading their malware. Once installed, the SpyLoans generally harvest contacts, photos and SMS messages under the guise of a credit check. This data is then used to harass and blackmail victims, in some cases even threatening violence. Users are advised to stick to official banks when in need of a loan, to avoid SpyLoan apps.</p>
  2822.  
  2823.  
  2824. <div class="wp-block-image">
  2825. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="404" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Q-comparison-Spyware-1024x404.png" alt="" class="wp-image-8630" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Q-comparison-Spyware-1024x404.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Q-comparison-Spyware-300x118.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Q-comparison-Spyware-768x303.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Q-comparison-Spyware-1536x606.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/5.-Q-comparison-Spyware-2048x808.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio of mobile spyware in Q4/2023 and Q1/2024</em></figcaption></figure></div>
  2826.  
  2827.  
  2828. <p>The risk ratio for mobile spyware has remained steady compared to Q4/2023, with a very slight decrease in prevalence of spyware in our telemetry. The continued spread of SpyLoans may have contributed to this.</p>
  2829.  
  2830.  
  2831. <div class="wp-block-image">
  2832. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="639" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/6.-Risk-ratio-map-spyware-1024x639.png" alt="" class="wp-image-8631" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/6.-Risk-ratio-map-spyware-1024x639.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/6.-Risk-ratio-map-spyware-300x187.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/6.-Risk-ratio-map-spyware-768x479.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/6.-Risk-ratio-map-spyware-1536x958.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/6.-Risk-ratio-map-spyware-2048x1278.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Global risk ratio for mobile spyware in Q1/2024</em></figcaption></figure></div>
  2833.  
  2834.  
  2835. <p>Yemen has the highest risk ratio this quarter, followed by Turkey, Egypt and Pakistan. We saw VajraSpy mainly focus on Pakistan this quarter, where we do see an increase in risk ratio. Brazil and the US have the highest number of protected users.</p>
  2836.  
  2837.  
  2838.  
  2839. <p class="has-text-align-right"><em>Jakub Vávra, Malware Analyst</em></p>
  2840.  
  2841.  
  2842.  
  2843. <div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-1 wp-block-columns-is-layout-flex">
  2844. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  2845. <h6 class="wp-block-heading">Malware researchers</h6>
  2846.  
  2847.  
  2848.  
  2849. <p>Adolf Středa <br>Alexej Savčin <br>David Álvarez<br>David Jursa <br>Igor Morgenstern <br>Jakub Křoustek <br>Jakub Vávra <br>Jan Rubín <br>Jan Vojtěšek <br>Ladislav Zezula <br>Luigino Camastra <br>Luis Corrons <br>Martin Chlumecký <br>Matěj Krčma <br>Michal Salát <br>Ondřej Mokoš <br>Prabhakaran Ravichandhiran<br>Vladimír Žalud</p>
  2850. </div>
  2851.  
  2852.  
  2853.  
  2854. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  2855. <h6 class="wp-block-heading">Data analysts</h6>
  2856.  
  2857.  
  2858.  
  2859. <p>Pavol Plaskoň<br>Filip Husák<br>Lukáš Zobal</p>
  2860. </div>
  2861.  
  2862.  
  2863.  
  2864. <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow">
  2865. <h6 class="wp-block-heading">Communications</h6>
  2866.  
  2867.  
  2868.  
  2869. <p>Brittany Posey<br>Nyrmah Reina Terreforte</p>
  2870. </div>
  2871. </div>
  2872. <p>The post <a href="https://decoded.avast.io/threatresearch/avast-q1-2024-threat-report/">Avast Q1/2024 Threat Report</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  2873. ]]></content:encoded>
  2874. <enclosure url="https://decoded.avast.io/wp-content/uploads/sites/2/2024/05/02-CC-MichaelSaylor-scam.mp4" length="2185591" type="video/mp4" />
  2875.  
  2876. </item>
  2877. <item>
  2878. <title>GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining</title>
  2879. <link>https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining</link>
  2880. <dc:creator><![CDATA[Jan Rubín and Milánek]]></dc:creator>
  2881. <pubDate>Tue, 23 Apr 2024 09:00:00 +0000</pubDate>
  2882. <category><![CDATA[PC]]></category>
  2883. <category><![CDATA[antivirus]]></category>
  2884. <category><![CDATA[backdoor]]></category>
  2885. <category><![CDATA[cryptomining]]></category>
  2886. <category><![CDATA[Kimsuky]]></category>
  2887. <category><![CDATA[malware]]></category>
  2888. <category><![CDATA[mitm]]></category>
  2889. <category><![CDATA[xmrig]]></category>
  2890. <guid isPermaLink="false">https://decoded.avast.io/?p=8115</guid>
  2891.  
  2892. <description><![CDATA[<p>Avast discovered and analyzed GuptiMiner, a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers.</p>
  2893. <p>The post <a href="https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/">GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  2894. ]]></description>
  2895. <content:encoded><![CDATA[
  2896. <h2 class="wp-block-heading">Key Points</h2>
  2897.  
  2898.  
  2899.  
  2900. <ul class="wp-block-list">
  2901. <li>Avast discovered and analyzed a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers</li>
  2902.  
  2903.  
  2904.  
  2905. <li>Avast disclosed the vulnerability to both eScan antivirus and India CERT. On 2023-07-31, eScan confirmed that the issue was fixed and successfully resolved</li>
  2906.  
  2907.  
  2908.  
  2909. <li>The campaign was orchestrated by a threat actor with possible ties to Kimsuky</li>
  2910.  
  2911.  
  2912.  
  2913. <li>Two different types of backdoors have been discovered, targeting large corporate networks</li>
  2914.  
  2915.  
  2916.  
  2917. <li>The final payload distributed by GuptiMiner was also XMRig</li>
  2918. </ul>
  2919.  
  2920.  
  2921.  
  2922. <h2 class="wp-block-heading">Introduction</h2>
  2923.  
  2924.  
  2925.  
  2926. <p>We’ve been tracking a curious one here. GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with several notable techniques: performing DNS requests to the attacker’s own DNS servers, DLL sideloading, extracting payloads from innocent-looking images, and signing its payloads with a custom trusted root anchor certification authority, among others.</p>
  2927.  
  2928.  
  2929.  
  2930. <p>The main objective of GuptiMiner is to distribute backdoors within big corporate networks. We’ve encountered two different variants of these backdoors: The first is an enhanced build of PuTTY Link, providing SMB scanning of the local network and enabling lateral movement to potentially vulnerable Windows 7 and Windows Server 2008 systems on that network. The second backdoor is multi-modular, accepting commands from the attacker to install more modules as well as focusing on scanning for stored private keys and cryptowallets on the local system.</p>
  2931.  
  2932.  
  2933.  
  2934. <p>Interestingly, GuptiMiner also distributes XMRig on the infected devices, which is a bit unexpected for such a thought-through operation.</p>
  2935.  
  2936.  
  2937.  
  2938. <p>The actors behind GuptiMiner have been capitalizing on a weakness in the update mechanism of the Indian antivirus vendor eScan to distribute the malware by performing a man-in-the-middle attack. We disclosed this security vulnerability to both eScan and the India CERT and received confirmation on 2023-07-31 from eScan that the issue was fixed and successfully resolved.</p>
  2939.  
  2940.  
  2941.  
  2942. <p>GuptiMiner is a long-standing malware, with traces of it dating back to 2018, though it is likely that it is even older. We have also found that GuptiMiner has possible ties to Kimsuky, a notorious North Korean APT group, by observing similarities between the Kimsuky keylogger and parts of the GuptiMiner operation.<br>In this analysis, we will cover GuptiMiner’s features and its evolution over time. We will also note which samples contain or introduce each particular feature, to help the reader navigate the vast range of IoCs.</p>
  2943.  
  2944.  
  2945.  
  2946. <p>It is also important to note that since users rarely install more than one AV on their machine, we may have limited visibility into GuptiMiner’s activity and its overall scope. Because of this, we might be looking only at the tip of the iceberg, and the true scope of the entire operation may still be subject to discovery.</p>
  2947.  
  2948.  
  2949.  
  2950. <h2 class="wp-block-heading">Infection Chain</h2>
  2951.  
  2952.  
  2953.  
  2954. <p>To illustrate the complexity of the whole infection, we’ve provided a flow chart containing all parts of the chain. Note that some of the used filenames and/or workflows can slightly vary depending on the specific version of GuptiMiner, but the flowchart below illustrates the overall process.</p>
  2955.  
  2956.  
  2957.  
  2958. <p>The whole process starts with eScan requesting an update from the update server, where an unknown MitM intercepts the download and swaps the update package with a malicious one. Then, eScan unpacks and loads the package, and a DLL is sideloaded by clean eScan binaries. This DLL enables the rest of the chain, followed by multiple shellcodes and intermediary PE loaders.</p>
  2959.  
  2960.  
  2961.  
  2962. <p>The resulting GuptiMiner deployment runs XMRig on the infected machine and also introduces backdoors, which are activated when the malware is deployed in large corporate networks.</p>
  2963.  
  2964.  
  2965. <div class="wp-block-image">
  2966. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58.png"><img loading="lazy" decoding="async" width="579" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-579x1024.png" alt="" class="wp-image-8511" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-579x1024.png 579w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-170x300.png 170w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-768x1358.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-868x1536.png 868w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58-1158x2048.png 1158w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-58.png 2024w" sizes="(max-width: 579px) 100vw, 579px" /></a><figcaption class="wp-element-caption"><em>GuptiMiner’s infection chain</em></figcaption></figure></div>
  2967.  
  2968.  
  2969. <h2 class="wp-block-heading">Evolution and Timelines</h2>
  2970.  
  2971.  
  2972.  
  2973. <p>GuptiMiner has been active since at least 2018. Over the years, the developers behind it have improved the malware significantly, bringing new features to the table. We will describe the specific features in detail in respective subsections.</p>
  2974.  
  2975.  
  2976.  
  2977. <p>With that said, we also wanted to illustrate the significant IoCs in a timeline representation, showing how they changed over time – focusing on mutexes, PDBs, and used domains. These timelines were created by scanning for the IoCs over a large sample dataset, taking the first and last compilation timestamps of the matching samples, and then forming the intervals. Note that the scanned dataset is larger than the IoCs listed in the <a href="#ioc">IoC section</a>. For a more detailed list of IoCs, please visit our <a href="https://github.com/avast/ioc/tree/master/GuptiMiner" target="_blank" rel="noreferrer noopener">GitHub</a>.</p>
  2978.  
  2979.  
  2980.  
  2981. <h3 class="wp-block-heading" id="domains-in-time">Domains in Time</h3>
  2982.  
  2983.  
  2984.  
  2985. <p>In general, GuptiMiner uses the following types of domains during its operations:&nbsp;</p>
  2986.  
  2987.  
  2988.  
  2989. <ul class="wp-block-list">
  2990. <li><code>Malicious DNS</code> – GuptiMiner hosts their own DNS servers for serving true destination domain addresses of C&amp;C servers via DNS TXT responses&nbsp;</li>
  2991.  
  2992.  
  2993.  
  2994. <li><code>Requested domains</code> – Domains that the malware queries the malicious DNS servers for&nbsp;</li>
  2995.  
  2996.  
  2997.  
  2998. <li><code>PNG download</code> – Servers for downloading payloads in the form of PNG files. These PNG files are valid images (a logo of T-Mobile) that contain appended shellcodes at their end&nbsp;</li>
  2999.  
  3000.  
  3001.  
  3002. <li><code>Config mining pool</code> – GuptiMiner contains two different configurations of mining pools. One is hardcoded directly in the XMRig config which is denoted in this group&nbsp;</li>
  3003.  
  3004.  
  3005.  
  3006. <li><code>Modified mining pool</code> – GuptiMiner has the ability to modify the pre-defined mining pools which is denoted in this group&nbsp;</li>
  3007.  
  3008.  
  3009.  
  3010. <li><code>Final C&amp;C</code> – Domains that are used in the last backdoor stage of GuptiMiner, providing additional malware capabilities in the backdoored systems&nbsp;</li>
  3011.  
  3012.  
  3013.  
  3014. <li><code>Other</code> – Domains serving different purposes, e.g., used in scripts&nbsp;</li>
  3015. </ul>
  3016.  
  3017.  
  3018.  
  3019. <p>Note that because the malware connects to the malicious DNS servers directly, this DNS traffic is completely separated from the regular DNS network. Thus, no legitimate DNS server will ever see the traffic from this malware. The DNS protocol is used here as a functional equivalent of telnet. For this reason, the technique is not DNS spoofing, since spoofing traditionally happens on the DNS network.</p>
  3020.  
  3021.  
  3022.  
  3023. <p>Furthermore, the fact that the servers GuptiMiner asks for in the <code>Requested domain</code> category actually exist is purely a coincidence, or rather a network obfuscation to confuse network monitoring tools and analysts.</p>
  3024.  
  3025.  
  3026. <div class="wp-block-image">
  3027. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2.png"><img loading="lazy" decoding="async" width="750" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2-750x1024.png" alt="" class="wp-image-8395" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2-750x1024.png 750w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2-220x300.png 220w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2-768x1049.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2-1125x1536.png 1125w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-2.png 1262w" sizes="(max-width: 750px) 100vw, 750px" /></a><figcaption class="wp-element-caption"><em>Timeline illustrating GuptiMiner’s usage of domains in time</em></figcaption></figure></div>
  3028.  
  3029.  
  3030. <p>From this timeline, it is apparent that the authors behind GuptiMiner realize the correct setup of their DNS servers is crucial for the whole chain to work properly. Because of this, the biggest rotation and the shortest timeframes can be observed in the <code>Malicious DNS</code> group.</p>
  3031.  
  3032.  
  3033.  
  3034. <p>Furthermore, since the domains in the <code>Requested domain</code> group are irrelevant (at least from the technical viewpoint), we can see that the authors reuse the same domain names for longer periods of time.</p>
  3035.  
  3036.  
  3037.  
  3038. <h3 class="wp-block-heading" id="mutexes-in-time">Mutexes in Time&nbsp;</h3>
  3039.  
  3040.  
  3041.  
  3042. <p>Mutexes help ensure the correct execution flow of software, and malware authors often use these named objects for the same purpose. Since 2018, GuptiMiner has changed its mutexes multiple times. Most significantly, we can notice a change since 2021, when the authors started naming the mutexes after the compilation/distribution dates of their new versions.</p>
  3043.  
  3044.  
  3045. <div class="wp-block-image">
  3046. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3.png"><img loading="lazy" decoding="async" width="975" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3-975x1024.png" alt="" class="wp-image-8398" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3-975x1024.png 975w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3-286x300.png 286w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3-768x807.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-3.png 1270w" sizes="(max-width: 975px) 100vw, 975px" /></a><figcaption class="wp-element-caption"><em>Timeline illustrating GuptiMiner’s usage of mutexes in time</em></figcaption></figure></div>
  3047.  
  3048.  
  3049. <p>An attentive reader can likely observe two takeaways: The first is the apparent outliers in usage of <code>MIVOD_6</code>, <code>SLDV15</code>, <code>SLDV13</code>, and <code>Global\Wed Jun&nbsp; 2 09:43:03 2021</code>. According to our data, these mutexes were truly reused multiple times in different builds, creating larger timeframes than expected.&nbsp;</p>
  3050.  
  3051.  
  3052.  
  3053. <p>Another point is the re-introduction of <code>PROCESS_</code> mutex near the end of last year. At this time, the authors reintroduced the mutex with the string in UTF-16 encoding, which we noted separately.</p>
  3054.  
  3055.  
  3056.  
  3057. <h3 class="wp-block-heading">PDBs in Time&nbsp;</h3>
  3058.  
  3059.  
  3060.  
  3061. <p>With regard to debugging symbols, the authors of GuptiMiner left multiple PDB paths in their binaries. Most of the time, they contain strings like <code>MainWork</code>, <code>Projects</code>, etc.&nbsp;</p>
  3062.  
  3063.  
  3064. <div class="wp-block-image">
  3065. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4.png"><img loading="lazy" decoding="async" width="1024" height="340" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-1024x340.png" alt="" class="wp-image-8400" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-1024x340.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-300x100.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-768x255.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-1536x510.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-4-2048x680.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption"><em>Timeline illustrating PDBs contained in GuptiMiner in time</em></figcaption></figure></div>
  3066.  
  3067.  
  3068. <h2 class="wp-block-heading" id="installation-process">Stage 0 – Installation Process&nbsp;</h2>
  3069.  
  3070.  
  3071.  
  3072. <h3 class="wp-block-heading">Intercepting the Updates</h3>
  3073.  
  3074.  
  3075.  
  3076. <p>Everyone should update their software, right? Usually, the individual either downloads the new version manually from the official vendor’s site, or – preferably – the software itself performs the update automatically without much thought or action from the user. But what happens when someone is able to hijack this automatic process?&nbsp;</p>
  3077.  
  3078.  
  3079.  
  3080. <p>Our investigation started as we began to observe some of our users were receiving unusual responses from otherwise legitimate requests, for example on:&nbsp;</p>
  3081.  
  3082.  
  3083.  
  3084. <p><code>http://update3[.]mwti[.]net/pub/update/updll3.dlz</code></p>
  3085.  
  3086.  
  3087.  
  3088. <p>This is truly a legitimate URL to download the <code>updll3.dlz</code> file which is, under normal circumstances, a legitimate archive containing the update of the eScan antivirus. However, we started seeing suspicious behavior on some of our clients, originating exactly from URLs like this.&nbsp;</p>
  3089.  
  3090.  
  3091.  
  3092. <p>What we uncovered was that the actors behind GuptiMiner were performing a man-in-the-middle (MitM) attack to deliver an infected installer to the victim’s PC instead of the update. Unfortunately, we currently don’t have information on how the MitM was performed. We assume that some kind of pre-infection had to be present on the victim’s device or their network, causing the MitM.</p>
  3093.  
  3094.  
  3095.  
  3096. <h3 class="wp-block-heading">Update Package</h3>
  3097.  
  3098.  
  3099.  
  3100. <p><code><em>c3122448ae3b21ac2431d8fd523451ff25de7f6e399ff013d6fa6953a7998fa3</em><br><em>(version.dll, 2018-04-19 09:47:41 UTC)</em></code></p>
  3101.  
  3102.  
  3103.  
  3104. <p>Throughout the analysis, we will try to describe not just the flow of the infection chain, malware techniques, and functionalities of the stages, but we will also focus on different versions, describing how the malware authors developed and changed GuptiMiner over time.</p>
  3105.  
  3106.  
  3107.  
  3108. <p>The first GuptiMiner sample that we were able to find was compiled on Tuesday, 2018-04-19 09:47:41 and it was uploaded to VirusTotal the day after from India, followed by an upload from Germany:<br><code>c3122448ae3b21ac2431d8fd523451ff25de7f6e399ff013d6fa6953a7998fa3</code></p>
  3109.  
  3110.  
  3111. <div class="wp-block-image">
  3112. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-5.png"><img loading="lazy" decoding="async" width="561" height="226" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-5.png" alt="" class="wp-image-8403" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-5.png 561w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-5-300x121.png 300w" sizes="(max-width: 561px) 100vw, 561px" /></a></figure></div>
  3113.  
  3114.  
  3115. <p>This file was named <code>C:\Program Files\eScan\VERSION.DLL</code>, which indicates that the target audience is indeed eScan users and that the file comes from an update package downloaded by the AV.</p>
  3116.  
  3117.  
  3118.  
  3119. <p>Even though this version lacked several features present in the newer samples, the installation process is still the same, as follows:&nbsp;</p>
  3120.  
  3121.  
  3122.  
  3123. <ol class="wp-block-list" start="1">
  3124. <li>The eScan updater triggers the update&nbsp;</li>
  3125.  
  3126.  
  3127.  
  3128. <li>The downloaded package file is replaced with a malicious one on the wire because of missing HTTPS encryption (MitM is performed)&nbsp;</li>
  3129.  
  3130.  
  3131.  
  3132. <li>A malicious package <code>updll62.dlz</code> is downloaded and unpacked by eScan updater&nbsp;</li>
  3133.  
  3134.  
  3135.  
  3136. <li>The contents of the package contain a malicious DLL (usually called <code>version.dll</code>) that is sideloaded by eScan. Because of the sideloading, the DLL runs with the same privileges as the source process – eScan – and it is loaded next time eScan runs, usually after a system restart&nbsp;</li>
  3137.  
  3138.  
  3139.  
  3140. <li>If a mutex is not present in the system (its name depends on the version, e.g. <code>Mutex_ONLY_ME_V1</code>), the malware searches for a <code>services.exe</code> process and injects its next stage into the first one it can find&nbsp;</li>
  3141.  
  3142.  
  3143.  
  3144. <li>Cleanup is performed, removing the update package&nbsp;</li>
  3145. </ol>
  3146.  
  3147.  
  3148.  
  3149. <p>The malicious DLL contains additional functions which are not present in the clean one. Thankfully the names are very verbose, so no analysis was required for most of them. The list of the functions can be seen below.</p>
  3150.  
  3151.  
  3152. <div class="wp-block-image">
  3153. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-6.png"><img loading="lazy" decoding="async" width="519" height="510" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-6.png" alt="" class="wp-image-8405" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-6.png 519w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-6-300x295.png 300w" sizes="(max-width: 519px) 100vw, 519px" /></a><figcaption class="wp-element-caption"><em>Additional exported functions</em></figcaption></figure></div>
  3154.  
  3155.  
  3156. <p>Some functions, however, are unique. For example, the function <code>X64Call</code> provides Heaven’s gate, i.e., it is a helper function for running x64 code inside a 32-bit process on a 64-bit system. The malware needs this to be able to run the injected shellcode depending on the OS version and thus the bitness of the <code>services.exe</code> process.&nbsp;</p>
  3157.  
  3158.  
  3159. <div class="wp-block-image">
  3160. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-14.png"><img loading="lazy" decoding="async" width="668" height="1192" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-14.png" alt="" class="wp-image-8419" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-14.png 668w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-14-168x300.png 168w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-14-574x1024.png 574w" sizes="(max-width: 668px) 100vw, 668px" /></a><figcaption class="wp-element-caption"><em>Heaven’s gate to run the shellcode in x64 environment when required</em></figcaption></figure></div>
  3161.  
  3162.  
  3163. <p>To keep the original eScan functionality intact, the malicious <code>version.dll</code> also needs to handle the original legacy <code>version.dll</code> functionality. This is done by forwarding all the exported functions from the original DLL. When a call of the legacy DLL function is identified, GuptiMiner resolves the original function and calls it afterwards.&nbsp;</p>
  3164.  
  3165.  
  3166. <div class="wp-block-image">
  3167. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-8.png"><img loading="lazy" decoding="async" width="518" height="228" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-8.png" alt="" class="wp-image-8408" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-8.png 518w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-8-300x132.png 300w" sizes="(max-width: 518px) 100vw, 518px" /></a><figcaption class="wp-element-caption"><em>Resolving function that ensures all the original <code>version.dll</code> exports are available</em></figcaption></figure></div>
  3168.  
  3169.  
  3170. <h3 class="wp-block-heading">Injected Shellcode in services.exe&nbsp;</h3>
  3171.  
  3172.  
  3173.  
  3174. <p>After the shellcode is injected into <code>services.exe</code>, it serves as a loader of the next stage. This is done by reading an embedded PE file in a plaintext form.&nbsp;</p>
  3175.  
  3176.  
  3177. <div class="wp-block-image">
  3178. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-9.png"><img loading="lazy" decoding="async" width="550" height="287" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-9.png" alt="" class="wp-image-8409" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-9.png 550w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-9-300x157.png 300w" sizes="(max-width: 550px) 100vw, 550px" /></a><figcaption class="wp-element-caption"><em>Embedded PE file loaded by the shellcode</em></figcaption></figure></div>
  3179.  
  3180.  
  3181. <p>This PE file is loaded by standard means, but additionally, the shellcode destroys the PE’s DOS header, runs it by calling its entry point, and removes the embedded PE from its original location in memory altogether.</p>
  3182.  
  3183.  
  3184.  
  3185. <h4 class="wp-block-heading">Command Line Manipulation&nbsp;</h4>
  3186.  
  3187.  
  3188.  
  3189. <p>Across the entire GuptiMiner infection chain, every shellcode that loads and injects PE files also manipulates the command line of the current process. This is done by manipulating the result of <code>GetCommandLineA/W</code>, which changes the resulting command line displayed, for example, in Task Manager.</p>
  3190.  
  3191.  
  3192. <div class="wp-block-image">
  3193. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11.png"><img loading="lazy" decoding="async" width="1127" height="581" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11.png" alt="" class="wp-image-8412" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11.png 1127w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11-300x155.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11-1024x528.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-11-768x396.png 768w" sizes="(max-width: 1127px) 100vw, 1127px" /></a><figcaption class="wp-element-caption"><em>Command line manipulation function</em></figcaption></figure></div>
  3194.  
  3195.  
  3196. <p>After inspecting this functionality, we believe it either doesn’t work as the authors intended or we don’t understand its usage. Long story short, the command line is changed in such a way that everything before the first <code>--parameter</code> is skipped, and the remainder of this parameter is then appended directly to the process name.</p>
  3197.  
  3198.  
  3199.  
  3200. <p>To illustrate this, we could take a command:<br><code>notepad.exe param1 --XX param2</code><br>which will be transformed into:<br><code>notepad.exeXX param2</code>&nbsp;</p>
  3201.  
  3202.  
  3203.  
  3204. <p>However, we <strong>have not seen</strong> a usage like <code>power --shell.exe param1 param2</code> that would result in:<br><code>powershell.exe param1 param2</code><br>nor have we seen any concealment of parameters (like usernames and passwords for XMRig), a type of behavior we would anticipate when encountering something like this. In either case, this functionality obfuscates the command line appearance, which is worth mentioning. An interested reader can play around with the functionality at the awesome godbolt.org <a href="https://godbolt.org/#z:OYLghAFBqd5QCxAYwPYBMCmBRdBLAF1QCcAaPECAMzwBtMA7AQwFtMQByARg9KtQYEAysib0QXACx8BBAKoBnTAAUAHpwAMvAFYTStJg1DIApACYAQuYukl9ZATwDKjdAGFUtAK4sGIM6SuADJ4DJgAcj4ARpjEIJIAzKQADqgKhE4MHt6%2B/ilpGQIhYZEsMXGJtpj2jgJCBEzEBNk%2BfgF2mA6Z9Y0ExRHRsfFJCg1NLbntY32hA2VDiQCUtqhexMjsHOYJocjeWADUJgluo8ShwAB0CMfYJhoAgtu7%2B5hHJ2wsJACe17f3TzMOwYey8h2OpwI%2BFQfwSd0eANCBAOBxYhjwyS8BgImAA%2BoZ0nhcWgWGiGOhcbRZhBkAhGgcAFQkskUqlhRYAkwAdisjxRSIOeGOFgOAHpRUcAKwWYgKZLWMwaG6SgAiUplUWSAFozAAOZUqgH8wQHGiygi4uVMDb4qg44i45LEVAbBQKXHMNjCsUSkzS2XyyxmSQG9XETU6kN%2Bw18wUms2jXHoJgKG4JEXisNyhX66NhiOKg1Go4I2PFhMW5Op95qjTC8t4c2W5LWvFMO2xR3O13uz1vY61%2Bux/jEA4QQU1g519MHZmGVmzP0WIWq73Wax4A4css84sozNarV7wVUMcHMBgCtJlMII5mABs5nvs9QpPnlMX0pXaoHA/PHC1MAODvR8HxfN9yQ/MIl03awDi4PNfwSNUgMA4DtweFEsNNRtEyrW8/yFdNjzwU9xwvK8rRtdt7S7F1MDdD1WH7B8n3AlkoMwGDEOQv8gP/EC2KZV8OLZN4Lz4rYzDMIDjxRbk3AU89L1wi0qLbDsHSdejGL7QSwLnSCxO41Ua0kgSnzYwyF2gr8Di1eCeMNZD/3MGTgMssDhIgmz%2B14lzZOk/iMOw7leUw7CcKbdTbVo7SeyYthJyI8LQq5GMIu5DL%2BTI5Sr3wo4uUUoq8tU5tW1izt4oY3tmK3Y9iEwAg1gYeCgiCIcIs%2BL4ADdMAgY8n2szil0oltqM0uiEr7aNSEGh9huM6V8pvO8RTMWaSPsqLEximiqu7GrEreBz7w5YjY0a5riFarh2s6rLOUeAU0VCCAkVIWc6WIBkGQwsLj1pelkBYdAlycu8zAYVAcRbdBLkwVQ3hbYhWAULh7K1AANLGDhRtGNslNwGDczrsKdJEqAG6TzElBQ3M%2BkH0HO1KsLJDEsSYHF8QYQliRE98xJpUGWePCnBCptzD1uO86b9YmGdnEWHtLJ50o4ZZaE4SVeD8DgtFIVBOEUyw4IUVZ1hYhIeFIAhNA15YAGsQASBJLldj3Pa9%2B99E4SRdftw3OF4BQQA0W37eWOBYCQElkjoWJyEoOOE7iYAuASAIaFoe1Q4gKJA6iUJGm%2BTgbaL5hiG%2BAB5KJtE6O3uF4ZlGAIauGFoUv9d4LAoi8YA3DEWhQ6b0gsDJYBxG7sfGwbvA%2BpHg3Ec6LwcUDpFqkDqkolRquPCwQOCHOFgy41vgDGABQADU8EwAB3avkkYU%2BZEEEQxHYKRX/kJQ1ED3QuD6EMMYdclh9B4CiKHSAyxUDJFqLzTgWpq5mF4KgPqxBzhYCgRAZYHQujOAgK4CYfhAHBFmKUcoehUjpHgcQqhBR4H9AoUMQBeD4E9HGJ4Voeg2HdGmEwwYcRWHTDocI3oAj5hCNwRbDYEhNbawDtPI2wFVC6nvFqe8kgDjAGQMgeCbszBjlwIQEgd5raLF4I3LQiwnYuzdl7BxHsfZaw4P7UgesDbKJDmHCO3co4wEQCAVYBBMQECTjSV88d6DEHCMxTgqj1GaO0bo/RlwUGBHwEQTBeh%2BBv1EOIL%2BuSf4qHUNPABpA76o2SKfeRHAdbuMDso6uq9QkHFQKeBJGitE6L0RnNJY4PAsCibEMxXALG%2BOsbY127tHEON9q4xRnjg62B8VYh28z0keNQcstZNjSDoPSM4SQQA%3D" target="_blank" rel="noreferrer noopener">here</a>.</p>
  3205.  
  3206.  
  3207.  
  3208. <h3 class="wp-block-heading" id="code-virtualization">Code Virtualization&nbsp;</h3>
  3209.  
  3210.  
  3211.  
  3212. <p><code><em>7a1554fe1c504786402d97edecc10c3aa12bd6b7b7b101cfc7a009ae88dd99c6</em><br><em>(version.dll, 2018-06-12 03:30:01)</em>&nbsp;</code></p>
  3213.  
  3214.  
  3215.  
  3216. <p>Another version, with the mutex <code>ONLY_ME_V3</code>, introduced code virtualization. This can be observed by an additional section in the PE file called <code>.v_lizer</code>. This section was also renamed a few times in later builds.</p>
  3217.  
  3218.  
  3219. <div class="wp-block-image">
  3220. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16.png"><img loading="lazy" decoding="async" width="1232" height="322" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16.png" alt="" class="wp-image-8423" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16.png 1232w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16-300x78.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16-1024x268.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-16-768x201.png 768w" sizes="(max-width: 1232px) 100vw, 1232px" /></a><figcaption class="wp-element-caption"><em>A new section with the virtualized code is called <code>.v_lizer</code></em></figcaption></figure></div>
  3221.  
  3222.  
3223. <p>Thankfully, the obfuscation is rather weak, as both the shellcode and the embedded PE file are still in plaintext form.&nbsp;</p>
  3224.  
  3225.  
  3226.  
3227. <p>Furthermore, the authors started to distinguish between the <code>version.dll</code> stage and the PE file loaded by the shellcode by using an additional mutex. Previously, both stages used the shared mutex <code>ONLY_ME_Vx</code>; now the sideloading stage uses <code>MTX_V101</code> as its mutex.</p>
  3228.  
  3229.  
  3230.  
  3231. <h2 class="wp-block-heading" id="installation-improvements">Stage 0.9 – Installation Improvements</h2>
  3232.  
  3233.  
  3234.  
  3235. <p><code><em>3515113e7127dc41fb34c447f35c143f1b33fd70913034742e44ee7a9dc5cc4c</em><br><em>(2021-03-28 14:41:07 UTC)</em>&nbsp;</code></p>
  3236.  
  3237.  
  3238.  
3239. <p>The installation process has undergone multiple improvements over time and, since it is rather different from the older variants, we decided to describe it separately as an intermediary Stage 0.9. With these improvements, the authors introduced the use of scheduled tasks, WMI events, two differently loaded next stages (<a href="#png-loader">Stage 1 – PNG loader</a>), turning off Windows Defender, and installing crafted certificates into Windows.&nbsp;</p>
  3240.  
  3241.  
  3242.  
3243. <p>There are also multiple files dropped at this stage, enabling further sideloading by the malware. These files are clean and serve exclusively for sideloading purposes. The malicious DLLs that are being sideloaded are two PNG loaders (Stage 1):&nbsp;</p>
  3244.  
  3245.  
  3246.  
  3247. <ul class="wp-block-list">
  3248. <li><code>de48abe380bd84b5dc940743ad6727d0372f602a8871a4a0ae2a53b15e1b1739 *atiadlxx.dll</code>&nbsp;</li>
  3249.  
  3250.  
  3251.  
  3252. <li><code>e0dd8af1b70f47374b0714e3b368e20dbcfa45c6fe8f4a2e72314f4cd3ef16ee *BrLogAPI.dll</code>&nbsp;</li>
  3253. </ul>
  3254.  
  3255.  
  3256.  
  3257. <h3 class="wp-block-heading">WMI Events&nbsp;</h3>
  3258.  
  3259.  
  3260.  
  3261. <p><code><em>de48abe380bd84b5dc940743ad6727d0372f602a8871a4a0ae2a53b15e1b1739</em><br><em>(atiadlxx.dll, 2021-03-28 14:30:11 UTC)</em>&nbsp;</code></p>
  3262.  
  3263.  
  3264.  
3265. <p>At this stage, WMI events are used for loading the first of the PNG loaders. This loader is extracted to the following path:<br><code>C:\PROGRAMDATA\AMD\CNext\atiadlxx.dll</code>&nbsp;</p>
  3266.  
  3267.  
  3268.  
3269. <p>Along with it, additional clean files are dropped and used for sideloading, in either (or both) of these locations:&nbsp;<br><code>C:\ProgramData\AMD\CNext\slsnotif.exe&nbsp;<br>C:\ProgramData\AMD\CNext\msvcr120.dll</code><br>or<br><code>C:\Program Files (x86)\AMD\CNext\CCCSlim\slsnotify.exe<br>C:\Program Files (x86)\AMD\CNext\CCCSlim\msvcr120.dll&nbsp;</code></p>
  3270.  
  3271.  
  3272.  
3273. <p>The clean file <code>slsnotify.exe</code> is then registered via a WMI event in such a way that it is executed when these conditions are met:</p>
  3274.  
  3275.  
  3276. <div class="wp-block-image">
  3277. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-17.png"><img loading="lazy" decoding="async" width="850" height="192" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-17.png" alt="" class="wp-image-8424" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-17.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-17-300x68.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-17-768x173.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a><figcaption class="wp-element-caption"><em>WMI conditions to trigger sideloading</em></figcaption></figure></div>
  3278.  
  3279.  
3280. <p>In other words, the sideloading is performed on a workday in January, July, or November. The numbers represented by <code>%d</code> are randomly selected values. The two possibilities for the hour are exactly two hours apart and fall within the range of 11–16 or 13–18 (inclusive). This conditioning further underlines the longevity of GuptiMiner operations.</p>
  3281.  
  3282.  
  3283.  
  3284. <h3 class="wp-block-heading">Scheduled Tasks</h3>
  3285.  
  3286.  
  3287.  
  3288. <p><code><em>e0dd8af1b70f47374b0714e3b368e20dbcfa45c6fe8f4a2e72314f4cd3ef16ee</em><br><em>(BrLogAPI.dll, 2021-03-28 14:10:27 UTC)</em></code></p>
  3289.  
  3290.  
  3291.  
  3292. <p>Similarly to the WMI events, GuptiMiner also drops a clean binary for sideloading at this location:<br><code>C:\ProgramData\Brother\Brmfl14c\BrRemPnP.exe</code>&nbsp;</p>
  3293.  
  3294.  
  3295.  
  3296. <p>The malicious PNG loader is then placed in one (or both) of these locations:<br><code>C:\Program Files (x86)\Brother\Brmfl14c\BrLogAPI.dll<br>C:\Program Files\Brother\Brmfl14c\BrLogAPI.dll&nbsp;</code></p>
  3297.  
  3298.  
  3299.  
3300. <p>The scheduled task is created by invoking the Task Scheduler. It has these characteristics:&nbsp;</p>
  3301.  
  3302.  
  3303.  
  3304. <ul class="wp-block-list">
3305. <li>It is created as <code>C:\Windows\System32\Tasks\Microsoft\Windows\Brother\Brmfl14c</code>&nbsp;</li>
  3306.  
  3307.  
  3308.  
  3309. <li>Executes: <code>C:\ProgramData\Brother\Brmfl14c\BrRemPnP.exe</code>&nbsp;</li>
  3310.  
  3311.  
  3312.  
3313. <li>The execution takes place in a folder containing the DLL to be sideloaded, e.g.: <code>C:\Program Files (x86)\Brother\Brmfl14c\</code>&nbsp;</li>
  3314.  
  3315.  
  3316.  
3317. <li>The execution is performed on every boot (<code>TASK_TRIGGER_BOOT</code>) with <code>SYSTEM</code> privileges&nbsp;</li>
  3318. </ul>
  3319.  
  3320.  
  3321.  
  3322. <h3 class="wp-block-heading">Deploy During Shutdown</h3>
  3323.  
  3324.  
  3325.  
  3326. <p><em><code>3515113e7127dc41fb34c447f35c143f1b33fd70913034742e44ee7a9dc5cc4c<br>(2021-03-28 14:41:07 UTC)</code></em></p>
  3327.  
  3328.  
  3329.  
3330. <p>Let’s now look at how all these files, clean and malicious, are deployed. One of GuptiMiner’s tricks is that it drops the final payload, containing the PNG loader stage, only during the system shutdown process. Thus, this happens at a time when other applications are shutting down and may no longer be protecting the user.</p>
  3331.  
  3332.  
  3333. <div class="wp-block-image">
  3334. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-19.png"><img loading="lazy" decoding="async" width="754" height="732" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-19.png" alt="" class="wp-image-8426" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-19.png 754w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-19-300x291.png 300w" sizes="(max-width: 754px) 100vw, 754px" /></a><figcaption class="wp-element-caption"><em>The main flow of the Stage 0.9 variant – drops final payload during system shutdown</em></figcaption></figure></div>
  3335.  
  3336.  
3337. <p>From the code above, we can observe that the final payload DLL is dropped only when the <code>SM_SHUTTINGDOWN</code> system metric is non-zero, meaning the current session is shutting down, and all the supporting clean files were dropped successfully.&nbsp;</p>
  3338.  
  3339.  
  3340.  
3341. <p>An attentive reader could also notice in the code above that the first function being called disables Windows Defender. This is done by the standard means of modifying registry keys. Only if Defender is disabled does the malware proceed with its malicious actions.&nbsp;</p>
  3342.  
  3343.  
  3344.  
  3345. <h3 class="wp-block-heading">Adding Certificates to Windows</h3>
  3346.  
  3347.  
  3348.  
3349. <p>Most of the time, GuptiMiner uses self-signed binaries for its malicious activities. However, this time around, the attackers went a step further. In this case, both of the dropped PNG loader DLLs are signed by a custom root certification authority controlled by the attackers. This means that the signature is inherently untrusted, since the attackers’ certification authority is not trusted by the common verification processes in Windows.&nbsp;</p>
  3350.  
  3351.  
  3352.  
3353. <p>However, during the malware installation, GuptiMiner also adds a root certificate to the Windows certificate store, making this certification authority trusted. Thus, when such a signed file is executed, it is treated as correctly signed. This is done using the <code>CertCreateCertificateContext</code>, <code>CertOpenStore</code>, and <code>CertAddCertificateContextToStore</code> API functions.</p>
  3354.  
  3355.  
  3356. <div class="wp-block-image">
  3357. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-21.png"><img loading="lazy" decoding="async" width="920" height="501" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-21.png" alt="" class="wp-image-8428" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-21.png 920w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-21-300x163.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-21-768x418.png 768w" sizes="(max-width: 920px) 100vw, 920px" /></a><figcaption class="wp-element-caption"><em>Function which adds GuptiMiner’s root certificate to Windows</em></figcaption></figure></div>
  3358.  
  3359.  
  3360. <p>The certificate is present in a plaintext form directly in the GuptiMiner binary file.</p>
  3361.  
  3362.  
  3363. <div class="wp-block-image">
  3364. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-22.png"><img loading="lazy" decoding="async" width="806" height="331" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-22.png" alt="" class="wp-image-8429" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-22.png 806w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-22-300x123.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-22-768x315.png 768w" sizes="(max-width: 806px) 100vw, 806px" /></a><figcaption class="wp-element-caption"><em>A certificate in the plaintext form which is added as root to Windows by the malware</em></figcaption></figure></div>
  3365.  
  3366.  
  3367. <p>During our research, we found three different certificate issuers used during the GuptiMiner operations:&nbsp;</p>
  3368.  
  3369.  
  3370.  
  3371. <ul class="wp-block-list">
  3372. <li><code>GTE Class 3 Certificate Authority&nbsp;</code></li>
  3373.  
  3374.  
  3375.  
  3376. <li><code>VeriSign Class 3 Code Signing 2010</code>&nbsp;</li>
  3377.  
  3378.  
  3379.  
  3380. <li><code>DigiCert Assured ID Code Signing CA&nbsp;</code></li>
  3381. </ul>
  3382.  
  3383.  
  3384.  
  3385. <p>Note that these names are artificial and any resemblance to legitimate certification authorities shall be considered coincidental.&nbsp;</p>
  3386.  
  3387.  
  3388.  
  3389. <h3 class="wp-block-heading" id="storing-payloads-in-registry">Storing Payloads in Registry&nbsp;</h3>
  3390.  
  3391.  
  3392.  
  3393. <p><code><em>8e96d15864ec0cc6d3976d87e9e76e6eeccc23c551b22dcfacb60232773ec049</em><br><em>(upgradeshow.dll, 2023-11-23 16:41:34 UTC)</em>&nbsp;</code></p>
  3394.  
  3395.  
  3396.  
3397. <p>At later development stages, the authors behind GuptiMiner further improved the persistence of their payloads by storing them in registry keys. Furthermore, the payloads are XOR-encrypted with a fixed key, which makes them look meaningless to the naked eye.&nbsp;</p>
  3398.  
  3399.  
  3400.  
3401. <p>We have discovered these registry key locations being used for storing the payloads so far:&nbsp;</p>
  3402.  
  3403.  
  3404.  
  3405. <ul class="wp-block-list">
  3406. <li><code>SYSTEM\CurrentControlSet\Control\Nls\Sorting\Ids\en-US</code>&nbsp;</li>
  3407.  
  3408.  
  3409.  
  3410. <li><code>SYSTEM\CurrentControlSet\Control\PnP\Pci\CardList</code>&nbsp;</li>
  3411.  
  3412.  
  3413.  
  3414. <li><code>SYSTEM\CurrentControlSet\Control\Wdf\DMCF</code>&nbsp;</li>
  3415.  
  3416.  
  3417.  
  3418. <li><code>SYSTEM\CurrentControlSet\Control\StorVSP\Parsers</code>&nbsp;</li>
  3419. </ul>
  3420.  
  3421.  
  3422.  
  3423. <h2 class="wp-block-heading" id="png-loader">Stage 1 – PNG Loader&nbsp;</h2>
  3424.  
  3425.  
  3426.  
  3427. <p><code><em>ff884d4c01fccf08a916f1e7168080a2d740a62a774f18e64f377d23923b0297</em><br><em>(2018-04-19 09:45:25 UTC)</em>&nbsp;</code></p>
  3428.  
  3429.  
  3430.  
3431. <p>When the entry point of the PE file is executed by the shellcode from <a href="#installation-process">Stage 0</a>, the malware first creates a scheduled task that attempts to clean up the initial infection by removing the <code>updll62.dlz</code> archive and the <code>version.dll</code> library from the system.&nbsp;</p>
  3432.  
  3433.  
  3434.  
3435. <p>Furthermore, the PE serves as a dropper for additional stages by contacting the attacker’s malicious DNS server. This is done by sending a DNS request to the attacker’s DNS server and reading the TXT record in the response. The TXT response holds an encrypted URL of the real C&amp;C server that should be contacted for an additional payload. This payload is a valid PNG image file (a T-Mobile logo) which also holds a shellcode appended to its end. The shellcode is then executed by the malware in a separate thread, providing further malware functionality as the next stage.</p>
  3436.  
  3437.  
  3438.  
3439. <p>Note that since the DNS server itself is malicious, the requested domain name doesn’t really matter – or, thinking about this functionality more abstractly, it can rather be viewed as a “password” passed to the server, which decides whether the DNS server should or shouldn’t provide the desired TXT answer carrying the instructions.&nbsp;</p>
  3440.  
  3441.  
  3442.  
3443. <p>As we already mentioned in the <a href="#domains-in-time">Domains timeline section</a>, there are multiple such “requested domains” in use. In the version referenced here, we can see these two being used:&nbsp;</p>
  3444.  
  3445.  
  3446.  
  3447. <ul class="wp-block-list">
  3448. <li><code>ext.peepzo[.]com</code>&nbsp;</li>
  3449.  
  3450.  
  3451.  
  3452. <li><code>crl.peepzo[.]com</code>&nbsp;</li>
  3453. </ul>
  3454.  
  3455.  
  3456.  
  3457. <p>and the malicious DNS server address is in this case:&nbsp;</p>
  3458.  
  3459.  
  3460.  
  3461. <ul class="wp-block-list">
  3462. <li><code>ns1.peepzo[.]com</code>&nbsp;</li>
  3463. </ul>
  3464.  
  3465.  
  3466.  
3467. <p>Here we can see a DNS TXT response captured using Wireshark. Note that the DNS <code>Transaction ID = 0x034b</code> was left unchanged during all the years of GuptiMiner operations. We find this interesting because we would expect such a constant value to be easily flagged by firewalls or EDRs in the affected network.</p>
  3468.  
  3469.  
  3470. <div class="wp-block-image">
  3471. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24.png"><img loading="lazy" decoding="async" width="1550" height="732" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24.png" alt="" class="wp-image-8433" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24.png 1550w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24-300x142.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24-1024x484.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24-768x363.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-24-1536x725.png 1536w" sizes="(max-width: 1550px) 100vw, 1550px" /></a><figcaption class="wp-element-caption"><em>DNS TXT response captured by Wireshark</em></figcaption></figure></div>
  3472.  
  3473.  
3474. <p>The malware performs these queries at random intervals. The initial request for the DNS TXT record is performed within the first 20 minutes after the PNG loader is executed. The subsequent requests, which serve the malware’s update routine, wait up to 69 hours between attempts.&nbsp;</p>
  3475.  
  3476.  
  3477.  
3478. <p>This update mechanism is reflected by creating separate mutexes named after the shellcode version number, which is denoted by the first two bytes of the decrypted DNS TXT response (see below for the decryption process). This ensures that no shellcode with the same version is run twice on the system.&nbsp;</p>
  3479.  
  3480.  
  3481. <div class="wp-block-image">
  3482. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-25.png"><img loading="lazy" decoding="async" width="770" height="356" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-25.png" alt="" class="wp-image-8435" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-25.png 770w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-25-300x139.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-25-768x355.png 768w" sizes="(max-width: 770px) 100vw, 770px" /></a><figcaption class="wp-element-caption"><em>Mutex is numbered by the shellcode’s version information</em></figcaption></figure></div>
  3483.  
  3484.  
  3485. <h3 class="wp-block-heading" id="dns-txt-decryption">DNS TXT Record Decryption</h3>
  3486.  
  3487.  
  3488.  
3489. <p>After the DNS TXT record is received, GuptiMiner decodes the content using Base64 and decrypts it using the RC2 cipher, with MD5 serving as the key derivation function. Note that in later versions of this malware, the authors improved the decryption process by also using checksums and additional decryption keys.&nbsp;</p>
  3490.  
  3491.  
  3492.  
  3493. <p>For the key derivation function and the decryption process, the authors decided to use standard Windows CryptoAPI functions.</p>
  3494.  
  3495.  
  3496. <div class="wp-block-image">
  3497. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-27.png"><img loading="lazy" decoding="async" width="963" height="318" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-27.png" alt="" class="wp-image-8438" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-27.png 963w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-27-300x99.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-27-768x254.png 768w" sizes="(max-width: 963px) 100vw, 963px" /></a><figcaption class="wp-element-caption"><em>Typical use of standard Windows CryptoAPI functions</em></figcaption></figure></div>
  3498.  
  3499.  
3500. <p>Interestingly, a keen eye can spot an oversight in the initialization process shown above, specifically in the call to <code>CryptHashData</code>. The prototype of the <a href="https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-crypthashdata" target="_blank" rel="noreferrer noopener">CryptHashData API function</a> is:</p>
  3501.  
  3502.  
  3503.  
  3504. <p><code>BOOL CryptHashData(<br>&nbsp; [in] HCRYPTHASH hHash,<br>&nbsp; [in] const BYTE *pbData,<br>&nbsp; [in] DWORD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dwDataLen,<br>&nbsp; [in] DWORD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dwFlags<br>);&nbsp;</code></p>
  3505.  
  3506.  
  3507.  
3508. <p>The second argument of this function is a pointer to an array of <code>dwDataLen</code> bytes. However, this malware passes the string <code>L"POVO@1"</code> in Unicode (UTF-16) form as <code>*pbData</code>, while <code>dwDataLen</code> covers only the first six bytes of that array.</p>
  3509.  
  3510.  
  3511. <div class="wp-block-image">
  3512. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-28.png"><img loading="lazy" decoding="async" width="541" height="45" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-28.png" alt="" class="wp-image-8441" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-28.png 541w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-28-300x25.png 300w" sizes="(max-width: 541px) 100vw, 541px" /></a></figure></div>
  3513.  
  3514.  
3515. <p>Thus, the hashed bytes are only the first six bytes of this array, <code>db 'P', 0, 'O', 0, 'V', 0</code>, which effectively cuts the key in half and pads it with zeroes. Even though the malware authors changed the decryption key over the years, they never fixed this oversight, and it is still present in the latest version of GuptiMiner.&nbsp;</p>
  3516.  
  3517.  
  3518.  
  3519. <h3 class="wp-block-heading">DNS TXT Record Parsing&nbsp;</h3>
  3520.  
  3521.  
  3522.  
  3523. <p>At this point, we would like to demonstrate the decrypted TXT record and how to parse it. In this example, while accessing the attacker’s malicious DNS server <code>ns.srnmicro[.]net</code> and the requested domain <code>spf.microsoft[.]com</code>, the server returned this DNS TXT response:&nbsp;</p>
  3524.  
  3525.  
  3526.  
  3527. <p><code>VUBw2mOgagCILdD3qWwVMQFPUd0dPHO3MS/CwpL2bVESh9OnF/Pgs6mHPLktvph2</code></p>
  3528.  
  3529.  
  3530.  
  3531. <p>After fully decoding and decrypting this string, we get:&nbsp;</p>
  3532.  
  3533.  
  3534.  
  3535. <figure class="wp-block-image size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-29.png"><img loading="lazy" decoding="async" width="850" height="72" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-29.png" alt="" class="wp-image-8443" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-29.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-29-300x25.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-29-768x65.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a></figure>
  3536.  
  3537.  
  3538.  
  3539. <p>This result contains multiple fields and can be interpreted as:&nbsp;</p>
  3540.  
  3541.  
  3542.  
  3543. <figure class="wp-block-table"><table><tbody><tr><td><strong>Name&nbsp;</strong></td><td><strong>Value&nbsp;</strong></td></tr><tr><td>Version 1&nbsp;</td><td>1&nbsp;</td></tr><tr><td>Version 2&nbsp;</td><td>5&nbsp;</td></tr><tr><td>Key size&nbsp;</td><td><code>\r</code> (= <code>0xD</code>)&nbsp;</td></tr><tr><td>Key&nbsp;</td><td>Microsoft.com&nbsp;</td></tr><tr><td>C&amp;C URL&nbsp;</td><td>http://www.deanmiller[.]net/m/&nbsp;</td></tr><tr><td>Checksum&nbsp;</td><td><code>\xde</code></td></tr></tbody></table></figure>
  3544.  
  3545.  
  3546.  
3547. <p>The first two bytes, Version 1 and Version 2, form the PNG shellcode version. It is not clear why there are two such versions, since Version 2 is actually never used in the program. Only Version 1 is considered when deciding whether to perform the update – i.e., whether to download and load the PNG shellcode or not. Either way, we could look at these numbers as a major and a minor version, where only the major releases serve as a trigger for the update process.</p>
  3548.  
  3549.  
  3550.  
3551. <p>The third byte is a key size that denotes how many bytes should be read afterwards, forming the key. No additional delimiter is needed between the key and the URL, since the key size is known and the URL follows immediately. Finally, the two-byte checksum can be verified by calculating a sum of all the bytes (modulo <code>0xFF</code>).&nbsp;</p>
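<p>As an added example (not code from the original post or from GuptiMiner), the following Python reproduces the Base64 step, the truncated <code>CryptHashData</code> input, and a parser for the decrypted record layout described above. The record bytes are constructed from the table values; the single checksum byte computed over the preceding bytes is an assumption, and the RC2 decryption and <code>CryptDeriveKey</code> steps are not reproduced.</p>

```python
import base64
import hashlib

# Constructed sample: the Base64 TXT answer quoted on the page.
TXT_B64 = "VUBw2mOgagCILdD3qWwVMQFPUd0dPHO3MS/CwpL2bVESh9OnF/Pgs6mHPLktvph2"

RC2_BLOCK_SIZE = 8  # RC2 is a 64-bit block cipher


def decode_txt(txt_b64):
    """Base64-decode the TXT record and sanity-check it as RC2 ciphertext.

    Valid RC2 ciphertext is always a multiple of 8 bytes long, so anything
    else cannot be a GuptiMiner record and is worth flagging.
    """
    raw = base64.b64decode(txt_b64)
    if len(raw) % RC2_BLOCK_SIZE:
        raise ValueError("length %d is not a multiple of the RC2 block size" % len(raw))
    return raw


def crypt_hash_data_input(wide_key, dw_data_len):
    """Bytes that CryptHashData actually consumes.

    The loader passes a UTF-16LE string as pbData but a dwDataLen that only
    covers the first six bytes, so only that prefix reaches MD5.
    """
    return wide_key.encode("utf-16-le")[:dw_data_len]


def md5_key_material(wide_key, dw_data_len):
    """MD5 digest that CryptDeriveKey would turn into the RC2 key.

    The CryptDeriveKey specifics (key length, salt) are not on the page and
    are deliberately not reproduced here.
    """
    return hashlib.md5(crypt_hash_data_input(wide_key, dw_data_len)).digest()


def checksum(data):
    # Assumption: one checksum byte, the sum of all preceding bytes modulo 0xFF.
    return sum(data) % 0xFF


def build_txt_record(version1, version2, key, url):
    """Constructed plaintext record with the layout the post describes:
    [version1][version2][key size][key][url][checksum]."""
    body = bytes([version1, version2, len(key)]) + key.encode("ascii") + url.encode("ascii")
    return body + bytes([checksum(body)])


def parse_txt_record(plain):
    """Split a decrypted record into its fields and verify the checksum."""
    if len(plain) < 5:
        raise ValueError("record too short")
    version1, version2, key_size = plain[0], plain[1], plain[2]
    key_end = 3 + key_size
    if key_end > len(plain) - 1:
        raise ValueError("key size %d exceeds record length" % key_size)
    return {
        "version1": version1,
        "version2": version2,
        "key_size": key_size,
        "key": plain[3:key_end].decode("ascii"),
        # No delimiter: the URL runs from the end of the key to the checksum.
        "url": plain[key_end:-1].decode("ascii"),
        "checksum_ok": plain[-1] == checksum(plain[:-1]),
    }


def update_required(record, current_version):
    """Only Version 1 (the major version) decides whether to fetch the PNG."""
    return record["version1"] > current_version
```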
  3552.  
  3553.  
  3554.  
3555. <p>After the DNS TXT record is decoded and decrypted, the malware downloads the next stage from the provided URL in the form of a PNG file. This is done using the standard <code>WinINet</code> Windows API, with the <code>User-Agent</code> set to contain the bitness of the currently running process.</p>
  3556.  
  3557.  
  3558. <div class="wp-block-image">
  3559. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-30.png"><img loading="lazy" decoding="async" width="869" height="333" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-30.png" alt="" class="wp-image-8446" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-30.png 869w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-30-300x115.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-30-768x294.png 768w" sizes="(max-width: 869px) 100vw, 869px" /></a><figcaption class="wp-element-caption"><em>The malware communicates the bitness of the running process to the C&amp;C</em></figcaption></figure></div>
  3560.  
  3561.  
  3562. <p>The C&amp;C server uses the <code>User-Agent</code> information for two things:&nbsp;</p>
  3563.  
  3564.  
  3565.  
  3566. <ul class="wp-block-list">
  3567. <li>Provides the next stage (a shellcode) in the correct bitness&nbsp;</li>
  3568.  
  3569.  
  3570.  
  3571. <li>Filters any HTTP request that doesn’t contain this information as a protection mechanism&nbsp;</li>
  3572. </ul>
  3573.  
  3574.  
  3575.  
  3576. <h3 class="wp-block-heading" id="parsing-the-png-file">Parsing the PNG File&nbsp;</h3>
  3577.  
  3578.  
  3579.  
3580. <p>The downloaded file is a valid PNG file which also contains a shellcode appended at its end. The image is a T-Mobile logo and has exactly <code>805</code> bytes. These bytes are skipped by the malware and the rest of the file, starting at offset <code>0x325</code>, is decrypted by RC2 using the key provided in the TXT response (derived using MD5). The reason for using an image as this “prefix” is to further obfuscate the network communication: the payload looks like a legitimate image, and the appended malicious code is likely to be overlooked.&nbsp;</p>
  3581.  
  3582.  
  3583. <div class="wp-block-image">
  3584. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-31.png"><img loading="lazy" decoding="async" width="549" height="625" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-31.png" alt="" class="wp-image-8447" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-31.png 549w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-31-264x300.png 264w" sizes="(max-width: 549px) 100vw, 549px" /></a><figcaption class="wp-element-caption"><em>PNG file containing the shellcode starting at <code>0x325</code></em></figcaption></figure></div>
  3585.  
  3586.  
3587. <p>After the shellcode is loaded from position <code>0x325</code>, it proceeds by loading an additional PE loader from memory, which unpacks the next stages using Gzip.&nbsp;</p>
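<p>As an added example that is not part of the original post, the following Python carves the appended payload from a PNG carrier by walking the chunk list to the end of <code>IEND</code> instead of hardcoding <code>0x325</code>. The carrier it builds is a constructed one-pixel image rather than the T-Mobile logo, so its IEND offset differs from 805, and the carved bytes would still be RC2-encrypted in the real case.</p>

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(chunk_type, data):
    """Serialize one PNG chunk: big-endian length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def png_end_offset(data):
    """Offset just past the IEND chunk, i.e. where the real image ends.

    Every chunk's CRC is verified on the way, so a corrupted or truncated
    carrier is rejected instead of yielding a bogus offset. For GuptiMiner's
    T-Mobile logo this offset is 0x325 (805) according to the post.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, chunk_type = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length
        if chunk_end > len(data):
            raise ValueError("truncated %r chunk" % chunk_type)
        stored_crc = struct.unpack(">I", data[pos + 8 + length:chunk_end])[0]
        if zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF != stored_crc:
            raise ValueError("bad CRC in %r chunk" % chunk_type)
        pos = chunk_end
        if chunk_type == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def carve_appended_payload(data):
    """Return (offset, trailing bytes) for whatever follows the image."""
    offset = png_end_offset(data)
    return offset, data[offset:]


def build_sample_carrier(payload):
    """Constructed sample: a minimal 1x1 grayscale PNG with payload appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    image = (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
             + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))
    return image + payload
```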
  3588.  
  3589.  
  3590.  
  3591. <h3 class="wp-block-heading">IP Address Masking</h3>
  3592.  
  3593.  
  3594.  
  3595. <p><code><em>294b73d38b89ce66cfdefa04b1678edf1b74a9b7f50343d9036a5d549ade509a</em><br><em>(2023-11-09 14:19:45 UTC)</em>&nbsp;</code></p>
  3596.  
  3597.  
  3598.  
  3599. <p>In late 2023, the authors decided to ditch the years-long approach of using DNS TXT records for distributing payloads and they switched to IP address masking instead.&nbsp;</p>
  3600.  
  3601.  
  3602.  
  3603. <p>This new approach consists of a few steps:&nbsp;</p>
  3604.  
  3605.  
  3606.  
  3607. <ol class="wp-block-list" start="1">
3608. <li>Resolve a hardcoded server name registered to the attacker by the standard means of the <code>gethostbyname</code> API function&nbsp;</li>
  3609.  
  3610.  
  3611.  
3612. <li>For that server, two IP addresses are returned – the first is a masked address, and the second denotes an available payload version and starts with <code>23.195.</code> as its first two octets&nbsp;</li>
  3613.  
  3614.  
  3615.  
  3616. <li>If the version is newer than the current one, the masked IP address is de-masked and results in a real C&amp;C IP address&nbsp;</li>
  3617.  
  3618.  
  3619.  
  3620. <li>The real C&amp;C IP address is used along with a hardcoded constant string (used in a URL path) to download the PNG file containing the shellcode&nbsp;</li>
  3621. </ol>
  3622.  
  3623.  
  3624.  
3625. <p>The de-masking process is done by XORing each octet of the IP address with <code>0xA</code>, <code>0xB</code>, <code>0xC</code>, and <code>0xD</code>, respectively. The resulting address is then used, with a hardcoded constant string appended to the URL path.&nbsp;</p>
  3626.  
  3627.  
  3628.  
  3629. <p>As an example, one such server we observed was <code>www.elimpacific[.]net</code>. It was, at the time, returning:&nbsp;</p>
  3630.  
  3631.  
  3632. <div class="wp-block-image">
  3633. <figure class="aligncenter size-full is-resized"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-32.png"><img loading="lazy" decoding="async" width="487" height="197" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-32.png" alt="" class="wp-image-8452" style="width:487px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-32.png 487w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-32-300x121.png 300w" sizes="(max-width: 487px) 100vw, 487px" /></a></figure></div>
  3634.  
  3635.  
3636. <p>The address <code>23.195.101[.]1</code> denotes a version; if it is greater than the current version, the malware performs the update by downloading the PNG file with the shellcode. This update is downloaded by requesting the PNG file from the real C&amp;C server, whose address is calculated by de-masking the <code>179.38.204[.]38</code> address:&nbsp;</p>
  3637.  
  3638.  
  3639. <div class="wp-block-image">
  3640. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-33.png"><img loading="lazy" decoding="async" width="850" height="72" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-33.png" alt="" class="wp-image-8453" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-33.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-33-300x25.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-33-768x65.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a></figure></div>
  3641.  
  3642.  
  3643. <p>The request is then made, along with the calculated IP address <code>185.45.192[.]43</code> and a hardcoded constant <code>elimp</code>. Using a constant like this serves as an additional password, in a sense:<br><code>185.45.192[.]43/elimp/</code>&nbsp;</p>
  3644.  
  3645.  
  3646. <div class="wp-block-image">
  3647. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34.png"><img loading="lazy" decoding="async" width="1024" height="235" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34-1024x235.png" alt="" class="wp-image-8454" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34-1024x235.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34-300x69.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34-768x176.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-34.png 1263w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption"><em>GuptiMiner is requesting the payload from a real IP address</em></figcaption></figure></div>
  3648.  
  3649.  
  3650. <p>When the PNG file is downloaded, the rest of the process is the same as usual.&nbsp;</p>
  3651.  
  3652.  
  3653.  
  3654. <p>We’ve discovered two servers for this functionality so far:&nbsp;</p>
  3655.  
  3656.  
  3657.  
  3658. <figure class="wp-block-table"><table><tbody><tr><td><strong>Queried server</strong>&nbsp;</td><td><strong>URL path constant</strong>&nbsp;</td></tr><tr><td><code>www.elimpacific[.]net&nbsp;</code></td><td><code>elimp&nbsp;</code></td></tr><tr><td><code>www.espcomp[.]net&nbsp;</code></td><td><code>OpenSans&nbsp;</code></td></tr></tbody></table></figure>
  3659.  
  3660.  
  3661.  
  3662. <h3 class="wp-block-heading">Anti-VM and Anti-debug Tricks&nbsp;</h3>
  3663.  
  3664.  
  3665.  
  3666. <p><code><em>294b73d38b89ce66cfdefa04b1678edf1b74a9b7f50343d9036a5d549ade509a</em><br><em>(2023-11-09 14:19:45 UTC)</em>&nbsp;</code></p>
  3667.  
  3668.  
  3669.  
3670. <p>Along with the other updates described above, we also observed an evolution in the use of anti-VM and anti-debugging tricks. These are implemented by checking for well-known disk drivers, registry keys, and running processes.&nbsp;</p>
  3671.  
  3672.  
  3673.  
  3674. <p>GuptiMiner checks for these disk drivers by enumerating<br><code>HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum</code>:&nbsp;</p>
  3675.  
  3676.  
  3677.  
  3678. <ul class="wp-block-list">
  3679. <li><code>vmware&nbsp;</code></li>
  3680.  
  3681.  
  3682.  
  3683. <li><code>qemu&nbsp;</code></li>
  3684.  
  3685.  
  3686.  
  3687. <li><code>vbox&nbsp;</code></li>
  3688.  
  3689.  
  3690.  
  3691. <li><code>virtualhd&nbsp;</code></li>
  3692. </ul>
  3693.  
  3694.  
  3695.  
  3696. <p>Specifically, the malware also checks the registry key <code>HKEY_LOCAL_MACHINE\SOFTWARE\Cylance</code> for the presence of Cylance AV.&nbsp;</p>
  3697.  
  3698.  
  3699.  
3700. <p>As further anti-VM measures, the malware also checks whether the system has more than 4 GB of available RAM and at least 4 CPU cores.&nbsp;</p>
  3701.  
  3702.  
  3703.  
3704. <p>Last but not least, the malware also checks for the presence of these processes by their name prefixes:&nbsp;</p>
  3705.  
  3706.  
  3707.  
  3708. <figure class="wp-block-table"><table><tbody><tr><td><strong>Process name prefix</strong>&nbsp;</td><td><strong>Tool name</strong>&nbsp;</td></tr><tr><td><code>wireshar&nbsp;</code></td><td>Wireshark&nbsp;</td></tr><tr><td><code>windbg.&nbsp;</code></td><td>WinDbg&nbsp;</td></tr><tr><td><code>tcpview&nbsp;</code></td><td>TCPView&nbsp;</td></tr><tr><td><code>360&nbsp;</code></td><td>360 Total Security&nbsp;</td></tr><tr><td><code>hips&nbsp;</code></td><td>Huorong Internet Security (<code>hipsdaemon.exe</code>)&nbsp;</td></tr><tr><td><code>proce&nbsp;</code></td><td>Process Explorer&nbsp;</td></tr><tr><td><code>procm&nbsp;</code></td><td>Process Monitor&nbsp;</td></tr><tr><td><code>ollydbg&nbsp;</code></td><td>OllyDbg&nbsp;</td></tr></tbody></table></figure>
  3709.  
  3710.  
  3711.  
  3712. <h3 class="wp-block-heading">Storing Images in Registry</h3>
  3713.  
  3714.  
  3715.  
  3716. <p><code><em>6305d66aac77098107e3aa6d85af1c2e3fc2bb1f639e4a9da619c8409104c414</em><br><em>(2023-02-22 14:03:04 UTC)</em>&nbsp;</code></p>
  3717.  
  3718.  
  3719.  
3720. <p>Similarly to <a href="#storing-payloads-in-registry">Storing Payloads in Registry</a>, in later stages of GuptiMiner the authors also started saving the downloaded PNG images (containing the shellcodes) into the registry. Unlike the stored payloads, the images are not additionally XORed, since the shellcodes in them are already encrypted using RC2 (see the <a href="#dns-txt-decryption">DNS TXT Record Decryption</a> section for details).&nbsp;</p>
  3721.  
  3722.  
  3723.  
3724. <p>We’ve discovered the following registry key locations being used to store the encrypted images containing the shellcodes so far:&nbsp;</p>
  3725.  
  3726.  
  3727.  
  3728. <ul class="wp-block-list">
  3729. <li><code>SYSTEM\CurrentControlSet\Control\Arbiters\Class&nbsp;</code></li>
  3730.  
  3731.  
  3732.  
  3733. <li><code>SYSTEM\CurrentControlSet\Control\CMF\Class&nbsp;</code></li>
  3734.  
  3735.  
  3736.  
  3737. <li><code>SYSTEM\CurrentControlSet\Control\CMF\CORE&nbsp;</code></li>
  3738.  
  3739.  
  3740.  
  3741. <li><code>SYSTEM\CurrentControlSet\Control\CMF\DEF&nbsp;</code></li>
  3742.  
  3743.  
  3744.  
  3745. <li><code>SYSTEM\CurrentControlSet\Control\CMF\Els&nbsp;</code></li>
  3746.  
  3747.  
  3748.  
  3749. <li><code>SYSTEM\CurrentControlSet\Control\CMF\ASN&nbsp;</code></li>
  3750.  
  3751.  
  3752.  
  3753. <li><code>SYSTEM\CurrentControlSet\Control\MSDTC\BSR&nbsp;</code></li>
  3754. </ul>
  3755.  
  3756.  
  3757.  
  3758. <h2 class="wp-block-heading">Stage 2 – Gzip Loader&nbsp;</h2>
  3759.  
  3760.  
  3761.  
  3762. <p><code><em>357009a70daacfc3379560286a134b89e1874ab930d84edb2d3ba418f7ad6a0b</em><br><em>(2019-04-02 07:30:21 UTC)</em>&nbsp;</code></p>
  3763.  
  3764.  
  3765.  
3766. <p>This stage is the shortest: the Gzip loader, which is extracted and executed by the shellcode from the PNG file, is a simple PE that decompresses another shellcode using Gzip and executes it in a separate thread.&nbsp;</p>
  3767.  
  3768.  
  3769.  
3770. <p>This thread additionally loads Stage 3, which we call Puppeteer; it orchestrates the core functionality of the malware – the cryptocurrency mining as well as, when applicable, deploying backdoors on the infected systems.&nbsp;</p>
  3771.  
  3772.  
  3773.  
3774. <p>Throughout the GuptiMiner operations, the Gzip loader has not changed in later versions.&nbsp;</p>
  3775.  
  3776.  
  3777.  
  3778. <h2 class="wp-block-heading">Stage 3 – Puppeteer</h2>
  3779.  
  3780.  
  3781.  
  3782. <p><code><em>364984e8d62eb42fd880755a296bd4a93cc071b9705c1f1b43e4c19dd84adc65</em><br><em>(2019-03-15 10:07:36 UTC)</em>&nbsp;</code></p>
  3783.  
  3784.  
  3785.  
  3786. <p>Let’s now look at the biggest Stage 3, the Puppeteer. It pulls its strings everywhere across the infected system, manipulating the GuptiMiner components to do its bidding, hence the name we’ve chosen. It orchestrates further actions and deploys two core components of the malware – an XMRig coinminer and two types of backdoors that target devices present in large corporate networks. Of course, Puppeteer also introduces additional tricks to the arsenal of the whole GuptiMiner operation.&nbsp;</p>
  3787.  
  3788.  
  3789.  
  3790. <p>This stage also uses one of the many <code>Global\SLDV</code> mutexes which we described in the <a href="#mutexes-in-time">Mutex timeline</a>. For example, this particular sample uses <code>SLDV01</code> as its mutex.</p>
  3791.  
  3792.  
  3793.  
  3794. <h3 class="wp-block-heading">Puppeteer Setup</h3>
  3795.  
  3796.  
  3797.  
3798. <p>Puppeteer performs several steps for a proper setup. Firstly, it adds a new power scheme in Windows so the PC does not go to sleep. If the CPU has only one core (an anti-VM check) or the mutex already exists, the malware ceases to function by going into an infinite sleep.&nbsp;</p>
  3799.  
  3800.  
  3801.  
3802. <p>In the next phase, the malware kills all processes named <code>msiexec.exe</code>, <code>cmstp.exe</code>, or <code>credwiz.exe</code>. After that, it creates a separate thread that injects XMRig into a <code>credwiz.exe</code> process freshly created by the malware. The malware also disables Windows Defender by setting its service start type to disabled.&nbsp;</p>
  3803.  
  3804.  
  3805.  
3806. <p>For persistence, Puppeteer chose an interesting approach. Firstly, it creates a scheduled task with the following configuration:&nbsp;</p>
  3807.  
  3808.  
  3809.  
  3810. <ul class="wp-block-list">
3811. <li>A legitimate <code>rundll32.exe</code> file is copied and renamed to <code>C:\ProgramData\Microsoft\Crypto\Escan\dss.exe</code>, and this file is executed from the scheduled task&nbsp;</li>
  3812.  
  3813.  
  3814.  
3815. <li>The malicious DLL is placed at <code>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll3</code>, and this file is loaded by <code>dss.exe</code> (exported function <code>ValidateFile</code>)&nbsp;</li>
  3816.  
  3817.  
  3818.  
3819. <li>The task is executed at every boot (<code>TASK_TRIGGER_BOOT</code>) with the <code>TASK_RUNLEVEL_HIGHEST</code> run level&nbsp;</li>
  3820.  
  3821.  
  3822.  
  3823. <li>The task is named and located at <code>C:\Windows\system32\tasks\Microsoft\windows\autochk\ESUpgrade</code>&nbsp;</li>
  3824. </ul>
  3825.  
  3826.  
  3827.  
3828. <p>With that, the malware copies the content of <code>updll3.dll3</code> into memory and deletes the original file from disk. Puppeteer then waits for a system shutdown (similarly to <a href="#installation-improvements">Stage 0.9</a>) by polling the <code>SM_SHUTTINGDOWN</code> system metric every 100 milliseconds until it becomes non-zero, which indicates the shutdown. Only once the shutdown of the system has been initiated does the malware write the <code>updll3.dll3</code> file back onto disk.&nbsp;</p>
  3829.  
  3830.  
  3831.  
3832. <p>Putting the malicious DLL back just before the system restart is really sneaky, but it also has potentially negative consequences. If the victim’s device encounters a crash, a power outage, or any other kind of unexpected shutdown, the file won’t be restored from memory and Puppeteer will stop working from that point on. Perhaps this is why the authors removed this trick in later versions, trading sophistication for the malware’s stability.</p>
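<p>The persistence configuration above gives a defender a concrete pattern to hunt for in Task Scheduler definitions. The following is an added example written for this article, not code from the report or from GuptiMiner: it parses the Windows Task Scheduler XML format and flags the combination of traits listed above (boot trigger, highest run level, an action under <code>C:\ProgramData\Microsoft\Crypto\Escan</code>, a DLL with a <code>.dll3</code>-style extension, and rundll32-style <code>&lt;dll&gt;,&lt;export&gt;</code> arguments handed to a binary that is not <code>rundll32.exe</code>). The sample task XML is constructed; the exact argument form used to pass <code>updll3.dll3</code> and <code>ValidateFile</code> to <code>dss.exe</code> is an assumption, since the report only states that <code>dss.exe</code> loads the DLL through that export.</p>

```python
"""Triage Windows Task Scheduler XML for the Puppeteer persistence pattern.

Added illustration for the analysis above, not the report's own code.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators taken from the Puppeteer setup described above (lower-cased for matching).
ESCAN_DIR = r"c:\programdata\microsoft\crypto\escan"
TASK_LOCATION = r"\microsoft\windows\autochk\esupgrade"
# ".dll" followed by extra characters, as in updll3.dll3
ODD_DLL_EXT = re.compile(r"\.dll[0-9a-z]+\b", re.IGNORECASE)
# rundll32 argument syntax: <dll path>,<export name>
RUNDLL_STYLE = re.compile(r"\.dll\w*,\s*\w+", re.IGNORECASE)

# Traits that on their own justify pulling the task for a closer look.
STRONG = {"task_location", "escan_path", "odd_dll_extension", "rundll32_style_args"}


def analyse_task(task_xml: str, task_path: str = "") -> list[str]:
    """Return the Puppeteer-like traits found in one Task Scheduler XML definition."""
    root = ET.fromstring(task_xml)
    traits = []

    # Task file stored where the report says the ESUpgrade task lives.
    if task_path.lower().endswith(TASK_LOCATION):
        traits.append("task_location")
    if root.find("t:Triggers/t:BootTrigger", TASK_NS) is not None:
        traits.append("boot_trigger")
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="", namespaces=TASK_NS)
    if run_level == "HighestAvailable":
        traits.append("highest_runlevel")

    for action in root.findall("t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        exe_name = command.lower().rsplit("\\", 1)[-1]

        if ESCAN_DIR in command.lower() or ESCAN_DIR in args.lower():
            traits.append("escan_path")
        if ODD_DLL_EXT.search(args):
            traits.append("odd_dll_extension")
        # rundll32 syntax given to a binary not named rundll32.exe points at a renamed copy.
        if RUNDLL_STYLE.search(args) and exe_name != "rundll32.exe":
            traits.append("rundll32_style_args")
    return traits


def is_puppeteer_like(traits: list[str]) -> bool:
    """Boot trigger plus highest run level is common; require at least one strong trait."""
    return any(t in STRONG for t in traits)


# Constructed sample modelled on the configuration listed above (not a real capture).
PUPPETEER_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\ProgramData\Microsoft\Crypto\Escan\dss.exe</Command>
    <Arguments>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll3,ValidateFile</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task: the genuine rundll32.exe loading a System32 DLL at boot.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>C:\Windows\System32\example.dll,Run</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    samples = (
        ("ESUpgrade", PUPPETEER_TASK, r"C:\Windows\system32\tasks\Microsoft\windows\autochk\ESUpgrade"),
        ("benign", BENIGN_TASK, r"C:\Windows\system32\tasks\Example"),
    )
    for name, xml_text, path in samples:
        found = analyse_task(xml_text, path)
        print(f"{name}: suspicious={is_puppeteer_like(found)} traits={found}")
```

Because Puppeteer deletes <code>updll3.dll3</code> from disk until shutdown, the task definition is often the only artefact present while the machine is running, which is why the check works on the XML rather than on the DLL itself.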
  3833.  
  3834.  
  3835. <div class="wp-block-image">
  3836. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36.png"><img loading="lazy" decoding="async" width="1126" height="1270" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36.png" alt="" class="wp-image-8456" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36.png 1126w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36-266x300.png 266w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36-908x1024.png 908w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-36-768x866.png 768w" sizes="(max-width: 1126px) 100vw, 1126px" /></a><figcaption class="wp-element-caption"><em>A code ensuring the correct after-reboot execution</em></figcaption></figure></div>
  3837.  
  3838.  
  3839. <p>The repetitive loading of <code>updll3.dll3</code>, as seen in the code above, is in fact Puppeteer’s update process. The DLL will ultimately perform steps of requesting a new <a href="#parsing-the-png-file">PNG shellcode</a> from the C&amp;C servers and if it is a new version, the chain will be updated.&nbsp;</p>
  3840.  
  3841.  
  3842.  
  3843. <h3 class="wp-block-heading">XMRig Deployment&nbsp;</h3>
  3844.  
  3845.  
  3846.  
  3847. <p>During the setup, Puppeteer created a separate thread for injecting an XMRig coinminer into <code>credwiz.exe</code> process. Before the injection takes place, however, a few preparation steps are performed.&nbsp;</p>
  3848.  
  3849.  
  3850.  
3851. <p>The XMRig configuration is present directly in the XMRig binary (a standard JSON config) stored in the Puppeteer binary. This configuration can, however, be modified to different values on the fly. In the example below, we can see a dynamic allocation of mining threads depending on the robustness of the infected system’s hardware.&nbsp;</p>
  3852.  
  3853.  
  3854. <div class="wp-block-image">
  3855. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-37.png"><img loading="lazy" decoding="async" width="393" height="141" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-37.png" alt="" class="wp-image-8457" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-37.png 393w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-37-300x108.png 300w" sizes="(max-width: 393px) 100vw, 393px" /></a><figcaption class="wp-element-caption"><em>Patching the XMRig configuration on the fly, dynamically assigning mining threads</em></figcaption></figure></div>
  3856.  
  3857.  
3858. <p>The injection is standard: the malware creates a new suspended <code>credwiz.exe</code> process and, if successful, the coinminer is injected and executed using the <code>WriteProcessMemory</code> and <code>CreateRemoteThread</code> combo.&nbsp;</p>
  3859.  
  3860.  
  3861.  
3862. <p>Puppeteer continuously monitors the system for running processes, by default every 5 seconds. If it encounters any of the monitoring tools below, the malware stops any existing mining by killing the whole <code>credwiz.exe</code> process and applies a progressive sleep, postponing the next re-injection attempt by an additional 5 hours.&nbsp;</p>
  3863.  
  3864.  
  3865.  
  3866. <ul class="wp-block-list">
  3867. <li><code>taskmgr.exe</code>&nbsp;</li>
  3868.  
  3869.  
  3870.  
  3871. <li><code>autoruns.exe</code>&nbsp;</li>
  3872.  
  3873.  
  3874.  
  3875. <li><code>wireshark.exe</code>&nbsp;</li>
  3876.  
  3877.  
  3878.  
  3879. <li><code>wireshark-gtk.exe</code>&nbsp;</li>
  3880.  
  3881.  
  3882.  
  3883. <li><code>tcpview.exe</code>&nbsp;</li>
  3884. </ul>
  3885.  
  3886.  
  3887.  
  3888. <p>Furthermore, the malware needs to locate the current <code>updll3.dll3</code> on the system so its latest version can be stored in memory, removed from disk, and dropped just before another system restart. Two approaches are used to achieve this:&nbsp;</p>
  3889.  
  3890.  
  3891.  
  3892. <ul class="wp-block-list">
  3893. <li>Reading eScan folder location from <code>HKEY_LOCAL_MACHINE\SOFTWARE\AVC3</code>&nbsp;</li>
  3894.  
  3895.  
  3896.  
  3897. <li>If one of the checked processes is called <code>download.exe</code>, which is a legitimate eScan binary, it obtains the file location to discover the folder. The output can look like this:&nbsp;
  3898. <ul class="wp-block-list">
  3899. <li><code>\Device\HarddiskVolume1\Program Files (x86)\eScan\download.exe</code>&nbsp;</li>
  3900. </ul>
  3901. </li>
  3902. </ul>
  3903.  
  3904.  
  3905.  
3906. <p>The check for <code>download.exe</code> serves as an alternative way of locating the eScan installation folder, and the code seems heavily inspired by the example code of <a href="https://learn.microsoft.com/en-us/windows/win32/memory/obtaining-a-file-name-from-a-file-handle" target="_blank" rel="noreferrer noopener">Obtaining a File Name From a File Handle</a> on MSDN.&nbsp;</p>
  3907.  
  3908.  
  3909.  
3910. <p>Finally, Puppeteer also continuously monitors the CPU usage on the system and tweaks the core allocation so that the mining is not <em>that much</em> resource heavy and stays under the radar.&nbsp;</p>
  3911.  
  3912.  
  3913.  
  3914. <h3 class="wp-block-heading" id="backdoor-setup">Backdoor Setup</h3>
  3915.  
  3916.  
  3917.  
  3918. <p><code><em>4dfd082eee771b7801b2ddcea9680457f76d4888c64bb0b45d4ea616f0a47f21</em><br><em>(2019-06-29 03:38:24 UTC)</em>&nbsp;</code></p>
  3919.  
  3920.  
  3921.  
3922. <p>The backdoor is set up by the previous stage, Puppeteer, which first discovers whether the machine is running a Windows Server edition. This is done by checking for a DNS Server registry key (the DNS Server service typically runs on Windows Server editions):<br><code>SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server&nbsp;</code></p>
  3923.  
  3924.  
  3925.  
3926. <p>After that, the malware runs a command to obtain the number of computers joined to the domain:<br><code>net group "domain computers" /domain</code></p>
  3927.  
  3928.  
  3929.  
3930. <p>The output of the <code>net group</code> command typically uses 25 characters per domain-joined computer plus a newline (<code>CR+LF</code>) after every three computers, as illustrated by the example below:&nbsp;</p>
  3931.  
  3932.  
  3933. <div class="wp-block-image">
  3934. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png"><img loading="lazy" decoding="async" width="502" height="80" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png" alt="" class="wp-image-8460" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png 502w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39-300x48.png 300w" sizes="(max-width: 502px) 100vw, 502px" /></a><figcaption class="wp-element-caption"><em>Example output of net group command</em></figcaption></figure></div>
  3935.  
  3936.  
3937. <p>In this version of the backdoor setup, Puppeteer checks whether the number of returned bytes is more than 100. If so, Puppeteer assumes it runs in a network shared with at least five computers, downloads additional payloads from a hardcoded C&amp;C (<code>https://m.airequipment[.]net/gpse/</code>) and executes them using a PowerShell command.&nbsp;</p>
  3938.  
  3939.  
  3940.  
3941. <p>Note that the threshold for the number of returned bytes was different and significantly higher in later versions of GuptiMiner, as described in the dedicated <a href="#modular-backdoor">Modular Backdoor</a> section, resulting in compromising only those networks which had more than 7000 computers joined to the same domain!&nbsp;</p>
  3942.  
  3943.  
  3944.  
3945. <p>If the checks above pass, Puppeteer uses a PowerShell command to download and execute the payload and, interestingly, it is run both in the current process and injected into <code>explorer.exe</code>.&nbsp;</p>
  3946.  
  3947.  
  3948.  
  3949. <figure class="wp-block-image size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-40.png"><img loading="lazy" decoding="async" width="850" height="72" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-40.png" alt="" class="wp-image-8461" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-40.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-40-300x25.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-40-768x65.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a></figure>
  3950.  
  3951.  
  3952.  
3953. <p>Furthermore, regardless of whether the infected computer is present in a network of a certain size, it also tries to download an additional payload from <code>dl.sneakerhost[.]com/u</code>. This payload is yet another PNG file with the appended shellcode. We know this because the code uses exactly the same parsing from the specific offset <code>0x325</code> of the PNG file as described in <a href="#png-loader">Stage 1</a>. However, during our analysis this domain was already taken down and we couldn’t verify what kind of payload was being distributed there.&nbsp;</p>
  3954.  
  3955.  
  3956.  
3957. <p>Puppeteer’s backdoor setup process was improved and tweaked multiple times during its long development. In the upcoming subsections, we will focus on the more important changes, mostly those which influence other parts of the malware or introduce a whole new functionality.&nbsp;</p>
  3958.  
  3959.  
  3960.  
  3961. <h3 class="wp-block-heading">Later Puppeteer Versions&nbsp;</h3>
  3962.  
  3963.  
  3964.  
3965. <p>In later versions, the attackers switched to the datetime mutex paradigm (as illustrated in the <a href="#mutexes-in-time">Mutexes in Time</a> section) and also introduced additional process monitoring of more Sysinternals tools like Process Explorer and Process Monitor, as well as other tools like OllyDbg, WinDbg, and TeamViewer.&nbsp;</p>
  3966.  
  3967.  
  3968.  
  3969. <h4 class="wp-block-heading">Pool Configuration</h4>
  3970.  
  3971.  
  3972.  
  3973. <p><code><em>487624b44b43dacb45fd93d03e25c9f6d919eaa6f01e365bb71897a385919ddd</em><br><em>(2023-11-21 18:05:43 UTC)</em>&nbsp;</code></p>
  3974.  
  3975.  
  3976.  
3977. <p>Additionally, the GuptiMiner authors also started to modify the pool addresses in the XMRig configurations with a new approach. They started using subdomains named “<code>r</code>” and “<code>m</code>”, chosen depending on the physical memory available on the infected system. If there is at least 3 GB of RAM available, the malware uses:<br><code>m.domain.tld</code> with <code>auto</code> mode and huge pages enabled.</p>
  3978.  
  3979.  
  3980.  
3981. <p>If the available RAM is less than 3 GB, it uses:<br><code>r.domain.tld</code> with <code>light</code> mode and huge pages disabled.</p>
  3982.  
  3983.  
  3984.  
  3985. <p>In order to <strong>not</strong> keep things simple, the authors later also started to use “<code>p</code>” as a subdomain in some versions, without any specific reason for the naming convention (perhaps just to say it is a “pool”).&nbsp;</p>
  3986.  
  3987.  
  3988.  
  3989. <p>The usage of all such domains in time can be seen in the <a href="#domains-in-time">Domains timeline</a>.&nbsp;</p>
  3990.  
  3991.  
  3992.  
  3993. <h4 class="wp-block-heading">Variety in Used DLLs&nbsp;</h4>
  3994.  
  3995.  
  3996.  
3997. <p>Puppeteer used many different DLL names and locations over the years, either for sideloading or for direct loading via scheduled tasks. For example, these might be:&nbsp;</p>
  3998.  
  3999.  
  4000.  
  4001. <ul class="wp-block-list">
  4002. <li><code>C:\Program Files (x86)\eScan\updll3.dll3&nbsp;</code></li>
  4003.  
  4004.  
  4005.  
  4006. <li><code>C:\Program Files\Common Files\SYSTEM\SysResetErr\SysResetErr.DLL&nbsp;</code></li>
  4007.  
  4008.  
  4009.  
  4010. <li><code>C:\Program Files\Microsoft SQL Server\SpellChecking\MsSpellChecking.DLL&nbsp;</code></li>
  4011.  
  4012.  
  4013.  
  4014. <li><code>C:\Program Files\Microsoft SQL Server\SpellChecking\MsSpellCheckingHost.DLL&nbsp;</code></li>
  4015.  
  4016.  
  4017.  
  4018. <li><code>C:\ProgramData\AMD\CNext\atiadlxx.dll&nbsp;</code></li>
  4019.  
  4020.  
  4021.  
  4022. <li><code>C:\ProgramData\Microsoft\Assistance\LunarG\vulkan-1.dll&nbsp;</code></li>
  4023.  
  4024.  
  4025.  
  4026. <li><code>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll&nbsp;</code></li>
  4027.  
  4028.  
  4029.  
  4030. <li><code>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll3&nbsp;</code></li>
  4031.  
  4032.  
  4033.  
  4034. <li><code>C:\ProgramData\Microsoft\Network\Escan\AutoWake.dll&nbsp;</code></li>
  4035. </ul>
  4036.  
  4037.  
  4038.  
  4039. <h4 class="wp-block-heading">Puppeteer Cleanup&nbsp;</h4>
  4040.  
  4041.  
  4042.  
  4043. <p><code><em>1c31d06cbdf961867ec788288b74bee0db7f07a75ae06d45d30355c0bc7b09fe</em><br><em>(2020-03-09 00:57:11 UTC)</em></code></p>
  4044.  
  4045.  
  4046.  
  4047. <p>We’ve also seen “cleaner” Puppeteers, meaning they didn’t contain the setup process for backdoors, but they were able to delete the malicious DLLs from the system when a running monitoring tool was detected.&nbsp;</p>
  4048.  
  4049.  
  4050.  
  4051. <h4 class="wp-block-heading" id="deploy-per-quarter">Deploy Per-Quarter&nbsp;</h4>
  4052.  
  4053.  
  4054.  
  4055. <p><code><em>1fbc562b08637a111464ba182cd22b1286a185f7cfba143505b99b07313c97a4</em><br><em>(2021-03-01 10:43:27 UTC)</em>&nbsp;</code></p>
  4056.  
  4057.  
  4058.  
  4059. <p>In this particular version, the deployment of the backdoor was performed once every 3 months, indicating a per-quarter deployment.</p>
  4060.  
  4061.  
  4062. <div class="wp-block-image">
4063. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-41.png"><img loading="lazy" decoding="async" width="603" height="93" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-41.png" alt="" class="wp-image-8462" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-41.png 603w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-41-300x46.png 300w" sizes="(max-width: 603px) 100vw, 603px" /></a><figcaption class="wp-element-caption"><em>The deployment happens in March, June, September, and December</em></figcaption></figure></div>
  4064.  
  4065.  
  4066. <h2 class="wp-block-heading">Stage 4 – Backdoor&nbsp;</h2>
  4067.  
  4068.  
  4069.  
  4070. <p>Since <strong>no one</strong> who puts such an effort into a malware campaign deploys <em>just</em> coinminers on the infected devices, let’s dig deeper into additional sets of GuptiMiner’s functionalities – deploying two types of backdoors on the infected devices.</p>
  4071.  
  4072.  
  4073.  
  4074. <h3 class="wp-block-heading">PuTTY Backdoor&nbsp;</h3>
  4075.  
  4076.  
  4077.  
  4078. <p><code><em>07beca60c0a50520b8dbc0b8cc2d56614dd48fef0466f846a0a03afbfc42349d</em><br><em>(2021-03-01 10:31:33 UTC)</em></code><br><em><code>E:\Projects\putty-src\windows\VS2012\x64\Release\plink.pdb</code></em></p>
  4079.  
  4080.  
  4081.  
  4082. <p>One of the backdoors deployed by GuptiMiner is based on a custom build of PuTTY Link (<code>plink</code>). This build contains an enhancement for local SMB network scanning, and it ultimately enables lateral movement over the network to potentially exploit <code>Windows 7</code> and <code>Windows Server 2008</code> machines by tunneling SMB traffic through the victim’s infected device.&nbsp;</p>
  4083.  
  4084.  
  4085.  
  4086. <h4 class="wp-block-heading">Local SMB Scanning&nbsp;</h4>
  4087.  
  4088.  
  4089.  
4090. <p>First, the plink binary is injected into the <code>netsh.exe</code> process by Puppeteer using the <a href="#deploy-per-quarter">Deploy per-quarter</a> approach. After a successful injection, the malware discovers local IP ranges by reading the IP tables of the victim’s device and adds them to local and global IP range lists.&nbsp;</p>
  4091.  
  4092.  
  4093.  
4094. <p>With that, the malware continues with the local SMB scanning over the obtained IP ranges: <code>xx.yy.zz.1-254</code>. When a device supporting SMB is discovered, it is saved in a dedicated list. The same goes for IPs that don’t support SMB, effectively deny-listing them from future actions. This deny list is saved in specific registry subkeys named <code>Sem</code> and <code>Init</code>, in this location:<br><code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CMF\Class</code><br>where <code>Init</code> contains the found IP addresses and <code>Sem</code> contains their total count.&nbsp;</p>
  4095.  
  4096.  
  4097.  
4098. <p>There are conditions governing when such a scan is performed. For example, the scan can happen only when it is a day in the week <code>(!)</code>, within the per-quarter deployment window, and only between 12 PM and 18 PM. Here, we denote by <code>(!)</code> a <em>unique</em> coding artefact in the condition, since checking the day of the week is not necessary (it is always true).&nbsp;</p>
  4099.  
  4100.  
  4101. <div class="wp-block-image">
  4102. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42.png"><img loading="lazy" decoding="async" width="1477" height="217" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42.png" alt="" class="wp-image-8463" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42.png 1477w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42-300x44.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42-1024x150.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-42-768x113.png 768w" sizes="(max-width: 1477px) 100vw, 1477px" /></a><figcaption class="wp-element-caption"><em>Questionable conditioning for SMB scanning</em></figcaption></figure></div>
  4103.  
  4104.  
4105. <p>Finally, the malware also creates a new registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\RNG\FFFF</code> three hours after a successful scan. This serves as a flag that the scanning is finished and no more scanning is needed.&nbsp;</p>
  4106.  
  4107.  
  4108.  
4109. <p>An even more interesting datetime-related bug can be seen in the condition for the removal of the <code>RNG\FFFF</code> registry key. The removal is done to indicate that the malware can perform another SMB scan after a certain period of time.&nbsp;</p>
  4110.  
  4111.  
  4112.  
4113. <p>As we can see in the figure below, the malware obtains the write time of the registry key and the current system time, converts both with the <code>SystemTimeToVariantTime</code> API function, and subtracts them. The subtraction result is a floating-point number whose integral part is the number of days.&nbsp;</p>
  4114.  
  4115.  
  4116.  
4117. <p>Furthermore, the malware uses the constant <code>60*60*60*24=5184000</code> seconds (60 days) in the condition for the registry key removal. However, the condition compares a <code>VariantTime</code> (in days) with seconds. Thus, the backdoor can activate every <code>51.84</code> days instead of the (intended?) 60 days. A true blessing in disguise.&nbsp;</p>
  4118.  
  4119.  
  4120. <div class="wp-block-image">
  4121. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-43.png"><img loading="lazy" decoding="async" width="779" height="416" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-43.png" alt="" class="wp-image-8464" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-43.png 779w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-43-300x160.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-43-768x410.png 768w" sizes="(max-width: 779px) 100vw, 779px" /></a><figcaption class="wp-element-caption"><em>Removal of <code>RNG\FFFF</code> key, deploying the backdoor after <code>51.84</code> days</em></figcaption></figure></div>
  4122.  
  4123.  
  4124. <h4 class="wp-block-heading">Lateral Movement Over SMB Traffic&nbsp;</h4>
  4125.  
  4126.  
  4127.  
4128. <p>After the local SMB scan is finished, the malware checks from the received SMB packet results whether any of the IP addresses that responded are running <code>Windows 7</code> or <code>Windows Server 2008</code>. If any such system is found on the local network, the malware adds its IP address to a list of potential targets.&nbsp;</p>
  4129.  
  4130.  
  4131.  
4132. <p>Furthermore, GuptiMiner calls plink’s legacy <code>main()</code> function with artificial parameters. This creates a tunnel on port <code>445</code> between the attacker’s server <code>gesucht[.]net</code> and the victim’s device.&nbsp;</p>
  4133.  
  4134.  
  4135. <div class="wp-block-image">
  4136. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-45.png"><img loading="lazy" decoding="async" width="612" height="545" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-45.png" alt="" class="wp-image-8466" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-45.png 612w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-45-300x267.png 300w" sizes="(max-width: 612px) 100vw, 612px" /></a><figcaption class="wp-element-caption"><em>Parameters used for <code>plink main()</code> function</em></figcaption></figure></div>
  4137.  
  4138.  
  4139. <p>This tunnel is used for sending SMB traffic through the victim’s device to the IP addresses from the target list, enabling lateral movement over the local network.&nbsp;</p>
  4140.  
  4141.  
  4142.  
  4143. <p>Note that this version of Puppeteer, which deploys this backdoor, is from 2021. As mentioned, only <code>Windows 7</code> and <code>Windows Server 2008</code> are targeted, both of which are rather old. We think this might be because the attackers try to deploy an exploit for possible vulnerabilities on these old systems.&nbsp;</p>
  4144.  
  4145.  
  4146.  
  4147. <p>To orchestrate the SMB communication, the backdoor hand-crafts SMB packets on the fly by modifying <code>TID</code> and <code>UID</code> fields to reflect previous SMB communication. As shown in the decompiled code below, the SMB <code>packet 4</code>, which is crafted and sent by the malware, contains both <code>TID</code> and <code>UID</code> from the responses of the local network device.&nbsp;</p>
  4148.  
  4149.  
  4150. <div class="wp-block-image">
  4151. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46.png"><img loading="lazy" decoding="async" width="1065" height="572" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46.png" alt="" class="wp-image-8467" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46.png 1065w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46-300x161.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46-1024x550.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-46-768x412.png 768w" sizes="(max-width: 1065px) 100vw, 1065px" /></a><figcaption class="wp-element-caption"><em>The backdoor hand-crafts SMB packets on the fly</em></figcaption></figure></div>
  4152.  
  4153.  
  4154. <p>Here is an example of how the SMB packets look in Wireshark when sent by the malware. After the connection is established, the malware tries to log in as anonymous and requests <code>\IPC$</code> and a named pipe.</p>
  4155.  
  4156.  
  4157. <div class="wp-block-image">
  4158. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-47.png"><img loading="lazy" decoding="async" width="1007" height="88" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-47.png" alt="" class="wp-image-8468" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-47.png 1007w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-47-300x26.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-47-768x67.png 768w" sizes="(max-width: 1007px) 100vw, 1007px" /></a><figcaption class="wp-element-caption"><em>SMB traffic captured by Wireshark</em></figcaption></figure></div>
  4159.  
  4160.  
  4161. <p>Interested readers can find the captured PCAP on our <a href="https://github.com/avast/ioc/blob/master/GuptiMiner/extras/PCAP/smb_backdoor_networking.pcap" target="_blank" rel="noreferrer noopener">GitHub</a>.</p>
  4162.  
  4163.  
  4164.  
  4165. <h3 class="wp-block-heading" id="modular-backdoor">Modular Backdoor&nbsp;</h3>
  4166.  
  4167.  
  4168.  
  4169. <p><code><em>f0ccfcb5d49d08e9e66b67bb3fedc476fdf5476a432306e78ddaaba4f8e3bbc4</em><br><em>(2023-10-10 15:08:36 UTC)</em>&nbsp;</code></p>
  4170.  
  4171.  
  4172.  
  4173. <p>Another backdoor that we’ve found being distributed by Puppeteer during our research is a modular backdoor which targets huge corporate networks. It consists of two phases: in the first, the malware scans the device for locally stored private keys and cryptocurrency wallets; the second is an injected modular backdoor in the form of shellcode.&nbsp;</p>
  4174.  
  4175.  
  4176.  
  4177. <h4 class="wp-block-heading">Checks on Private Keys, Wallets, and Corporate Network</h4>
  4178.  
  4179.  
  4180.  
  4181. <p>This part of the backdoor focuses on scanning for private keys and wallet files on the system. This is done by searching for <code>.pvk</code> and <code>.wallet</code> files in these locations:&nbsp;</p>
  4182.  
  4183.  
  4184.  
  4185. <ul class="wp-block-list">
  4186. <li><code>C:\Users\*&nbsp;</code></li>
  4187.  
  4188.  
  4189.  
  4190. <li><code>D:\*&nbsp;</code></li>
  4191.  
  4192.  
  4193.  
  4194. <li><code>E:\*&nbsp;</code></li>
  4195.  
  4196.  
  4197.  
  4198. <li><code>F:\*&nbsp;</code></li>
  4199.  
  4200.  
  4201.  
  4202. <li><code>G:\*&nbsp;</code></li>
  4203. </ul>
  4204.  
  4205.  
  4206.  
  4207. <p>If such a file is found on the system, its path is logged in a newly created file <code>C:\Users\Public\Ca.txt</code>. Interestingly, this file is not processed further by the code we have available. We suppose the data will be stolen later, once further modules are downloaded by the backdoor.&nbsp;</p>
  4208.  
  4209.  
  4210.  
  4211. <p>The fact that the scan was performed is marked by creating a registry key:<br><code>HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\DECLAG&nbsp;</code></p>
  4212.  
  4213.  
  4214.  
  4215. <p>If some private keys or wallets were found on the system, or the malware is running in a huge corporate environment, the malware proceeds with injecting the backdoor, in the form of shellcode, into the <code>mmc.exe</code> process.&nbsp;</p>
  4216.  
  4217.  
  4218.  
  4219. <p>The size of the corporate environment is estimated by the same approach as in Puppeteer’s <a href="#backdoor-setup">backdoor setup</a>, differing only in scale. Here, the malware compares the length of the returned list of computers in the domain against 200,000 characters. To recapitulate, the data printed by the <code>net group</code> command uses 25 characters per domain-joined computer plus a newline (<code>CR+LF</code>) for every three computers.&nbsp;</p>
  4220.  
  4221.  
  4222. <div class="wp-block-image">
  4223. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png"><img loading="lazy" decoding="async" width="502" height="80" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png" alt="" class="wp-image-8460" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39.png 502w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-39-300x48.png 300w" sizes="(max-width: 502px) 100vw, 502px" /></a><figcaption class="wp-element-caption"><em>Example output of <code>net group</code> command</em></figcaption></figure></div>
  4224.  
  4225.  
  4226. <p>This effectively means that the network in which the malware operates must have at least 7781 computers joined in the domain, which is quite a large number.</p>
  4227.  
  4228.  
  4229.  
  4230. <h4 class="wp-block-heading">Backdoor</h4>
  4231.  
  4232.  
  4233.  
  4234. <p><code><em>8446d4fc1310b31238f9a610cd25ea832925a25e758b9a41eea66f998163bb34</em>&nbsp;</code></p>
  4235.  
  4236.  
  4237.  
  4238. <p>This shellcode is a completely different piece of code from what we’ve seen so far across the GuptiMiner campaign. It is designed to be multi-modular, with the capability of adding more modules into the execution flow. Only a networking communication module, however, is hardcoded and available by default; its hash is <code>74d7f1af69fb706e87ff0116b8e4fa3a9b87275505e2ee7a32a8628a2d066549 (<em>2022-12-19 07:31:39 UTC</em>)</code>.&nbsp;</p>
  4239.  
  4240.  
  4241.  
  4242. <p>After the injection, the backdoor decrypts a hardcoded configuration and a hardcoded networking module using RC4. The RC4 key is also hardcoded and available directly in the shellcode.&nbsp;</p>
  4243.  
  4244.  
  4245.  
  4246. <p>The configuration contains details about which server to contact, what ports to use, and the length of the delays that should be set between commands/requests, among others. The configuration specifies the domain <code>www.righttrak[.]net:443</code> and the IP address <code>185.248.160[.]141</code> for communication.</p>
  4247.  
  4248.  
  4249. <div class="wp-block-image">
  4250. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-50.png"><img loading="lazy" decoding="async" width="642" height="235" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-50.png" alt="" class="wp-image-8471" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-50.png 642w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-50-300x110.png 300w" sizes="(max-width: 642px) 100vw, 642px" /></a><figcaption class="wp-element-caption"><em>Decrypted network module configuration</em></figcaption></figure></div>
  4251.  
  4252.  
  4253. <p>The network module contains seven different commands that the attacker can use for instructing the backdoor about what to do. A complete list of commands accepted by the network module can be found in the table below. Note that each module that can be used by the backdoor contains such a command handler on its own.&nbsp;</p>
  4254.  
  4255.  
  4256.  
  4257. <figure class="wp-block-table"><table><tbody><tr><td><strong>Command</strong>&nbsp;</td><td><strong>Description</strong>&nbsp;</td></tr><tr><td>3.0&nbsp;</td><td>Connect&nbsp;</td></tr><tr><td>3.1&nbsp;</td><td>Read socket&nbsp;</td></tr><tr><td>3.2&nbsp;</td><td>Write socket&nbsp;</td></tr><tr><td>3.3&nbsp;</td><td>Close socket&nbsp;</td></tr><tr><td>4&nbsp;</td><td>Close everything&nbsp;</td></tr><tr><td>6&nbsp;</td><td>Return 1&nbsp;</td></tr><tr><td>12&nbsp;</td><td>Load configuration&nbsp;</td></tr></tbody></table></figure>
  4258.  
  4259.  
  4260.  
  4261. <p>The modules are stored in an encrypted form in the registry, ensuring their persistence:<br><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCB</code></p>
  4262.  
  4263.  
  4264.  
  4265. <p>The backdoor also uses import-by-hash obfuscation for resolving API functions. The hashing function is a simple algorithm: for each byte of the exported function name, it multiplies the running value (<code>calculated_hash</code>, initially 0) by 131 and adds the byte plus 1 to it:</p>
  4266.  
  4267.  
  4268.  
  4269. <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="850" height="72" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-52.png" alt="" class="wp-image-8473" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-52.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-52-300x25.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-52-768x65.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></figure>
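The routine above is what an analyst re-implements to map the hash values found in the shellcode back to readable API names. The following is an added example (not code from the Avast write-up or from the malware): it implements the described hash, builds a hash-to-name lookup from a constructed list of export names, and resolves a constructed little-endian hash table. The 32-bit truncation and the little-endian table layout are assumptions, as is the sample export list.

```python
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of export names; a real resolver would load the full
# export tables of kernel32.dll, ws2_32.dll, advapi32.dll, ... from a clean
# system instead.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread",
    "WSAStartup", "socket", "connect", "send", "recv", "closesocket",
    "RegOpenKeyExA", "RegSetValueExA", "RegQueryValueExA",
]


def api_hash(name: str) -> int:
    """Hash as described in the write-up: for each byte b of the ASCII export
    name, hash = hash * 131 + (b + 1), starting from 0.  Keeping the value in
    32 bits is an assumption about the decompiled routine."""
    h = 0
    for b in name.encode("ascii"):
        h = (h * 131 + b + 1) & 0xFFFFFFFF
    return h


def build_lookup(names: Iterable[str]) -> Dict[int, str]:
    """Map hash value -> export name so hashes pulled from the shellcode can
    be resolved.  A collision would make the mapping ambiguous, so it is
    reported rather than silently overwritten."""
    table: Dict[int, str] = {}
    for n in names:
        h = api_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]} / {n} -> {h:#010x}")
        table[h] = n
    return table


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    return table.get(h & 0xFFFFFFFF)


def resolve_hash_list(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, Optional[str]]]:
    """Interpret a byte blob as consecutive little-endian 32-bit hashes (the
    usual layout of a hash table embedded in shellcode) and resolve each."""
    return [(h, resolve(h, table)) for (h,) in struct.iter_unpack("<I", blob)]


if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    # Constructed blob: hashes of three APIs followed by one unknown value.
    blob = b"".join(struct.pack("<I", api_hash(n))
                    for n in ("LoadLibraryA", "GetProcAddress", "VirtualAlloc"))
    blob += struct.pack("<I", 0xDEADBEEF)
    for h, name in resolve_hash_list(blob, table):
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

In practice the lookup is built from the export tables of the DLLs the shellcode is known to load; an unresolved value then usually points to a DLL not yet in the table rather than to a hashing mistake.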
  4270.  
  4271.  
  4272.  
  4273. <p>The server <code>www.righttrak[.]net:443</code> had, at the time, a valid certificate. Note for example the <em>not-at-all-suspicious</em> email address the authors used.&nbsp;</p>
  4274.  
  4275.  
  4276. <div class="wp-block-image">
  4277. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-53.png"><img loading="lazy" decoding="async" width="779" height="933" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-53.png" alt="" class="wp-image-8474" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-53.png 779w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-53-250x300.png 250w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-53-768x920.png 768w" sizes="(max-width: 779px) 100vw, 779px" /></a><figcaption class="wp-element-caption"><em>Certificate on <code>www.righttrak[.]net:443</code> as shown by Censys</em></figcaption></figure></div>
  4278.  
  4279.  
  4280. <h4 class="wp-block-heading" id="other-infection-vectors-modular-backdoor">Other Infection Vectors of Modular Backdoor</h4>
  4281.  
  4282.  
  4283.  
  4284. <p><em><code>af9f1331ac671d241bf62240aa52389059b4071a0635cb9cb58fa78ab942a33b</code></em></p>
  4285.  
  4286.  
  4287.  
  4288. <p>During our research, we have also found a 7zip SFX executable containing two files:&nbsp;</p>
  4289.  
  4290.  
  4291.  
  4292. <ul class="wp-block-list">
  4293. <li><code>ms00.dat</code>&nbsp;</li>
  4294.  
  4295.  
  4296.  
  4297. <li><code>notepad.exe</code>&nbsp;</li>
  4298. </ul>
  4299.  
  4300.  
  4301.  
  4302. <p><code>notepad.exe</code> is a small binary that decrypts the <code>ms00.dat</code> file using RC4 with the key <code>V#@!1vw32</code>. The decrypted <code>ms00.dat</code> file is the same Modular Backdoor malware as described above.&nbsp;</p>
  4303.  
  4304.  
  4305.  
  4306. <p>However, we have not seen this SFX executable being distributed by GuptiMiner. This indicates that this backdoor might be distributed by different infection vectors as well.&nbsp;</p>
  4307.  
  4308.  
  4309.  
  4310. <h2 class="wp-block-heading">Related and Future Research</h2>
  4311.  
  4312.  
  4313.  
  4314. <p>We’ve also observed other more or less related samples during our research.&nbsp;</p>
  4315.  
  4316.  
  4317.  
  4318. <h3 class="wp-block-heading">PowerShell Scripts</h3>
  4319.  
  4320.  
  4321.  
  4322. <p>Interestingly, we’ve found the C&amp;C domain from the backdoor setup phase (in Puppeteer) in additional scripts as well, which were not distributed by the traditional GuptiMiner operation as we know it. We think this might be a different kind of attack sharing the GuptiMiner infrastructure, or possibly a separate campaign. The formatted PowerShell script can be found below:&nbsp;</p>
  4323.  
  4324.  
  4325. <div class="wp-block-image">
  4326. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-54.png"><img loading="lazy" decoding="async" width="850" height="720" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-54.png" alt="" class="wp-image-8475" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-54.png 850w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-54-300x254.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-54-768x651.png 768w" sizes="(max-width: 850px) 100vw, 850px" /></a><figcaption class="wp-element-caption"><em>A PowerShell script targeting eScan (formatted)</em></figcaption></figure></div>
  4327.  
  4328.  
  4329. <p>In this case, the payload is downloaded and executed from the malicious domain only when an antivirus is installed whose name has more than 4 letters and starts with <code>eS</code>. One does not have to be a Scrabble champion to figure out that the malware authors are targeting the eScan AV once again. The malicious code is also run when the name of the installed AV has fewer than 5 letters.&nbsp;</p>
  4330.  
  4331.  
  4332.  
  4333. <p>We’ve found this script being run via a scheduled task with the following command:<br><code>"cmd.exe" /c type "\&lt;domain&gt;\SYSVOL\&lt;domain&gt;\scripts\gpon.inc" | "\&lt;domain&gt;\SYSVOL\&lt;domain&gt;\scripts\powAMD64.dat" -nop -&nbsp;</code><br>where <code>powAMD64.dat</code> is a copy of <code>powershell.exe</code>. The task’s name and location were <code>C:\Windows\System32\Tasks\ScheduledDefrag&nbsp;</code></p>
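The scheduled-task command above has three traits a defender can hunt for: a script-like file under SYSVOL with an unusual extension, a PowerShell switch (<code>-nop</code>) handed to a binary that is not named powershell, and a script body piped via <code>type</code> into a program reading from stdin. The following is an added example (not code from the Avast write-up) that encodes these traits as heuristics and runs them over constructed task command lines; the task names and the <code>corp.example</code> domain are made up, and the regular expressions are this example's own approximation, not a published rule.

```python
import re
from typing import Dict, List

# Constructed scheduled-task entries (task name -> command line), not real
# telemetry.  The first mirrors the shape of the command quoted in the
# write-up, with corp.example standing in for the domain placeholder.
SAMPLE_TASKS: Dict[str, str] = {
    "ScheduledDefrag": r'"cmd.exe" /c type "\\corp.example\SYSVOL\corp.example\scripts\gpon.inc" | "\\corp.example\SYSVOL\corp.example\scripts\powAMD64.dat" -nop -',
    "Defrag-Weekly": r'"C:\Windows\System32\defrag.exe" -c -h',
    "LogonScript": r'"\\corp.example\SYSVOL\corp.example\scripts\logon.bat"',
}

# Extensions one expects to see executed out of a domain's scripts share.
EXPECTED_SCRIPT_EXTENSIONS = (".exe", ".bat", ".cmd", ".vbs", ".ps1")


def task_command_findings(command: str) -> List[str]:
    """Return a list of human-readable reasons the command looks suspicious;
    an empty list means none of the heuristics fired."""
    findings: List[str] = []

    # 1. Quoted paths under \SYSVOL\...\scripts\ with an extension that is
    #    not normally executed (e.g. .inc or .dat).
    for path in re.findall(r'"([^"]+)"', command):
        low = path.lower()
        if "\\sysvol\\" in low and "\\scripts\\" in low \
                and not low.endswith(EXPECTED_SCRIPT_EXTENSIONS):
            findings.append(f"SYSVOL script path with unusual extension: {path}")

    # 2. A PowerShell-only switch given to something not named powershell,
    #    which is what a renamed copy of powershell.exe looks like.
    if re.search(r"\s-nop\b", command, re.IGNORECASE) \
            and "powershell" not in command.lower():
        findings.append("PowerShell switch -nop given to a binary not named powershell")

    # 3. 'type <file> | <program> ... -' feeds a script to the program's stdin,
    #    keeping the script text out of the task's own command line.
    if re.search(r"\btype\b[^|]*\|", command, re.IGNORECASE) \
            and command.rstrip().endswith(" -"):
        findings.append("script contents piped via 'type' into a program reading from stdin")

    return findings


def scan_tasks(tasks: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the heuristics over every task and keep only the ones that fired."""
    report: Dict[str, List[str]] = {}
    for name, cmd in tasks.items():
        findings = task_command_findings(cmd)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan_tasks(SAMPLE_TASKS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The command lines can be taken from the <code>Exec/Command</code> and <code>Exec/Arguments</code> elements of the task XML files under <code>C:\Windows\System32\Tasks</code> or from task-creation event logs; the heuristics are deliberately loose, so each hit is a lead for review rather than a verdict.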
  4334.  
  4335.  
  4336.  
  4337. <h3 class="wp-block-heading">Usage of Stolen Certificates&nbsp;</h3>
  4338.  
  4339.  
  4340.  
  4341. <p>We have found two stolen certificates used for signing GuptiMiner payloads. Interestingly, one of the used stolen certificates originates in Winnti operations. In this particular sample, the digital signature has a hash:&nbsp;<br><code>529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56</code>&nbsp;</p>
  4342.  
  4343.  
  4344.  
  4345. <p>This certificate is the same one mentioned by <a href="https://securelist.com/winnti-more-than-just-a-game/37029/" target="_blank" rel="noreferrer noopener">Kaspersky</a> more than 10 years ago. However, we’ve also seen this certificate used in malware samples other than GuptiMiner, indicating a broader leak.&nbsp;</p>
  4346.  
  4347.  
  4348.  
  4349. <p>A complete list of stolen certificates and their usage can be found in the table below:&nbsp;</p>
  4350.  
  4351.  
  4352.  
  4353. <figure class="wp-block-table"><table><tbody><tr><td><strong>Stolen certificate SHA1</strong>&nbsp;</td><td><strong>Signed GuptiMiner sample</strong>&nbsp;</td></tr><tr><td>529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56&nbsp;</td><td>31dfba1b102bbf4092b25e63aae0f27386c480c10191c96c04295cb284f20878&nbsp;</td></tr><tr><td>529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56&nbsp;</td><td>8e96d15864ec0cc6d3976d87e9e76e6eeccc23c551b22dcfacb60232773ec049&nbsp;</td></tr><tr><td>31070C2EA30E6B4E1C270DF94BE1036AE7F8616B&nbsp;</td><td>b0f94d84888dffacbc10bd7f9983b2d681b55d7e932c2d952d47ee606058df54&nbsp;</td></tr><tr><td>31070C2EA30E6B4E1C270DF94BE1036AE7F8616B&nbsp;</td><td>f656a418fca7c4275f2441840faaeb70947e4f39d3826d6d2e50a3e7b8120e4e&nbsp;</td></tr></tbody></table></figure>
  4354.  
  4355.  
  4356.  
  4357. <h3 class="wp-block-heading">Possible Ties to Kimsuky&nbsp;</h3>
  4358.  
  4359.  
  4360.  
  4361. <p><code><em>7f1221c613b9de2da62da613b8b7c9afde2ea026fe6b88198a65c9485ded7b3d</em><br><em>(2021-03-06 20:13:32 UTC)</em>&nbsp;</code></p>
  4362.  
  4363.  
  4364.  
  4365. <p>During our research, we’ve also found an information stealer which has a PDB path rather similar to the one used across the whole GuptiMiner campaign (<code>MainWork</code>):<br><code>F:\!PROTECT\Real\startW-2008\MainWork\Release\MainWork.pdb</code>&nbsp;</p>
  4366.  
  4367.  
  4368.  
  4369. <p>However, we haven’t seen it distributed by GuptiMiner and, according to our data, it doesn’t belong to the same operation and infection chain. This malware performs stealing activities such as capturing every keystroke, harvesting HTML forms from open browser tabs, and noting the times programs were opened, and stores the results in log files.&nbsp;</p>
  4370.  
  4371.  
  4372.  
  4373. <p>What is truly interesting, however, is that this information stealer might come from Kimsuky operations. Also known as Black Banshee, among other aliases, Kimsuky is a North Korean state-backed APT group.&nbsp;</p>
  4374.  
  4375.  
  4376.  
  4377. <p>It uses a similar approach of searching for the AhnLab real-time detection window class name <code>49B46336-BA4D-4905-9824-D282F05F6576</code>, as mentioned by both <a href="https://asec.ahnlab.com/en/31089/" target="_blank" rel="noreferrer noopener">AhnLab</a> and <a href="https://blog.talosintelligence.com/kimsuky-abuses-blogs-delivers-malware/" target="_blank" rel="noreferrer noopener">Cisco Talos Intelligence</a> in their <em>Information-gathering module</em> section. If such a window is found, it is terminated/hidden from the infected user’s view.&nbsp;</p>
  4378.  
  4379.  
  4380. <div class="wp-block-image">
  4381. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55.png"><img loading="lazy" decoding="async" width="1024" height="410" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55-1024x410.png" alt="" class="wp-image-8477" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55-1024x410.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55-300x120.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55-768x308.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-55.png 1338w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption"><em>Function that searches and terminates AhnLab’s real-time detection window class</em></figcaption></figure></div>
  4382.  
  4383.  
  4384. <p>Furthermore, the stealer contains an encrypted payload in its resources with the hash <code>d5bc6cf988c6d3c60e71195d8a5c2f7525f633bb54059688ad8cfa1d4b72aa6c (<em>2021-02-19 15:00:47 UTC</em>)</code> and this PDB path:<br><code>F:\PROTECT\Real\startW-2008\HTTPPro\Release\HTTPPro.pdb</code>&nbsp;</p>
  4385.  
  4386.  
  4387.  
  4388. <p>This module is decrypted using the standard RC4 algorithm with the key <code>messi.com</code>. The module is used for downloading additional stages. The URLs used include:<br><code>http://stwu.mygamesonline[.]org/home/sel.php</code><br><code>http://stwu.mygamesonline[.]org/home/buy.php?filename=%s&amp;key=%s</code>&nbsp;</p>
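Both the <code>ms00.dat</code> file dropped by the 7zip SFX (RC4, key <code>V#@!1vw32</code>, see the Other Infection Vectors section) and the HTTPPro resource above (RC4, key <code>messi.com</code>) are plain RC4 blobs, so one small decryptor serves for extracting either during analysis. The following is an added example, not code from the Avast write-up: a standard RC4 implementation, a try-all-known-keys helper, and a cheap check that the result looks like a Windows executable so a wrong key is noticed immediately. The expectation that both payloads decrypt to PE files is an assumption drawn from the text; the labels in <code>KNOWN_KEYS</code> are this example's own.

```python
import struct
import sys
from typing import Dict, Tuple

# Keys quoted in the write-up, labelled by the file they were reported for.
KNOWN_KEYS: Dict[str, bytes] = {
    "ms00.dat (7zip SFX drop)": b"V#@!1vw32",
    "HTTPPro resource (Kimsuky stealer)": b"messi.com",
}


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA followed by PRGA).  Encryption and decryption are
    the same XOR operation, so one function covers both directions."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm, XORed onto the data
    out = bytearray(len(data))
    i = j = 0
    for n, c in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[n] = c ^ S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a decrypted blob: 'MZ' DOS header and a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_with_known_keys(blob: bytes) -> Dict[str, Tuple[bytes, bool]]:
    """Try every known key and report, per key, the plaintext and whether it
    passes the PE check.  Only one key should yield a PE for a given file."""
    return {label: (plain, looks_like_pe(plain))
            for label, key in KNOWN_KEYS.items()
            for plain in (rc4_crypt(key, blob),)}


if __name__ == "__main__":
    # Usage: python rc4_extract.py <encrypted file>
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    for label, (plain, is_pe) in decrypt_with_known_keys(blob).items():
        print(f"{label}: {'PE' if is_pe else 'not a PE'} ({len(plain)} bytes)")
        if is_pe:
            out_name = sys.argv[1] + ".decrypted"
            with open(out_name, "wb") as fh:
                fh.write(plain)
            print("  written to", out_name)
```

Decrypted samples should be handled in an isolated analysis environment; the PE check only tells you the key was right, not that the file is safe to run.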
  4389.  
  4390.  
  4391.  
  4392. <p>The domain <code>mygamesonline[.]org</code> is commonly used by Kimsuky (with a variety of subdomains).&nbsp;</p>
  4393.  
  4394.  
  4395.  
  4396. <p>The keylogger also downloads the next stage, called <code>ms12.acm</code>:&nbsp;</p>
  4397.  
  4398.  
  4399. <div class="wp-block-image">
  4400. <figure class="aligncenter size-full"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-56.png"><img loading="lazy" decoding="async" width="467" height="169" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-56.png" alt="" class="wp-image-8478" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-56.png 467w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-56-300x109.png 300w" sizes="(max-width: 467px) 100vw, 467px" /></a><figcaption class="wp-element-caption"><em>The next stage is downloaded with a name <code>ms12.acm</code></em></figcaption></figure></div>
  4401.  
  4402.  
  4403. <p>With this, we see a possible pattern in the naming convention and a link to the Modular Backdoor. As described in the <a href="#other-infection-vectors-modular-backdoor">Other Infection Vectors</a> section, the 7z SFX archive contains an encrypted file called <code>ms00.dat</code>, whose resemblance is hard to ignore.</p>
  4404.  
  4405.  
  4406.  
  4407. <p>Last but not least, another strong indicator for a possible attribution is the fact that the Kimsuky keylogger sample <code>dddc57299857e6ecb2b80cbab2ae6f1978e89c4bfe664c7607129b0fc8db8b1f</code>, which is mentioned in the same blogpost from Talos, contains a section called <code>.vlizer</code>, as seen below:&nbsp;</p>
  4408.  
  4409.  
  4410. <div class="wp-block-image">
  4411. <figure class="aligncenter size-large"><a href="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57.png"><img loading="lazy" decoding="async" width="1024" height="269" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57-1024x269.png" alt="" class="wp-image-8479" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57-1024x269.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57-300x79.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57-768x202.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/image-57.png 1277w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><figcaption class="wp-element-caption"><em>Kimsuky keylogger sections</em></figcaption></figure></div>
  4412.  
  4413.  
  4414. <p>During the GuptiMiner installation process (<a href="#installation-process">Stage 0</a>), we wrote about the threat actors introducing <a href="#code-virtualization">Code Virtualization</a> in 2018. This was done by using a dedicated section called <code>.v_lizer</code>.&nbsp;</p>
  4415.  
  4416.  
  4417.  
  4418. <h2 class="wp-block-heading">Conclusion&nbsp;</h2>
  4419.  
  4420.  
  4421.  
  4422. <p>In this analysis, we described in detail our findings regarding a long-standing threat we call GuptiMiner. This sophisticated operation has been performing MitM attacks targeting the update mechanism of the eScan antivirus vendor. We disclosed the security vulnerability to both eScan and the India CERT and received confirmation on 2023-07-31 from eScan that the issue was fixed and successfully resolved.&nbsp;</p>
  4423.  
  4424.  
  4425.  
  4426. <p>During the GuptiMiner operation, the attackers were deploying a wide chain of stages and functionalities, including performing DNS requests to the attacker’s DNS servers, sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.&nbsp;</p>
  4427.  
  4428.  
  4429.  
  4430. <p>Two different types of backdoors were discovered, targeting large corporate networks. The first provided SMB scanning of the local network, enabling lateral movement over the network to potentially exploit vulnerable Windows 7 and Windows Server 2008 systems. The second backdoor is multi-modular, accepting commands in the background to install more modules, and also focuses on stealing stored private keys and cryptowallets.&nbsp;</p>
  4431.  
  4432.  
  4433.  
  4434. <p>Interestingly, the final payload distributed by GuptiMiner was also XMRig which is a bit unexpected for such a thought-through operation.&nbsp;</p>
  4435.  
  4436.  
  4437.  
  4438. <p>We have also found possible ties to Kimsuky, a notorious North Korean APT group, while observing similarities between Kimsuky keylogger and fragments discovered during the analysis of the GuptiMiner operation.&nbsp;</p>
  4439.  
  4440.  
  4441.  
  4442. <h2 class="wp-block-heading">eScan follow-up</h2>
  4443.  
  4444.  
  4445.  
  4446. <p>We have shared our findings and our research with eScan prior to publishing this analysis. For the sake of completeness, we are including their statement on this topic:</p>
  4447.  
  4448.  
  4449.  
  4450. <p><em>“I would also like to highlight some key points:</em><br><em>1. Our records indicate that the last similar report was received towards the end of the year 2019.</em><br><em>2. Since 2020, we have implemented a stringent checking mechanism that utilizes EV Signing to ensure that non-signed binaries are rejected.</em><br><em>3. Multiple heuristic rules have been integrated into our solution to detect and block any instances of legitimate processes being used for mining, including the forking of unsigned binaries.</em><br><em>4. While our internal investigations did not uncover instances of the XRig miner, it is possible that this may be due to geo-location factors.</em><br><em>5. Our latest solution versions employ secure (https) downloads, ensuring encrypted communication when clients interact with our cloud-facing servers for update downloads.”</em></p>
  4451.  
  4452.  
  4453.  
  4454. <p>According to our telemetry, we continue to observe new infections and GuptiMiner builds within our userbase. This may be attributable to eScan clients on these devices not being updated properly.</p>
  4455.  
  4456.  
  4457.  
  4458. <h2 class="wp-block-heading" id="ioc">Indicators of Compromise (IoCs)</h2>
  4459.  
  4460.  
  4461.  
  4462. <p>In this section, we would like to summarize the Indicators of Compromise mentioned in this analysis. As they are indicators, it doesn’t automatically mean the mentioned files and/or domains are malicious on their own.&nbsp;</p>
  4463.  
  4464.  
  4465.  
  4466. <p>For a more detailed list of IoCs for the whole GuptiMiner campaign, please visit our <a href="https://github.com/avast/ioc/tree/master/GuptiMiner" target="_blank" rel="noreferrer noopener">GitHub</a>.</p>
  4467.  
  4468.  
  4469.  
  4470. <h3 class="wp-block-heading">Evolution and Timelines&nbsp;</h3>
  4471.  
  4472.  
  4473.  
  4474. <h4 class="wp-block-heading">Domains&nbsp;</h4>
  4475.  
  4476.  
  4477.  
  4478. <figure class="wp-block-table"><table><tbody><tr><td><strong>Domain</strong></td></tr><tr><td>_spf.microsoft[.]com</td></tr><tr><td>acmeautoleasing[.]net</td></tr><tr><td>b.guterman[.]net</td></tr><tr><td>breedbackfp[.]com</td></tr><tr><td>crl.microsoft[.]com</td></tr><tr><td>crl.peepzo[.]com</td></tr><tr><td>crl.sneakerhost[.]com</td></tr><tr><td>desmoinesreg[.]com</td></tr><tr><td>dl.sneakerhost[.]com</td></tr><tr><td>edgesync[.]net</td></tr><tr><td>espcomp[.]net</td></tr><tr><td>ext.microsoft[.]com</td></tr><tr><td>ext.peepzo[.]com</td></tr><tr><td>ext.sneakerhost[.]com</td></tr><tr><td>gesucht[.]net</td></tr><tr><td>globalsign.microsoft[.]com</td></tr><tr><td>icamper[.]net</td></tr><tr><td>m.airequipment[.]net</td></tr><tr><td>m.cbacontrols[.]com</td></tr><tr><td>m.gosoengine[.]com</td></tr><tr><td>m.guterman[.]net</td></tr><tr><td>m.indpendant[.]com</td></tr><tr><td>m.insomniaccinema[.]com</td></tr><tr><td>m.korkyt[.]net</td></tr><tr><td>m.satchmos[.]net</td></tr><tr><td>m.sifraco[.]com</td></tr><tr><td>ns.bretzger[.]net</td></tr><tr><td>ns.deannacraite[.]com</td></tr><tr><td>ns.desmoinesreg[.]com</td></tr><tr><td>ns.dreamsoles[.]com</td></tr><tr><td>ns.editaccess[.]com</td></tr><tr><td>ns.encontacto[.]net</td></tr><tr><td>ns.gravelmart[.]net</td></tr><tr><td>ns.gridsense[.]net</td></tr><tr><td>ns.jetmediauk[.]com</td></tr><tr><td>ns.kbdn[.]net</td></tr><tr><td>ns.lesagencestv[.]net</td></tr><tr><td>ns.penawarkanser[.]net</td></tr><tr><td>ns.srnmicro[.]net</td></tr><tr><td>ns.suechiLton[.]com</td></tr><tr><td>ns.trafomo[.]com</td></tr><tr><td>ns1.earthscienceclass[.]com</td></tr><tr><td>ns1.peepzo[.]com</td></tr><tr><td>ns1.securtelecom[.]com</td></tr><tr><td>ns1.sneakerhost[.]com</td></tr><tr><td>p.bramco[.]net</td></tr><tr><td>p.hashvault[.]pro</td></tr><tr><td>r.sifraco[.]com</td></tr><tr><td>spf.microsoft[.]com</td></tr><tr><td>widgeonhill[.]com</td></tr><tr><td>www.bascap[.]net</td></tr></tbody></table></figure>
  4479.  
  4480.  
  4481.  
  4482. <h4 class="wp-block-heading">Mutexes&nbsp;</h4>
  4483.  
  4484.  
  4485.  
  4486. <figure class="wp-block-table"><table><tbody><tr><td><strong>Mutex</strong>&nbsp;</td></tr><tr><td>ESOCESS_&nbsp;</td></tr><tr><td>Global\Fri Aug 13 02:17:49 2021&nbsp;</td></tr><tr><td>Global\Fri Aug 13 02:22:55 2021&nbsp;</td></tr><tr><td>Global\Mon Apr 19 06:03:17 2021&nbsp;</td></tr><tr><td>Global\Mon Apr 24 07:19:54 2023&nbsp;</td></tr><tr><td>Global\Mon Feb 27 08:11:25 2023&nbsp;</td></tr><tr><td>Global\Mon Jun 14 03:22:57 2021&nbsp;</td></tr><tr><td>Global\Mon Mar 13 07:29:11 2023&nbsp;</td></tr><tr><td>Global\Mon Mar 22 09:16:00 2021&nbsp;</td></tr><tr><td>Global\Sun Jun 13 08:22:07 2021&nbsp;</td></tr><tr><td>Global\Thu Aug 10 03:25:11 2023&nbsp;</td></tr><tr><td>Global\Thu Aug 12 02:07:58 2021&nbsp;</td></tr><tr><td>Global\Thu Feb 23 08:37:09 2023&nbsp;</td></tr><tr><td>Global\Thu Mar 25 02:03:14 2021&nbsp;</td></tr><tr><td>Global\Thu Mar 25 09:31:19 2021&nbsp;</td></tr><tr><td>Global\Thu Nov&nbsp; 2 08:21:56 2023&nbsp;</td></tr><tr><td>Global\Thu Nov&nbsp; 9 06:19:40 2023&nbsp;</td></tr><tr><td>Global\Tue Apr 25 08:32:05 2023&nbsp;</td></tr><tr><td>Global\Tue Mar 23 02:37:32 2021&nbsp;</td></tr><tr><td>Global\Tue Oct 10 08:07:11 2023&nbsp;</td></tr><tr><td>Global\Wed Aug 11 09:16:37 2021&nbsp;</td></tr><tr><td>Global\Wed Jan&nbsp; 5 09:15:56 2022&nbsp;</td></tr><tr><td>Global\Wed Jun&nbsp; 2 09:43:03 2021&nbsp;</td></tr><tr><td>Global\Wed Mar&nbsp; 1 01:29:48 2023&nbsp;</td></tr><tr><td>Global\Wed Mar 23 08:56:01 2022&nbsp;</td></tr><tr><td>Global\Wed Mar 23 09:06:36 2022&nbsp;</td></tr><tr><td>Global\Wed May 10 06:38:46 2023&nbsp;</td></tr><tr><td>Global1&nbsp;</td></tr><tr><td>GlobalMIVOD_V4&nbsp;</td></tr><tr><td>GMCM1&nbsp;</td></tr><tr><td>MIVOD_6&nbsp;</td></tr><tr><td>MTX_EX01&nbsp;</td></tr><tr><td>Mutex_ONLY_ME_V1&nbsp;</td></tr><tr><td>Mutex_ONLY_ME_V2&nbsp;</td></tr><tr><td>Mutex_ONLY_ME_V3&nbsp;</td></tr><tr><td>PROCESS_&nbsp;</td></tr><tr><td>SLDV014&nbsp;</td></tr><tr><td>SLDV02&nbsp;</td></tr><tr><td>SLDV024&nbsp;</td></tr><tr><td>SLDV04&nbsp;</td></tr><tr><td>SLDV10&nbsp;</td></tr><tr><td>SLDV11&nbsp;</td></tr><tr><td>SLDV13&nbsp;</td></tr><tr><td>SLDV15&nbsp;</td></tr><tr><td>SLDV17&nbsp;</td></tr><tr><td>SLDV22&nbsp;</td></tr><tr><td>SLDV26&nbsp;</td></tr></tbody></table></figure>
  4487.  
  4488.  
  4489.  
  4490. <h4 class="wp-block-heading">PDB paths&nbsp;</h4>
  4491.  
  4492.  
  4493.  
  4494. <figure class="wp-block-table"><table><tbody><tr><td><strong>PDB path</strong></td></tr><tr><td>E:\projects\projects\RunCompressedSC\x64\Release\RunCompressedSC.pdb</td></tr><tr><td>E:\Projects\putty-src\windows\VS2012\x64\Release\plink.pdb</td></tr><tr><td>F:\CODE-20221019\Projects\RunCompressedSC\x64\Release\RunCompressedSC.pdb</td></tr><tr><td>F:\Pro\MainWork\Release\MainWork.pdb</td></tr><tr><td>F:\Pro\MainWork\x64\Release\MainWork.pdb</td></tr><tr><td>F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-IPHLPAPI\Release\MainWork.pdb</td></tr><tr><td>F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-IPHLPAPI\x64\Release\MainWork.pdb</td></tr><tr><td>F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-nvhelper\Release\MainWork.pdb</td></tr><tr><td>F:\Projects\2020-NEW\20200307-NEW\MainWork-VS2017-nvhelper\x64\Release\MainWork.pdb</td></tr><tr><td>F:\Projects\RunCompressedSC\x64\Release\RunCompressedSC.pdb</td></tr><tr><td>F:\V202102\MainWork-VS2017 – Monitor\Release\MainWork.pdb</td></tr><tr><td>F:\V202102\MainWork-VS2017 – Monitor\x64\Release\MainWork.pdb</td></tr><tr><td>H:\projects\MainWork\Release\MainWork.pdb</td></tr></tbody></table></figure>
  4495.  
  4496.  
  4497.  
  4498. <h3 class="wp-block-heading">Stage 0 – Installation Process&nbsp;</h3>
  4499.  
  4500.  
  4501.  
  4502. <figure class="wp-block-table"><table><tbody><tr><td><strong>IoC</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>http://update3[.]mwti[.]net/pub/update/updll3.dlz&nbsp;</td><td>&nbsp;</td></tr><tr><td>c3122448ae3b21ac2431d8fd523451ff25de7f6e399ff013d6fa6953a7998fa3&nbsp;</td><td>C:\Program Files\eScan\VERSION.DLL&nbsp;</td></tr><tr><td>7a1554fe1c504786402d97edecc10c3aa12bd6b7b7b101cfc7a009ae88dd99c6&nbsp;</td><td>updll65.dlz&nbsp;</td></tr></tbody></table></figure>
  4503.  
  4504.  
  4505.  
  4506. <h3 class="wp-block-heading">Stage 0.9 – Installation Improvements&nbsp;</h3>
  4507.  
  4508.  
  4509.  
  4510. <h3 class="wp-block-heading">Stage 1 – PNG Loader&nbsp;</h3>
  4511.  
  4512.  
  4513.  
  4514. <figure class="wp-block-table"><table><tbody><tr><td><strong>IoC</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>ff884d4c01fccf08a916f1e7168080a2d740a62a774f18e64f377d23923b0297&nbsp;</td><td>&nbsp;</td></tr><tr><td>ext.peepzo[.]com&nbsp;</td><td>&nbsp;</td></tr><tr><td>crl.peepzo[.]com&nbsp;</td><td>&nbsp;</td></tr><tr><td>ns1.peepzo[.]com&nbsp;</td><td>&nbsp;</td></tr><tr><td>http://www.deanmiller[.]net/m/&nbsp;</td><td>&nbsp;</td></tr><tr><td>294b73d38b89ce66cfdefa04b1678edf1b74a9b7f50343d9036a5d549ade509a&nbsp;</td><td>&nbsp;</td></tr><tr><td>185.45.192[.]43/elimp/&nbsp;</td><td>&nbsp;</td></tr><tr><td>6305d66aac77098107e3aa6d85af1c2e3fc2bb1f639e4a9da619c8409104c414</td><td></td></tr><tr><td>SYSTEM\CurrentControlSet\Control\Arbiters\Class&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\CMF\Class&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\CMF\CORE&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\CMF\DEF&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\CMF\Els&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\CMF\ASN&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>SYSTEM\CurrentControlSet\Control\MSDTC\BSR&nbsp;</td><td>Registry&nbsp;</td></tr></tbody></table></figure>
  4515.  
  4516.  
  4517.  
  4518. <h3 class="wp-block-heading">Stage 2 – Gzip Loader&nbsp;</h3>
  4519.  
  4520.  
  4521.  
  4522. <figure class="wp-block-table"><table><tbody><tr><td><strong>IoC</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>357009a70daacfc3379560286a134b89e1874ab930d84edb2d3ba418f7ad6a0b&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure>
  4523.  
  4524.  
  4525.  
  4526. <h3 class="wp-block-heading">Stage 3 – Puppeteer&nbsp;</h3>
  4527.  
  4528.  
  4529.  
  4530. <figure class="wp-block-table"><table><tbody><tr><td><strong>Ioc</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>364984e8d62eb42fd880755a296bd4a93cc071b9705c1f1b43e4c19dd84adc65&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Crypto\Escan\dss.exe&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll3&nbsp;&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\Windows\system32\tasks\Microsoft\windows\autochk\ESUpgrade&nbsp;</td><td>Scheduled task&nbsp;</td></tr><tr><td>HKEY_LOCAL_MACHINE\SOFTWARE\AVC3&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>\Device\HarddiskVolume1\Program Files (x86)\eScan\download.exe&nbsp;</td><td>&nbsp;</td></tr><tr><td>4dfd082eee771b7801b2ddcea9680457f76d4888c64bb0b45d4ea616f0a47f21&nbsp;</td><td>&nbsp;</td></tr><tr><td>SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>net group ”domain computers” /domain&nbsp;</td><td>Command&nbsp;</td></tr><tr><td>https://m.airequipment[.]net/gpse/&nbsp;</td><td>&nbsp;</td></tr><tr><td>487624b44b43dacb45fd93d03e25c9f6d919eaa6f01e365bb71897a385919ddd&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\Program Files (x86)\eScan\updll3.dll3&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\Program Files\Common Files\SYSTEM\SysResetErr\SysResetErr.DLL&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\Program Files\Microsoft SQL Server\SpellChecking\MsSpellChecking.DLL&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\Program Files\Microsoft SQL 
Server\SpellChecking\MsSpellCheckingHost.DLL&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\AMD\CNext\atiadlxx.dll&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Assistance\LunarG\vulkan-1.dll&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Crypto\Escan\updll3.dll3&nbsp;</td><td>&nbsp;</td></tr><tr><td>C:\ProgramData\Microsoft\Network\Escan\AutoWake.dll&nbsp;</td><td>&nbsp;</td></tr><tr><td>1c31d06cbdf961867ec788288b74bee0db7f07a75ae06d45d30355c0bc7b09fe&nbsp;</td><td>&nbsp;</td></tr><tr><td>1fbc562b08637a111464ba182cd22b1286a185f7cfba143505b99b07313c97a4&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure>
  4531.  
  4532.  
  4533.  
  4534. <h3 class="wp-block-heading">Stage 4 – Backdoor&nbsp;</h3>
  4535.  
  4536.  
  4537.  
  4538. <figure class="wp-block-table"><table><tbody><tr><td><strong>IoC</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>07beca60c0a50520b8dbc0b8cc2d56614dd48fef0466f846a0a03afbfc42349d&nbsp;</td><td>&nbsp;</td></tr><tr><td>E:\Projects\putty-src\windows\VS2012\x64\Release\plink.pdb&nbsp;</td><td>PDB&nbsp;</td></tr><tr><td>HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Control\CMF\Class&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>HKEY_LOCAL_MACHINE\SYSTEM\RNG\FFFF&nbsp;&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>gesucht[.]net&nbsp;</td><td>&nbsp;</td></tr><tr><td>f0ccfcb5d49d08e9e66b67bb3fedc476fdf5476a432306e78ddaaba4f8e3bbc4&nbsp;</td><td>&nbsp;</td></tr><tr><td>HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\DECLAG&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>8446d4fc1310b31238f9a610cd25ea832925a25e758b9a41eea66f998163bb34&nbsp;</td><td>Shellcode&nbsp;</td></tr><tr><td>74D7F1AF69FB706E87FF0116B8E4FA3A9B87275505E2EE7A32A8628A2D066549&nbsp;</td><td>&nbsp;</td></tr><tr><td>www.righttrak[.]net:443&nbsp;&nbsp;</td><td>&nbsp;</td></tr><tr><td>185.248.160[.]141&nbsp;</td><td>&nbsp;</td></tr><tr><td>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCB&nbsp;</td><td>Registry&nbsp;</td></tr><tr><td>af9f1331ac671d241bf62240aa52389059b4071a0635cb9cb58fa78ab942a33b&nbsp;</td><td>&nbsp;</td></tr></tbody></table></figure>
  4539.  
  4540.  
  4541.  
  4542. <h3 class="wp-block-heading">Related and Future Research&nbsp;</h3>
  4543.  
  4544.  
  4545.  
  4546. <figure class="wp-block-table"><table><tbody><tr><td><strong>IoC</strong>&nbsp;</td><td><strong>Note</strong>&nbsp;</td></tr><tr><td>&#8220;cmd.exe&#8221; /c type &#8220;\&lt;domain&gt;\SYSVOL\&lt;domain&gt;\scripts\gpon.inc&#8221; | &#8220;\&lt;domain&gt;\SYSVOL\&lt;domain&gt;\scripts\powAMD64.dat&#8221; -nop &#8211;&nbsp;</td><td>Command&nbsp;</td></tr><tr><td>C:\Windows\System32\Tasks\ScheduledDefrag&nbsp;</td><td>Scheduled task&nbsp;</td></tr><tr><td>529763AC53562BE3C1BB2C42BCAB51E3AD8F8A56&nbsp;</td><td>Certificate SHA1&nbsp;</td></tr><tr><td>31070C2EA30E6B4E1C270DF94BE1036AE7F8616B&nbsp;</td><td>Certificate SHA1&nbsp;</td></tr><tr><td>31dfba1b102bbf4092b25e63aae0f27386c480c10191c96c04295cb284f20878&nbsp;</td><td>&nbsp;</td></tr><tr><td>8e96d15864ec0cc6d3976d87e9e76e6eeccc23c551b22dcfacb60232773ec049&nbsp;</td><td>&nbsp;</td></tr><tr><td>b0f94d84888dffacbc10bd7f9983b2d681b55d7e932c2d952d47ee606058df54&nbsp;</td><td>&nbsp;</td></tr><tr><td>f656a418fca7c4275f2441840faaeb70947e4f39d3826d6d2e50a3e7b8120e4e&nbsp;</td><td>&nbsp;</td></tr><tr><td>7f1221c613b9de2da62da613b8b7c9afde2ea026fe6b88198a65c9485ded7b3d&nbsp;</td><td>&nbsp;</td></tr><tr><td>F:\!PROTECT\Real\startW-2008\MainWork\Release\MainWork.pdb&nbsp;</td><td>PDB&nbsp;</td></tr></tbody></table></figure>
  4547. <p>The post <a href="https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/">GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  4548. ]]></content:encoded>
  4549. </item>
  4550. <item>
  4551. <title>From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams</title>
  4552. <link>https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams</link>
  4553. <dc:creator><![CDATA[Luigino Camastra]]></dc:creator>
  4554. <pubDate>Thu, 18 Apr 2024 06:30:00 +0000</pubDate>
  4555. <category><![CDATA[PC]]></category>
  4556. <category><![CDATA[Uncategorized]]></category>
  4557. <category><![CDATA[APT]]></category>
  4558. <category><![CDATA[Lazarus]]></category>
  4559. <category><![CDATA[Recruiting scams]]></category>
  4560. <guid isPermaLink="false">https://decoded.avast.io/?p=8332</guid>
  4561.  
  4562. <description><![CDATA[<p>Key Points Introduction In the summer of 2023, Avast identified a campaign targeting specific individuals in the Asian region through fabricated job offers. The motivation behind the attack remains uncertain, but judging from the low frequency of attacks, it appears that the attacker had a special interest in individuals with technical backgrounds. This sophistication is [&#8230;]</p>
  4563. <p>The post <a href="https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/">From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  4564. ]]></description>
  4565. <content:encoded><![CDATA[
  4566. <h2 class="wp-block-heading">Key Points</h2>
  4567.  
  4568.  
  4569.  
  4570. <ul class="wp-block-list">
  4571. <li>Avast discovered a new campaign targeting specific individuals through fabricated job offers.&nbsp;</li>
  4572.  
  4573.  
  4574.  
  4575. <li>Avast uncovered a full attack chain from infection vector to deploying <code>“FudModule 2.0”</code> rootkit with 0-day <code>Admin -&gt; Kernel</code> exploit.&nbsp;</li>
  4576.  
  4577.  
  4578.  
  4579. <li>Avast found a previously undocumented <code>Kaolin</code> RAT which, besides standard RAT functionality, can change the last write timestamp of a selected file and load any DLL binary received from the C&amp;C server. We also believe it was loading FudModule along with a 0-day exploit.</li>
  4580. </ul>
  4581.  
  4582.  
  4583.  
  4584. <h2 class="wp-block-heading">Introduction</h2>
  4585.  
  4586.  
  4587.  
  4588. <p>In the summer of 2023, Avast identified a campaign targeting specific individuals in the Asian region through fabricated job offers. The motivation behind the attack remains uncertain, but judging from the low frequency of attacks, it appears that the attacker had a special interest in individuals with technical backgrounds. The level of sophistication is consistent with previous research in which the Lazarus group exploited vulnerable drivers and used several rootkit techniques to blind security products and achieve better persistence.</p>
  4589.  
  4590.  
  4591.  
  4592. <p>In this instance, Lazarus sought to blind security products by exploiting a vulnerability in the default Windows driver, appid.sys (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338" target="_blank" rel="noreferrer noopener">CVE-2024-21338</a>). More information about this vulnerability can be found in a corresponding <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/" target="_blank" rel="noreferrer noopener">blog post</a>.&nbsp;</p>
  4593.  
  4594.  
  4595.  
  4596. <p>This indicates that Lazarus likely allocated additional resources to develop such attacks. Prior to exploitation, Lazarus deployed the toolset meticulously, employing fileless malware and encrypting the arsenal onto the hard drive, as detailed later in this blog post.&nbsp;</p>
  4597.  
  4598.  
  4599.  
  4600. <p>Furthermore, the nature of the attack suggests that the victim was carefully selected and highly targeted, as there likely needed to be some level of rapport established with the victim before executing the initial binary. Deploying such a sophisticated toolset alongside the exploit indicates considerable resourcefulness.&nbsp;</p>
  4601.  
  4602.  
  4603.  
  4604. <p>This blog post will present a technical analysis of each module within the entire attack chain. This analysis aims to establish connections between the toolset arsenal used by the Lazarus group and previously published research.&nbsp;</p>
  4605.  
  4606.  
  4607.  
  4608. <h2 class="wp-block-heading">Initial access&nbsp;</h2>
  4609.  
  4610.  
  4611.  
  4612. <p>The attacker initiates the attack by presenting a fabricated job offer to an unsuspecting individual, using social engineering to establish contact and build rapport. While the specific communication platform remains unknown, previous research by <a href="https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing" target="_blank" rel="noreferrer noopener">Mandiant</a> and <a href="https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/" target="_blank" rel="noreferrer noopener">ESET</a> suggests that delivery vectors may include LinkedIn, WhatsApp, email or other platforms. The attacker then sends a malicious ISO file, disguised as a VNC tool and presented as part of the <a href="https://securelist.com/apt-trends-report-q3-2023/110752/" target="_blank" rel="noreferrer noopener">interviewing process</a>. ISO files are becoming attractive to attackers because, since Windows 8, an ISO file is mounted automatically just by double-clicking it, after which the operating system exposes its contents like a regular drive. This may also serve as a potential Mark-of-the-Web (MotW) bypass, since files copied out of the mounted image do not necessarily carry the MotW of the downloaded ISO.</p>
  4613.  
  4614.  
  4615.  
  4616. <p>Having built rapport with the victim, the attacker tricks the victim into mounting the ISO file, which contains three files: <code>AmazonVNC.exe</code>, <code>version.dll</code> and <code>aws.cfg</code>. The victim is then led to execute <code>AmazonVNC.exe</code>.</p>
  4617.  
  4618.  
  4619.  
  4620. <p>The <code>AmazonVNC.exe</code> executable only pretends to be an Amazon VNC client; it is actually the legitimate Windows application <code>choice.exe</code>, which ordinarily resides in the <code>System32</code> folder. It is used for DLL sideloading: when the renamed, legitimately signed <code>choice.exe</code> starts, it loads the malicious <code>version.dll</code> placed next to it. Sideloading is a popular technique among attackers for evading detection, since the malicious code executes in the context of a legitimate application.</p>
  4621.  
  4622.  
  4623.  
  4624. <p>When <code>AmazonVNC.exe</code> is executed, it loads <code>version.dll</code>. The malicious DLL uses native Windows API functions in an attempt to avoid defensive techniques such as user-mode API hooks, and it invokes all of them through direct syscalls. The malicious functionality is implemented in one of the exported functions rather than in <code>DllMain</code>: <code>DllMain</code> contains no code and simply returns 1, and the remaining exported functions only call <code>Sleep</code>.</p>
  4625.  
  4626.  
  4627.  
  4628. <p>After the DLL obtains the correct syscall numbers for the running Windows version, it spawns an <code>iexpress.exe</code> process to host the next malicious payload, which resides in the third file, <code>aws.cfg</code>. This injection is performed only if Kaspersky antivirus is installed on the victim’s computer, apparently to evade Kaspersky’s detection. If Kaspersky is not installed, the malware executes the payload in a new thread in the current process, with no injection. The <code>aws.cfg</code> file, which is the next-stage payload, is obfuscated with VMProtect, presumably to make reverse engineering more difficult. The payload downloads shellcode from a Command and Control (C&amp;C) server, which we believe is a legitimate but compromised website selling marble for construction. The official website is <code>https://www[.]henraux.com/</code>, and the attacker served the shellcode from <code>https://www[.]henraux.com/sitemaps/about/about.asp</code>.</p>
  4629.  
  4630.  
  4631.  
  4632. <p>We were unable to retrieve the shellcode from the C&amp;C server, because the malicious URL was no longer responding at the time of our analysis.</p>
  4633.  
  4634.  
  4635.  
  4636. <p>Our telemetry, however, showed on one of our clients’ machines a strong correlation between the loading of shellcode from the C&amp;C server via the ISO file and the subsequent appearance of <code>RollFling</code>, a new, previously undocumented loader that we discovered and describe later in this blog post.</p>
  4637.  
  4638.  
  4639.  
  4640. <p>Moreover, the delivery method of the ISO file exhibits tactical similarities to those employed by the Lazarus group, a fact previously noted by researchers from <a href="https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing" target="_blank" rel="noreferrer noopener">Mandiant</a> and <a href="https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/" target="_blank" rel="noreferrer noopener">ESET</a>.&nbsp;</p>
  4641.  
  4642.  
  4643.  
  4644. <p>In addition, a <code>RollSling</code> sample was identified on the victim machines, displaying code similarities with the <code>RollSling</code> sample discussed in <a href="https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/" target="_blank" rel="noreferrer noopener">Microsoft&#8217;s research</a>. Notably, the <code>RollSling</code> instance discovered in our client&#8217;s environment was delivered by the <code>RollFling</code> loader, which supports our belief that the shellcode we could not retrieve is what installs the initial <code>RollFling</code> loader. For visual confirmation, the first screenshot shows the <code>RollSling</code> code (with its SHA-256) from the <a href="https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/" target="_blank" rel="noreferrer noopener">Microsoft</a> report, while the second screenshot shows the corresponding code from our <code>RollSling</code> sample.</p>
  4645.  
  4646.  
  4647. <div class="wp-block-image">
  4648. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="481" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4-1024x481.png" alt="" class="wp-image-8347" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4-1024x481.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4-300x141.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4-768x361.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4-1536x721.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/RollSling_IDA_Microsoft-4.png 1725w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Image illustrates the <code>RollSling </code>code identified by Microsoft. SHA: <br><code>d9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb8bfdcdc58294eeaca</code>.</figcaption></figure></div>
  4649.  
  4650.  
  4651. <div class="wp-block-group"><div class="wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained"><div class="wp-block-image">
  4652. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="477" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2-1024x477.png" alt="" class="wp-image-8346" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2-1024x477.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2-300x140.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2-768x358.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2-1536x715.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-2.png 1733w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Image showcases the <code>RollSling</code> code discovered within our target. SHA: <code>68ff1087c45a1711c3037dad427733ccb1211634d070b03cb3a3c7e836d210f</code>.</figcaption></figure></div>
  4653.  
  4654.  
  4655. <p>In the next paragraphs, we are going to explain every component in the execution chain, starting with the initial <code>RollFling</code> loader, continuing with the subsequently loaded <code>RollSling</code> loader, and then the final <code>RollMid</code> loader. Finally, we will analyze the <code>Kaolin</code> RAT, which is ultimately loaded by the chain of these three loaders.&nbsp;</p>
  4656. </div></div>
  4657.  
  4658.  
  4659.  
  4660. <h2 class="wp-block-heading">Loaders</h2>
  4661.  
  4662.  
  4663.  
  4664. <h3 class="wp-block-heading">RollFling</h3>
  4665.  
  4666.  
  4667.  
  4668. <p>The <code>RollFling</code> loader is a malicious DLL installed as a service, which is the attacker&#8217;s initial means of achieving persistence. The files that accompany <code>RollFling</code> are essential for the consistent execution of the attack chain. Its primary role is to kickstart the execution chain; all subsequent stages operate exclusively in memory. Unfortunately, we were unable to ascertain whether the DLL was installed as a service with administrator rights or only with standard user rights.</p>
  4669.  
  4670.  
  4671.  
  4672. <p>The loader acquires the System Management BIOS (SMBIOS) table through the Windows API function <code>GetSystemFirmwareTable</code>, which classic user-mode applications have been able to call since Windows Vista; beginning with Windows 10, version 1803, Universal Windows apps can access SMBIOS information as well. SMBIOS is the primary standard for delivering management information through system firmware, and the table carries per-machine identifiers such as the system manufacturer, product name, serial number and UUID, which is what makes it usable as a machine-specific key.</p>
  4673.  
  4674.  
  4675.  
  4676. <p>By calling <code>GetSystemFirmwareTable</code> (see Figure 1), <code>SMBIOSTableData</code> is retrieved and used as the key for decrypting the encrypted <code>RollSling</code> loader with a XOR operation. Without the correct <code>SMBIOSTableData</code>, a 32-byte key, <code>RollSling</code> cannot be decrypted and the malware does not proceed to the next stage. Keying the payload to one machine in this way suggests a highly targeted attack aimed at a specific individual.</p>
  4677.  
  4678.  
  4679.  
  4680. <p>This also implies that, before registering the <code>RollFling</code> loader as a service, the attacker had to collect the <code>SMBIOS</code> table of the target and transmit it to the C&amp;C server, so that the server could reply with a stage encrypted for that machine. This next stage, called <code>RollSling</code>, is stored in the same folder as <code>RollFling</code> but with the <code>".nls"</code> extension.</p>
  4681.  
  4682.  
  4683.  
  4684. <p>After successfully <code>XOR</code>-decrypting <code>RollSling</code>, <code>RollFling</code> loads the decrypted <code>RollSling</code> into memory and transfers execution to it.</p>
  4685.  
  4686.  
  4687. <div class="wp-block-image">
  4688. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="524" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/SMBIOS_firmware_table-1024x524.png" alt="" class="wp-image-8350" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/SMBIOS_firmware_table-1024x524.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/SMBIOS_firmware_table-300x153.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/SMBIOS_firmware_table-768x393.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/SMBIOS_firmware_table.png 1469w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Figure 1: Obtaining SMBIOS firmware table provider</figcaption></figure></div>
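The environment-keyed decryption described above can be reversed during forensics if the analyst has both the <code>.nls</code> file and a dump of the victim machine's raw SMBIOS buffer (for example via <code>dmidecode --dump-bin</code> on Linux, or the <code>MSSmBios_RawSMBiosTables</code> WMI class on Windows). The following Python is an added example written for this post, not code from the RollFling loader or from Avast; it assumes a repeating 32-byte XOR key taken from the raw SMBIOS buffer and a PE image as plaintext, and it slides the key window across the buffer because it is not known whether the loader uses the first 32 bytes of the table or skips the 8-byte <code>RawSMBIOSData</code> header that <code>GetSystemFirmwareTable('RSMB')</code> prepends. The sample data is constructed inline.

```python
"""Recovering a SMBIOS-keyed XOR payload from a firmware-table dump.

Added example for this post, not code from the RollFling loader itself.
Assumptions (labelled): the payload is XORed with a repeating 32-byte key
taken from the raw SMBIOS buffer, and the plaintext is a PE image.
"""
import struct


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is symmetric, so this both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(buf: bytes) -> bool:
    """Cheap plausibility test on a decryption candidate: a DOS 'MZ' stub whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(nls_blob: bytes, smbios_raw: bytes, key_len: int = 32):
    """Slide a key_len-byte window over the raw SMBIOS buffer and return
    (key_offset, decrypted_image) for the first window that yields a PE.

    The window search covers a loader that skips the 8-byte RawSMBIOSData header
    returned by GetSystemFirmwareTable('RSMB') as well as one that keys on it."""
    for off in range(0, len(smbios_raw) - key_len + 1):
        candidate = xor_bytes(nls_blob, smbios_raw[off:off + key_len])
        if looks_like_pe(candidate):
            return off, candidate
    return None


def build_sample() -> tuple:
    """Constructed test data (not from a real infection): a minimal PE-shaped image
    encrypted with a key taken from offset 8 of a fake RawSMBIOSData buffer."""
    image = bytearray(0x100)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)
    image[0x80:0x84] = b"PE\0\0"
    image[0x84:] = b"\x90" * (0x100 - 0x84)
    # Fake RawSMBIOSData: Used20CallingMethod, major, minor, DmiRevision, Length, then table bytes.
    header = bytes([0, 3, 2, 0]) + struct.pack("<I", 120)
    smbios_raw = header + bytes(range(0x20, 0x20 + 120))
    key_offset = 8  # first byte after the 8-byte header
    key = smbios_raw[key_offset:key_offset + 32]
    return xor_bytes(bytes(image), key), smbios_raw, key_offset


if __name__ == "__main__":
    nls, table, expected = build_sample()
    result = recover_payload(nls, table)
    print("recovered" if result and result[0] == expected else "not recovered")
```

Because the MZ/PE check is only a plausibility filter, a real recovery should be confirmed by parsing the resulting image fully (section table, export of the entry function the next stage expects). The same script will fail on an <code>.nls</code> file collected from a different machine, which is exactly the property the attacker relied on.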
  4689.  
  4690.  
  4691. <h3 class="wp-block-heading">RollSling</h3>
  4692.  
  4693.  
  4694.  
  4695. <p>The <code>RollSling</code> loader, initiated by <code>RollFling</code>, is executed in memory, a choice that may help the attacker evade detection by security software. The primary function of <code>RollSling</code> is to locate a binary blob situated in the same folder as <code>RollSling</code>, or, if it is not there, in the Package Cache folder. This binary blob holds various stages and configuration data essential for the malicious functionality, and it must have been uploaded to the victim machine by some previous stage in the infection chain.</p>
  4696.  
  4697.  
  4698.  
  4699. <p>There are two reasons for holding multiple files and configuration values in one binary blob. Firstly, it is more efficient to keep all the information in a single file and, secondly, most of the blob can be encrypted, which adds another layer of evasion and lowers the chance of detection.</p>
  4700.  
  4701.  
  4702.  
  4703. <p><code>RollSling</code> scans the current folder for the binary blob. To decide which file in the folder is the right one, it first reads 4 bytes that give the size of the data to read, reads that data, reverses its bytes into a temporary buffer, and then applies several checks, starting with the MZ header. If the MZ check passes, it looks for an exported function named <code>“StartAction”</code> in the recovered binary. If all conditions are met, it loads the next stage, <code>RollMid</code>, in memory. The attackers did not give the binary blob any specific file name or extension that would make it easy to find; instead, the right blob is identified by the conditions it must satisfy. This is also a defensive evasion technique, since it makes it harder for defenders to find the blob on an infected machine.</p>
  4704.  
  4705.  
  4706.  
  4707. <p>The recovered binary is the third loader, called <code>RollMid</code>, which is likewise executed only in the computer&#8217;s memory.</p>
  4708.  
  4709.  
  4710.  
  4711. <p>Before the execution of the <code>RollMid</code> loader, the malware creates two folders, named in the following way:&nbsp;</p>
  4712.  
  4713.  
  4714.  
  4715. <ul class="wp-block-list">
  4716. <li>%driveLetter%:\\ProgramData\\Package Cache\\[0-9A-Z]{8}-DF09-AA86-YI78-[0-9A-Z]{12}\\&nbsp;</li>
  4717.  
  4718.  
  4719.  
  4720. <li>%driveLetter%:\\ProgramData\\Package Cache\\[0-9A-Z]{8}-09C7-886E-II7F-[0-9A-Z]{12}\\&nbsp;</li>
  4721. </ul>
  4722.  
  4723.  
  4724.  
  4725. <p>These folders serve as destinations for the binary blob, which is moved there under a newly generated name with a <code>".cab"</code> extension. The <code>RollSling</code> loader stores the binary blob in the first folder and a new temporary file, whose usage is described later, in the second folder.</p>
  4726.  
  4727.  
  4728.  
  4729. <p>The attacker uses the <code>"Package Cache"</code> folder, a common repository for software installation files, to hide its malicious files among legitimate ones. The <code>".cab"</code> extension is chosen for the same reason, as it is the usual extension of files in the <code>Package Cache</code> folder. By relocating essential files to a trusted folder under an expected name, the attacker tries to avoid detection.</p>
  4730.  
  4731.  
  4732.  
  4733. <p>In the end, the <code>RollSling</code> loader calls an exported function called <code>"StartAction"</code>. This function is called with specific arguments, including information about the actual path of the <code>RollFling</code> loader, the path where the binary blob resides, and the path of a temporary file to be created by the <code>RollMid</code> loader.&nbsp;</p>
  4734.  
  4735.  
  4736. <div class="wp-block-image">
  4737. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="477" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3-1024x477.png" alt="" class="wp-image-8352" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3-1024x477.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3-300x140.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3-768x358.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3-1536x715.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/IDA_Avast_rollSling-3.png 1733w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Figure 2: Looking for a binary blob in the same folder as the <code>RollFling</code> loader</figcaption></figure></div>
  4738.  
  4739.  
  4740. <h3 class="wp-block-heading">RollMid</h3>
  4741.  
  4742.  
  4743.  
  4744. <p>The responsibility of the <code>RollMid</code> loader lies in loading key components of the attack and configuration data from the binary blob, while also establishing communication with a C&amp;C server.&nbsp;</p>
  4745.  
  4746.  
  4747.  
  4748. <p>The binary blob, containing essential components and configuration data, serves as a critical element in the proper execution of the attack chain. Unfortunately, our attempts to obtain this binary blob were unsuccessful, leading to gaps in our full understanding of the attack. However, we were able to retrieve the <code>RollMid</code> loader and certain binaries stored in memory.&nbsp;</p>
  4749.  
  4750.  
  4751.  
  4752. <p>Within the binary blob, the <code>RollMid</code> loader is a fundamental component located at the beginning (see Figure 3). The first 4 bytes in the binary blob describe the size of the <code>RollMid</code> loader. There are two more binaries stored in the binary blob after the <code>RollMid</code> loader as well as configuration data, which is located at the very end of the binary blob. These two other binaries and configuration data are additionally subject to compression and AES encryption, adding layers of security to the stored information.&nbsp;&nbsp;</p>
  4753.  
  4754.  
  4755.  
<p>As depicted, the first four bytes enclosed in the initial yellow box describe the size of the <code>RollMid</code> loader. This value is also needed for parsing, since it marks where the next section of the binary blob begins.</p>
  4757.  
  4758.  
  4759.  
<p>Located after the <code>RollMid</code> loader, there are two 4-byte values, distinguished by yellow and green colors. The former corresponds to the size of the <code>FIRST_ENCRYPTED_DLL</code> section, while the latter (green box) gives the size of the <code>SECOND_ENCRYPTED_DLL</code> section. Notably, the 4-byte value in the green box serves a dual purpose: besides describing a size, it also forms part of the 16-byte AES key used to decrypt the <code>FIRST_ENCRYPTED_DLL</code> section. With the sizes of both encrypted DLLs embedded in the binary blob known, the configuration data section placed at the end of the binary blob can be located.</p>
  4761.  
  4762.  
  4763. <div class="wp-block-image">
  4764. <figure class="aligncenter size-full is-resized"><img loading="lazy" decoding="async" width="483" height="422" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/BinaryBlob.drawio.png" alt="" class="wp-image-8356" style="width:483px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/BinaryBlob.drawio.png 483w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/BinaryBlob.drawio-300x262.png 300w" sizes="(max-width: 483px) 100vw, 483px" /><figcaption class="wp-element-caption">Figure 3: Structure of the Binary blob&nbsp;</figcaption></figure></div>
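<p>Added example, not code from the Avast write-up or from the malware itself: a layout-only parser for the binary blob as described above and in Figure 3, which carves the <code>RollMid</code> loader, the two encrypted DLL sections and the trailing configuration data using the embedded size fields. It assumes the size fields are 4-byte little-endian unsigned integers with no padding between sections, and deliberately stops short of decryption and decompression, since the write-up does not give the full key derivation, IV location or compression algorithm.</p>

```python
"""Layout-only carver for the Lazarus binary blob (Figure 3).

Added example; not the Avast analysts' tooling. Assumptions (not stated on
the page): every size field is a 4-byte little-endian unsigned integer and
the sections follow each other without padding. The two DLL sections are
returned still encrypted/compressed, because the write-up does not give
enough detail (key derivation, IV position, compression scheme) to do more.
"""
import struct
from dataclasses import dataclass


@dataclass
class BlobLayout:
    """The four sections of the blob plus the raw SECOND size field."""
    rollmid_loader: bytes
    first_encrypted_dll: bytes
    second_encrypted_dll: bytes
    configuration_data: bytes
    # The write-up says this 4-byte field also forms part of the AES key
    # for FIRST_ENCRYPTED_DLL, so keep its raw bytes for the analyst.
    second_size_field: bytes


def _u32(buf: bytes, off: int) -> int:
    """Read a 4-byte little-endian size field (endianness is an assumption)."""
    if off + 4 > len(buf):
        raise ValueError(f"truncated blob: need 4 bytes at offset {off}")
    return struct.unpack_from("<I", buf, off)[0]


def section_offsets(blob: bytes) -> dict:
    """Return {section: (offset, length)} for the blob without copying data.

    Layout (offsets relative to the start of the blob):
      [0:4]            N = size of RollMid loader
      [4:4+N]          RollMid loader
      [4+N:8+N]        A = size of FIRST_ENCRYPTED_DLL
      [8+N:12+N]       B = size of SECOND_ENCRYPTED_DLL (also part of AES key)
      [12+N:12+N+A]    FIRST_ENCRYPTED_DLL
      [12+N+A:..+B]    SECOND_ENCRYPTED_DLL
      [..:]            CONFIGURATION_DATA (everything that remains)
    Inconsistent size fields raise ValueError instead of silently mis-carving.
    """
    n = _u32(blob, 0)
    if 4 + n + 8 > len(blob):
        raise ValueError("RollMid size field exceeds blob length")
    a = _u32(blob, 4 + n)
    b = _u32(blob, 8 + n)
    start = 12 + n
    if start + a + b > len(blob):
        raise ValueError("DLL size fields exceed blob length")
    return {
        "rollmid_loader": (4, n),
        "first_encrypted_dll": (start, a),
        "second_encrypted_dll": (start + a, b),
        "configuration_data": (start + a + b, len(blob) - (start + a + b)),
    }


def parse_binary_blob(blob: bytes) -> BlobLayout:
    """Carve the blob into its sections according to section_offsets()."""
    offs = section_offsets(blob)

    def cut(name: str) -> bytes:
        off, length = offs[name]
        return blob[off:off + length]

    n = offs["rollmid_loader"][1]
    return BlobLayout(
        rollmid_loader=cut("rollmid_loader"),
        first_encrypted_dll=cut("first_encrypted_dll"),
        second_encrypted_dll=cut("second_encrypted_dll"),
        configuration_data=cut("configuration_data"),
        second_size_field=blob[8 + n:12 + n],
    )


def build_sample_blob(rollmid: bytes, first: bytes, second: bytes,
                      config: bytes) -> bytes:
    """Construct a synthetic blob with the described layout (test data only)."""
    return (struct.pack("<I", len(rollmid)) + rollmid
            + struct.pack("<II", len(first), len(second))
            + first + second + config)


if __name__ == "__main__":
    # Constructed sample, not a real capture: the real blob was not recovered.
    sample = build_sample_blob(b"MZ-rollmid", b"\x01" * 5, b"\x02" * 7, b"cfg")
    for name, (off, length) in section_offsets(sample).items():
        print(f"{name:22s} offset={off:4d} length={length:4d}")
```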
  4765.  
  4766.  
<p>The <code>RollMid</code> loader requires the <code>FIRST_DLL_BINARY</code> for proper communication with the C&amp;C server. However, before loading <code>FIRST_DLL_BINARY</code>, the <code>RollMid</code> loader must first decrypt the <code>FIRST_ENCRYPTED_DLL</code> section.</p>
  4768.  
  4769.  
  4770.  
  4771. <p>The decryption process applies the AES algorithm, beginning with the parsing of the decryption key alongside an initialization vector to use for AES decryption. Subsequently, a decompression algorithm is applied to further extract the decrypted content. Following this, the decrypted <code>FIRST_DLL_BINARY</code> is loaded into memory, and the <code>DllMain</code> function is invoked to initialize the networking library.&nbsp;</p>
  4772.  
  4773.  
  4774.  
  4775. <p>Unfortunately, as we were unable to obtain the binary blob, we didn’t get a chance to reverse engineer the <code>FIRST_DLL_BINARY</code>. This presents a limitation in our understanding, as the precise implementation details for the imported functions in the <code>RollMid</code> loader remain unknown. These imported functions include the following:&nbsp;</p>
  4776.  
  4777.  
  4778.  
<ul class="wp-block-list">
<li><code>SendDataFromUrl</code></li>
<li><code>GetImageFromUrl</code></li>
<li><code>GetHtmlFromUrl</code></li>
<li><code>curl_global_cleanup</code></li>
<li><code>curl_global_init</code></li>
</ul>
  4798.  
  4799.  
  4800.  
  4801. <p>After reviewing the exported functions by their names, it becomes apparent that these functions are likely tasked with facilitating communication with the C&amp;C server. <code>FIRST_DLL_BINARY</code> also exports other functions beyond these five, some of which will be mentioned later in this blog.&nbsp;&nbsp;</p>
  4802.  
  4803.  
  4804.  
  4805. <p>The names of these five imported functions imply that <code>FIRST_DLL_BINARY</code> is built upon the <a href="https://curl.se/libcurl/">curl library</a> (as can be seen by the names <code>curl_global_cleanup</code> and <code>curl_global_init</code>). In order to establish communication with the C&amp;C servers, the <code>RollMid</code> loader employs the imported functions, utilizing HTTP requests as its preferred method of communication.&nbsp;</p>
  4806.  
  4807.  
  4808.  
  4809. <p>The rationale behind opting for the curl library for sending HTTP requests may stem from various factors. One notable reason could be the efficiency gained by the attacker, who can save time and resources by leveraging the HTTP communication protocol. Additionally, the ease of use and seamless integration of the curl library into the code further support its selection.&nbsp;</p>
  4810.  
  4811.  
  4812.  
<p>Prior to initiating communication with the C&amp;C server, the malware is required to generate a dictionary filled with random words, as illustrated in Figure 4 below. Given the extensive size of the dictionary (on the order of hundreds of elements), we have included only a partial screenshot for reference purposes. The subsequent sections of this blog will delve into the role and application of this dictionary in the overall functionality of the malware.</p>
  4814.  
  4815.  
  4816. <div class="wp-block-image">
  4817. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="545" height="1024" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/FillDictonary-1-545x1024.png" alt="" class="wp-image-8358" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/FillDictonary-1-545x1024.png 545w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/FillDictonary-1-160x300.png 160w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/FillDictonary-1.png 562w" sizes="(max-width: 545px) 100vw, 545px" /><figcaption class="wp-element-caption">Figure 4: Filling the main dictionary&nbsp;</figcaption></figure></div>
  4818.  
  4819.  
  4820. <p>To establish communication with the C&amp;C server, as illustrated in Figure 5, the malware must obtain the initial C&amp;C addresses from the <code>CONFIGURATION_DATA</code> section. Upon decrypting these addresses, the malware initiates communication with the first layer of the C&amp;C server through the <code>GetHtmlFromUrl</code> function, presumably using an HTTP GET request. The server responds with an HTML file containing the address of the second C&amp;C server layer. Subsequently, the malware engages in communication with the second layer, employing the imported <code>GetImageFromUrl</code> function. The function name implies this performs a GET request to retrieve an image.&nbsp;</p>
  4821.  
  4822.  
  4823.  
  4824. <p>In this scenario, the attackers employ steganography to conceal crucial data for use in the next execution phase. Regrettably, we were unable to ascertain the nature of the important data concealed within the image received from the second layer of the C&amp;C server.&nbsp;</p>
  4825.  
  4826.  
  4827. <div class="wp-block-image">
<figure class="aligncenter size-full is-resized"><img loading="lazy" decoding="async" width="521" height="374" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/CC_communication.drawio.png" alt="" class="wp-image-8359" style="width:649px;height:auto" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/CC_communication.drawio.png 521w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/04/CC_communication.drawio-300x215.png 300w" sizes="(max-width: 521px) 100vw, 521px" /><figcaption class="wp-element-caption">Figure 5: Communication with C&amp;C servers</figcaption></figure></div>
  4829.  
  4830.  
<p>We are aware that the concealed data within the image serves as a parameter for a function responsible for transmitting data to the third C&amp;C server. Through our analysis, we have determined that the acquired data from the image corresponds to another address of the third C&amp;C server. Communication with the third C&amp;C server is initiated with a POST request.</p>
  4832.  
  4833.  
  4834.  
  4835. <p>Malware authors strategically employ multiple C&amp;C servers as part of their operational tactics to achieve specific objectives. In this case, the primary goal is to obtain an additional data blob from the third C&amp;C server, as depicted in Figure 5, specifically in step 7. Furthermore, the use of different C&amp;C servers and diverse communication pathways adds an additional layer of complexity for security tools attempting to monitor such activities. This complexity makes tracking and identifying malicious activities more challenging, as compared to scenarios where a single C&amp;C server is employed.</p>
  4836.  
  4837.  
  4838.  
  4839. <p>The malware then constructs a URL, by creating the query string with GET parameters (name/value pairs). The parameter name consists of a randomly selected word from the previously created dictionary and the value is generated as a random string of two characters. The format is as follows:&nbsp;</p>
  4840.  
  4841.  
  4842.  
<p><code>"%addressOfThirdC&amp;C%?%RandomWordFromDictonary%=%RandomString%"</code></p>
  4844.  
  4845.  
  4846.  
<p>The URL generation involves the selection of words from a generated dictionary, as opposed to entirely random strings. This deliberate choice aims to enhance the appearance and legitimacy of the URL. The words, drawn from the dictionary, contribute to the appearance of a clean and organized URL, resembling those commonly associated with authentic applications. Terms such as <code>"atype"</code>, <code>"User"</code> or <code>"type"</code> are not arbitrary but rather words chosen from the created dictionary. By utilizing real words, the intention is to create a semblance of authenticity, making the HTTP <code>POST</code> payload appear more structured and in line with typical application interactions.</p>
  4848.  
  4849.  
  4850.  
<p>Before dispatching the <code>POST</code> request to the third layer of the C&amp;C server, the request is populated with additional key-value tuples, using the standard delimiters &#8220;?&#8221; and &#8220;=&#8221; between key and value. In this scenario, it includes:</p>
  4852.  
  4853.  
  4854.  
<p><code>%RandomWordFromDictonary%=%sleep_state_in_minutes%?%size_of_configuration_data%</code></p>
  4856.  
  4857.  
  4858.  
<p>The data received from the third C&amp;C server is parsed. The parsed data may contain either an integer describing a sleep interval, or a data blob. This data blob is base64-encoded. After decoding the data blob, its first 4 bytes indicate the size of the first part of the data blob, and the remainder represents the second part of the data blob.</p>
  4860.  
  4861.  
  4862.  
<p>The first part of the data blob is appended as an overlay to the <code>SECOND_ENCRYPTED_DLL</code> obtained from the binary blob. After successfully decrypting and decompressing <code>SECOND_ENCRYPTED_DLL</code>, which is a Remote Access Trojan (RAT) component, the resulting binary is prepared to be loaded into memory and executed with specific parameters.</p>
  4864.  
  4865.  
  4866.  
  4867. <p>The underlying motivation behind this maneuver remains shrouded in uncertainty. It appears that the attacker, by choosing this method, sought to inject a degree of sophistication or complexity into the process. However, from our perspective, this approach seems to border on overkill. We believe that a simpler method could have sufficed for passing the data blob to the <code>Kaolin</code> RAT.&nbsp;&nbsp;</p>
  4868.  
  4869.  
  4870.  
  4871. <p>The second part of the data blob, once decrypted and decompressed, is handed over to the <code>Kaolin</code> RAT component, while the <code>Kaolin</code> RAT is executed in memory. Notably, the decryption key and initialization vector for decrypting the second part of the data blob reside within its initial 32 bytes.&nbsp;&nbsp;</p>
  4872.  
  4873.  
  4874.  
  4875. <h2 class="wp-block-heading">Kaolin RAT</h2>
  4876.  
  4877.  
  4878.  
  4879. <p>A pivotal phase in orchestrating the attack involves the utilization of a Remote Access Trojan (RAT). As mentioned earlier, this <code>Kaolin</code> RAT is executed in memory and configured with specific parameters for proper functionality. It stands as a fully equipped tool, including file compression capabilities. &nbsp;</p>
  4880.  
  4881.  
  4882.  
  4883. <p>However, in our investigation, the <code>Kaolin</code> RAT does not mark the conclusion of the attack. In the previous blog post, we already introduced another significant component – the <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/" target="_blank" rel="noreferrer noopener">FudModule</a> rootkit. Thanks to our robust telemetry, we can confidently assert that this rootkit was loaded by the aforementioned <code>Kaolin</code> RAT, showcasing its capabilities to seamlessly integrate and deploy <code>FudModule</code>. This layered progression underscores the complexity and sophistication of the overall attack strategy.&nbsp;</p>
  4884.  
  4885.  
  4886.  
  4887. <p>One of the important steps is establishing secure communication with the RAT’s C&amp;C server, encrypted using the AES encryption algorithm. Despite the unavailability of the binary containing the communication functionalities (the RAT also relies on functions imported from <code>FIRST_DLL_BINARY</code> for networking), our understanding is informed by other components in the attack chain, allowing us to make certain assumptions about the communication method.&nbsp;</p>
  4888.  
  4889.  
  4890.  
  4891. <p>The <code>Kaolin</code> RAT is loaded with six arguments, among which a key one is the base address of the network module DLL binary, previously also used in the <code>RollMid</code> loader. Another argument includes the configuration data from the second part of the received data blob.&nbsp;</p>
  4892.  
  4893.  
  4894.  
  4895. <p>For proper execution, the <code>Kaolin</code>&nbsp;RAT needs to parse this configuration data, which includes parameters such as:&nbsp;</p>
  4896.  
  4897.  
  4898.  
  4899. <ul class="wp-block-list">
  4900. <li>Duration of the sleep interval.&nbsp;</li>
  4901.  
  4902.  
  4903.  
  4904. <li>A flag indicating whether to collect information about available disk drives.&nbsp;</li>
  4905.  
  4906.  
  4907.  
  4908. <li>A flag indicating whether to retrieve a list of active sessions on the remote desktop.&nbsp;</li>
  4909.  
  4910.  
  4911.  
  4912. <li>Addresses of additional C&amp;C servers.&nbsp;</li>
  4913. </ul>
  4914.  
  4915.  
  4916.  
  4917. <p>In addition, the <code>Kaolin</code> RAT must load specific functions from <code>FIRST_DLL_BINARY</code>, namely:&nbsp;</p>
  4918.  
  4919.  
  4920.  
<ul class="wp-block-list">
<li><code>SendDataFromURL</code></li>
<li><code>ZipFolder</code></li>
<li><code>UnzipStr</code></li>
<li><code>curl_global_cleanup</code></li>
<li><code>curl_global_init</code></li>
</ul>
  4940.  
  4941.  
  4942.  
<p>Although the exact method by which the <code>Kaolin</code> RAT sends gathered information to the C&amp;C server is not precisely known, the presence of exported functions like <code>"curl_global_cleanup"</code> and <code>"curl_global_init"</code> suggests that the sending process again involves API calls from the curl library.</p>
  4944.  
  4945.  
  4946.  
  4947. <p>For establishing communication, the <code>Kaolin</code> RAT begins by sending a <code>POST</code> request to the C&amp;C server. In this first <code>POST</code> request, the malware constructs a URL containing the address of the C&amp;C server. This URL generation algorithm is very similar to the one used in the <code>RollMid</code> loader. To the C&amp;C address, the <code>Kaolin</code> RAT appends a randomly chosen word from the previously created dictionary (the same one as in the <code>RollMid</code> loader) along with a randomly generated string. The format of the URL is as follows:&nbsp;</p>
  4948.  
  4949.  
  4950.  
<p><code>"%addressOfC&amp;Cserver%?%RandomWordFromDictonary%=%RandomString%"</code></p>
  4952.  
  4953.  
  4954.  
  4955. <p>The malware further populates the content of the <code>POST</code> request, utilizing the default <code>"application/x-www-form-urlencoded"</code> content type. The content of the <code>POST</code> request is subject to AES encryption and subsequently encoded with base64.&nbsp;</p>
  4956.  
  4957.  
  4958.  
<p>Within the encrypted content, which is appended to the key-value tuples (see the form below), the following data is included (<code>EncryptedContent</code>):</p>
  4960.  
  4961.  
  4962.  
  4963. <ul class="wp-block-list">
  4964. <li>Installation path of the <code>RollFling</code> loader and path to the binary blob&nbsp;</li>
  4965.  
  4966.  
  4967.  
<li>Data from the registry key <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Iconservice</code></li>
  4969.  
  4970.  
  4971.  
  4972. <li><code>Kaolin</code> RAT process ID&nbsp;</li>
  4973.  
  4974.  
  4975.  
  4976. <li>Product name and build number of the operating system.&nbsp;</li>
  4977.  
  4978.  
  4979.  
  4980. <li>Addresses of C&amp;C servers.&nbsp;</li>
  4981.  
  4982.  
  4983.  
  4984. <li>Computer name&nbsp;</li>
  4985.  
  4986.  
  4987.  
  4988. <li>Current directory&nbsp;</li>
  4989. </ul>
  4990.  
  4991.  
  4992.  
  4993. <p>In the <code>POST</code> request with the encrypted content, the malware appends information about the generated key and initialization vector necessary for decrypting data on the backend. This is achieved by creating key-value tuples, separated by &#8220;&amp;&#8221; and &#8220;=&#8221; between the key and value. In this case, it takes the following form:&nbsp;</p>
  4994.  
  4995.  
  4996.  
<p><code>%RandomWordFromDictonary%=%TEMP_DATA%&amp;%RandomWordFromDictonary%=%IV%%KEY%&amp;%RandomWordFromDictonary%=%EncryptedContent%&amp;%RandomWordFromDictonary%=%EncryptedHostNameAndIPAddr%</code></p>
  4998.  
  4999.  
  5000.  
  5001. <p>Upon successfully establishing communication with the C&amp;C server, the <code>Kaolin</code> RAT becomes prepared to receive commands. The received data is encrypted with the aforementioned generated key and initialization vector and requires decryption and parsing to execute a specific command within the RAT.&nbsp;</p>
  5002.  
  5003.  
  5004.  
<p>When the command has been processed, the <code>Kaolin</code> RAT relays the results back to the C&amp;C server, encrypted with the same AES key and IV. This encrypted message may include an error message, collected information, and the outcome of the executed function.</p>
  5006.  
  5007.  
  5008.  
  5009. <p>The <code>Kaolin</code> RAT has the capability to execute a variety of commands, including:&nbsp;</p>
  5010.  
  5011.  
  5012.  
  5013. <ul class="wp-block-list">
  5014. <li>Updating the duration of the sleep interval.&nbsp;</li>
  5015.  
  5016.  
  5017.  
  5018. <li>Listing files in a folder and gathering information about available disks.&nbsp;</li>
  5019.  
  5020.  
  5021.  
  5022. <li>Updating, modifying, or deleting files.&nbsp;</li>
  5023.  
  5024.  
  5025.  
  5026. <li>Changing a file’s last write timestamp.&nbsp;</li>
  5027.  
  5028.  
  5029.  
  5030. <li>Listing currently active processes and their associated modules.&nbsp;</li>
  5031.  
  5032.  
  5033.  
  5034. <li>Creating or terminating processes.&nbsp;</li>
  5035.  
  5036.  
  5037.  
  5038. <li>Executing commands using the command line.&nbsp;</li>
  5039.  
  5040.  
  5041.  
  5042. <li>Updating or retrieving the internal configuration.&nbsp;</li>
  5043.  
  5044.  
  5045.  
  5046. <li>Uploading a file to the C&amp;C server.&nbsp;</li>
  5047.  
  5048.  
  5049.  
<li>Connecting to an arbitrary host.</li>
  5051.  
  5052.  
  5053.  
  5054. <li>Compressing files.&nbsp;</li>
  5055.  
  5056.  
  5057.  
<li>Downloading a DLL file from the C&amp;C server and loading it in memory, potentially executing one of the following exported functions:
<ul class="wp-block-list">
<li><code>_DoMyFunc</code></li>
<li><code>_DoMyFunc2</code></li>
<li><code>_DoMyThread</code> (executes a thread)</li>
<li><code>_DoMyCommandWork</code></li>
</ul>
</li>
  5075.  
  5076.  
  5077.  
  5078. <li>Setting the current directory.</li>
  5079. </ul>
  5080.  
  5081.  
  5082.  
  5083. <h2 class="wp-block-heading">Conclusion</h2>
  5084.  
  5085.  
  5086.  
  5087. <p>Our investigation has revealed that the Lazarus group targeted individuals through fabricated job offers and employed a sophisticated toolset to achieve better persistence while bypassing security products. Thanks to our robust telemetry, we were able to uncover almost the entire attack chain, thoroughly analyzing each stage. The Lazarus group&#8217;s level of technical sophistication was surprising and their approach to engaging with victims was equally troubling.&nbsp;It is evident that they invested significant resources in developing such a complex attack chain. What is certain is that Lazarus had to innovate continuously and allocate enormous resources to research various aspects of Windows mitigations and security products. Their ability to adapt and evolve poses a significant challenge to cybersecurity efforts.&nbsp;</p>
  5088.  
  5089.  
  5090.  
  5091. <h2 class="wp-block-heading">Indicators of Compromise (IoCs)&nbsp;</h2>
  5092.  
  5093.  
  5094.  
  5095. <p>ISO<br>b8a4c1792ce2ec15611932437a4a1a7e43b7c3783870afebf6eae043bcfade30 </p>
  5096.  
  5097.  
  5098.  
  5099. <p>RollFling<br>a3fe80540363ee2f1216ec3d01209d7c517f6e749004c91901494fb94852332b </p>
  5100.  
  5101.  
  5102.  
  5103. <p>NLS files<br>01ca7070bbe4bfa6254886f8599d6ce9537bafcbab6663f1f41bfc43f2ee370e<br>7248d66dea78a73b9b80b528d7e9f53bae7a77bad974ededeeb16c33b14b9c56 </p>
  5104.  
  5105.  
  5106.  
  5107. <p>RollSling<br>e68ff1087c45a1711c3037dad427733ccb1211634d070b03cb3a3c7e836d210f<br>f47f78b5eef672e8e1bd0f26fb4aa699dec113d6225e2fcbd57129d6dada7def </p>
  5108.  
  5109.  
  5110.  
  5111. <p>RollMid<br>9a4bc647c09775ed633c134643d18a0be8f37c21afa3c0f8adf41e038695643e </p>
  5112.  
  5113.  
  5114.  
  5115. <p>Kaolin RAT<br>a75399f9492a8d2683d4406fa3e1320e84010b3affdff0b8f2444ac33ce3e690 </p>
  5116. <p>The post <a href="https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/">From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  5117. ]]></content:encoded>
  5118. </item>
  5119. <item>
  5120. <title>Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day</title>
  5121. <link>https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day</link>
  5122. <dc:creator><![CDATA[Jan Vojtěšek]]></dc:creator>
  5123. <pubDate>Wed, 28 Feb 2024 13:14:50 +0000</pubDate>
  5124. <category><![CDATA[PC]]></category>
  5125. <category><![CDATA[BYOVD]]></category>
  5126. <category><![CDATA[CVE-2024-21338]]></category>
  5127. <category><![CDATA[exploit]]></category>
  5128. <category><![CDATA[FudModule]]></category>
  5129. <category><![CDATA[kernel]]></category>
  5130. <category><![CDATA[Lazarus]]></category>
  5131. <category><![CDATA[rootkit]]></category>
  5132. <category><![CDATA[zero-day]]></category>
  5133. <guid isPermaLink="false">https://decoded.avast.io/?p=8182</guid>
  5134.  
  5135. <description><![CDATA[<p>The Lazarus Group is back with an upgraded variant of their FudModule rootkit, this time enabled by a zero-day admin-to-kernel vulnerability for CVE-2024-21338. Read this blog for a detailed analysis of this rootkit variant and learn more about several new techniques, including a handle table entry manipulation technique that directly targets Microsoft Defender, CrowdStrike Falcon, and HitmanPro.</p>
  5136. <p>The post <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/">Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  5137. ]]></description>
  5138. <content:encoded><![CDATA[
  5139. <h2 class="wp-block-heading">Key Points</h2>
  5140.  
  5141.  
  5142.  
  5143. <ul class="wp-block-list">
  5144. <li>Avast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver.&nbsp;</li>
  5145.  
  5146.  
  5147.  
  5148. <li>Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338" target="_blank" rel="noreferrer noopener">CVE-2024-21338</a> in the February Patch Tuesday update.&nbsp;</li>
  5149.  
  5150.  
  5151.  
  5152. <li>The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive.&nbsp;</li>
  5153.  
  5154.  
  5155.  
  5156. <li>This primitive enabled Lazarus to perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit, a previous version of which was analyzed by <a href="https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf" target="_blank" rel="noreferrer noopener">ESET</a> and <a href="https://download.ahnlab.com/global/brochure/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD.pdf" target="_blank" rel="noreferrer noopener">AhnLab</a>.&nbsp;</li>
  5157.  
  5158.  
  5159.  
  5160. <li>After completely reverse engineering this updated rootkit variant, Avast identified substantial advancements in terms of both functionality and stealth, with four new – and three updated – rootkit techniques.&nbsp;</li>
  5161.  
  5162.  
  5163.  
  5164. <li>In a key advancement, the rootkit now employs a new handle table entry manipulation technique in an attempt to suspend PPL (Protected Process Light) protected processes associated with Microsoft Defender, CrowdStrike Falcon, and HitmanPro.&nbsp;</li>
  5165.  
  5166.  
  5167.  
  5168. <li>Another significant step up is exploiting the zero-day vulnerability, where Lazarus previously utilized much noisier BYOVD (Bring Your Own Vulnerable Driver) techniques to cross the admin-to-kernel boundary.&nbsp;</li>
  5169.  
  5170.  
  5171.  
  5172. <li>Avast’s investigation also recovered large parts of the infection chain leading up to the deployment of the rootkit, resulting in the discovery of a new RAT (Remote Access Trojan) attributed to Lazarus.&nbsp;</li>
  5173.  
  5174.  
  5175.  
  5176. <li>Technical details concerning the RAT and the initial infection vector will be published in a follow-up blog post, scheduled for release along with our <a href="https://www.blackhat.com/asia-24/briefings/schedule/#from-byovd-to-a--day-unveiling-advanced-exploits-in-cyber-recruiting-scams-37786" target="_blank" rel="noreferrer noopener">Black Hat Asia 2024 briefing</a>.&nbsp;</li>
  5177. </ul>
  5178.  
  5179.  
  5180.  
  5181. <h2 class="wp-block-heading">Introduction&nbsp;</h2>
  5182.  
  5183.  
  5184.  
  5185. <p>When it comes to Windows security, there is a thin line between admin and kernel. Microsoft’s <a href="https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria" target="_blank" rel="noreferrer noopener">security servicing criteria</a> have long asserted that “[a]dministrator-to-kernel is not a security boundary”, meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel. This isn’t just a theoretical concern. In practice, attackers with admin privileges <a href="https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/#:~:text=Known%20usage%20in%20the%20wild" target="_blank" rel="noreferrer noopener">frequently</a> achieve kernel-level access by exploiting known vulnerable drivers, in a technique called <a href="https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/" target="_blank" rel="noreferrer noopener">BYOVD</a> (Bring Your Own Vulnerable Driver).&nbsp;</p>
  5186.  
  5187.  
  5188.  
  5189. <p>Microsoft hasn’t given up on securing the admin-to-kernel boundary though. Quite the opposite, it has made a great deal of progress in making this boundary harder to cross. Defense-in-depth protections, such as <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/install/driver-signing" target="_blank" rel="noreferrer noopener">DSE</a> (Driver Signature Enforcement) or <a href="https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-hvci-enablement" target="_blank" rel="noreferrer noopener">HVCI</a> (Hypervisor-Protected Code Integrity), have made it increasingly difficult for attackers to execute custom code in the kernel, forcing most to resort to data-only attacks (where they achieve their malicious objectives solely by reading and writing kernel memory). Other defenses, such as <a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules" target="_blank" rel="noreferrer noopener">driver blocklisting,</a> are pushing attackers to move to exploiting less-known vulnerable drivers, resulting in an increase in attack complexity. Although these defenses haven’t yet reached the point where we can officially call admin-to-kernel a security boundary (BYOVD attacks are still feasible, so calling it one would just mislead users into a false sense of security), they clearly represent steps in the right direction.&nbsp;</p>
  5190.  
  5191.  
  5192.  
  5193. <p>From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of <a href="https://github.com/wavestone-cdt/EDRSandblast" target="_blank" rel="noreferrer noopener">possibilities</a>. With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes, etc.), disable kernel-mode telemetry, turn off mitigations, and more. Additionally, as the security of <a href="https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-" target="_blank" rel="noreferrer noopener">PPL</a> (Protected Process Light) relies on the admin-to-kernel boundary, our hypothetical attacker also gains the ability to tamper with protected processes or add protection to an arbitrary process. This can be especially powerful if lsass is <a href="https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection" target="_blank" rel="noreferrer noopener">protected with RunAsPPL</a> as bypassing PPL could enable the attacker to dump otherwise unreachable credentials.&nbsp;&nbsp;</p>
  5194.  
  5195.  
  5196.  
  5197. <p>For more specific examples of what an attacker might want to achieve with kernel-level access, keep reading this blog – in the <a href="#techniques">latter half</a>, we will dive into all the techniques implemented in the FudModule rootkit.&nbsp;</p>
  5198.  
  5199.  
  5200.  
  5201. <h5 class="wp-block-heading">Living Off the Land: Vulnerable Drivers Edition&nbsp;</h5>
  5202.  
  5203.  
  5204.  
  5205. <p>With a seemingly growing number of attackers seeking to abuse some of the previously mentioned kernel capabilities, defenders have no choice but to hunt heavily for driver exploits. Consequently, attackers wishing to target well-defended networks must also step up their game if they wish to avoid detection. We can broadly break down admin-to-kernel driver exploits into three categories, each representing a trade-off between attack difficulty and stealth.&nbsp;</p>
  5206.  
  5207.  
  5208.  
  5209. <h6 class="wp-block-heading"><strong>N-Day BYOVD Exploits</strong>&nbsp;</h6>
  5210.  
  5211.  
  5212.  
  5213. <p>In the simplest case, an attacker can leverage BYOVD to exploit a publicly known n-day vulnerability. This is very easy to pull off, as there are plenty of public proof-of-concept exploits for various vulnerabilities. However, it’s also relatively straightforward to detect since the attacker must first drop a known vulnerable driver to the file system and then load it into the kernel, resulting in two great detection opportunities. What’s more, some systems may have Microsoft’s <a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist" target="_blank" rel="noreferrer noopener">vulnerable driver blocklist</a> enabled, which would block some of the most common vulnerable drivers from loading. <a href="https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf" target="_blank" rel="noreferrer noopener">Previous</a> <a href="https://download.ahnlab.com/global/brochure/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD.pdf" target="_blank" rel="noreferrer noopener">versions</a> of the FudModule rootkit could be placed in this category, initially exploiting a known vulnerability in <a href="https://www.virustotal.com/gui/file/0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5/detection" target="_blank" rel="noreferrer noopener">dbutil_2_3.sys</a> and then moving on to targeting <a href="https://www.virustotal.com/gui/file/175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347" target="_blank" rel="noreferrer noopener">ene.sys</a> in later versions.&nbsp;</p>
  5214.  
  5215.  
  5216.  
  5217. <h6 class="wp-block-heading"><strong>Zero-Day BYOVD Exploits</strong>&nbsp;</h6>
  5218.  
  5219.  
  5220.  
  5221. <p>In more sophisticated scenarios, an attacker would use BYOVD to exploit a zero-day vulnerability within a signed third-party driver. Naturally, this requires the attacker to first discover such a zero-day vulnerability, which might initially seem like a daunting task. However, note that any exploitable vulnerability in any signed driver will do, and there is unfortunately no shortage of low-quality third-party drivers. Therefore, the difficulty level of discovering such a vulnerability might not be as high as it would initially seem. It might suffice to scan a collection of drivers for known vulnerability patterns, as demonstrated by Carbon Black researchers who recently used bulk static analysis to <a href="https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html" target="_blank" rel="noreferrer noopener">uncover</a> 34 unique vulnerabilities across more than 200 signed drivers. Such zero-day BYOVD attacks are notably stealthier than n-day attacks since defenders can no longer rely on hashes of known vulnerable drivers for detection. However, some detection opportunities still remain, as loading a random driver represents a suspicious event that might warrant deeper investigation. For an example of an attack belonging to this category, consider the spyware vendor Candiru, which we <a href="https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/" target="_blank" rel="noreferrer noopener">caught</a> exploiting a zero-day vulnerability in <a href="https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" target="_blank" rel="noreferrer noopener">hw.sys</a> for the final privilege escalation stage of their browser exploit chain.&nbsp;</p>
  5222.  
  5223.  
  5224.  
  5225. <h6 class="wp-block-heading"><strong>Beyond BYOVD</strong>&nbsp;</h6>
  5226.  
  5227.  
  5228.  
  5229. <p>Finally, the holy grail of admin-to-kernel is going beyond BYOVD by exploiting a zero-day in a driver that’s known to be already installed on the target machine. To make the attack as universal as possible, the most obvious target here would be a built-in Windows driver that’s already a part of the operating system.&nbsp;&nbsp;</p>
  5230.  
  5231.  
  5232.  
  5233. <p>Discovering an exploitable vulnerability in such a driver is significantly more challenging than in the previous BYOVD scenarios for two reasons. First, the number of possible target drivers is vastly smaller, resulting in a much-reduced attack surface. Second, the code quality of built-in drivers is arguably higher than that of random third-party drivers, making vulnerabilities much more difficult to find. It’s also worth noting that &#8211; while patching tends to be ineffective at stopping BYOVD attacks (even if a vendor patches their driver, the attacker can still abuse the older, unpatched version of the driver) &#8211; patching a built-in driver will make the vulnerability no longer usable for this kind of zero-day attack.&nbsp;</p>
  5234.  
  5235.  
  5236.  
  5237. <p>If an attacker, despite all of these hurdles, manages to exploit a zero-day vulnerability in a built-in driver, they will be rewarded with a level of stealth that cannot be matched by standard BYOVD exploitation. By exploiting such a vulnerability, the attacker is in a sense <a href="https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/" target="_blank" rel="noreferrer noopener">living off the land</a> with no need to bring, drop, or load any custom drivers, making it possible for a kernel attack to be truly fileless. This not only evades most detection mechanisms but also enables the attack on systems where driver allowlisting is in place (which might seem a bit ironic, given that CVE-2024-21338 concerns an AppLocker driver).&nbsp;&nbsp;</p>
  5238.  
  5239.  
  5240.  
  5241. <p>While we can only speculate on Lazarus’ motivation for choosing this third approach for crossing the admin-to-kernel boundary, we believe that stealth was their primary motivation. Given their level of notoriety, they would have to swap vulnerabilities any time someone burned their currently used BYOVD technique. Perhaps they also reasoned that, by going beyond BYOVD, they could minimize the need for swapping by staying undetected for longer.&nbsp;</p>
  5242.  
  5243.  
  5244.  
  5245. <h2 class="wp-block-heading">CVE-2024-21338&nbsp;</h2>
  5246.  
  5247.  
  5248.  
  5249. <p>As far as zero-days go, CVE-2024-21338 is relatively straightforward to both understand and exploit. The vulnerability resides within the IOCTL (Input and Output Control) dispatcher in <code>appid.sys</code>, which is the central driver behind <a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview" target="_blank" rel="noreferrer noopener">AppLocker</a>, the application whitelisting <a href="https://www.tiraniddo.dev/2019/11/the-internals-of-applocker-part-1.html" target="_blank" rel="noreferrer noopener">technology</a> built into Windows. The vulnerable control code <code>0x22A018</code> is designed to compute a <em>smart hash</em> of an executable image file. This IOCTL offers some flexibility by allowing the caller to specify how the driver should query and read the hashed file. The problem is, this flexibility is achieved by expecting two kernel function pointers referenced from the IOCTL’s input buffer: one containing a callback pointer to query the hashed file’s size and the other a callback pointer to read the data to be hashed.&nbsp;&nbsp;</p>
  5250.  
  5251.  
  5252.  
  5253. <p>Since user mode would typically not be handling kernel function pointers, this design suggests the IOCTL may have been initially designed to be invoked from the kernel. Indeed, while we did not find any legitimate user-mode callers, the IOCTL does get invoked by other AppLocker drivers. For instance, there is a <code>ZwDeviceIoControlFile</code> call in <code>applockerfltr.sys</code>, passing <code>SmpQueryFile</code> and <code>SmpReadFile</code> for the callback pointers. Aside from that, <code>appid.sys</code> itself also uses this functionality, passing <code>AipQueryFileHandle</code> and <code>AipReadFileHandle</code> (which are basically just wrappers over <code>ZwQueryInformationFile</code> and <code>ZwReadFile</code>, respectively).&nbsp;</p>
  5254.  
  5255.  
  5256.  
  5257. <p>Despite this design, the vulnerable IOCTL remained accessible from user space, meaning that a user-space attacker could abuse it to essentially trick the kernel into calling an arbitrary pointer. What’s more, the attacker also partially controlled the data referenced by the first argument passed to the invoked callback function. This presented an ideal exploitation scenario, allowing the attacker to call an arbitrary kernel function with a high degree of control over the first argument.&nbsp;</p>
  5258.  
  5259.  
  5260. <div class="wp-block-image">
  5261. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="390" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vuln_triggered-1024x390.png" alt="" class="wp-image-8197" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vuln_triggered-1024x390.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vuln_triggered-300x114.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vuln_triggered-768x292.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vuln_triggered.png 1172w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">A WinDbg session with the triggered vulnerability, traced to the arbitrary callback invocation. Note that the attacker controls both the function pointer to be called (<code>0xdeadbeefdeadbeef</code> in this session) and the data pointed to by the first argument (<code>0xbaadf00dbaadf00d</code>).&nbsp;</figcaption></figure></div>
  5262.  
  5263.  
  5264. <p>If exploitation sounds trivial, note that there are some constraints on what pointers this vulnerability allows an attacker to call. Of course, in the presence of <a href="https://j00ru.vexillium.org/2011/06/smep-what-is-it-and-how-to-beat-it-on-windows/" target="_blank" rel="noreferrer noopener">SMEP</a> (Supervisor Mode Execution Prevention), the attacker cannot just supply a user-mode shellcode pointer. What’s more, the callback invocation is an indirect call that may be safeguarded by <a href="https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard" target="_blank" rel="noreferrer noopener">kCFG</a> (Kernel Control Flow Guard), requiring that the supplied kernel pointers represent valid kCFG call targets. In practice, this does not prevent exploitation, as the attacker can just find some kCFG-compliant gadget function that would turn this into another primitive, such as a (limited) read/write. There are also a few other constraints on the IOCTL input buffer that must be solved in order to reach the vulnerable callback invocation. However, these too are relatively straightforward to satisfy, as the attacker only needs to fake some kernel objects and supply the right values so that the IOCTL handler passes all the necessary checks while at the same time not crashing the kernel.&nbsp;</p>
  5265.  
  5266.  
  5267.  
  5268. <p>The vulnerable IOCTL is exposed through a device object named <code>\Device\AppId</code>. <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/defining-i-o-control-codes" target="_blank" rel="noreferrer noopener">Breaking down</a> the <code>0x22A018</code> control code and extracting the <code>RequiredAccess</code> field reveals that a handle with write access is required to call it. Inspecting the device’s ACL (Access Control List; see the screenshot below), there are entries for <code>local service</code>, <code>administrators</code>, and <code>appidsvc</code>. While the entry for <code>administrators</code> does not grant write access, the entry for <code>local service</code> does. Therefore, to describe CVE-2024-21338 more accurately, we should label it <em>local service-to-kernel</em> rather than <em>admin-to-kernel</em>. It’s also noteworthy that <code>appid.sys</code> might create two additional device objects, namely <code>\Device\AppidEDPPlugin</code> and <code>\Device\SrpDevice</code>. Although these come with more permissive ACLs, the vulnerable IOCTL handler is unreachable through them, rendering them irrelevant for exploitation purposes.&nbsp;</p>
  5269.  
  5270.  
  5271. <div class="wp-block-image">
  5272. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1019" height="476" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/appid_device_acl.png" alt="" class="wp-image-8198" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/appid_device_acl.png 1019w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/appid_device_acl-300x140.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/appid_device_acl-768x359.png 768w" sizes="(max-width: 1019px) 100vw, 1019px" /><figcaption class="wp-element-caption">Access control entries of <code>\Device\AppId</code>, revealing that while <code>local service</code> is allowed write access, <code>administrators</code> are not.&nbsp;</figcaption></figure></div>
  5273.  
  5274.  
  5275. <p>As the <a href="https://learn.microsoft.com/en-us/windows/win32/services/localservice-account" target="_blank" rel="noreferrer noopener">local service</a> account has reduced privileges compared to administrators, this also gives the vulnerability a somewhat higher impact than standard admin-to-kernel. This might be the reason Microsoft characterized the CVE as <code>Privileges Required: Low</code>, taking into account that <code>local service</code> processes do not always necessarily have to run at higher integrity levels. However, for the purposes of this blog, we still chose to refer to CVE-2024-21338 mainly as an admin-to-kernel vulnerability because we find it better reflects how it was used in the wild – Lazarus was already running with elevated privileges and then impersonated the local service account just prior to calling the IOCTL.&nbsp;</p>
  5276.  
  5277.  
  5278.  
  5279. <p>The vulnerability was introduced in Win10 1703 (RS2/15063) when the <code>0x22A018</code> IOCTL handler was first implemented. Older builds are not affected as they lack support for the vulnerable IOCTL. Interestingly, the Lazarus exploit bails out if it encounters a build older than Win10 1809 (RS5/17763), completely disregarding three perfectly vulnerable Windows versions. As for the later versions, the vulnerability extended all the way up to the most recent builds, including Win11 23H2. There have been some slight changes to the IOCTL, including an extra argument expected in the input buffer, but nothing that would prevent exploitation.&nbsp;&nbsp;</p>
  5280.  
  5281.  
  5282.  
  5283. <p>We developed a custom PoC (Proof of Concept) exploit and submitted it in August 2023 as part of a vulnerability report to Microsoft, leading to an advisory for <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338" target="_blank" rel="noreferrer noopener">CVE-2024-21338</a> in the February Patch Tuesday update. The update addressed the vulnerability by adding an <code>ExGetPreviousMode</code> check to the IOCTL handler (see the patch below). This aims to prevent user-mode initiated IOCTLs from triggering the arbitrary callbacks.&nbsp;</p>
  5284.  
  5285.  
  5286. <div class="wp-block-image">
  5287. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="332" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/patch_diaphora-1-1024x332.png" alt="" class="wp-image-8199" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/patch_diaphora-1-1024x332.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/patch_diaphora-1-300x97.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/patch_diaphora-1-768x249.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/patch_diaphora-1.png 1260w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">The patched IOCTL handler. If feature <code>2959575357</code> is enabled, attempts to call the IOCTL with <code>PreviousMode==UserMode</code> should immediately result in <code>STATUS_INVALID_DEVICE_REQUEST</code>, failing to even reach <code>AipSmartHashImageFile</code>.&nbsp;</figcaption></figure></div>
  5288.  
  5289.  
  5290. <p>Though the vulnerability may only barely meet Microsoft’s security servicing criteria, we believe patching was the right choice and would like to thank Microsoft for eventually addressing this issue. Patching will undoubtedly disrupt Lazarus’ offensive operations, forcing them to either find a new admin-to-kernel zero-day or revert to using BYOVD techniques. While discovering an admin-to-kernel zero-day may not be as challenging as discovering a zero-day in a more attractive attack surface (such as standard user-to-kernel, or even sandbox-to-kernel), we believe that finding one would still require Lazarus to invest significant resources, potentially diverting their focus from attacking some other unfortunate targets.&nbsp;</p>
  5291.  
  5292.  
  5293.  
  5294. <h4 class="wp-block-heading">Exploitation&nbsp;</h4>
  5295.  
  5296.  
  5297.  
  5298. <p>The Lazarus exploit begins with an initialization stage, which performs a one-time setup for both the exploit and the rootkit (both have been compiled into the same module). This initialization starts by dynamically resolving all necessary Windows API functions, followed by a low-effort anti-debug check on <code>PEB.BeingDebugged</code>. Then, the exploit inspects the build number to see if it’s running on a supported Windows version. If so, it loads hardcoded constants tailored to the current build. Interestingly, the choice of constants sometimes comes down to the update build revision (UBR), showcasing a high degree of dedication towards ensuring that the code runs cleanly across a wide range of target machines.&nbsp;&nbsp;</p>
  5299.  
  5300.  
  5301. <div class="wp-block-image">
  5302. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="763" height="482" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/offsets.png" alt="" class="wp-image-8201" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/offsets.png 763w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/offsets-300x190.png 300w" sizes="(max-width: 763px) 100vw, 763px" /><figcaption class="wp-element-caption">A decompiled code snippet, loading version-specific hardcoded constants. This particular example contains offsets and syscall numbers for Win10 1809.&nbsp;</figcaption></figure></div>
  5303.  
  5304.  
  5305. <p>The initialization process then continues with leaking the base addresses of three kernel modules: <code>ntoskrnl</code>, <code>netio</code>, and <code>fltmgr</code>. This is achieved by calling <code>NtQuerySystemInformation</code> using the <code>SystemModuleInformation</code> class. The <code>KTHREAD</code> address of the currently executing thread is also leaked in a similar fashion, by duplicating the current thread pseudohandle and then finding the corresponding kernel object address using the <code>SystemExtendedHandleInformation</code> system information class. Finally, the exploit manually loads the <code>ntoskrnl</code> image into the user address space, only to scan for relative virtual addresses (RVAs) of some functions of interest.&nbsp;</p>
  5306.  
  5307.  
  5308.  
  5309. <p>Since the <code>appid.sys</code> driver does not have to be already loaded on the target machine, the exploit may first have to load it itself. It chooses to accomplish this in an indirect way, by writing an event to one specific AppLocker-related ETW (Event Tracing for Windows) provider. Once <code>appid.sys</code> is loaded, the exploit impersonates the <code>local service</code> account using a direct syscall to <code>NtSetInformationThread</code> with the <code>ThreadImpersonationToken</code> thread information class. By impersonating <code>local service</code>, it can now obtain a read/write handle to <code>\Device\AppId</code>. With this handle, the exploit finally prepares the IOCTL input buffer and triggers the vulnerability using the <code>NtDeviceIoControlFile</code> syscall.&nbsp;&nbsp;</p>
  5310.  
  5311.  
  5312. <div class="wp-block-image">
  5313. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="511" height="913" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/direct_syscall.png" alt="" class="wp-image-8202" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/direct_syscall.png 511w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/direct_syscall-168x300.png 168w" sizes="(max-width: 511px) 100vw, 511px" /><figcaption class="wp-element-caption">Direct syscalls are heavily used throughout the exploit.&nbsp;</figcaption></figure></div>
  5314.  
  5315.  
  5316. <p>The exploit crafts the IOCTL input buffer in such a way that the vulnerable callback is essentially a gadget that performs a 64-bit copy from the IOCTL input buffer to an arbitrary target address. This address was chosen to corrupt the <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/previousmode" target="_blank" rel="noreferrer noopener">PreviousMode</a> of the current thread. By ensuring the corresponding source byte in the IOCTL input buffer is zero, the copy will clear the <code>PreviousMode</code> field, effectively resulting in its value being interpreted as <code>KernelMode</code>. Targeting <code>PreviousMode</code> like this is a widely popular <a href="https://research.nccgroup.com/2020/05/25/cve-2018-8611-exploiting-windows-ktm-part-5-5-vulnerability-detection-and-a-better-read-write-primitive/#previousmode-abuse:~:text=into%20PreviousMode%20further.-,PreviousMode%20%E2%80%93%20a%20%22god%20mode%22%20primitive%3F,-PreviousMode%20on%2064" target="_blank" rel="noreferrer noopener">exploitation technique</a>, as corrupting this one byte in the <code>KTHREAD</code> structure bypasses kernel-mode checks inside syscalls such as <code>NtReadVirtualMemory</code> or <code>NtWriteVirtualMemory</code>, allowing a user-mode attacker to read and write arbitrary kernel memory. Note that while this technique was <a href="https://x.com/GabrielLandau/status/1597001955909697536" target="_blank" rel="noreferrer noopener">mitigated</a> on some Windows Insider Builds, this mitigation has yet to reach general availability at the time of writing.&nbsp;</p>
  5317.  
  5318.  
  5319.  
  5320. <p>Interestingly, the exploit may attempt to trigger the vulnerable IOCTL twice. This is due to an extra argument that was added in Win11 22H2. As a result, the IOCTL handler on newer builds expects the input buffer to be <code>0x20</code> bytes in size while, previously, the expected size was only <code>0x18</code>. Rather than selecting the proper input buffer size for the current build, the exploit just tries calling the IOCTL twice: first with an input buffer size <code>0x18</code> then – if not successful – with <code>0x20</code>. This is a valid approach since the IOCTL handler’s first action is to check the input buffer size, and if it doesn’t match the expected size, it would just immediately return <code>STATUS_INVALID_PARAMETER</code>.&nbsp;&nbsp;</p>
  5321.  
  5322.  
  5323.  
  5324. <p>To check if it was successful, the exploit employs the <code>NtWriteVirtualMemory</code> syscall, attempting to read the current thread’s <code>PreviousMode</code> (Lazarus avoids using <code>NtReadVirtualMemory</code>, more on this later). If the exploit succeeded, the syscall should return <code>STATUS_SUCCESS</code>, and the leaked <code>PreviousMode</code> byte should equal <code>0</code> (meaning <code>KernelMode</code>). Otherwise, the syscall should return an error status code, as it should be impossible to read kernel memory without a corrupted <code>PreviousMode</code>.&nbsp;&nbsp;</p>
  5325.  
  5326.  
  5327.  
  5328. <p>In our exploit analysis, we deliberately chose to omit some key details, such as the choice of the callback gadget function. This decision was made to strike the right balance between helping defenders with detection but not making exploitation too widely accessible. For those requiring more information for defensive purposes, we may be able to share additional details on a case-by-case basis.&nbsp;</p>
  5329.  
  5330.  
  5331.  
  5332. <h2 class="wp-block-heading">The FudModule Rootkit</h2>
  5333.  
  5334.  
  5335.  
  5336. <p>The entire goal of the admin-to-kernel exploit was to corrupt the current thread’s <code>PreviousMode</code>. This allows for a powerful kernel read/write primitive, where the affected user-mode thread can read and write arbitrary kernel memory using the <code>Nt(Read|Write)VirtualMemory</code> syscalls. Armed with this primitive, the FudModule rootkit employs direct kernel object manipulation (DKOM) techniques to disrupt various kernel security mechanisms. It&#8217;s worth reiterating that FudModule is a data-only rootkit, meaning it executes entirely from user space and all the kernel tampering is performed through the read/write primitive.&nbsp;&nbsp;</p>
  5337.  
  5338.  
  5339.  
  5340. <p>The first variants of the FudModule rootkit were independently discovered by AhnLab and ESET research teams, with both publishing detailed analyses in September 2022. The rootkit was named after the <code>FudModule.dll</code> string used as the name in its export table. While this artifact is not present anymore, there is no doubt that what we found is an updated version of the same rootkit. AhnLab’s <a href="https://download.ahnlab.com/global/brochure/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD.pdf" target="_blank" rel="noreferrer noopener">report</a> documented a sample from early 2022, which incorporated seven data-only rootkit techniques and was enabled through a BYOVD exploit for <a href="https://www.virustotal.com/gui/file/175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347" target="_blank" rel="noreferrer noopener">ene.sys</a>. ESET’s <a href="https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf" target="_blank" rel="noreferrer noopener">report</a> examined a slightly earlier variant from late 2021, also featuring seven rootkit techniques but exploiting a different BYOVD vulnerability in <a href="https://www.virustotal.com/gui/file/0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5/detection" target="_blank" rel="noreferrer noopener">dbutil_2_3.sys</a>. In contrast, our discovery concerns a sample featuring nine rootkit techniques and exploiting a previously unknown admin-to-kernel vulnerability. Out of these nine techniques, four are new, three are improved, and two remain unchanged from the previous variants. This leaves two of the original seven techniques, which have been deprecated and are no longer present in the latest variant.&nbsp;</p>
  5341.  
  5342.  
  5343.  
  5344. <p>Each rootkit technique is assigned a bit, ranging from <code>0x1</code> to <code>0x200</code> (the <code>0x20</code> bit is left unused in the current variant). FudModule executes the techniques sequentially, in an ascending order of the assigned bits. The bits are used to report on the success of the individual techniques. During execution, FudModule will construct an integer value (named <code>bitfield_techniques</code> in the decompilation below), where only the bits corresponding to successfully executed techniques will be set. This integer is ultimately written to a file named <code>tem1245.tmp</code>, reporting on the rootkit’s success. Interestingly, we did not find this filename referenced in any other Lazarus sample, suggesting the dropped file is only inspected through hands-on-keyboard activity, presumably through a RAT (Remote Access Trojan) command. This supports our belief that FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem and that Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances.&nbsp;</p>
  5345.  
  5346.  
  5347. <div class="wp-block-image">
  5348. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="779" height="704" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/rootkit_main.png" alt="" class="wp-image-8203" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/rootkit_main.png 779w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/rootkit_main-300x271.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/rootkit_main-768x694.png 768w" sizes="(max-width: 779px) 100vw, 779px" /><figcaption class="wp-element-caption">The rootkit’s &#8220;main&#8221; function, executing the individual rootkit techniques. Note the missing <code>0x20</code> technique.&nbsp;</figcaption></figure></div>
  5349.  
  5350.  
  5351. <p>Based on the large number of updates, it seems that FudModule remains under active development. The latest variant appears more robust, avoiding some potentially problematic practices from the earlier variants. Since some techniques target undocumented kernel internals in a way that we have not previously encountered, we believe that Lazarus must be conducting their own kernel research. Further, though the rootkit is certainly technically sophisticated, we still identified a few bugs here and there. These may either limit the rootkit’s intended functionality or even cause kernel bug checks under the right conditions. While we find some of these bugs very interesting and would love to share the details, we do not enjoy the idea of providing free bug reports to threat actors, so we will hold onto them for now and potentially share some information later if the bugs get fixed.&nbsp;</p>
  5352.  
  5353.  
  5354.  
  5355. <p>Interestingly, FudModule utilizes the <code>NtWriteVirtualMemory</code> syscall for both reading and writing kernel memory, eliminating the need to call <code>NtReadVirtualMemory</code>. This leverages the property that, when limited to a single virtual address space, <code>NtReadVirtualMemory</code> and <code>NtWriteVirtualMemory</code> are basically inverse operations with respect to the values of the source <code>Buffer</code> and the destination <code>BaseAddress</code> <a href="http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FMemory%20Management%2FVirtual%20Memory%2FNtWriteVirtualMemory.html" target="_blank" rel="noreferrer noopener">arguments</a>. In other words, writing to kernel memory can be thought of as writing from a user-mode <code>Buffer</code> to a kernel-mode <code>BaseAddress</code>, while reading from kernel memory could be conversely achieved by swapping arguments, that is writing from a kernel-mode <code>Buffer</code> to a user-mode <code>BaseAddress</code>. Lazarus’ implementation takes advantage of this, which seems to be an intentional design decision since most developers would likely prefer the more straightforward way of using <code>NtReadVirtualMemory</code> for reading kernel memory and <code>NtWriteVirtualMemory</code> for writing kernel memory. We can only guess why Lazarus chose this approach, but this might be yet another stealth-enhancing feature. With their implementation, they only need to use one suspicious syscall instead of two, potentially reducing the number of detection opportunities.&nbsp;</p>
  5356.  
  5357.  
  5358.  
  5359. <h6 class="wp-block-heading"><strong>Debug Prints</strong>&nbsp;</h6>
  5360.  
  5361.  
  5362.  
  5363. <p>Before we delve into the actual rootkit techniques, there is one last thing worth discussing. To our initial surprise, Lazarus left a handful of plaintext debug prints in the compiled code. Such prints are typically one of the best things that can happen to a malware researcher, because they tend to accelerate the reverse engineering process significantly. In this instance, however, some of the prints had the opposite effect, sometimes even making us question if we understood the code correctly.&nbsp;&nbsp;</p>
  5364.  
  5365.  
  5366.  
  5367. <p>As an example, let us mention the string <code>get rop function addresses failed</code>. Assuming <em>rop</em> stands for <em>return-oriented programming</em>, this string would make perfect sense in the context of exploitation, if not for the fact that not a single return address was corrupted in the exploit.&nbsp;&nbsp;</p>
  5368.  
  5369.  
  5370. <div class="wp-block-image">
  5371. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="984" height="148" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vaccines.png" alt="" class="wp-image-8204" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vaccines.png 984w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vaccines-300x45.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/vaccines-768x116.png 768w" sizes="(max-width: 984px) 100vw, 984px" /><figcaption class="wp-element-caption">Plaintext debug strings found in the rootkit. The term <em>vaccine</em> is used to refer to security software.&nbsp;</figcaption></figure></div>
  5372.  
  5373.  
  5374. <p>While written in English, the debug strings suggest their authors are not native speakers, occasionally even pointing to their supposed Korean origin. This is best seen on the frequent usage of the term <em>vaccine</em> throughout the rootkit. This had us scratching our heads at first, because it was unclear how vaccines would relate to the rootkit functionality. However, it soon became apparent that the term was used to <a href="https://medium.com/s2wblog/detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606#:~:text=use%20are%20different.-,Vaccine%20Detection,-DarkGate%20detects%20installed" target="_blank" rel="noreferrer noopener">refer</a> to security software. This might originate from a common Korean <a href="https://translate.google.com/?sl=en&amp;tl=ko&amp;text=antivirus&amp;op=translate" target="_blank" rel="noreferrer noopener">translation</a> of <em>antivirus</em> (바이러스 백신), a compound word with the literal meaning <em>virus vaccine</em>. Note that even North Korea’s “own” antivirus was called <a href="https://research.checkpoint.com/2018/silivaccine-a-look-inside-north-koreas-anti-virus/" target="_blank" rel="noreferrer noopener">SiliVaccine</a>, and to the best of our knowledge, the term <em>vaccine</em> would not be used like this in other languages such as Japanese. Additionally, this is not the first time Korean-speaking threat actors have used this term. For instance, AhnLab’s recent <a href="https://asec.ahnlab.com/en/59387/" target="_blank" rel="noreferrer noopener">report</a> on Kimsuky mentions the following telltale command:&nbsp;<br>&nbsp;<br><code>cmd.exe /U /c wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname &gt; vaccine.txt</code></p>
  5375.  
  5376.  
  5377.  
  5378. <p>Another puzzle is the abbreviation <code>pvmode</code>, which we believe refers to <code>PreviousMode</code>. A Google search for <code>pvmode</code> yields exactly zero relevant results, and we suspect most English speakers would choose different abbreviations, such as <code>prvmode</code> or <code>prevmode</code>. However, after consulting language experts, we learned that using the abbreviation <code>pvmode</code> would be unusual for Korean speakers too.&nbsp;</p>
  5379.  
  5380.  
  5381.  
  5382. <p>Finally, there is also the debug message <code>disableV3Protection passed</code>. Judging from the context, the rather generic term <em>V3</em> here refers to <em>AhnLab V3 Endpoint Security</em>. Considering the geopolitical situation, North Korean hacker groups are likely well-acquainted with South Korean AhnLab, so it would make perfect sense that they internally refer to them using such a non-specific shorthand.&nbsp;</p>
  5383.  
  5384.  
  5385.  
  5386. <h4 class="wp-block-heading" id="techniques">0x01 &#8211; Registry Callbacks&nbsp;</h4>
  5387.  
  5388.  
  5389.  
  5390. <p>The first rootkit technique is designed to address <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/filtering-registry-calls" target="_blank" rel="noreferrer noopener">registry callbacks</a>. This is a documented Windows mechanism which allows security solutions to monitor registry operations. A security solution’s kernel-mode component can call the <code>CmRegisterCallbackEx</code> routine to register a callback, which gets notified whenever a registry operation is performed on the system. What’s more, since the callback is invoked synchronously, before (or after) the actual operation is performed, the callback can even block or modify forbidden/malicious operations. FudModule’s goal here is to remove existing registry callbacks and thus disrupt security solutions that rely on this mechanism.&nbsp;</p>
  5391.  
  5392.  
  5393.  
  5394. <p>The callback removal itself is performed by directly modifying some internal data structures managed by the kernel. This was also the case in the previous version, as documented by <a href="https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf" target="_blank" rel="noreferrer noopener">ESET</a> and <a href="https://download.ahnlab.com/global/brochure/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD.pdf" target="_blank" rel="noreferrer noopener">AhnLab</a>. There, the rootkit found the address of <code>nt!CallbackListHead</code> (which contains a doubly linked, circular list of all existing registry callbacks) and simply emptied it by pointing it to itself.&nbsp;</p>
  5395.  
  5396.  
  5397.  
  5398. <p>In the current version of FudModule, this technique was improved to leave some selected callbacks behind, perhaps making the rootkit stealthier. This updated version starts the same as the previous one: by finding the address of <code>nt!CallbackListHead</code>. This is done by resolving <code>CmUnRegisterCallback</code> (this resolution is performed by name, through iterating over the export table of <code>ntoskrnl</code> in memory), scanning its function body for the <code>lea rcx,[nt!CallbackListHead]</code> instruction, and then calculating the final address from the offset extracted from the instruction’s opcodes.&nbsp;</p>
  5399.  
  5400.  
  5401.  
  5402. <p>With the <code>nt!CallbackListHead</code> address, FudModule can iterate over the registry callback linked list. It inspects each entry and determines if the callback routine is implemented in <code>ntoskrnl.exe</code>, <code>applockerfltr.sys</code>, or <code>bfs.sys</code>. If it is, the callback is left untouched. Otherwise, the rootkit replaces the callback routine pointer with a pointer to <code>ObIsKernelHandle</code> and then proceeds to unlink the callback entry.&nbsp;</p>
  5403.  
  5404.  
  5405.  
  5406. <h4 class="wp-block-heading">0x02 – Object Callbacks&nbsp;</h4>
  5407.  
  5408.  
  5409.  
  5410. <p><a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks" target="_blank" rel="noreferrer noopener">Object callbacks</a> allow drivers to execute custom code in response to thread, process, and desktop handle operations. They are often used in self-defense, as they represent a convenient way to protect critical processes from being tampered with. Since the protection is enforced at the kernel level, this should protect even against elevated attackers, as long as they stay in user mode. Alternatively, object callbacks are also useful for monitoring and detecting suspicious activity.&nbsp;&nbsp;</p>
  5411.  
  5412.  
  5413.  
  5414. <p>Whatever the use case, object callbacks can be set up using the <code>ObRegisterCallbacks</code> routine. FudModule naturally attempts to do the exact opposite: that is to remove all registered object callbacks. This could let it bypass self-defense mechanisms and evade object callback-based detection/telemetry.&nbsp;</p>
  5415.  
  5416.  
  5417.  
  5418. <p>The implementation of this rootkit technique has stayed the same since the previous version, so there is no need to go into too much detail. First, the rootkit scans the body of the <code>ObGetObjectType</code> routine to obtain the address of <code>nt!ObTypeIndexTable</code>. This contains an array of pointers to <code>_OBJECT_TYPE</code> structures, each of which represents a distinct object type, such as <code>Process</code>, <code>Token</code>, or <code>SymbolicLink</code>. FudModule iterates over this array (skipping the first two special-meaning elements) and inspects each <code>_OBJECT_TYPE.CallbackList</code>, which contains a doubly linked list of object callbacks registered for the particular object type. The rootkit then empties the <code>CallbackList</code> by making each node’s forward and backward pointer point to itself.&nbsp;</p>
  5419.  
  5420.  
  5421.  
  5422. <h4 class="wp-block-heading">0x04 – Process, Thread, and Image Kernel Callbacks&nbsp;</h4>
  5423.  
  5424.  
  5425.  
  5426. <p>This next rootkit technique is designed to disable three more types of kernel callbacks: <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreateprocessnotifyroutine" target="_blank" rel="noreferrer noopener">process</a>, <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreatethreadnotifyroutine" target="_blank" rel="noreferrer noopener">thread</a>, and <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetloadimagenotifyroutine" target="_blank" rel="noreferrer noopener">image</a> callbacks. As their names suggest, these are used to execute custom kernel code whenever a new process is created, a new thread spawned, or a new image loaded (e.g. a DLL loaded into a process). These callbacks are extremely useful for detecting malicious activity. For instance, process callbacks allow AVs and EDRs to perform various checks on each new process that is to be created. Registering these callbacks is very straightforward. All that is needed is to pass the new callback routine as an argument to <code>PsSetCreateProcessNotifyRoutine</code>, <code>PsSetCreateThreadNotifyRoutine</code>, or <code>PsSetLoadImageNotifyRoutine</code>. These routines also come in their updated <code>Ex</code> variants, or even <code>Ex2</code> in the case of <code>PsSetCreateProcessNotifyRoutineEx2</code>.&nbsp;</p>
  5427.  
  5428.  
  5429.  
  5430. <p>Process, thread, and image callbacks are managed by the kernel in an almost identical way, which allows FudModule to use essentially the same code to disable all three of them. We find that this code has not changed much since the previous version, with the main difference being new additions to the list of drivers whose callbacks are left untouched.&nbsp;&nbsp;</p>
  5431.  
  5432.  
  5433.  
  5434. <p>FudModule first finds the addresses of <code>nt!PspNotifyEnableMask</code>, <code>nt!PspLoadImageNotifyRoutine</code>, <code>nt!PspCreateThreadNotifyRoutine</code>, and <code>nt!PspCreateProcessNotifyRoutine</code>. These are once again obtained by scanning the code of exported routines, with the exact scanning method subject to some variation based on the Windows build number. Before any modification is performed, the rootkit clears <code>nt!PspNotifyEnableMask</code> and sleeps for a brief amount of time. This mask contains a bit field of currently enabled callback types, so clearing it disables all callbacks. While some EDR bypasses would <a href="https://overlayhack.com/edr-bypass-evasion" target="_blank" rel="noreferrer noopener">stop here</a>, FudModule’s goal is not to disable all callbacks indiscriminately, so the modification of <code>nt!PspNotifyEnableMask</code> is only temporary, and FudModule eventually restores it back to its original value. We believe the idea behind this temporary modification is to decrease the chance of a race condition that could potentially result in a bug check.&nbsp;</p>
  5435.  
  5436.  
  5437.  
  5438. <p>All three of the above <code>nt!Psp(LoadImage|CreateThread|CreateProcess)NotifyRoutine</code> globals are organized as an array of <code>_EX_FAST_REF</code> pointers to <code>_EX_CALLBACK_ROUTINE_BLOCK</code> structures (at least that’s the name used in <a href="https://github.com/reactos/reactos/blob/e0c17c3f462e3b62bf0c4ca2479c1e5c6b8ff496/sdk/include/ndk/extypes.h#L535" target="_blank" rel="noreferrer noopener">ReactOS,</a> Microsoft does not share a symbol name here). FudModule iterates over all these structures and checks if <code>_EX_CALLBACK_ROUTINE_BLOCK.Function</code> (the actual callback routine pointer) is implemented in one of the below-whitelisted modules. If it is, the pointer will get appended to a new array that will be used to replace the original one. This effectively removes all callbacks except for those implemented in one of the below-listed modules.&nbsp;</p>
  5439.  
  5440.  
  5441.  
  5442. <figure class="wp-block-table"><table><tbody><tr><td><code>ntoskrnl.exe&nbsp;</code></td><td><code>ahcache.sys&nbsp;</code></td><td><code>mmcss.sys&nbsp;</code></td><td><code>cng.sys&nbsp;</code></td></tr><tr><td><code>ksecdd.sys&nbsp;</code></td><td><code>tcpip.sys&nbsp;</code></td><td><code>iorate.sys&nbsp;</code></td><td><code>ci.dll&nbsp;</code></td></tr><tr><td><code>dxgkrnl.sys&nbsp;</code></td><td><code>peauth.sys&nbsp;</code></td><td><code>wtd.sys</code></td><td></td></tr></tbody></table><figcaption class="wp-element-caption">Kernel modules that are allowed during the removal of process, thread, and image callbacks.&nbsp;</figcaption></figure>
  5443.  
  5444.  
  5445.  
  5446. <h4 class="wp-block-heading">0x08 – Minifilter Drivers&nbsp;</h4>
  5447.  
  5448.  
  5449.  
  5450. <p><a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts" target="_blank" rel="noreferrer noopener">File system minifilters</a> provide a mechanism for drivers to intercept file system operations. They are used in a wide range of scenarios, including encryption, compression, replication, monitoring, antivirus scanning, or file system virtualization. For instance, an encryption minifilter would encrypt the data before it is written to the storage device and, conversely, decrypt the data after it is read. FudModule is trying to get rid of all the monitoring and antivirus minifilters while leaving the rest untouched (after all, some minifilters are crucial to keep the system running). The choice about which minifilters to keep and which to remove is based mainly on the minifilter’s altitude, an integer value that is used to decide the processing order in case there are multiple minifilters attached to the same operation. Microsoft defines <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers" target="_blank" rel="noreferrer noopener">altitude ranges</a> that should be followed by well-behaved minifilters. Unfortunately, these ranges also represent a very convenient way for FudModule to distinguish anti-malware minifilters from the rest.&nbsp;</p>
  5451.  
  5452.  
  5453.  
  5454. <p>In its previous version, FudModule disabled minifilters by directly patching their filter functions’ prologues. This would be considered very unusual today, with <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-and-credential-guard" target="_blank" rel="noreferrer noopener">HVCI</a> (Hypervisor-Protected Code Integrity) becoming more prevalent, even turned on by default on Windows 11. Since HVCI is a security feature designed to prevent the execution of arbitrary code in the kernel, it would stand in the way of FudModule trying to patch the filter function. This forced Lazarus to completely reimplement this rootkit technique, so the current version of FudModule disables file system minifilters in a brand-new data-only attack.&nbsp;</p>
  5455.  
  5456.  
  5457.  
  5458. <p>This attack starts by resolving <code>FltEnumerateFilters</code> and using it to find <code>FltGlobals.FrameList.rList</code>. This is a linked list of <code>FLTMGR!_FLTP_FRAME</code> structures, each representing a single <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts#:~:text=Each%20of%20FltMgr%27s%20filter%20device%20objects%20is%20called%20a%20frame" target="_blank" rel="noreferrer noopener">filter manager frame</a>. From here, FudModule follows another linked list at <code>_FLTP_FRAME.AttachedVolumes.rList</code>. This linked list consists of <code>FLTMGR!_FLT_VOLUME</code> structures, describing minifilters attached to a particular file system volume. Interestingly, the rootkit performs a sanity check to make sure that the pool tag associated with the <code>_FLT_VOLUME</code> allocation is equal to <code>FMvo</code>. With the sanity check satisfied, FudModule iterates over <code>_FLT_VOLUME.Callbacks.OperationsLists</code>, which is an array of linked lists of <code>FLTMGR!_CALLBACK_NODE</code> structures, indexed by IRP major function codes. For instance, <code>OperationsLists[IRP_MJ_READ]</code> is a linked list describing all filters attached to the <code>read</code> operation on a particular volume.&nbsp;</p>
  5459.  
  5460.  
  5461. <div class="wp-block-image">
  5462. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1389" height="458" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pooltag_check.png" alt="" class="wp-image-8205" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pooltag_check.png 1389w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pooltag_check-300x99.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pooltag_check-1024x338.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/pooltag_check-768x253.png 768w" sizes="(max-width: 1389px) 100vw, 1389px" /><figcaption class="wp-element-caption">FudModule making sure the pool tag of a <code>_FLT_VOLUME</code> chunk is equal to <code>FMvo</code>.&nbsp;</figcaption></figure></div>
  5463.  
  5464.  
  5465. <p>For each <code>_CALLBACK_NODE</code>, FudModule obtains the corresponding <code>FLTMGR!_FLT_INSTANCE</code> and <code>FLTMGR!_FLT_FILTER</code> structures and uses them to decide whether to unlink the callback node. The first check is based on the name of the driver behind the filter. If it is <code>hmpalert.sys</code> (associated with the HitmanPro anti-malware solution), the callback will get immediately unlinked. Conversely, the callback is preserved if the driver&#8217;s name matches an entry in the following list:&nbsp;</p>
  5466.  
  5467.  
  5468.  
  5469. <figure class="wp-block-table"><table><tbody><tr><td><code>bindflt.sys&nbsp;</code></td><td><code>storqosflt.sys&nbsp;</code></td><td><code>wcifs.sys&nbsp;</code></td><td><code>cldflt.sys&nbsp;</code></td></tr><tr><td><code>filecrypt.sys&nbsp;</code></td><td><code>luafv.sys&nbsp;</code></td><td><code>npsvctrig.sys&nbsp;</code></td><td><code>wof.sys&nbsp;</code></td></tr><tr><td><code>fileinfo.sys&nbsp;</code></td><td><code>applockerfltr.sys&nbsp;</code></td><td><code>bfs.sys&nbsp;</code></td><td></td></tr></tbody></table><figcaption class="wp-element-caption">Kernel modules that are allowlisted to preserve their file system minifilters.</figcaption></figure>
  5470.  
  5471.  
  5472.  
  5473. <p>If there was no driver name match, FudModule uses <code>_FLT_FILTER.DefaultAltitude</code> to make its ultimate decision. Callbacks are unlinked if the default altitude belongs either to the range <code>[320000, 329999]</code> (<a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers#:~:text=recover%20deleted%20files.-,FSFilter%20Anti%2DVirus,-320000%2D329999" target="_blank" rel="noreferrer noopener">defined</a> as <code>FSFilter Anti-Virus</code> by Microsoft) or the range <code>[360000, 389999]</code> (<code>FSFilter Activity Monitor</code>). Besides unlinking the callback nodes, FudModule also wipes the whole <code>_FLT_INSTANCE.CallbackNodes</code> array in the corresponding <code>_FLT_INSTANCE</code> structures.&nbsp;</p>
  5474.  
  5475.  
  5476.  
  5477. <h4 class="wp-block-heading">0x10 &#8211; Windows Filtering Platform&nbsp;</h4>
  5478.  
  5479.  
  5480.  
  5481. <p><a href="https://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-start-page" target="_blank" rel="noreferrer noopener">Windows Filtering Platform</a> (WFP) is a documented set of APIs designed for host-based network traffic filtering. The WFP API offers capabilities for deep packet inspection as well as for modification or dropping of packets at various layers of the network stack. This is very useful functionality, so it serves as a foundation for a lot of Windows network security software, including intrusion detection/prevention systems, firewalls, and network monitoring tools. The WFP API is accessible both in user and kernel space, with the kernel part offering more powerful functionality. Specifically, the kernel API allows for installing so-called <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/network/introduction-to-windows-filtering-platform-callout-drivers" target="_blank" rel="noreferrer noopener">callout drivers,</a> which can essentially hook into the network stack and perform arbitrary actions on the processed network traffic. FudModule is trying to interfere with the installed callout routines in an attempt to disrupt the security they provide.&nbsp;&nbsp;</p>
  5482.  
  5483.  
  5484.  
  5485. <p>This rootkit technique is executed only when Kaspersky drivers (<code>klam.sys</code>, <code>klif.sys</code>, <code>klwfp.sys</code>, <code>klwtp.sys</code>, <code>klboot.sys</code>) are present on the targeted system and at the same time Symantec/Broadcom drivers (<code>symevnt.sys</code>, <code>bhdrvx64.sys</code>, <code>srtsp64.sys</code>) are absent. This check appears to be a new addition in the current version of FudModule. In other aspects, our analysis revealed that the core idea of this technique matches the <a href="https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf" target="_blank" rel="noreferrer noopener">findings</a> described by ESET researchers during their analysis of the previous version.&nbsp;</p>
  5486.  
  5487.  
  5488.  
  5489. <p>Initially, FudModule resolves <code>netio!WfpProcessFlowDelete</code> to locate the address of <code>netio!gWfpGlobal</code>. As the name suggests, this is designed to store WFP-related global variables. Although its exact layout is undocumented, it is <a href="https://codemachine.com/articles/find_wfp_callouts.html" target="_blank" rel="noreferrer noopener">not hard to find</a> the build-specific offset where a pointer to an array of WFP callout structures is stored (with the length of this array stored at an offset immediately preceding the pointer). FudModule follows this pointer and iterates over the array, skipping all callouts implemented in <code>ndu.sys</code>, <code>tcpip.sys</code>, <code>mpsdrv.sys</code>, or <code>wtd.sys</code>. For the remaining callouts, FudModule accesses the callout structure’s flags and sets the flag stored in the least significant bit. While the callout structure itself is undocumented, this particular <code>0x01</code> flag is <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/fwpsk/ns-fwpsk-fwps_callout2_" target="_blank" rel="noreferrer noopener">documented in another structure</a>, where it is called <code>FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW</code>. The documentation reads “if this flag is specified, the filter engine calls the callout driver&#8217;s classifyFn2 callout function only if there is a context associated with the data flow”. In other words, setting this flag will conditionally disable the callout in cases where no flow context is available (see the implementation of <code>netio!IsActiveCallout</code> below).&nbsp;</p>
  5490.  
  5491.  
  5492. <div class="wp-block-image">
  5493. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1143" height="1127" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/is_active_callout.png" alt="" class="wp-image-8206" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/is_active_callout.png 1143w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/is_active_callout-300x296.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/is_active_callout-1024x1010.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/is_active_callout-768x757.png 768w" sizes="(max-width: 1143px) 100vw, 1143px" /><figcaption class="wp-element-caption">The meaning of the <code>FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW</code> flag can be nicely seen in <code>netio!IsActiveCallout</code>. If this flag is set and no flow context can be obtained, <code>IsActiveCallout</code> will return <code>false</code> (see the highlighted part of the condition).&nbsp;</figcaption></figure></div>
  5494.  
  5495.  
  5496. <p>While this rootkit technique has the potential to interfere with some WFP callouts, it will not be powerful enough to disrupt all of them. Many WFP callouts registered by security vendors already have the <code>FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW</code> flag set by design, so they will not be affected by this technique at all. Given the initial driver check, it seems like this technique might be targeted directly at Kaspersky. While Kaspersky does install dozens of WFP callouts, about half of those are designed for processing flows and already have the <code>FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW</code> flag set. Since we refrained from reverse engineering our competitor’s products, the actual impact of this rootkit technique remains unclear.&nbsp;</p>
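The 0x04, 0x08 and 0x10 techniques above all decide what to leave in place by matching module names, minifilter altitudes or the presence of particular drivers, so a defender can replay those rules against a host inventory to see how much of the host's visibility rests on hooks the rootkit removes. The following Python is an added example, not code from the write-up or from FudModule; the inventory layout and the `contoso_*` entries are constructed, and because the text does not say whether "Kaspersky drivers present" means any or all of the listed drivers, the example treats any one of them as present.

```python
"""Exposure assessment for the FudModule 0x04, 0x08 and 0x10 techniques.

Added example (not the write-up's or FudModule's code). Given an inventory of
kernel callbacks, file system minifilters, loaded drivers and WFP callouts,
it reports what each technique would leave in place and what it would remove.
The decision rules follow the write-up; the inventory format and the sample
entries are constructed for this example.
"""
from dataclasses import dataclass

# 0x04: modules whose process/thread/image callbacks are preserved.
PS_CALLBACK_ALLOWLIST = frozenset({
    "ntoskrnl.exe", "ahcache.sys", "mmcss.sys", "cng.sys", "ksecdd.sys",
    "tcpip.sys", "iorate.sys", "ci.dll", "dxgkrnl.sys", "peauth.sys", "wtd.sys",
})
# 0x08: hmpalert.sys is unlinked first, allowlisted names are kept, and the
# rest is decided by _FLT_FILTER.DefaultAltitude against Microsoft's ranges.
MINIFILTER_DENYLIST = frozenset({"hmpalert.sys"})
MINIFILTER_ALLOWLIST = frozenset({
    "bindflt.sys", "storqosflt.sys", "wcifs.sys", "cldflt.sys", "filecrypt.sys",
    "luafv.sys", "npsvctrig.sys", "wof.sys", "fileinfo.sys", "applockerfltr.sys",
    "bfs.sys",
})
TARGETED_ALTITUDES = ((320000, 329999),   # FSFilter Anti-Virus
                      (360000, 389999))   # FSFilter Activity Monitor
# 0x10: runs only with Kaspersky drivers present and Symantec drivers absent,
# skips these modules and sets the 0x01 flag on every remaining callout.
KASPERSKY_DRIVERS = frozenset({"klam.sys", "klif.sys", "klwfp.sys", "klwtp.sys", "klboot.sys"})
SYMANTEC_DRIVERS = frozenset({"symevnt.sys", "bhdrvx64.sys", "srtsp64.sys"})
WFP_SKIPPED_MODULES = frozenset({"ndu.sys", "tcpip.sys", "mpsdrv.sys", "wtd.sys"})
FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW = 0x01


@dataclass(frozen=True)
class Minifilter:
    driver: str      # driver file name behind the _FLT_FILTER
    altitude: float  # _FLT_FILTER.DefaultAltitude


@dataclass(frozen=True)
class Callout:
    module: str  # module implementing the callout's classify routine
    flags: int   # the callout structure's flags bit field


def ps_callback_survives(driver: str) -> bool:
    """0x04: a callback survives only if its routine lives in an allowlisted module."""
    return driver.lower() in PS_CALLBACK_ALLOWLIST


def minifilter_survives(flt: Minifilter) -> bool:
    """0x08: deny list first, then allowlist, then the two altitude ranges."""
    name = flt.driver.lower()
    if name in MINIFILTER_DENYLIST:
        return False
    if name in MINIFILTER_ALLOWLIST:
        return True
    return not any(lo <= flt.altitude <= hi for lo, hi in TARGETED_ALTITUDES)


def wfp_technique_runs(loaded_drivers) -> bool:
    """0x10 trigger; assumption: any one Kaspersky driver counts as 'present'."""
    names = {d.lower() for d in loaded_drivers}
    return bool(names & KASPERSKY_DRIVERS) and not names & SYMANTEC_DRIVERS


def wfp_callout_affected(callout: Callout) -> bool:
    """Behaviour changes only for non-skipped callouts that did not already carry the flag."""
    return (callout.module.lower() not in WFP_SKIPPED_MODULES
            and not callout.flags & FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW)


def assess(callback_drivers, minifilters, loaded_drivers, callouts):
    """Return a dict listing what each technique would remove on this host."""
    report = {
        "0x04_callbacks_removed": sorted({d for d in callback_drivers if not ps_callback_survives(d)}),
        "0x08_minifilters_removed": sorted(f.driver for f in minifilters if not minifilter_survives(f)),
        "0x10_runs": wfp_technique_runs(loaded_drivers),
    }
    report["0x10_callouts_made_conditional"] = (
        sorted({c.module for c in callouts if wfp_callout_affected(c)}) if report["0x10_runs"] else [])
    return report


# Constructed sample inventory: "contoso_*" names are placeholders, altitudes made up.
SAMPLE_CALLBACK_DRIVERS = ["ntoskrnl.exe", "tcpip.sys", "contoso_edr.sys", "cng.sys"]
SAMPLE_MINIFILTERS = [
    Minifilter("contoso_av.sys", 328010),      # anti-virus range: removed
    Minifilter("contoso_mon.sys", 385100.5),   # activity monitor range: removed
    Minifilter("contoso_backup.sys", 100000),  # outside both ranges: kept
    Minifilter("wcifs.sys", 189900),           # allowlisted by name: kept
    Minifilter("hmpalert.sys", 345800),        # denylisted by name: removed
]
SAMPLE_DRIVERS = ["ntoskrnl.exe", "klif.sys", "contoso_edr.sys"]
SAMPLE_CALLOUTS = [
    Callout("tcpip.sys", 0x00),            # skipped by module
    Callout("contoso_fw.sys", 0x00),       # affected
    Callout("contoso_fw.sys", 0x01),       # flag already set: unaffected
    Callout("contoso_flowmon.sys", 0x01),  # flag already set: unaffected
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_CALLBACK_DRIVERS, SAMPLE_MINIFILTERS,
                             SAMPLE_DRIVERS, SAMPLE_CALLOUTS).items():
        print(f"{key}: {value}")
```

The minifilter altitude for a real host can be read from a filter enumeration and the callout flags from the callout structures discussed above; only the decision rules are fixed by the write-up.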
  5497.  
  5498.  
  5499.  
  5500. <h4 class="wp-block-heading">0x20 – Missing&nbsp;</h4>
  5501.  
  5502.  
  5503.  
  5504. <p>So far, the rootkit techniques we analyzed were similar to those detailed by ESET in their paper on the earlier rootkit variant. But starting from now, we are getting into a whole new territory. The <code>0x20</code> technique, which used to deal with Event Tracing for Windows (ETW), has been deprecated, leaving the <code>0x20</code> bit unused. Instead, there are two new replacement techniques that target ETW, indexed with the bits <code>0x40</code> and <code>0x80</code>. The indexing used to end at <code>0x40</code>, which was a technique to obstruct forensic analysis by disabling prefetch file creation. However, now the bits go all the way up to <code>0x200</code>, with two additional new techniques that we will delve into later in this blog.&nbsp;</p>
  5505.  
  5506.  
  5507.  
  5508. <h4 class="wp-block-heading">0x40 &#8211; Event Tracing for Windows: System Loggers</h4>
  5509.  
  5510.  
  5511.  
  5512. <p><a href="https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing" target="_blank" rel="noreferrer noopener">Event Tracing for Windows</a> (ETW) serves as a high-performance mechanism dedicated to tracing and logging events. In a nutshell, its main purpose is to connect providers (who generate some log events) with consumers (who process the generated events). Consumers can define which events they would like to consume, for instance, by selecting some specific providers of interest. There are providers built into the operating system, like <code>Microsoft-Windows-Kernel-Process</code> which generates process-related events, such as process creation or termination. However, third-party applications can also define their custom providers.&nbsp;&nbsp;</p>
  5513.  
  5514.  
  5515.  
  5516. <p>While many built-in providers are not security-related, some generate events useful for detection purposes. For instance, the <code>Microsoft-Windows-Threat-Intelligence</code> provider makes it possible to watch for suspicious events, such as writing another process’ memory. Furthermore, various security products take advantage of ETW by defining their custom providers and consumers. FudModule tampers with ETW internals in an attempt to intercept suspicious events and thus evade detection.&nbsp;</p>
  5517.  
  5518.  
  5519.  
  5520. <p>The main idea behind this rootkit technique is to disable system loggers by zeroing out <code>EtwpActiveSystemLoggers</code>. The specific implementation of how this address is found varies based on the target Windows version. On newer builds, the <code>nt!EtwSendTraceBuffer</code> routine is resolved first and used to find <code>nt!EtwpHostSiloState</code>. This points to an <code>_ETW_SILODRIVERSTATE</code> structure, and using a hardcoded build-specific offset, the rootkit can access <code>_ETW_SILODRIVERSTATE.SystemLoggerSettings.EtwpActiveSystemLoggers</code>. On older builds, the rootkit first scans the entire ntoskrnl <code>.text</code> section, searching for opcode bytes specific to the <code>EtwTraceKernelEvent</code> prologue. The rootkit then extracts the target address from the <code>mov ebx, cs:EtwpActiveSystemLoggers</code> instruction that immediately follows.&nbsp;</p>
  5521.  
  5522.  
  5523.  
  5524. <p>To understand the technique’s impact, we can take a look at how <code>EtwpActiveSystemLoggers</code> is used in the kernel. Accessed on a bit-by-bit basis, its least significant eight bits might be set in the <code>EtwpStartLogger</code> routine. This indicates that the value itself is a bit field, with each bit signifying whether a particular system logger is active. Looking at the other references to <code>EtwpActiveSystemLoggers</code>, a clear pattern emerges. After its value is read, there tends to be a loop guarded by a <code>bsf</code> instruction (bit scan forward). Inside the loop tends to be a call to an ETW-related routine that might generate a log event. The purpose of this loop is to iterate over the set bits of <code>EtwpActiveSystemLoggers</code>. When the rootkit clears all the bits, the body of the loop will never get executed, meaning the event will not get logged.&nbsp;</p>
  5525.  
  5526.  
  5527. <div class="wp-block-image">
  5528. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="1796" height="579" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1.png" alt="" class="wp-image-8320" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1.png 1796w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1-300x97.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1-1024x330.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1-768x248.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/etw_activesystemloggers-1-1536x495.png 1536w" sizes="(max-width: 1796px) 100vw, 1796px" /><figcaption class="wp-element-caption">Example decompilation of <code>EtwpTraceKernelEventWithFilter</code>. After the rootkit zeroes out <code>EtwpActiveSystemLoggers</code>, <code>EtwpLogKernelEvent</code> will never get called from inside the loop since the condition guarding the loop will always evaluate to zero.&nbsp;</figcaption></figure></div>
  5529.  
  5530.  
  5531. <h4 class="wp-block-heading">0x80 &#8211; Event Tracing for Windows: Provider GUIDs&nbsp;</h4>
  5532.  
  5533.  
  5534.  
  5535. <p>Complementing the previous technique, the <code>0x80</code> technique is also designed to blind ETW, albeit using a different approach. While the <code>0x40</code> technique was quite generic &#8211; aiming to disable all system loggers &#8211; this technique operates in a more surgical fashion. It contains a <a href="https://github.com/avast/ioc/tree/master/FudModule#targeted-etw-provider-guids" target="_blank" rel="noreferrer noopener">hardcoded list</a> of 95 GUIDs, each representing an identifier for some specific ETW provider. The rootkit iterates over all these GUIDs and attempts to disable the respective providers. While this approach requires the attackers to invest some effort into assembling the list of GUIDs, it also offers them a finer degree of control over which ETW providers they will eventually disrupt. This allows them to selectively target providers that pose a higher detection risk and ignore the rest to minimize the rootkit’s impact on the target system. </p>
  5536.  
  5537.  
  5538.  
  5539. <p>This technique starts by obtaining the address of <code>EtwpHostSiloState</code> (or <code>EtwSiloState</code> on older builds). If <code>EtwpHostSiloState</code> was already resolved during the previous technique, the rootkit just reuses the address. If not, the rootkit follows the reference chain <code>PsGetCurrentServerSiloName</code> -&gt; <code>PsGetCurrentServerSiloGlobals</code> -&gt; <code>PspHostSiloGlobals</code> -&gt; <code>EtwSiloState</code>. In both scenarios, the result is that the rootkit just obtained a pointer to an <code>_ETW_SILODRIVERSTATE</code> structure, which contains a member named <code>EtwpGuidHashTable</code>. As the name suggests, this is a hash table holding ETW GUIDs (<code>_ETW_GUID_ENTRY</code>).&nbsp;&nbsp;</p>
  5540.  
  5541.  
  5542.  
  5543. <p>FudModule then iterates over its hardcoded list of GUIDs and attempts to locate each of them in the hash table. Although the hash table internals are officially undocumented, Yarden Shafir provided a nice description in her <a href="https://windows-internals.com/exploiting-a-simple-vulnerability-in-35-easy-steps-or-less/" target="_blank" rel="noreferrer noopener">blog</a> on exploiting an ETW vulnerability. In a nutshell, the hash is computed by just splitting the 128-bit GUID into four 32-bit parts and XORing them together. By ANDing the hash with <code>0x3F</code>, an index of the relevant hash bucket (<code>_ETW_HASH_BUCKET</code>) can be obtained. The bucket contains three linked lists of <code>_ETW_GUID_ENTRY</code> structures, each designated for a different type of GUIDs. FudModule always opts for the first one (<code>EtwTraceGuidType</code>) and traverses it, looking for the relevant <code>_ETW_GUID_ENTRY</code> structure.&nbsp;</p>
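<p>The bucket computation just described, as an added C example (not code from this post or from FudModule): it parses a provider GUID string, XORs its four 32-bit words and masks the result with <code>0x3F</code>, so an analyst inspecting <code>EtwpGuidHashTable</code> in a memory image knows which <code>_ETW_HASH_BUCKET</code> to examine for a given provider. The GUID string is constructed; the hash scheme is the one attributed above to Yarden Shafir’s write-up.</p>

```c
/* Added example, not code from the Avast post or from FudModule.
 * Models the ETW GUID hash-bucket lookup as described in the post,
 * so an analyst can tell which bucket of
 * _ETW_SILODRIVERSTATE.EtwpGuidHashTable a provider GUID lives in.
 * The sample GUID below is constructed, not a real provider. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same in-memory layout as the Windows GUID structure (16 bytes). */
typedef struct {
    uint32_t Data1;
    uint16_t Data2;
    uint16_t Data3;
    uint8_t  Data4[8];
} guid_t;

/* Parse "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" (braces optional).
 * Returns 0 on success, -1 if the string is not a well-formed GUID. */
int parse_guid(const char *s, guid_t *out)
{
    unsigned d1;
    unsigned short d2, d3;
    unsigned char d4[8];

    if (*s == '{')
        s++;
    int n = sscanf(s, "%8x-%4hx-%4hx-%2hhx%2hhx-%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx",
                   &d1, &d2, &d3, &d4[0], &d4[1], &d4[2], &d4[3],
                   &d4[4], &d4[5], &d4[6], &d4[7]);
    if (n != 11)
        return -1;
    out->Data1 = d1;
    out->Data2 = d2;
    out->Data3 = d3;
    memcpy(out->Data4, d4, sizeof d4);
    return 0;
}

/* Hash as the post describes it: split the 128-bit GUID into four
 * 32-bit words (in memory order) and XOR them together. */
uint32_t etw_guid_hash(const guid_t *g)
{
    uint32_t words[4];
    memcpy(words, g, sizeof words);
    return words[0] ^ words[1] ^ words[2] ^ words[3];
}

/* Index of the _ETW_HASH_BUCKET: the hash ANDed with 0x3F (64 buckets). */
unsigned etw_guid_bucket(const guid_t *g)
{
    return etw_guid_hash(g) & 0x3Fu;
}

/* Convenience wrapper: bucket index for a GUID string, or -1 on parse error. */
int bucket_of_guid_string(const char *s)
{
    guid_t g;
    if (parse_guid(s, &g) != 0)
        return -1;
    return (int)etw_guid_bucket(&g);
}

int main(void)
{
    /* Constructed GUID, chosen so the arithmetic is easy to follow by hand. */
    const char *sample = "{11111111-2222-3333-4444-555555555555}";
    guid_t g;
    if (parse_guid(sample, &g) == 0)
        printf("%s -> hash 0x%08x, bucket %u\n", sample,
               etw_guid_hash(&g), etw_guid_bucket(&g));
    return 0;
}
```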
  5544.  
  5545.  
  5546.  
  5547. <p>With a pointer to <code>_ETW_GUID_ENTRY</code> corresponding to a GUID of interest, FudModule proceeds to clear <code>_ETW_GUID_ENTRY.ProviderEnableInfo.IsEnabled</code>. The purpose of this modification seems self-explanatory: FudModule is trying to disable the ETW provider. To better understand how this works, let’s examine <code>nt!EtwEventEnabled</code> (see the decompiled code below). This is a routine that often serves as an <code>if</code> condition before <code>nt!EtwWrite</code> (or <code>nt!EtwWriteEx</code>) gets called.&nbsp;&nbsp;</p>
  5548.  
  5549.  
  5550.  
  5551. <p>Looking at the decompilation, there are two <code>return 1</code> statements. Setting <code>ProviderEnableInfo.IsEnabled</code> to zero ensures that the first one is never reached. However, the second <code>return</code> statement could still potentially execute. To make sure this doesn’t happen, the rootkit also iterates over all <code>_ETW_REG_ENTRY</code> structures from the <code>_ETW_GUID_ENTRY.RegListHead</code> linked list. For each of them, it makes a single doubleword write to zero out four masks, namely <code>EnableMask</code>, <code>GroupEnableMask</code>, <code>HostEnableMask</code>, and <code>HostGroupEnableMask</code> (or only <code>EnableMask</code> and <code>GroupEnableMask</code> on older builds, where the latter two masks were not yet introduced).&nbsp;&nbsp;</p>
  5552.  
  5553.  
  5554. <div class="wp-block-image">
  5555. <figure class="aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="610" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2-1024x610.png" alt="" class="wp-image-8208" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2-1024x610.png 1024w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2-300x179.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2-768x457.png 768w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2-1536x915.png 1536w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/EtwEventEnabled-2.png 1610w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption">Decompilation of <code>nt!EtwEventEnabled</code>. After the rootkit has finished its job, this routine will always return <code>false</code> for events related to the targeted GUIDs. This is because the rootkit cleared both <code>_ETW_GUID_ENTRY.ProviderEnableInfo.IsEnabled</code> and <code>_ETW_REG_ENTRY.GroupEnableMask</code>, forcing the highlighted conditions to fail.&nbsp;</figcaption></figure></div>
  5556.  
  5557.  
  5558. <p>Clearing these masks also has an additional effect beyond making <code>EtwEventEnabled</code> always return <code>false</code>. These four are all also checked in <code>EtwWriteEx</code> and this modification effectively neutralizes this routine, as when no mask is set for a particular event registration object, execution will never proceed to a lower-level routine (<code>nt!EtwpEventWriteFull</code>) where the bulk of the actual event writing logic is implemented.&nbsp;</p>
  5559.  
  5560.  
  5561.  
  5562. <h4 class="wp-block-heading">0x100 – Image Verification Callbacks&nbsp;</h4>
  5563.  
  5564.  
  5565.  
  5566. <p>Image verification callbacks are yet another callback mechanism disrupted by FudModule. Designed similarly to process/thread/image callbacks, image verification callbacks are supposed to get invoked whenever a new driver image is loaded into kernel memory. This represents useful functionality for anti-malware software, which can leverage them to blocklist known malicious or vulnerable drivers (though there might be some problems with this blocking approach as the callbacks get invoked asynchronously). Furthermore, image verification callbacks also offer a valuable source of telemetry, providing visibility into suspicious driver load events. The callbacks can be registered using the <code>SeRegisterImageVerificationCallback</code> routine, which is publicly undocumented. As a result of this undocumented nature, the usage here is limited mainly to deep-rooted anti-malware software. For instance, Windows Defender registers a callback named <code>WdFilter!MpImageVerificationCallback</code>.&nbsp;</p>
  5567.  
  5568.  
  5569.  
  5570. <p>As the kernel internally manages image verification callbacks in a similar fashion to some of the other callbacks we already explored, the rootkit’s removal implementation will undoubtedly seem familiar. First, the rootkit resolves the <code>nt!SeRegisterImageVerificationCallback</code> routine and scans its body to locate <code>nt!ExCbSeImageVerificationDriverInfo</code>. Dereferencing this, it obtains a pointer to a <code>_CALLBACK_OBJECT</code> structure, which holds the callbacks in the <code>_CALLBACK_OBJECT.RegisteredCallbacks</code> linked list. This list consists of <code>_CALLBACK_REGISTRATION</code> structures, where the actual callback function pointer can be found in <code>_CALLBACK_REGISTRATION.CallbackFunction</code>. FudModule clears the entire list by making the <code>RegisteredCallbacks</code> head <code>LIST_ENTRY</code> point directly to itself. Additionally, it also walks the original linked list and similarly short-circuits each individual <code>_CALLBACK_REGISTRATION</code> entry in the list.&nbsp;</p>
  5571.  
  5572.  
  5573.  
  5574. <p>This rootkit technique is newly implemented in the current version of FudModule, and we can only speculate on the motivation here. It seems to be designed to help avoid detection when loading either a vulnerable or a malicious driver. However, it might be hard to understand why Lazarus should want to load an additional driver if they already have control over the kernel. It would make little sense for them to load a vulnerable driver, as they already established their kernel read/write primitive by exploiting a zero-day in a preinstalled Windows driver. Further, even if they were exploiting a vulnerable driver in the first place (as was the case in the previous version of FudModule), it would be simply too late to unlink the callback now. By the time this rootkit technique executes, the image verification callback for the vulnerable driver would have already been invoked. Therefore, we believe the most likely explanation is that the threat actors are preparing the grounds for loading some malicious driver later. Perhaps the idea is that they just want to be covered in case they decide to deploy some additional kernel-mode payload in the future.&nbsp;</p>
  5575.  
  5576.  
  5577.  
  5578. <h4 class="wp-block-heading">0x200 – Direct Attacks on Security Software&nbsp;</h4>
  5579.  
  5580.  
  5581.  
  5582. <p>The rootkit techniques we explored up to this point were all somewhat generic. Each targeted some security-related system component and, through it, indirectly interfered with all security software that relied on the component. In contrast, this final technique goes straight to the point and aims to directly disable specific security software. In particular, the targeted security solutions are AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro.&nbsp;</p>
  5583.  
  5584.  
  5585.  
  5586. <p>The attack starts with the rootkit obtaining the address of its own <code>_EPROCESS</code> structure. This is done using <code>NtDuplicateHandle</code> to duplicate the current process pseudohandle and then calling <code>NtQuerySystemInformation</code> to get <code>SystemExtendedHandleInformation</code>. With the extended handle information, the rootkit looks for an entry corresponding to the duplicated handle and obtains the <code>_EPROCESS</code> pointer from there. Using <code>NtQuerySystemInformation</code> to leak kernel pointers is a well-known technique that Microsoft <a href="https://windows-internals.com/kaslr-leaks-restriction/" target="_blank" rel="noreferrer noopener">aims to restrict</a> by gradually building up mitigations. However, attackers capable of enabling <code>SeDebugPrivilege</code> at high integrity levels are out of scope of these mitigations, so FudModule can keep using this technique, even on the upcoming 24H2 builds. With the <code>_EPROCESS</code> pointer, FudModule disables mitigations by zeroing out <code>_EPROCESS.MitigationFlags</code>. Then, it also clears the <code>EnableHandleExceptions</code> flag from <code>_EPROCESS.ObjectTable.Flags</code>. We believe this is meant to increase stability in case something goes wrong later during the handle table entry manipulation technique that we will describe shortly.&nbsp;&nbsp;</p>
  5587.  
  5588.  
  5589.  
  5590. <p>Regarding the specific technique used to attack the security solutions, AhnLab is handled differently than the other three targets. FudModule first checks if AhnLab is even running, by traversing the <code>ActiveProcessLinks</code> linked list and looking for a process named <code>asdsvc.exe</code> (AhnLab Smart Defense Service) with <code>_EPROCESS.Token.AuthenticationId</code> set to <code>SYSTEM_LUID</code>. If such a process is found, FudModule clears its <code>_EPROCESS.Protection</code> byte, effectively toggling off PPL protection for the process. While this <code>asdsvc.exe</code> process is under usual circumstances meant to be protected at the standard <code>PsProtectedSignerAntimalware</code> level, this modification makes it just a regular non-protected process. This opens it up to further attacks from user mode, where now even other privileged, yet non-protected processes could be able to tamper with it. However, we suspect the main idea behind this technique might be to disrupt the link between AhnLab’s user-mode and kernel-mode components. By removing the service’s PPL protection, the kernel-mode component might no longer recognize it as a legitimate AhnLab component. However, this is just speculation, as we didn&#8217;t test the real impact of this technique.&nbsp;</p>
  5591.  
  5592.  
  5593.  
  5594. <h6 class="wp-block-heading"><strong>Handle Table Entry Manipulation</strong>&nbsp;</h6>
  5595.  
  5596.  
  5597.  
  5598. <p>The technique employed to attack Defender, CrowdStrike, and HitmanPro is much more intriguing: FudModule attempts to suspend them using a new handle table entry manipulation technique. To better understand this technique, let’s begin with a brief <a href="https://imphash.medium.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-part-5-a-2368187685e" target="_blank" rel="noreferrer noopener">background on handle tables</a>. When user-mode code interacts with kernel objects such as processes, files, or mutexes, it typically doesn’t work with the objects directly. Instead, it references them indirectly through handles. Internally, the kernel must be able to translate the handle to the corresponding object, and this is where the handle table comes in. This per-process table, available at <code>_EPROCESS.ObjectTable.TableCode</code>, serves as a mapping from handles to the underlying objects. Organized as an array, it is indexed by the integer value of the handle. Each element is of type <code>_HANDLE_TABLE_ENTRY</code> and contains two crucial pieces of information: a (compressed) pointer to the object’s header (<code>nt!_OBJECT_HEADER</code>) and access bits associated with the handle.&nbsp;</p>
  5599.  
  5600.  
  5601.  
  5602. <p>Due to this handle design, kernel object access checks are typically split into two separate logical steps. The first step happens when a process attempts to acquire a handle (such as opening a file with <code>CreateFile</code>). During this step, the current thread’s token is typically checked against the target object’s security descriptor to ensure that the thread is allowed to obtain a handle with the desired access mask. The second check takes place when a process performs an operation using an already acquired handle (such as writing to a file with <code>WriteFile</code>). This typically only involves verifying that the handle is powerful enough (meaning it has the right access bits) for the requested operation.&nbsp;&nbsp;</p>
  5603.  
  5604.  
  5605.  
  5606. <p>FudModule executes as a non-protected process, so it theoretically shouldn’t be able to obtain a powerful handle to a PPL-protected process such as the CrowdStrike Falcon Service. However, leveraging the kernel read/write primitive, FudModule has the ability to access the handle table directly. This allows it to craft a custom handle table entry with control over both the referenced object and the access bits. This way, it can conjure an arbitrary handle to any object, completely bypassing the check typically needed for handle acquisition. What’s more, if it sets the handle’s access bits appropriately, it will also satisfy the subsequent handle checks when performing its desired operations.&nbsp;</p>
  5607.  
  5608.  
  5609.  
  5610. <p>To prepare for the handle table entry manipulation technique, FudModule creates a dummy thread that just puts itself to sleep immediately. The thread itself is not important. What is important is that by calling <code>CreateThread</code>, the rootkit just obtained a thread handle with <code>THREAD_ALL_ACCESS</code> rights. This handle is the one that will have its handle table entry manipulated. Since it already has very powerful access bits, the rootkit will not even have to touch its <code>_HANDLE_TABLE_ENTRY.GrantedAccessBits</code>. All it needs to do is overwrite <code>_HANDLE_TABLE_ENTRY.ObjectPointerBits</code> to redirect the handle to an arbitrary object of its choice. This will make the handle reference that object and enable the rootkit to perform privileged operations on it. Note that <code>ObjectPointerBits</code> is not the whole pointer to the object: it only represents 44 bits of the 64-bit pointer. But since the <code>_OBJECT_HEADER</code> pointed to by <code>ObjectPointerBits</code> is guaranteed to be aligned (meaning the least significant four bits must be zero) and in kernel address space (meaning the most significant sixteen bits must be <code>0xFFFF</code>), the remaining 20 bits can be easily inferred.&nbsp;</p>
  5611.  
  5612.  
  5613. <div class="wp-block-image">
  5614. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="505" height="251" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/sleep_thread.png" alt="" class="wp-image-8209" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/sleep_thread.png 505w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/sleep_thread-300x149.png 300w" sizes="(max-width: 505px) 100vw, 505px" /><figcaption class="wp-element-caption">A dummy thread whose handle will be the subject of handle table entry manipulation.&nbsp;</figcaption></figure></div>
  5615.  
  5616.  
  5617. <p>The specific processes targeted by this technique are <code>MsSense.exe</code>, <code>MsMpEng.exe</code>, <code>CSFalconService.exe</code>, and <code>hmpalert.exe</code>. FudModule first finds their respective <code>_EPROCESS</code> structures, employing the same algorithm as it did to find the AhnLab service. Then, it performs a sanity check to ensure that the dummy thread handle is not too high by comparing it with <code>_EPROCESS.ObjectTable.NextHandleNeedingPool</code> (which holds information on the maximum possible handle value given the current handle table allocation size). With the sanity check satisfied, FudModule accesses the handle table itself (<code>_EPROCESS.ObjectTable.TableCode</code>) and modifies the dummy thread’s <code>_HANDLE_TABLE_ENTRY</code> so that it points to the <code>_OBJECT_HEADER</code> of the target <code>_EPROCESS</code>. Finally, the rootkit uses the redirected handle to call <code>NtSuspendProcess</code>, which will suspend the targeted process.&nbsp;&nbsp;</p>
  5618.  
  5619.  
  5620.  
  5621. <p>It might seem odd that the manipulated handle used to be a thread handle, but now it’s being used as a process handle. In practice, there is nothing wrong with this since the handle table itself holds no object type information. The object type is stored in <code>_OBJECT_HEADER.TypeIndex</code> so when the rootkit redirected the handle, it also effectively changed the handle object type. As for the access bits, the original <code>THREAD_ALL_ACCESS</code> gets reinterpreted in the new context as <code>PROCESS_ALL_ACCESS</code> since both constants share the same underlying value.&nbsp;</p>
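<p>The handle table entry decoding described in the last two paragraphs, as an added C example (not code from this post or from FudModule) written from the memory-forensics side: it reconstructs the <code>_OBJECT_HEADER</code> address from the 44-bit <code>ObjectPointerBits</code>, extracts <code>GrantedAccessBits</code>, shows that <code>THREAD_ALL_ACCESS</code> and <code>PROCESS_ALL_ACCESS</code> share one value, and locates an entry in a single-level table. The entry values are constructed; the bitfield layout and the 0x30-byte header size are assumptions matching recent x64 builds and should be checked against <code>dt nt!_HANDLE_TABLE_ENTRY</code> on the build under analysis.</p>

```c
/* Added example, not code from the Avast post or from FudModule.
 * Decodes an x64 _HANDLE_TABLE_ENTRY the way a memory-forensics tool
 * does, so the 44-bit ObjectPointerBits compression and the
 * type-agnostic access mask discussed in the post can be checked on
 * captured entries. Bitfield positions are those reported by
 * "dt nt!_HANDLE_TABLE_ENTRY" on recent Windows 10/11 x64 builds;
 * treat them as an assumption and verify on the build under analysis. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint64_t LowValue;   /* Unlocked:1 RefCnt:16 Attributes:3 ObjectPointerBits:44 */
    uint64_t HighValue;  /* GrantedAccessBits:25 NoRightsUpgrade:1 Spare:38 */
} handle_table_entry_t;

/* Access-mask constants from the Windows SDK. Both expand to 0x1FFFFF,
 * which is why a THREAD_ALL_ACCESS handle reads as PROCESS_ALL_ACCESS
 * once the entry is redirected to a process object. */
#define STANDARD_RIGHTS_REQUIRED 0x000F0000u
#define SYNCHRONIZE              0x00100000u
#define THREAD_ALL_ACCESS  (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFFu)
#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFFu)

#define KERNEL_ADDR_HIGH16 0xFFFF000000000000ull
#define OBJECT_HEADER_SIZE 0x30u   /* x64 _OBJECT_HEADER; the object Body follows it */

/* The 44 pointer bits occupy the top of LowValue (after 1+16+3 = 20 bits). */
uint64_t entry_object_pointer_bits(const handle_table_entry_t *e)
{
    return e->LowValue >> 20;
}

/* Reconstruct the full _OBJECT_HEADER address: the low 4 bits are zero
 * because the header is 16-byte aligned, and the high 16 bits are 0xFFFF
 * because it is a kernel-mode address. */
uint64_t entry_object_header(const handle_table_entry_t *e)
{
    return KERNEL_ADDR_HIGH16 | (entry_object_pointer_bits(e) << 4);
}

/* Address of the object body (e.g. the _EPROCESS or _ETHREAD itself). */
uint64_t entry_object_body(const handle_table_entry_t *e)
{
    return entry_object_header(e) + OBJECT_HEADER_SIZE;
}

/* GrantedAccessBits: low 25 bits of HighValue. The table stores no object
 * type; the mask is interpreted against whatever TypeIndex the referenced
 * _OBJECT_HEADER carries. */
uint32_t entry_granted_access(const handle_table_entry_t *e)
{
    return (uint32_t)(e->HighValue & 0x1FFFFFFu);
}

/* Address of the entry for `handle` in a single-level handle table
 * (TableCode low two bits == 0). Handle values step by 4 and entries are
 * 16 bytes, so the entry sits at TableCode + handle * 4. Returns 0 for
 * two- and three-level tables, whose indirection is not modelled here. */
uint64_t handle_entry_address(uint64_t table_code, uint32_t handle)
{
    if ((table_code & 3u) != 0)
        return 0;
    return table_code + (uint64_t)(handle & ~3u) * 4u;
}

/* Constructed entry: ObjectPointerBits encode header 0xFFFF8A0123456780,
 * Unlocked = 1, RefCnt/Attributes = 0, access = THREAD_ALL_ACCESS. */
static const handle_table_entry_t sample_entry = {
    0x8A01234567800001ull, THREAD_ALL_ACCESS
};

int main(void)
{
    printf("header 0x%016llx body 0x%016llx access 0x%x\n",
           (unsigned long long)entry_object_header(&sample_entry),
           (unsigned long long)entry_object_body(&sample_entry),
           entry_granted_access(&sample_entry));
    return 0;
}
```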
  5622.  
  5623.  
  5624. <div class="wp-block-image">
  5625. <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="932" height="190" src="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/windbg_handle_table_entry.png" alt="" class="wp-image-8210" srcset="https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/windbg_handle_table_entry.png 932w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/windbg_handle_table_entry-300x61.png 300w, https://decoded.avast.io/wp-content/uploads/sites/2/2024/02/windbg_handle_table_entry-768x157.png 768w" sizes="(max-width: 932px) 100vw, 932px" /><figcaption class="wp-element-caption">The manipulated dummy thread handle (<code>0x168</code>), now referencing a process object.&nbsp;</figcaption></figure></div>
  5626.  
  5627.  
  5628. <p>Though suspending the target process might initially appear to be a completed job, FudModule doesn’t stop here. After taking five seconds of sleep, it also attempts to iterate over all the threads in the target process, suspending them one by one. When all threads are suspended, FudModule uses <code>NtResumeProcess</code> to resume the suspended process. At this point, while the process itself is technically resumed, its individual threads remain suspended, meaning the process is still effectively in a suspended state. We can only speculate why Lazarus implemented process suspension this way, but it seems like an attempt to make the technique stealthier. After all, a suspended process is much more conspicuous than just several threads with increased suspend counts.&nbsp;</p>
  5629.  
  5630.  
  5631.  
  5632. <p>To enumerate threads, FudModule calls <code>NtQuerySystemInformation</code> with the <code>SystemExtendedHandleInformation</code> class. Iterating over the returned handle information, FudModule searches for thread handles from the target process. The owner process is checked by comparing the PID of the target process with <code>SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX.UniqueProcessId</code> and the type is checked by comparing <code>SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX.ObjectTypeIndex</code> with the thread type index, which was previously obtained using <code>NtQueryObject</code> to get <code>ObjectTypesInformation</code>. For each enumerated thread (which might include some threads multiple times, as there might be more than one open handle to the same thread), FudModule manipulates the dummy thread handle so that it points to the enumerated thread and suspends it by calling <code>SuspendThread</code> on the manipulated handle. Finally, after all threads are suspended and the process resumed, FudModule restores the manipulated handle to its original state, once again referencing the dummy sleep thread.&nbsp;</p>
  5633.  
  5634.  
  5635.  
  5636. <h2 class="wp-block-heading">Conclusion&nbsp;</h2>
  5637.  
  5638.  
  5639.  
  5640. <p>The Lazarus Group remains among the most <a href="https://attack.mitre.org/groups/G0032/" target="_blank" rel="noreferrer noopener">prolific and long-standing</a> advanced persistent threat actors. Though their signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected level of technical sophistication. The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal. Recent updates examined in this blog show Lazarus’ commitment to keep actively developing this rootkit, focusing on improvements in both stealth and functionality.&nbsp;</p>
  5641.  
  5642.  
  5643.  
  5644. <p>With their admin-to-kernel zero-day now burned, Lazarus is confronted with a significant challenge. They can either discover a new zero-day exploit or revert to their old BYOVD techniques. Regardless of their choice, we will continue closely monitoring their activity, eager to see how they will cope with these new circumstances.&nbsp;</p>
  5645.  
  5646.  
  5647.  
  5648. <h4 class="wp-block-heading">Indicators of Compromise (IoCs)&nbsp;</h4>
  5649.  
  5650.  
  5651.  
  5652. <p>A YARA rule for the latest FudModule variant is available at <a href="https://github.com/avast/ioc/tree/master/FudModule#yara" target="_blank" rel="noreferrer noopener">https://github.com/avast/ioc/tree/master/FudModule#yara</a>.</p>
  5653. <p>The post <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/">Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day</a> appeared first on <a href="https://decoded.avast.io">Avast Threat Labs</a>.</p>
  5654. ]]></content:encoded>
  5655. </item>
  5656. </channel>
  5657. </rss>
  5658.  
