Malware Threats Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/malware-threats/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 09 Feb 2024 19:43:38 +0000 en-US hourly 1 https://wordpress.org/?v=73723 200474804 HijackLoader Malware Comes With New Evasion Methods https://gridinsoft.com/blogs/hijackloader-malware-new-evasion-methods/ https://gridinsoft.com/blogs/hijackloader-malware-new-evasion-methods/#respond Fri, 09 Feb 2024 19:43:38 +0000 https://gridinsoft.com/blogs/?p=19543 The HijackLoader malware has added new defense evasion techniques. Other threat actors are increasingly using the malware to deliver payloads and tooling. The developer used a standard process hollowing technique coupled with a trigger that makes defense evasion stealthier. What is HijackLoader? According to the researchers’ report, the HijackLoader malware, or IDAT Loader, has recently… Continue reading HijackLoader Malware Comes With New Evasion Methods

The post HijackLoader Malware Comes With New Evasion Methods appeared first on Gridinsoft Blog.

]]>
The HijackLoader malware has added new defense evasion techniques. Other threat actors are increasingly using the malware to deliver payloads and tooling. The developer used a standard process hollowing technique coupled with a trigger that makes defense evasion stealthier.

What is HijackLoader?

According to the researchers’ report, the HijackLoader malware, or IDAT Loader, has recently included advanced evasion techniques. This malware has gained immense popularity as a loader with outstanding flexibility. The attackers frequently use this malware to introduce various payloads and tools. Its structure not only facilitates the seamless integration of new functionalities but also comprises a variety of dynamic anti-analysis methods.

First observed in July 2023, the malware employs some techniques to fly under the radar. Although HijackLoader is not a highly advanced malware, it has a modular architecture. This means it can use different modules for code injection and execution – a feature that most loaders do not have. The loader downloads an encrypted configuration block that varies from one sample to another, indicating that the threat actors can change or update it quickly. This adaptability makes it a difficult target, making the development of effective countermeasures challenging.

HijackLoader Enhanced Detection Evasion Techniques

The HijackLoader follows a complex infection chain, employing multi-stage behavior to obfuscate its activities. Initially, the malware utilizes WinHTTP APIs to check for an active internet connection before proceeding with its malicious operations. Upon successful connectivity, it downloads a second-stage configuration blob from a remote address, initiating decryption and decompression processes to retrieve essential payloads. The subsequent stages involve loading legitimate Windows DLLs specified in the configuration blob, followed by the execution of position-independent shellcode.

Infection chain image
Infection chain. Schematics by CrowdStrike

This shellcode orchestrates various evasion activities, including injecting subsequent payloads into child processes, such as cmd.exe and logagent.exe. HijackLoader uses advanced hook bypass methods, including Heaven’s Gate, to evade user mode hooks and security monitoring. It also uses process hollowing, injecting malicious shellcodes into legitimate processes to gain persistence. The malware employs interactive and transacted hollowing techniques to enhance stealthiness. These new defense evasion capabilities for HijackLoader may make it healthier and more complex to detect than traditional security solutions.

Safety Recommendations

To protect against HijackLoader and other malware, we recommend following several cybersecurity tips:

  • Educate yourself. Stay informed about the latest malware threats. They constantly seek for new ways to trick users into revealing sensitive information or downloading malicious files. Educating users about these threats and the importance of avoiding opening suspicious attachments or clicking on dubious links is crucial in cybersecurity.
  • Keep software updated. You should regularly update your operating system, applications, and software to ensure you have the latest versions. Malware often exploits known vulnerabilities that have been fixed in newer versions.
  • Use anti-malware software. This is a complex measure to protect you against threats. Install a reputable anti-malware solution and keep it updated. These programs can detect and remove known malware strains, including variants of HijackLoader.

The post HijackLoader Malware Comes With New Evasion Methods appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/hijackloader-malware-new-evasion-methods/feed/ 0 19543
SugarGh0st RAT Targets Uzbekistan and South Korea https://gridinsoft.com/blogs/sugargh0st-rat-targets-governments/ https://gridinsoft.com/blogs/sugargh0st-rat-targets-governments/#respond Fri, 01 Dec 2023 22:24:44 +0000 https://gridinsoft.com/blogs/?p=18107 A new malicious campaign employs SugarGh0st RAT to target government agencies. Artifacts in the decoy documents hint at a potential Chinese-speaking actor. SugarGh0st Uses Spear Phishing to Attack Governments Researchers have uncovered a new wave of cyber threats targeting government entities in Uzbekistan and South Korea in recent cybersecurity developments. Utilizing a customized variant of… Continue reading SugarGh0st RAT Targets Uzbekistan and South Korea

The post SugarGh0st RAT Targets Uzbekistan and South Korea appeared first on Gridinsoft Blog.

]]>
A new malicious campaign employs SugarGh0st RAT to target government agencies. Artifacts in the decoy documents hint at a potential Chinese-speaking actor.

SugarGh0st Uses Spear Phishing to Attack Governments

Researchers have uncovered a new wave of cyber threats targeting government entities in Uzbekistan and South Korea in recent cybersecurity developments. Utilizing a customized variant of the infamous Gh0st RAT, dubbed SugarGh0st, the campaign displays a sophisticated and multi-stage infection chain.

Targets were focused on foreign ministry personnel based on lures about investment projects, account credentials, and internal memos. These topics were selected as likely to entice victims to enable the malware unknowingly while viewing what seemed like legitimate work documents. Overall, the pick of targets point at the relationship of SugarGh0st’s masters to Chinese government.

Fake document screenshot
Fake document used as a disguise to launch the malware attack

Multi-stage infection chain

Once delivered through emails, the malicious documents trigger a multi-stage process to install SugarGh0st on systems.It is performed using JavaScript and shortcut files execute commands to drop the RAT executable, decrypt it, and activate full functionality in the background. Techniques like LotL binaries, side-loading DLLs, and abusing legitimate Windows utilities help mask the deployment from defenses and user detection. Aimed at foreign ministry networks, the operational security exhibits an adversary carefully honing its tradecraft before targeting sensitive agencies.

Following the installation, SugarGh0st offers advanced monitoring, exfiltration, and manipulation capabilities. This surpasses typical malware in commodity cybercrime operations. Functions allow recording keystrokes, activating webcams, executing files, or killing processes – all directed dynamically by attacker commands. Such comprehensive access risks the integrity of infected government agencies through unconstrained internal spying.

Depending on operational security practices, lateral movement could also jeopardize more comprehensive departments and ministry networks. While assessing the total damage remains challenging, the implications are clearly severe. Moreover, this has allowed stolen secrets to impact international affairs or relations.

A Gh0st RAT Variant and Potential Chinese Connection

While the attribution remains speculative, artifacts in the decoy documents hint at a potential Chinese-speaking actor. Two files within the campaign contain Chinese characters in their “last modified by” names, suggesting a linguistic connection to China. As the name suggests, SugarGh0st represents an evolution of existing Chinese-linked Gh0st RAT variants in circulation for over 15 years. Developed by the Chinese group 红狼小组 (C.Rufus Security Team), Gh0st RAT has been active since 2008.

SugarGh0st retains the core functionalities of its predecessor but features customized reconnaissance capabilities and a modified communication protocol. The malware granted threat actors total remote control to pillage confidential data from infected networks. Enhancements include:

  • expanded anti-detection tactics
  • reconnaissance commands tailored to harvest documents and credentials
  • new communications disguising C2 servers as Google Drive domains

Attacks on government entities, particularly embassies and ministries, is not a new phenomenon. Countries spied on each other all the time, and the tools were the only difference. While other countries do not expose their software, Asian government-sponsored hackers seem to not be ashamed of their software. And Chinese and North Korean hackers appear to be among the most public ones.

SugarGh0st RAT Targets Uzbekistan and South Korea

The post SugarGh0st RAT Targets Uzbekistan and South Korea appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/sugargh0st-rat-targets-governments/feed/ 0 18107
HiatusRAT Used in Attacks on Taiwan Companies and U.S. Military https://gridinsoft.com/blogs/hiatusrat-attacks-taiwan-us-military/ https://gridinsoft.com/blogs/hiatusrat-attacks-taiwan-us-military/#respond Tue, 22 Aug 2023 10:20:01 +0000 https://gridinsoft.com/blogs/?p=16600 Recent attacks on US military systems and Taiwan companies are distinctive not only by the brave target choosing, but also for the used toolkit. In the case of both targets, attackers used HiatusRAT as an initial access/reconnaissance tool. Aside from being used in these attacks, Hiatus Trojan has other things to boast of. US DoD… Continue reading HiatusRAT Used in Attacks on Taiwan Companies and U.S. Military

The post HiatusRAT Used in Attacks on Taiwan Companies and U.S. Military appeared first on Gridinsoft Blog.

]]>
Recent attacks on US military systems and Taiwan companies are distinctive not only by the brave target choosing, but also for the used toolkit. In the case of both targets, attackers used HiatusRAT as an initial access/reconnaissance tool. Aside from being used in these attacks, Hiatus Trojan has other things to boast of.

US DoD and Taiwan Companies Cyberattacks

First, let’s clear out the attacks upon quite famed organisations and companies. The long-going cyberattack upon Taiwanese companies and at least one government organisation was detected as early as in August 2023. Lumen researchers who studied the botnet established by the HiatusRAT in the past noticed a new flow of connections that comes from Taiwan IP address zones. Soon after, =cyberattacks on chemical production facilities, semiconductor manufacturers and one municipality were uncovered.

The story around the U.S. Department of Defence is a bit different. Same research group detected traffic coming to the IP addresses associated with the botnet not only from Taiwan but also from the US. Specifically, they discovered that crooks who stand behind the RAT used one of its Tier 2 servers to connect to the DoD server dedicated to work with defence contracts. Fortunately, no deep penetration happened here, and hackers were most probably performing reconnaissance before further actions.

HiatusRAT Analysis

First thing that comes into view when you check the Hiatus is its network architecture. Instead of infecting endpoints, it targets networking devices – at least it was doing so since its emergence in late 2021. Routers are gateways for humongous amounts of information – and having complete control over it may sometimes give you much more than hacking the computers in the network. Though, nothing stops Hiatus from delivering additional payloads to the target systems. Aside from sniffing, such a network of compromised routers can also serve as a network of proxy servers that conceal the real IP address from the target server.

HiatusRAT functional scheme

To spread the payload, hackers seek business-grade network routers with vulnerable firmware installed. Firstlings of the botnet were amongst Draytek routers, specifically Vigor 2960 and 3900. Nowadays, malware has builds capable of infecting routers with chipsets based on Arm, i386, x86-64 and MIPS/MIPS64 architectures. This sets up quite a large number of devices, as network infrastructure firmware updates are implemented even more reluctantly than patches to regular software.

Execution flow

The attack chain that enables the RAT injection into the router is not clear even nowadays. Though it is clear that upon gaining initial access, attackers execute a batch script that downloads the payload and an auxiliary utility. The latter is a specific version of a tcpdump, a command-line tool that allows for packet analysis.

Upon execution, the first thing to do for HiatusRAT is kicking out other processes that may be listening to the same 8816 port. If there are any, malware jams one first and proceeds with normal launching. Then, a kind-of-classic step comes: malware gathers basic information about the device it has started on. Among such data is information about its MAC address, architecture, firmware and kernel versions. It also gets precise information about the file system and all files that can potentially be stored in the internal memory.

Once malware is done with these checks, it reads a tiny JSON that contains what appears to be malware config. There, malware retrieves a C2 servers address. Aside from the “main” server, there is one used to receive all the packages gathered with the modified tcpdump tool. The first request to the control server is a classic HTTP POST that contains several fields, with basic system info gathered the step before.

HTTP POST Request Example
“POST /master/Api/active?uuid=005056c00001 HTTP/1.1”
Host: 104.250.48[.]192:443
Accept: */*
Content-Type: application/json
X_UTIME: 1674762549
X_UUID: 005056c00001
X_TOKEN: ffca0c6ca91ce7070c3e5e41d7c983a2

HiatusRAT Functionality

I’ve already mentioned the tcpdump-like tool that supplies a significant part of the RAT functionality. However, it does not stop at this point. Hiatus can receive different commands from the command server, which alter its functionality or even force the malware to melt down. Thing is, some of these functions were not used to the moment, despite being available since the first release of the malware back in 2021.

Command Description
Socks5 Sets up a SocksV5 proxy on the hacked device, that allows for port forwarding/listening that comply with RFC 1928
File Designates the file to read or delete on the infected host; also guides to upload the specified file.
Executor Commands to download and execute the file from the command server.
Tcp_forward Comes with specified forward IP and listening/forwarding port configurations. These changes then applied to router settings, making it forward any TCP traffic through the listening port.
Script Similar to Executor, downloads and runs the script from the C2.
Shell Spawns an instance of a remote shell on the compromised router. Together with Execute and Script, creates the malware delivery functionality.
Quit Self-explaining command, forces malware to melt down with all operations seizure.

How to protect against network infrastructure attacks?

Well, Hiatus used to aim at routers with some specific architecture and series, but now it covers quite a bit of possible variants. The ways hackers use to deploy this malware are still unclear, so there are not many reactive measures to figure out. Instead, I have several proactive advice for you to stick to.

Use advanced network protection solutions. Well, antivirus programs are not greatly effective at preventing this RAT infection. Meanwhile, network protection solutions, especially ones that are designed to bear on heuristics, can effectively detect and dispatch the intruder just by its behaviour. Network Detection and Response systems, conjoined with SOAR and UBA solutions, can show excellent results at protecting the environment against tricky malware attacks.

Update (or upgrade) your networking devices regularly. Since the key point of the malware injection is vulnerable router firmware, it is essential to keep it updated. Keep an eye on malware attacks that were executed with or via vulnerabilities in networking devices. Usually, device manufacturers release updates in a matter of weeks. Though, there could be unfortunate cases when some really old devices reach end-of-life and are not supported in any form. In this case, you are out for device updating – this is the best and most definite way to get rid of the hazard.

Keep a well-done anti-malware software on hand. I’ve just said that anti-malware programs are not very effective in this case, and I say it is nice to have – so inconsistent of me, isn’t it? The answer is no, as anti-malware programs will serve as a preventive mechanism for malware that HiatusRAT can deliver through its functionality. Multi-layer security structures are always harder to penetrate, at least without triggering the alarm.

HiatusRAT Used in Attacks on Taiwan Companies and U.S. Military

The post HiatusRAT Used in Attacks on Taiwan Companies and U.S. Military appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/hiatusrat-attacks-taiwan-us-military/feed/ 0 16600
Domino Backdoor is Lead by FIN7 and Conti Actors https://gridinsoft.com/blogs/domino-backdoor/ https://gridinsoft.com/blogs/domino-backdoor/#comments Sat, 15 Apr 2023 22:13:57 +0000 https://gridinsoft.com/blogs/?p=14218 A new Domino Backdoor popped out at the beginning of 2023. Since February, a new malware family coined Domino is used for attack on corporations, having Project Nemesis stealer as a final payload. Analysts say that the new backdoor is controlled and developed by ex-TrickBot/Conti actors and hackers related to the FIN7 group. Who are… Continue reading Domino Backdoor is Lead by FIN7 and Conti Actors

The post Domino Backdoor is Lead by FIN7 and Conti Actors appeared first on Gridinsoft Blog.

]]>
A new Domino Backdoor popped out at the beginning of 2023. Since February, a new malware family coined Domino is used for attack on corporations, having Project Nemesis stealer as a final payload. Analysts say that the new backdoor is controlled and developed by ex-TrickBot/Conti actors and hackers related to the FIN7 group.

Who are Conti and FIN7?

First of all, let’s explain why the presence of actors from FIN7 and the ceased Conti gang is so noteworthy. FIN7 is a cybercrime gang that likely operates from Russia and Ukraine. It is also known under the names of Carbanak (after the backdoor they use), ITG14 and ALPHV/BlackCat. They are most notorious for collaborations with widely-known threat actors, like Ruyk and REvil ransomware, and the release of their own ransomware, called ALPHV. It is still running, and had a couple of noteworthy attacks the past year.

ALPHV onionsite
ALPHV onionsite. Gang uses it to publish data leaked from victims that refused to pay the ransom

Conti is a similar and different story simultaneously. They have built their image around an eponymous ransomware sample. Same as FIN7, this group of cybercriminals consists of actors from ex-USSR countries. However, the start of the war in February 2022 led to a quarrel among the group’s top-management and further publication of its source code. That, eventually, led to the group’s dissolution. Previous to these events, Conti was a prolific ransomware gang with a major share on the market.

Their collaboration is an expected thing. Nature abhors a vacuum, so after the gang breakup its members promptly joined other groups, or started new ones. However, the collaboration with other gangs on the creation of brand-new malware is a pretty outstanding case. That may be a great start of a new character on the scene, a new threat actor, or just a powerful boost to the FIN7 gang.

Domino Backdoor Description

Domino is a classic example of a modern backdoor that is capable of malware delivery. It is noticed for spreading a separate malware dropper, coined Domino Loader. The former provides only remote access to the targeted system, while the latter serves for malware deployment. This duo is spotted for being used in a pretty unique multi-step malware spreading campaign.

Domino multi-stage attack

Dave Loader is a classic dropper malware example – the one which serves only to deliver other malware. Its presence in this scheme, however, gives an interesting clue about the possible relations between Domino and Conti ransomware gang. The infection proceeds with the delivery of Domino backdoor and, in a quick succession, its dropper module. Then, at the final stage, Domino drops a Project Nemesis stealer. The latter aims generally at credentials from social networks, VPN clients and cryptocurrency services.

Why, Exactly, a Collaboration?

The key things that point to the fact that Domino backdoor is a collaboration rather than a stand-alone development is the use of Dave Loader as a delivery way, and sharing certain code elements with FIN7’s brainchild Lizar Malware. Dave is an internal product of Conti gang, used exclusively in its cyberattacks. It never leaked, contrary to the Conti ransomware code, thus there’s no way that a third party uses it. Lizar Loader a.k.a Tirion/DiceLoader, on the other hand, is an auxiliary malware used by FIN7. Domino malware shares major parts of code with this loader, including bot ID generation and data package encryption mechanisms. Moreover, the IPs range where Domino’s command servers are hosted is pretty close to the one FIN7 uses for their C2s; both ranges belong to MivoCloud hosting.

Domino Backdoor & Loader Analysis

Analysts from IBM Security Intelligence already got their hands on Domino samples, both backdoor and dropper. First things first – so let’s start from a backdoor.

Domino Backdoor

It arrives to the infected system as a C++ 64-bit DLL file. The form of DLL file makes it easier for crooks to perform a stealth execution. Droppers Domino generally rely on running it using the shellcode embedded into the payload retrieved from the command server. Once executed, Domino starts hashing the system data in order to generate a bot ID value. Primarily, it looks for username and system name; additionally, malware takes its process ID and adds it to the hash. Its final form looks like a648628c13d928dc-3250.

Hashing proceeds with further decryption of the Domino’s code. It carries an XOR-encrypted code in a data section of its binary; the 16-bit decryption XOR key is placed right before this section. This part contains not only further execution instructions, but also C2 communication data.

Domino C2 communication
Code responsible for correct command handling

C2 Communications

To secure the data transfer, it generates a 32-bit key and uses an embedded RSA public key to encrypt it. This, however, is used only for an initial connection. After that, malware continues with collecting information about the system. For further C2 connections, the malware uses the AES-256-CBC key, which also comes into the initial package. Same as in the first case, Domino generates a public key on the run and uses it to cipher the data package.

It is also interesting how Domino backdoor picks the C2 address it will use as primary. By design, there are only two C2 addresses in the malware configuration section. If the parent system for the malware belongs to a domain (i.e. LAN or WAN), it uses the second IP as a primary. When the computer is stand-alone, Domino chooses the first one.

To guide the malware, C2 sends it a set of commands and a payload. Same as data that goes from the client, they are encrypted. Commands instruct not only about the action, but also about the preferred way to run the payload. The set of commands is like the following:

Command Explanation
0x1 Copy the payload in the allocated memory. The instructions about allocation are retrieved in 0x5/0x6 commands.
0x3 quit execution
0x4 save the retrieved payload to the %Temp% folder. The name for the file is generated with GetTempFileNameA and CreateProcessA functions
0x5, 0x6 Instructs malware about allocating the memory for further payload deployment in a certain process.
0x7 Asks malware to enumerate the processes and send the output to the server. Precedes the 0x5/0x6, as it supplies the C2 with info about possible processes to use for injection.

Domino Loader

Domino Loader resembles the Domino Backdoor in many ways, so the naming convention there is quite obvious. This malware uses the same methods of C2 requests encryption. However, the amount of data gathered about the system is way less; its capabilities are concentrated around retrieving and running the payload’s DLL. It uses an infamous ReflectiveDLLInjection project – a concept of DLL injection technique. This, however, is not the only possible way of the Loader operations – it can change its behaviour depending on the command from the C2 that comes as a supplementary to a payload. It most definitely depends on the form the payload arrives in.

The commands convention is pretty much the same as in the Domino Backdoor. A single-byte blob that precedes the payload indicates what exactly the malware should do. Aside from that, the payload is succeeded with a value that notifies malware about the preferred method of loading. If the value is >0, malware allocates memory within the process it runs in, and runs the DLL payload at the offset that equals the value. That method, actually, requires the aforementioned ReflectiveDLLInjection technique.

Value 0 corresponds to running the payload as a .NET assembly. This supposes calling for VirtualAlloc for memory allocation, and a PAGE_EXECUTE_READWRITE for securing this area. Assembly.Load function finishes the job by making the payload run.

Once the value is -1, Domino Loader runs a PE loading procedure. First, it allocates memory in its current process – same as in the case of DLL loading. Then, however, it copies the headers and sections to the newly allocated memory area, loads the imports of the PE file, and finally runs it. In this case, malware applies the offsets present within the payload PE sections.

Protection against Domino Backdoor/Domino Loader

This malware is rare enough, so it is quite hard to judge on its counteraction ways. Nonetheless, they are definitely needed, as it promises to be pretty dangerous. First and foremost sources of such instructions – spreading ways – are unclear. It may possibly become more obvious in future when Domino will see more popularity. Thus now only common steps may have significant efficiency.

Use a security solution that features a zero-trust protection policy. Only having no trusted programs at all you can be sure that your security tool will not miss a new cunning malware that hides behind a benign program. Zero-trust has its downsides, but they’re much less critical than a paralysed workflow after a ransomware attack.

Improve your network security. This is Domino-specific advice, as this malware features a pretty limited list of only two C2 servers. It may be changed in future, but currently it is not a big deal to block them. This, however, will be much easier to accomplish by having a Network Detection and Response solution. It automatically weeds out potentially malicious requests, and also offers a lot of analytics information. Stopping malware from contacting the C2 makes it useless, as it cannot deliver payloads and do other unpleasant things.

The post Domino Backdoor is Lead by FIN7 and Conti Actors appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/domino-backdoor/feed/ 1 14218