Trojan Wacatac Detection

Trojan:Script/Wacatac.B!ml and Trojan:Win32/Wacatac.B!ml detection is one of the numerous detection names that Microsoft assigns to minor malware families. A lot of similar-yet-different malicious software received this name because of the use of the same code solutions and similar functionality. Microsoft’s name often becomes a common noun for all similar malware.

When it comes to functionality, Wacatac is mostly spyware or stealer malware. Some of the sub-specimens may be distinctive for using Discord, Telegram, or Mastodon as data exfiltration channels. To have a more clear understanding of what the malware under the Wacatac name looks like, let’s analyze a sample of malware detected as Wacatac.

Trojan:Script/Wacatac.B!ml Overview

For the analysis of a real-world Wacatac trojan example, I’ve opted for a Trap Stealer. Microsoft detects it as Trojan:Script/Wacatac.B!ml (see more info on VirusTotal). The Python-based malware sample is pretty unique – it is an open-source stealer with the source code listed on GitHub. Its builder features extensive functionality, particularly offers to create a disguise out of the box. But let’s have a more precise look.

On the GitHub repository that contains the source code of the malware, its devs show most of the functionality. It corresponds to the abilities of a classic stealer: malware gathers info from WhatsApp, steals cookies, and contents of the clipboard and AutoFill, scrapes passwords, and can capture screenshots. On top of that, Trap Stealers boast of the ability to mischief the host system.

Detection Evasion Methods

I’d pay additional attention to how this malware disguises itself. As I said, the builder offers not only to specify a Discord webhook as a relay server, but also to establish a “shell” that will make the user launch the malware deliberately. Currently, there are two options for this shell – a fake Discord webhook creation tool and a pseudo-Discord Nitro generator. Malware masters may choose one during the building, or choose none at all.

Though, these methods are called to evade user suspicion. Against anti-malware software, especially malware analysis environments, malware has several dedicated tricks up its sleeve.

Upon execution, this malware performs a row of checks that ensure that the system is not running a debug environment, resides away from the banned countries, and is not a virtual machine. If one of the checks returns an unacceptable result, any further execution will be terminated.

Establishing Persistence

Once all the aforementioned checks are done, Wacatac makes itself persistent to the attacked environment. It creates its randomly-named copy in a random directory in the AppData or LocalAppData folder of a user directory. Then, the malware adds a corresponding value to the Run entry of the system registry. This ensures the malware startup with the system.

Code responsible for registry entry creation

These steps may be accompanied by more, if additional actions were specified in the process of sample building. For instance, malware can hook up to the Discord startup, or establish persistence using the user startup folder instead of the registry key.

Data Gathering

The malware proceeds to its normal activity after establishing persistence. The first thing to do is to collect all the data about the system – it gathers quite a big list of it. Interestingly enough, the malware sends the log with this info to the command server almost instantly. This contrasts with the typical fashion of doing things, when the stealer will get everything it can reach and only then send it to the C2.

This extensive list of system data is then accompanied by collected passwords and cookies. For stealing passwords, malware particularly aims at web browser files. There, it seeks specific files that programs use to keep the info. Aside from files that can contain credentials, Wacatac also collects all the cookies it can find. All the stuff is then kept in the specific files in the AppData\Local\Temp directory, under specific names that start with the “wp” particle.

This Wacatac instance particularly goes for browsing history. Since the way it is handled is more or less unified for most of the browsers, malware targets quite a few of them. Here is the list:

• Safari
• Firefox
• Chrome
• Opera
• Edge
• Opera GX
• Internet Explorer

Stealing Discord Tokens

The Wacatac sample we are reviewing pays significant attention to Discord, though it is not unique for stealers. Moreover, the method it uses to extract the session tokens is more or less the same for all malware samples. Let’s dive into it.

To get Discord tokens from web browsers, malware seeks for leveldb files (.ldb). It is a database file specific to Chromium-based browsers, that stores auth tokens, keys, and things the like. As there are quite a few popular browsers that derive from Chromium core, malware tries to target them all.

For the sake of clarity, it is worth noting that non-Chromium browsers are not invulnerable to such manipulations. By using database calls, malware can easily extract the info it needs, or even everything all at once. The fact that a browser keeps the data differently means just the need for a couple more lines in malware code.

Aside from crawling through the browser files, the malware also tries to grab the same Discord session tokens from the app’s directory. As there are a few different clients out there, the malware tries targeting them all by scanning for corresponding folders in the AppData\Roaming directory.

Stealing Data of Crypto Wallets & Gaming Apps

Another typical edge of interest for Win32/Wacatac is crypto wallets as extensions, desktop apps, and gaming applications. It particularly aims for Metamask, Atomic, Exodus, and NationsGlory crypto wallets. However, stealing other wallets is just a question of a proper configuration, so they may appear in the future. All the collected data is compressed into a .zip folder and sent to the C2.

For gaming apps, malware particularly aims at Steam and Riot Client. Malware seeks for their folders in AppData\Local and then creates a zipped copy of their directories.

Exfiltration & C&C Connections

Once Wacatac finishes the extraction, it will keep idling, waiting for new data to steal. Upon every startup, it will go through all the scans I’ve mentioned above, trying to find new stuff to steal. However, a malware master can order it to self-destruct when it finishes the data collection, or even enforce the system crash at this moment. This all is needed to hide the traces of malware activity.

Protecting Against Trojan:Win32/Wacatac

Stealer malware, such as Wacatac, is often easily detectable by well-designed antivirus programs. An antivirus program equipped with heuristic detection systems and AI assistance can readily identify and remove this threat. GridinSoft Anti-Malware, in particular, is a reliable choice for this task. It can remove the malware and ensure your PC remains safeguarded for an extended period.

Simultaneously, due to the reasons I mentioned earlier, this virus heavily depends on user errors. Non-existent items like Discord Nitro key generators prey exclusively on users’ belief that it is possible. More legitimate tools, such as network engineering utilities, should be thoroughly checked before use. Even seemingly legitimate emails may contain malicious links or files in email spam. By addressing these weak spots, the likelihood of malware infection can be significantly reduced.

The post Trojan:Script/Wacatac.B!ml appeared first on Gridinsoft Blog.

GoDaddy Refund Email Phishing

Being a widely popular web hosting provider, GoDaddy obviously has a line of different options for money chargebacks. Some people are not happy with how the service works, some people want to cancel the domain parking or hosting due to personal reasons – refund emails are typical for such requests. This is where hackers decided to take inspiration from.

Random users started receiving emails with the topic set as “GoDaddy Refund”. It touched even ones who have never ever interacted with the company and its services. There were no reported cases of using compromised emails that belong to GoDaddy. These emails contain a pretty standard notification about the incoming refund and the link to a page “where you can get the refund details”. Obviously, even when a person is new to GoDaddy, they will most likely be eager to check it up. This link leads to a page that, once again, repeats a genuine one used by the company to share documents.

The page, however, does not start a direct download, and instead redirects the victim to a Discord URL, where the .zip archive is downloaded. This archive contains an .lnk file, disguised as a PDF document, which launches the PowerShell script. The latter initiates downloading and running the Invicta stealer.

Invicta Stealer Description

Invicta is a pretty unique example of an infostealer. By default, it is free and open-source, meaning that its source code is available to the public on GitHub. Another malware with similar philosophy is HiddenTear ransomware – one in its kind as well. Though in the Telegram group where the stealer developers are promoting their stealer, there are the offers to purchase the web panel access for $50.

However, other details of Invicta are way less unusual. Same as other modern-time stealers, it applies several anti-analysis and anti-detection tricks upon execution. Then, it routinely starts with grabbing Discord and Steam session tokens and crypto wallets information. The latter is collected only from desktop apps, while most of other stealers will also aim at browser extensions as well. Browsers are treated separately: malware takes every piece of a file that can contain valuable information. It also can target the KeyPass password manager app – less common, but still expected capability.

Targeted browsers and cryptowallets

Aside from passwords and session tokens, Invicta stealer gathers some trivial information regarding the system. It is a system screen size, CPU count, OS version and build, HWID, time zone and username. Malware can also gather other data when receiving a corresponding command – for example, enumerate users and installed programs. That data is commonly used to fingerprint the system, but can also be useful to emulate the victim’s system for more precise session hijacks.

How to protect yourself?

Here, two vectors of protection may be applied. First is proactive – the counteraction to email spam and phishing pages on the Web. Another one is rather a second line of defence – the one which protects against the spyware/stealer payload.

Pay attention to emails you’re opening. Most of the time, they are harmless – but that is what hackers want you to think. If you’ve received an email which you do not expect to receive, or its contents are not typical to what the sender typically sends, it is better to perform a diligent checkup. Most of the time, you will find differences in the sender’s email address, and, in some cases, typos or mistakes in the message body. Though, in rare cases of business email compromise, it may be hard to say whether the sender is legit or not. For that reason, relying entirely on your attention is not a guarantee.

Use anti-malware software with network monitoring. Here, anti-malware programs will act as both reactive and proactive solutions. Having a netmonitor makes it useful for preventing you from accessing phishing pages. Meanwhile, when malware manages to arrive at your device, it will still be blocked, especially when the program has a well-designed proactive protection system. GridinSoft Anti-Malware is the one you may rely on – consider giving it a try.

The post GoDaddy Refund Phishing Emails Spread Infostealer appeared first on Gridinsoft Blog.

What is Ducktail Malware?

Ducktail is malware built on .NET Core that predominantly targets individuals and employees who may have access to a Facebook Business account. The Ducktail campaign is believed to have been active since 2018. However, the author became actively involved in developing and distributing malware related to the DUCKTAIL operation in the second half of 2021. The chain of evidence suggests that the attacker’s motives are driven by financial considerations and that the cybercriminal behind the campaign hails from Vietnam.

As mentioned at the outset, the primary targets of this stealer were individuals who hold senior positions in clothing, footwear, and cosmetics companies, as well as employees involved in digital marketing, digital media, and human resources. However, the author is believed to have recently updated the malware, expanding its capabilities. The new version of Ducktail is written in PHP. Now it targets users with any level of access to Facebook Business accounts.

How does it work?

The Ducktail malware is specifically designed to extract browser cookies and use social media sessions. In this way, the attacker obtains sensitive information from the victim’s social media accounts and over Social Media Business accounts respectively. The scammers then use the access to place advertisements for financial gain. We will now look at this process in more detail.

Delivery

To infect a target device, attackers use time-tested social engineering. I have repeatedly mentioned that the weakest link in any defense is the human factor, so this tactic will always be relevant. First, scammers place a malicious file on popular cloud storage. They typically use Google Drive, OneDrive, Mega, MediaFire, Discord, Trello, iCloud, and Dropbox. Next, they trick the victim into downloading and opening the malicious file. To do this, hackers contact the victim via social networks, and send a link to the archive. To make it look more legitimate, they pick a name like “Project Information And Salary Details At AVALON ORGANICS.zip”. Consequently, no suspicion is raised by the victim.

Inside the archive, there may be some thematic images (e.g., images of cosmetics, if it is a cosmetics company) and PDF or PDF document files. In reality, however, these are executable files disguised as documents, as can be seen by checking the file extension. These files are actual payloads – .NET assemblies that carry both executable sections and DLLs in it.

Info Stealing

Once launched, Ducktail scans web browsers, mainly Google Chrome, Mozilla Firefox, Microsoft Edge, and Brave Browser. The malware extracts all stored cookies as well as access tokens. It is also interested in information such as name, user ID, email address, and date of birth from the victim’s Facebook account. The malware scans registry data in HKLM\SOFTWARE\WOW6432Node\Clients\StartMenuInternet to get each installed browser’s name, path, and icon path.

Hacking process

Ducktail uses the victim’s social media session cookie and other security credentials obtained. This allows it to interact directly with other social media endpoints from the victim’s computer, extracting information from the victim’s social media account. In addition, the malware checks for two-factor authentication and, if positive, tries to obtain recovery codes. It can also steal access tokens, IP addresses, and user agents, data from commercial and advertising accounts connected to the victim’s personal account. This allows attackers to hijack these accounts and add their email addresses to gain admin and financial editor access.

While the former is self-explanatory, administrator rights give complete control over the Facebook Business account. Financial editor rights allow the change of credit card information and financial details of the business, such as transactions, bills, account charges, and payment methods. Because Ducktail accesses this information by sending requests from the victim’s computer, he impersonates a legitimate user and his session. This is achieved by masking its activity behind the victim’s IP address, cookie values, and system configuration. In addition to the data obtained, the malware attempts to get data from the Facebook Business page the following information:

• Payment initiated
• Payment required
• Verification Status
• Owner ad accounts
• Amount spent
• Currency details
• Account status
• Ads Payment cycle
• Funding source
• Payment method [ credit card, debit card, etc.]
• Paypal Payment method [email address]
• Owned pages.

Exfiltration

As C&C server, Ducktail uses Telegram messenger as a channel. Fraudsters use Telegram.Bot client library makes it easy to upload a file to a chat with a Telegram bot. Finally, the malware runs an infinite loop in the background, establishing a continuous exfiltration process.

How to protect yourself?

Ducktail is a narrowly targeted information thief that can have severe financial losses and identity theft. Its authors constantly make changes and improve delivery mechanisms and approaches to steal sensitive user information. However, the following tips can help you keep the chances of infection to a minimum:

• Only download applications from trusted sources. Please avoid URLs that may be used to spread malware, like Torrent or Warez.
• Use strong passwords and remember to update them regularly.
• Enable multi-factor authentication whenever possible.
• Use reliable antivirus and internet security software on all your devices, such as your PC, laptop, and workplace PC.
• Avoid opening links and email attachments unless you can verify their authenticity.
• Keep an eye on the network beacon to prevent data exfiltration by malware or TAs.
• Consider enabling Data Loss Prevention (DLP) solutions on your employees’ systems.

Ducktail IoCs

MD5:691ca596a4bc5f3e77494239fb614093
MD5:618072b66529c1a3d8826b2185048790
MD5:b4125e56a96e71086467f0938dd6a606

SHA1:20f53032749037caa91d4b15030c2f763e66c14e
SHA1:936139fc7f302e3895f6aea0052864a6cb130c59
SHA1:e692a626c6236332bd659abbd4b1479b860bf84a

SHA256:f024e7b619d3d6e5759e9375ad50798eb64d1d4601f22027f51289d32f6dc0ca
SHA256:2650e6160606af57bd0598c393042f60c65e453f91cde5ecc3d0040a4d91214d
SHA256:385600d3fa3b108249273ca5fe77ca4872dee7d26ce8b46fe955047f164888e7

The post Ducktail Infostealer Malware Targeting Facebook Business Accounts appeared first on Gridinsoft Blog.

Infostealer Malware Market in 2024

Infostealer malware gained more and more popularity during the last decade. However, the biggest spike happened during the course of the last few years. First noticeable factor is a massive popularisation of cryptocurrencies. How is that related? Well, relatively big amounts of money always attracted the attention of hackers. Carding and banking fraud though is now less effective as banks implemented strict controlling measures back in early ‘10s. Cryptocurrency wallets, on the other hand, have low to no control, making them ideal targets for Infostealer.

Another reason that made spyware and infostealers so popular and widespread is their massive application in attacks on corporations. Even when hackers break into the network to cipher the files and ask a ransom for their decryption, they also drop a Infostealer malware that will exfiltrate as much valuable information as possible. Afterwards, hackers request an additional ransom to keep this data secret. Some attacks are based exclusively on stealers, and the result of their job is both sold on the Darknet or used for business email compromise (BEC) attacks. Additionally, some ransomware groups that aim at home users started adding spyware to their attack chain a while ago.

Infostealer Malware Market Leaders

As of May 2024, there are 3 major malware families that dominate the market – RedLine, Raccoon and Vidar. All of them are not new at that point of time, with Vidar being active for the longest time. Let’s have a closer look at them, starting with the youngest one.

RedLine Infostealer

RedLine infostealer appeared in 2020, and saw a pretty wide application in different cyberattacks. Most of the time, however, it was aimed against single users, as its functionality fits best for this purpose. Key targets for the RedLine are cryptocurrency wallets data, both from desktop versions and browser plugins. Still, it can gather other data, like FTP/VPN configurations and session tokens for apps like Discord or Steam. Having a pretty large market share at the edge of 2023, it became much less active starting from March 2024. Yet an enormous number of new samples that popped out recently may be the sign of another campaign getting ready. Key way the RedLine developers find hackers who buy this malware is through Telegram groups and Darknet forums.

Raccoon Infostealer

Raccoon has key properties similar to ones RedLine offers, but is capable of capturing a much wider selection of data. In its scope are browser autofill files, cookies and online banking credentials, on top of the ability to pluck cryptocurrency wallets. Since the emergence in early 2019, Raccoon was holding dominant positions on the market – and keeps holding them even now. In summer 2022, its developers released a new version, promising faster and more reliable malware for a slightly bigger pay. Same as RedLine, Raccoon stealer is commonly spread through ads in Telegram channels and bots; Darknet platforms are less preferred, though are used for public communication.

Vidar Infostealer

Among top 3 Infostealer threats, Vidar is most definitely a dark horse. It is considered to be an offspring of Arkei stealer, malware that made quite an image back in early 10’s. After the launch in 2018, it never had a dominant share on the market, being at best #2. Nonetheless, its efficiency and unique design is hard to deny – Vidar offers a modular approach towards data stealing, and has an uncommon way of C2 communication. It also performs self-destruction after the successful data exfiltration. Additionally, it is often spread in a bundle with other malware, such as STOP/Djvu ransomware. Methods of selling it to cybercriminals, however, are less unique – it uses Telegram channels dedicated to malware promotion.

Newbies

It would be quite reckless to deny the importance of new malware. For sure, not all of them will make it even to the 1-year milestone, but Raccoon and Vidar once were newbies as well – and you can see where they are. Among stealer families that popped out over the last year, there are a couple you should keep in mind.

Lumma

Also known as LummaC2, this infostealer appeared in December 2022. At the outset of familiarity with this malware, you can already see some fairly noteworthy details. At the “pricing plans” panel, developers mention the ability to configure the payload in a specific manner, and add network sniffer functionality. The presence of these functions depends on the price of the chosen plan – $250, $500 or $1,000. Additionally, masters offer access to malware and panel source codes and the right to sell them – for $20,000. Other functions, however, are available regardless of the plan. Lumma can grab browser cookies, autofill forms, data from 2FA plugins/apps, and crypto wallets credentials – from both apps and browser plugins.

Stealc

Stealc is another youngster, which was first mentioned on January 9, 2023, on several Darknet forums. It appears to utilise best practices from most popular stealers, which already makes it pretty potent. Among unusual practices is a free test and weekly releases of new features. As for other functions, malware has a classic set of a modern infostealer: it gathers data from web browsers (cookies, autofill forms etc), cryptocurrency wallets extensions and even email clients and messengers. Such extended functionality, especially compared to other new malware examples, will definitely be appreciated.

How to Protect Against Infostealer Malware?

Protection against threats like infostealer is always a tough question to answer. Thing is, malware like this is forced to evolve constantly, finding new ways to be more efficient and stealthy. This makes any advice that reacts to some malware features useless in the long-term. However, there are still some things Infostealer Malware developers can’t (or don’t want to) change.

Beware of spear phishing. It may have different forms – from email messages that are sent from a compromised business email to posts in social media from the hijacked account of a legit company. But even after all the sophistications, hackers can never make a check-proof legend. Most commonly, they attract victims by urgent events or exclusive deals. A simple source check will reveal any possible scam – if the impersonated company has nothing to do with such claims, ignore the spooking message.

Avoid using pirated software. Despite losing a significant portion of market share due to email spam expansion, software cracks are still used for malware spreading. Torrent-trackers and third party websites are flooded with numerous offers on a brand new software – and try to guess which one is infected. Using only licensed software will not make you clear before the law, but also nail any risk of malware injection. And, believe me – dealing with malware activity consequences will cost you way more than you can save on program licences.

Protect your system with proper anti-malware software. Yes, it is better to avoid muddy waters at all, but having a security tool that will take care of problems will make your life much easier. Not any utility will fit though, as infostealer malware have some tricks to avoid basic anti-malware software. GridinSoft Anti-Malware gives them no chances, thanks to its three-component detection system and constant updates that retain its databases’ relevance.

The post Infostealer Malware: Top Stealers in 2024 appeared first on Gridinsoft Blog.

What is RedLine malware?

First, let me remind you what RedLine is. It is a classic infostealer that targets cryptocurrency wallet credentials, browser AutoFill forms, cookies, and credentials from other applications. The most common way of spreading this malware is spear phishing, which contains infected files and phishing links. Another option used by malware masters recently is malvertising through Google Search ads. The latter supposes the creation of a website that replicates the downloading page of a legit free software – like 7zip, OBS Studio or LibreOffice.

Emerged in early 2020, RedLine had moderate activity throughout its lifespan. The first noticeable activity happened only half a year after the first sample detection – meaning its developers were raising their malware from scratch. But now it made an enormous spike, that peaked on May 7 – over 39,000 samples emerged that day.

What does that mean?

Actually, almost a hundred thousand samples do not correspond to 100,000 victims. RedLine malware toolkit offers sample recompilation and its developers recommend compiling a fresh sample for each attack. That makes every malware unit unique, which makes it way harder to detect by classic anti-virus programs. Encrypting utility, which is also recommended by the malware developers to use, makes it even tougher.

Sure, some of these samples are definitely used in ongoing attacks. RedLine bears on continuous operations and botnet expansions, which requires retaining high infection rates. “Background” activity of this malware is about 1,500 samples a day – meaning most of them are used in actual attacks. Meanwhile, no huge infection spikes were detected recently, at least not of the scale of the sample generation.

The most concerning hypothesis is that RedLine is getting ready for a massive attack. How will this attack be conducted – this is about to be guessed or seen, yet cybercriminals rarely betray their “classic” spreading ways. Email spam, especially precision-made ones, remains very effective and exceptionally cheap – so why would they reinvent the bicycle?

Another possible occasion is way less dramatic, yet does not mean that the threat is over. Such a massive sample generation may be an outcome of some tests – for example, ones done to test the compiler, crypto, or other mechanism. Neither me nor any other analyst can know for sure what exactly they test, but these changes may have qualitative differences. The best way to understand what that means is to spectate, fortunately, these maneuvers do not disrupt threat intelligence in any way.

IoC RedLine Stealer

• Spy.Win32.Redline.lu!heur: 0d5caf9c9e0da55980cda1dd5d9f3f95a8d1b12b0992030b995f49ce54b31f6c
• Malware.U.RedLine.tr: 6e2cf634bd101c5474bcaf2ed9145ab70cc2ea17b717e047498a4e0eff2d6058
• Malware.U.RedLine.tr: 07b0145a4ce9d7a4b01d0cbc46e8926b3dcbc3bce2abd510ffb81e38e464a813
• Malware.Win32.RedLine.tr: fea43fd0b4e01c02a0b4d04413fdab976eee6a36e7364a39f43512ca74de9219
• Malware.U.RedLine.tr: 0c6669dc42df67f65ecdd7cfb36f10c4f55cfd664a546b1fb3acc24aa6da92ae
• Malware.U.RedLine.tr: e365596c8b51835dcea310af6603707a4c87bda046e476fcfeb3a82869e6132e
• Spy.Win32.Redline.lu!heur: 8f6d6ad88f1feb1e5cf723cef754e845e8da6271b34db41afebdfa07e750f605
• Malware.Win64.RedLine.bot: 0f7f86530b7fa2e693a2a3a5bf69957e61c2f45d39418d077285a1ea6f4bb992
• Malware.U.RedLine.tr: e4fed416cc98b62c09eb6bb535751b9fa362b106b62e4c858361433487f83a05
• Spy.Win32.Redline.lu!heur: 0abd67edd302610c2f17419320c6a53dc1f441807e45e87b0c974d34ee6c3053

How to stay protected?

I’ve already mentioned preferred spreading ways that RedLine has used since its emergence in 2020. Protective measures should be built around counteracting these methods. And, of course, as the last line of defense, there should be anti-malware software.

Perform a diligent check for each email you receive. It may look like a too paranoid measure for messages, but be aware – it is not about “just emails”. The number of cyberattacks on companies of all sizes done through email spam is terrifying, thus such a threat should not be ignored. Any questionable attachment, link, or strange email address of a sender is a red flag.

Use network monitoring tools. Both active and passive will fit, as RedLine does not apply complicated anti-detection methods. Still, it tries to spoof the traffic path during the C2 communication – and here is where protective solutions shine. Firewalls are much cheaper and easier to set up, but lack reactive response capabilities. Meanwhile, NDR solutions trade their complexity and expense for the ability to intercept even the most novice threats.

Anti-malware software – the last argument of kings. The ideal network security situation is preventing malware from making its way to the live workstation. Though idealism is sometimes synonymous with naivety. For that reason, a thing to back up your security is essential, both if you’re a home user or are connected to the corporate LAN. GridinSoft Anti-Malware is a great choice for home protection, though it will be better to seek a specialized option to protect an entire network.

The post RedLine Stealer Issues 100,000 Samples – What is Happening? appeared first on Gridinsoft Blog.

What is the 3CX Phone System?

3CX Phone System is a software phone communication program developed by an eponymous company. It provides VoIP communication with a connection to PSTN. All of the operations are served in the cloud, which makes it convenient for use even in small companies. As of the beginning of 2023, the company boasted 12+ million customers in over 600,000 companies around the world. The company provides services to the world’s most-known names, such as Toyota, BMW, Avira, McDonald’s, Boss, Hilton, and IKEA.

Being a company with such success and so notable clients is always a serious responsibility, both image- and cash-worthy. That requires corresponding attention to all the elements of your infrastructure and personnel – to avoid any risks related to security breaches. Supply chain management must be even more diligent in security questions, as consequently linked single-purpose elements are often prone to break. And that is what happened to 3CX.

What is the 3CX supply chain attack about?

Supply chain attacks suppose hacker integration at a certain stage of the supply chain. The researchers who examined the case yet did not find a certain place where the breach could have happened. From what is known now, it is clear that hackers managed to forge the installer and force it doing what they want. That clue points to the fact that crooks made their way to the installer’s source code, as it has no problems with certificates and signatures. The attack itself resembles the SolarWinds hack that happened back in 2020.

After launching the installer, an unsuspecting user will see the routine installation procedure. However, in the background, the binary file will connect to a GitHub repository to get an ICO file. That is actually a second-stage payload, which contains data encoded with base64. Short research shows that this data is a set of shell codes, which execution calls for the next step. They force the system to connect to the C2 and pull the third-stage payload.

Third stage – the final one – is a DLL file, a classic form of the vast majority of modern malware. After retrieving the library, one of the shellcodes makes it run. It seems to be an infostealer that grabs web browser data from an infected system, particularly browsing history. Malware aims for a pretty short list of browsers – Chrome, Edge, Firefox and Brave. Such behaviour is different from common spyware and stealers, thus the malware is most likely a brand new one, possibly created specifically for this attack. Threat researchers from SentinelOne, who were the first to detect dubious activity, coined it SmoothOperator.

Is the 3CX attack dangerous?

As any other spyware attack, it is. Despite the less-than-usual amount of data collected by the detected stealer, the potential scale of this attack is tremendous. We already mentioned the number of 3CX users worldwide – and imagine how many potential victims may be among them. Yes, not all users have installed the infested update, and some of them were saved by anti-malware software. But it is possible that they are in the minority.

The NHS has issued a cyber alert with a "High" severity ranking warning about this active intrusion campaign, warning "legitimate versions of 3CX DesktopApp have been compromised and are being actively exploited."

Alert here: https://t.co/J3NTs6rMD5 https://t.co/M7yBauSlcy

— Alexander Martin (@AlexMartin) March 30, 2023

Given that ignoring the updates is not a very good practice, the only way to protect against such a breach is by using a superb security tool. Its superiority should be defined not only by detection capabilities and amount of functions but also by the zero-trust policy. Regular anti-malware programs generally rely on the trustiness of a program, and will likely ignore malignant activity around a signed installation binary. Zero-trust one, on the other hand, treats any file as potentially hazardous and applies all kinds of checkups to ensure that it is secure.

The post 3CX Phone System is Struck With Chain Supply Attack appeared first on Gridinsoft Blog.

Luca Stealer functionality

As analysts from Cyble state in their report, the set of functions Luca malware offers is similar to the ones available in other stealers. It can successfully break into all Chromium-based web browsers, and deliver different types of information to the hacker. In particular, it aims for cookie files, Discord login tokens, accounts on game distribution platforms, credit card info and cryptocurrency wallets. The last two categories of information are obtained through digging the extensions installed in the browser. Malware checks them by the list of installed plugins and, once getting a match, steals the data these plugins store locally. This technique is different from what is usually applied by stealers.

Besides the categories of data I have mentioned before, Luca Stealer also grabs the information about the attacked system. Using the specific calls, it receives the system memory amount, swap file size, number of CPU cores and so on. After finishing the data collection, Luca packs it into the zip archive and sends it via Discord webhooks, or through bots in Telegram. The choice depends on the size of the resulting file.

There is a single significant difference between Luca and other stealers. It is not able to hijack the cryptocurrency transactions through editing the data copied to clipboard. Still, that function is highly notable for antivirus software. Reading the clipboard contents without the user’s command is suspicious, so the absence of this function makes this malware harder to detect. Moreover, stealing the entire wallet instead of the single transaction may be much more profitable, and the former has more chances to remain undetected.

Luca stealer spreading

It is not clear how exactly this stealer spread. Luca is quite stealthy, as only each fifth antimalware vendor among present on VirusTotal actually detects it. It is likely caused by the programming language of this malware – Rust. It has already appeared in ALPHV/BlackCat ransomware, and showed up as the great way to mask the malware. Additionally, that makes it easier for the crooks to make their malware cross-platform. Usual ways of stealer distribution – through the malicious spamming on different platforms and phishing – will fit Luca as well. But which one will the cybercriminals actually opt for – only God knows.

A few days ago an individual on XSS leaked [sic](shared?) the source code to a Rust-based data theft malware.

We have added it to the vx-underground Malware Source Code collection on GitHub:

/Leaks/Win32/Win32.Rust.LucaStealerhttps://t.co/5RHeEYWYth

— vx-underground (@vxunderground) July 26, 2022

Is there a reason to be concerned?

There is always a reason to be concerned, if you have anything valuable in a digital form. Cryptocurrencies prices are going up, and so do the hackers’ interest to someones’ savings in crypto. The full-scale pandemic of cryptostealers is already gone, but that makes each new stealer with the ability to dig into crypto wallets even more hazardous. Such programs now cannot just rely on an increased demand on the black market. They should offer something ridiculous – or will definitely fail. There are already around 25 cases of Luca Stealer usage in the wild. Not pretty impressive – but still a lot for a newbie that appeared several days ago.

It is recommended to keep all login information in a separate application, rather than in the web browser. But it will be much better to avoid the infection at all by following the rules of cybersecurity. It is better to make the situation less possible, but never deny the probability of such an unpleasant case.

The post Luca Stealer Source Code Published In The Darknet appeared first on Gridinsoft Blog.

FFDroider Stealer is the second malware of this type that popped out last month. The BlackGuard Stealer, which was reviewed by Zscaler a week ago, is quite similar to the subject. Therefore, it is interesting to compare them. While the mentioned “rival” is reportedly better at crypto stealing, FFDroider is closer to a banking trojan. As its distributors on the Darknet say, it may steal credentials from social networks, cryptocurrency wallets and online banking sites. Afterward, stolen media accounts may be used to create a high-trustworthiness spam flow. Additionally, FFDroider carries a downloader module, which can make it a precursor malware to a more serious virus.

It is also interesting to see the disguise this malware uses in the system it has infected. To get missed among numerous other processes, it takes the name of Telegram messenger. Assuming that it became very popular in the USA and Europe over the last half a year, it is a very good way to hide.

FFDroider Stealer distribution

It is not pretty usual, but analysts uncovered almost the whole list of all possible spreading ways for FFDroider malware. Generally, this malware hides inside cracked apps, torrent seedings, hacktools and keygens. Typically the payload is launched along with the “carrier” application, giving the victim the false impression of safety. A less popular way of spreading is freeware. Sure, free software developers do not have a lot of ways to monetize their work hours, but it is a bad idea to embed malware.

The malicious part of such a bundle contains only a downloading script. When you trigger that script, it connects to the download[.]studymathlive[.]com and downloads the exact FFDroider malware. This domain looks legitimately, so some of the network protection tools may skip it without checking. Then the malware is launched, and the first action is to check the installed browsers. Then, it manages to steal and decrypt the cookies from the defined browsers (see the list below) exactly on the infected computer. Finally, after the successful decryption with the use of Windows methods, it sends the stolen login details to the command server.

FFDroider Functionality

As it was mentioned, FFDroider may steal credentials, cryptowallets and act as a downloader malware. However, the exact way the stolen social network accounts are used is not as usual. In usual stealer cases, crooks use hijacked accounts to send spam to all subscribers and friends. This stealer, on the other hand, takes credentials to steal the login credentials from advertising modules of corresponding social networks.

Advertising in networks like Facebook or Instagram requires the attached bank card details. CVV2 code, card number and expiration date are included. Breaking into your account to take your bank card info is a pretty new attack vector, so most of the advice to stay aware will not be effective. You will see neither account restrictions for spam nor messages from your friends asking to stop sending them different links. When you will uncover the main symptom – messages from the bank about the new transaction – it will be too late.

The exact way it gains access to your accounts is more usual. FFDroider grabs the cookies and applies them at the login attempt. Browsers usually keep passwords auto-fill and short information about the user in these files. Hence, obtaining someones’ cookies means getting this info. Sometimes you can meet the offers to sell your cookies to a third party for an attractive price. That’s exactly the same – but with the use of malware to get those cookies.

Targeted browsers

Cookies are valuable only in those browsers that you use quite often. That’s why the main targets of the subject are Chrome, Firefox, Internet Explorer and numerous Chromium-based browsers. Among the latter, there are Edge, late Opera variants, Vivaldi, Yandex Browser, and Avast Secure Browser. As you can see, the possible attack surface is pretty big, thus the attack will surely bring something valuable.

Abusing the Windows Crypto API, it manages to read and analyze Chromium SQLite Credential stores and cookies. Then, it manages to decrypt these files to get the login info and personal data in raw form. After these manipulations, crooks may just take that and use it as they want.

Attacking the accounts in social networks

Since crooks that operate FFDroider has stealing your payment info as a final target, they aim only at the networks that have the ability to set up paid promotions. Other places where they can search for such information with that stealer are online marketplaces, like eBay or Etsy. Here is the full list of the places they intend to hack:

• Facebook
• Instagram
• Twitter
• Amazon
• Etsy
• eBay
• WAX cloud wallet

How dangerous is the FFDroider?

I did several pretty straight hints on how dangerous this thing is, but a good tone requires making a final, overall conclusion. While the aforementioned BlackGuard malware is much more effective in attacks on individual users, or small groups, FFDroider may be used against a large number of users. Stealing and decrypting the cookie files is an omni-purpose action that makes it possible to evolve several attack vectors simultaneously. In addition to the used spreading ways, that may provide the crooks with enormous victim traffic. Nothing stops them from such attacks.

Fortunately, analysts don’t report about any catastrophic rise in stealers activity¹. Just as any other global event, war in Ukraine became a background for malware spreading. New scenery normally requires new approaches, so the appearance of two prospective malware variants will not be missed by cybercriminals. You never know what to expect the next day, especially when the environment changes so fast.

The post FFDroider Stealer – the new hazard to your social networks appeared first on Gridinsoft Blog.