You searched for DNS – Gridinsoft Blog
https://gridinsoft.com/blogs/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed generated Tue, 12 Mar 2024 10:11:02 +0000

BianLian Exploits TeamCity Vulnerability to Deploy Backdoors
https://gridinsoft.com/blogs/bianlian-exploits-teamcity-vulnerability/
Tue, 12 Mar 2024 10:11:02 +0000

BianLian, a group of cybercriminals known for their ransomware attacks, recently caught the attention of the information security community. By exploiting vulnerabilities in the JetBrains TeamCity platform, they managed to carry out multistage cyberattacks. Threat actors reportedly start their attack chain with a Golang-based backdoor and work their way up to the ransomware payload.

BianLian Exploits TeamCity vulnerabilities

Recent research uncovered a new trend in BianLian’s modus operandi: the threat actors behind the ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their attacks. Leveraging known vulnerabilities such as CVE-2024-27198 or CVE-2023-42793, the attackers gained initial access to the environment, paving the way for further infiltration. By creating new users and executing malicious commands within the TeamCity infrastructure, they carried out post-exploitation maneuvers and lateral movement, expanding their foothold in the victim’s network.

This is not the first case of TeamCity vulnerabilities being exploited. Consider reading our previous report on the CozyBear threat actor using a different set of security flaws in this software.

Backdoor Deployment via PowerShell

The original report from GuidePoint Security says that despite initial success, BianLian fell back to a PowerShell version of their backdoor. This happened due to an unexpected detection by Microsoft Defender. Before switching to the PS backdoor, however, the hackers managed to deploy network reconnaissance tools and use them.

The PowerShell version of the backdoor, obfuscated to hinder analysis, exhibited a multi-layered encryption scheme. Still, it was possible to understand what was going on and analyze the adversaries’ actions. The malware established a tunnel connection to the command server and waited, ready for further actions. And while using PS in cyberattacks is nothing unusual, an entire backdoor based on PS that also incorporates heavy obfuscation is a new tactic.

Functionality and Capabilities of Backdoor

The PowerShell backdoor described above mainly aims at facilitating covert access to and control over compromised systems. The research summary reveals several features of this malware to be aware of.

The backdoor incorporates functionality to resolve IP addresses from the provided parameters and to establish TCP sockets for communication with remote command-and-control (C2) servers. This enables bidirectional data exchange between the compromised system and the attacker-controlled infrastructure. Here is the code recovered by analysts:

# Function to resolve an IP address. If the parameter already parses as an
# IP address it is returned unchanged; otherwise the hostname is resolved
# via DNS and the first returned address is used.
function cakest{
    param($Cakes_Param_1)
    IF ($Cakes_Param_1 -as [ipaddress]){
        return $Cakes_Param_1
    }else{
        $Cakes_Resolved_IP = [System.Net.Dns]::GetHostAddresses($Cakes_Param_1)[0].IPAddressToString;
    }
    return $Cakes_Resolved_IP
}

Leveraging asynchronous execution techniques, the backdoor optimizes performance and evades detection by utilizing Runspace Pools. This allows multiple PowerShell instances to run concurrently, enhancing operational efficiency during post-exploitation activities.

Also, to secure its communication, the backdoor establishes SSL streams between the compromised system and the C2 servers, encrypting the data exchanged over the network. By employing encryption, the threat actors mitigate the risk of interception and detection by network monitoring tools. Overall, the C2 communication relies on this code:

# Parameters of the C2 communication routine, with the default values as
# recovered. The function body was not included in the published excerpt.
function cookies{
    param (
        # Default IP in parameter = 127.0.0.1
        [String]$Cookies_Param1 = "0x7F000001",
        [Int]$Cookies_Param2 = 1080,
        [Switch]$Cookies_Param3 = $false,
        [String]$Cookies_Param4 = "",
        [Int]$Cookies_Param5 = 200,
        [Int]$Cookies_Param6 = 0
    )
}

Mimicking tactics observed in advanced malware, the backdoor validates SSL certificates presented by C2 servers, verifying the authenticity of remote endpoints. This authentication mechanism enhances the resilience of the communication channel against potential interception or infiltration attempts.

How to stay safe?

The BianLian threat group continues to evolve, and in light of their recent attacks, it is important to take appropriate security measures. Fortunately, these are more or less the same measures that protect against any high-profile cybercrime group.

  • First and foremost, it is recommended to regularly update and patch externally facing applications. This helps mitigate known vulnerabilities that threat actors may exploit to infiltrate your systems.
  • Ensure your team is well-versed in incident response procedures. Every member of your team should have a thorough understanding of how to respond effectively to security incidents. Regular drills should be conducted to refine response strategies and minimize the impact of potential security breaches.
  • Conduct penetration tests informed by threat intelligence to proactively identify and address weaknesses in your defenses. Penetration tests involve simulated attacks on your systems to uncover vulnerabilities that could be exploited by malicious actors. By using threat intelligence to inform these tests, you can focus on the most impactful threats facing your organization.
  • Additionally, use advanced security solutions. EDR and XDR are a must when we talk about corporate-grade cybersecurity. They can cover large networks of computers, orchestrating the response and detecting even sophisticated attacks like the one I’ve described above.

9 PixieFail Vulnerabilities Discovered in TianoCore’s EDK II
https://gridinsoft.com/blogs/pixiefail-vulnerabilities-discovered/
Wed, 17 Jan 2024 18:06:42 +0000

A chain of 9 vulnerabilities in UEFI’s Preboot Execution Environment (PXE), dubbed PixieFail, was uncovered in recent research. As the network boot process is a relatively novel attack vector, only a few of the vulnerabilities received high severity status. Nonetheless, their sheer number, along with their location in rather sensitive places, can create a mess if someone manages to exploit them in a chain.

Analysts Discover Numerous Vulnerabilities in TianoCore EDK II

The extensive research from Quarkslab uncovers a grand total of nine vulnerabilities in a widely used UEFI implementation from TianoCore, called EDK II. This open-source variant of Unified EFI is used particularly widely in corporations, both in their own machines and in their products. Among other functions, it contains a network boot option and a whole bunch of related functionality, which is where all the vulnerabilities are concentrated.

Network boot itself relies on the Preboot Execution Environment (PXE), often shortened to Pixie boot, and this component is the host of all nine security flaws. Not all vulnerabilities in the PixieFail collection are of the utmost severity, but for 3 of them NIST assigned a CVSS score of 8.3/10.

List of PixieFail Vulnerabilities

Vulnerability    Severity score  Description
CVE-2023-45229   6.5             Out-of-bounds data read with a crafted DHCPv6 Advertise message
CVE-2023-45230   8.3             Buffer overflow possibility using a crafted Server ID option
CVE-2023-45231   6.5             Out-of-bounds data read with a specifically crafted ND Redirect message
CVE-2023-45232   7.5             Possibility of throwing the machine into an infinite boot loop with a wrong Destination option header
CVE-2023-45233   7.5             Possibility of throwing the machine into an infinite boot loop with a wrong PadN option
CVE-2023-45234   8.3             Buffer overflow possibility using a crafted DNS Servers option
CVE-2023-45235   8.3             Buffer overflow possibility using a crafted Server ID option from a DHCPv6 Advertise message
CVE-2023-45236   5.8             Predictability of the TCP Initial Sequence Number
CVE-2023-45237   5.3             Weakness of the Pseudo Random Number Generator

As you can see, the list is rather long, with the buffer overflow vulnerabilities rated as the most severe. This is because such flaws can lead to arbitrary code execution, which is useful for both initial access and lateral movement within the environment. And since we are talking about doing all this almost on bare metal, the outcomes may be rather bad.
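The buffer overflow entries in the table above come down to a receiver trusting an attacker-supplied option to say how many bytes it holds. The Python parser below is an added illustration of that class of flaw and its fix, written for this article: it is not Quarkslab's proof of concept and not EDK II code, and the particular malformed options it rejects (an inflated length field, a ragged DNS server list) are my assumptions about how such options are crafted, not details taken from the report. Message type, option codes and the DUID limit are from RFC 8415 and RFC 3646; the DUID and addresses in the test vectors are constructed.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# DHCPv6 constants from RFC 8415 / RFC 3646 (the protocol PXE boot over IPv6 uses).
MSG_ADVERTISE = 2
OPTION_SERVERID = 2
OPTION_DNS_SERVERS = 23
MAX_DUID_LEN = 130          # RFC 8415: a DUID is at most 130 octets


class MalformedAdvertise(ValueError):
    """Raised instead of reading memory the datagram does not actually contain."""


def parse_advertise(msg: bytes) -> Dict[int, bytes]:
    """Walk the option list of a DHCPv6 Advertise, bounds-checking every option.

    Returns {option_code: option_data}. An option whose declared length runs
    past the end of the datagram is rejected rather than copied.
    """
    if len(msg) < 4:
        raise MalformedAdvertise("truncated header")
    if msg[0] != MSG_ADVERTISE:
        raise MalformedAdvertise(f"unexpected msg-type {msg[0]}")
    options: Dict[int, bytes] = {}
    off = 4  # msg-type (1 byte) + transaction-id (3 bytes)
    while off < len(msg):
        if len(msg) - off < 4:
            raise MalformedAdvertise(f"truncated option header at offset {off}")
        code, length = struct.unpack_from("!HH", msg, off)
        off += 4
        # The check a vulnerable parser omits: the datagram size, not the
        # attacker-controlled length field, bounds how much may be copied.
        if length > len(msg) - off:
            raise MalformedAdvertise(
                f"option {code} declares {length} bytes but only {len(msg) - off} remain")
        data = msg[off:off + length]
        off += length
        if code == OPTION_SERVERID and not 2 < length <= MAX_DUID_LEN:
            # The server DUID must fit the fixed-size buffer a receiver keeps for it.
            raise MalformedAdvertise(f"Server ID length {length} out of range")
        if code == OPTION_DNS_SERVERS and (length == 0 or length % 16):
            # Option 23 is a list of whole 16-byte IPv6 addresses.
            raise MalformedAdvertise(f"DNS Servers option length {length} is not a multiple of 16")
        options[code] = data
    if OPTION_SERVERID not in options:
        raise MalformedAdvertise("Advertise carries no Server ID")
    return options


def dns_servers(options: Dict[int, bytes]) -> List[str]:
    """Decode the DNS Recursive Name Server option into address strings."""
    data = options.get(OPTION_DNS_SERVERS, b"")
    return [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]


def build_advertise(options: List[Tuple[int, bytes]], lie_by: int = 0) -> bytes:
    """Assemble a constructed Advertise. `lie_by` inflates the declared length of
    the last option without adding data, which is one way to craft a bad option."""
    body = b""
    for i, (code, data) in enumerate(options):
        declared = len(data) + (lie_by if i == len(options) - 1 else 0)
        body += struct.pack("!HH", code, declared) + data
    return bytes([MSG_ADVERTISE, 0x12, 0x34, 0x56]) + body


def accepts(msg: bytes) -> bool:
    """Does the hardened parser accept this message?"""
    try:
        parse_advertise(msg)
        return True
    except MalformedAdvertise:
        return False


def sample_messages() -> Dict[str, bytes]:
    """Constructed test vectors: one well-formed Advertise and three malformed ones."""
    duid = b"\x00\x03\x00\x01" + bytes.fromhex("001122334455")   # DUID-LL with a made-up MAC
    dns = bytes.fromhex("20010db8" + "0000" * 5 + "0053")          # 2001:db8::53
    return {
        "good": build_advertise([(OPTION_SERVERID, duid), (OPTION_DNS_SERVERS, dns)]),
        "oversized_serverid": build_advertise([(OPTION_SERVERID, duid)], lie_by=500),
        "ragged_dns": build_advertise([(OPTION_SERVERID, duid), (OPTION_DNS_SERVERS, dns[:10])]),
        "no_serverid": build_advertise([(OPTION_DNS_SERVERS, dns)]),
    }


if __name__ == "__main__":
    for name, msg in sample_messages().items():
        print(f"{name}: accepted={accepts(msg)}")
    print(dns_servers(parse_advertise(sample_messages()["good"])))
```

The point is the order of checks: the remaining-bytes comparison happens before any data is sliced, so a length field of 510 on a 10-byte option never causes a read beyond the buffer, and the per-option shape checks run only on data that has already been proven to exist.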

Vendors Offer Patches for PixieFail Vulnerabilities

Upon detecting the vulnerabilities back in early August 2023, Quarkslab contacted a selection of software vendors who use EDK II in their products. Among them are such known names as Arm, Insyde Software, Microsoft, American Megatrends and Phoenix Technologies. Over the following half year, vendors, authorities and researchers worked on fixes without leaking any information before the fixes were implemented.

As a result, on January 16, 2024, when the detailed analysis from Quarkslab was published, all the notified vendors had the issue fixed. So, check out the updates for your firmware – they may contain the patch which fixes PixieFail all at once.

PUABundler:Win32/CandyOpen Analysis & Removal Guide
https://gridinsoft.com/blogs/puabundler-win32-candyopen/
Thu, 11 Jan 2024 11:39:58 +0000

PUABundler:Win32/CandyOpen is an unwanted program that acts as a browser hijacker and can download junk apps to your system. Specifically, this detection points at a thing known as OpenCandy adware, which is known for its indecent behavior. Let’s break it down and see what PUABundler/CandyOpen does, using a real-world example.

What is PUABundler:Win32/CandyOpen?

As I’ve said in the introduction, CandyOpen is a detection name for a specific program that spreads bundles of unwanted programs. It was developed back in the late 2000s as a way to monetize free applications by adding some advertised content along with the main installation. But as the overall functionality of the app allowed for more extensive and intrusive changes, foul actors began misusing it.

The way this misuse was happening made the major cybersecurity vendors consider OpenCandy a malicious program. It is capable of changing browser settings by itself, and the additional programs it usually installs can inject unwanted ads into pages, modify the web browser even further, and do similar dirty things. So having one running in your system means a browser full of ads, pop-up advertisements flooding both the system and the browser, and unwanted programs getting installed. Not to mention the potential data stealing that Win32/CandyOpen is capable of – read on to see the details.

To sum up, a PUABundler:Win32/CandyOpen detection means malware that delivers unwanted programs and is capable of messing up your system on its own. But to have a more detailed look and a better understanding of this thing, let’s analyze it by running it on a virtual machine.

CandyOpen Malware Analysis

Finding an appropriate CandyOpen sample was rather easy. To be clear, it does not behave like straightforward malware on the surface. You can find it in the list of installed apps; there is even an option to disable additional installations in the menu. But the actions it performs on the system once it is launched are quite unambiguous.

Image: “Installer” – unremarkable naming for a remarkable unwanted program

Once you allow the thing to run with admin privileges, all further actions are done without your confirmation. You will speechlessly watch various shortcuts appear on your desktop and your browser go mad with pop-ups and redirects. As soon as CandyOpen runs in the system, it starts by changing the browser properties, particularly the search engine and start page. Then it requests the list of unwanted programs to install from the command server and proceeds with the installation.

Image: Unwanted apps installed by CandyOpen

Here is the main concern: while CandyOpen usually installs junk apps which are not outright malicious, nothing stops it from installing malware. Still, the sheer volume of trouble it already brings to your system is enough to say that it should not run in your system.

List of PUABundler:Win32/CandyOpen actions:

  • Stops Windows Update
  • Disables User Account Control (UAC)
  • Injects into other processes on your system
  • Adds a local proxy
  • Modifies boot configuration data
  • Modifies file associations
  • Tracks, records, and reports the infected user’s internet browsing activity
  • Modifies your system DNS settings
  • Changes the infected user’s browser homepage and tampers with their preferences/settings
  • Installs unwanted/unknown browser toolbars and browser plug-ins/extensions/add-ons
  • Adds files that run at startup
  • Changes the default search provider
  • Displays unwanted advertisements
  • Changes the desktop background

That is the comprehensive collection of CandyOpen actions, the things done by the majority of widespread samples. The particular sample you may find can have only part of these functions or even go beyond them. Con actors who use it for monetization can alter CandyOpen in many ways so it better fits their purposes.

How to remove PUABundler:Win32/CandyOpen?

Removing Win32/CandyOpen is possible manually, but I’d recommend using anti-malware software. This will speed up the process and make it much easier for you. Also, with manual removal it is nearly impossible to find and remove all the unwanted or malicious programs present in the system.

GridinSoft Anti-Malware is a program that will remove PUABundler:Win32/CandyOpen with no sweat. It will also find and remove all the additional junk CandyOpen can bring. And overall, this program is a solid addition to your system’s security.

Socks5Systemz Proxy Service Infects 10,000 Systems Worldwide
https://gridinsoft.com/blogs/socks5systemz-proxy-service/
Tue, 07 Nov 2023 20:44:39 +0000

A proxy botnet, “Socks5Systemz”, uses malware loaders to infiltrate computers across the globe. Attackers have infected about 10,000 devices and organized a full-fledged proxy service based on it.

Socks5Systemz Dropper Malware Overview

A recent analysis from Bitsight has revealed the existence of a new malware sample called the Socks5Systemz proxy botnet. Although it has been active since 2016, it has remained unnoticed until now. The primary aim of this malware is to convert the infected devices into traffic-forwarding proxies, enabling malicious, illegal, or anonymous activities.

Threat actors can access this covert service by paying between $1 and $140 in cryptocurrency. Depending on the sum, the malware developers offer wider functionality to the user. The Socks5Systemz botnet is typically spread through malware such as PrivateLoader and Amadey, which are commonly propagated through phishing, exploit kits, and malware downloaded from P2P networks.

How does Socks5Systemz Work?

The Proxy Bot Analysis report describes a harmful program about 300 KB in size. It creates a specific ID based on the date of the Windows directory on the computer it infects. When it is first run, it saves the current time, downloads a PDF file from a particular website, and saves it to the computer. It then tries to find a way to communicate with a C2 server controlled by the bot’s operator.

If it can’t connect through the method it tries first, it sends an HTTP request to a specific website asking for the IP address of a valid C2 server. Once it connects to a valid C2 server, it can execute various commands, including “idle,” “connect,” “disconnect,” “updips,” and “upduris.” The “connect” command is vital because it allows the bot to become part of a group of available proxies that can be used to forward traffic on behalf of clients.

Expanding the Proxy Network

Experts have mapped a control infrastructure that includes 53 proxy bots, backconnect, DNS, and address acquisition servers. These servers are mainly spread across European countries, such as France, the Netherlands, Sweden, and Bulgaria. Since October, analysts have discovered 10,000 unique communication attempts via port 1074/TCP with the identified backconnect servers, which indicates that there are approximately 10,000 victims.

Overall, the Socks5Systemz proxy botnet has a worldwide impact, with infections observed across the globe. The highest number of infections has been reported in India, the United States, Brazil, Colombia, South Africa, Argentina, and Nigeria. However, the absence of infected systems communicating with backconnect servers in Russia, combined with other clues uncovered during the research, suggests that the operators of this service may be based in Russia.

The Proxy Service

An investigation into the botnet infrastructure revealed a Telegram user named “boost” who shared a screenshot of an account checker tool using the IP addresses of backconnect servers as proxies. This discovery showed that “boost” sells compromised accounts and access to the proxies. Using a Telegram bot called “BoostyProxy,” “boost” established a complete proxy service. The service offers two subscription options: “Standard” and “VIP.”

Image: Telegram bot to buy proxy.

The Standard subscription permits using a single proxy type with no multithreading, while the VIP subscription offers more flexibility, supporting various proxy types (socks4, socks5, and HTTP) and multiple threads. Here are the pricing options for both subscription tiers: Standard starts at $1 for one day with a single thread and goes up to $28 for three months. VIP starts at $22 for one day with 100 threads and goes up to $4000 for three months with 5000 threads. All payments are made using cryptocurrency through the Cryptomus Crypto Payment Gateway.

Protection Against Botnets

The discovery of the Socks5Systemz proxy botnet highlights the ongoing danger that cybercriminals pose to the digital world. This botnet can harm individuals and entire networks of compromised systems, aiding in various types of cybercrime. To keep your systems and network safe from the Socks5Systemz proxy botnet and other similar threats, follow these steps:

  • Use Endpoint Security. Install updated antivirus and anti-malware software to detect and prevent threats.
  • Keep Software Up to Date. Regularly update your operating systems and software applications to patch any vulnerabilities that can be exploited.
  • Boost Network Security. Use intrusion detection and prevention systems to monitor network traffic for suspicious activity. Implement firewalls to prevent unauthorized access to your network and critical assets. Use network segmentation to limit lateral movement within the network in case of a breach.
  • Educate Employees. Teach your employees the risks of clicking suspicious links and downloading attachments from unknown sources. Encourage them to use strong and unique passwords and enable two-factor authentication.
  • Use Email Filtering. Implement email filtering and phishing detection solutions to block malicious emails. Train employees to recognize phishing attempts and avoid clicking on harmful links.
  • Perform Regular Data Backups. Back up your data regularly and store it in a secure, isolated environment. Test these procedures to ensure data can be restored quickly in case of an incident.
  • Monitor Network Activity. Continuously monitor your network for any unusual activity or connections that may indicate a compromise.
  • Stay Informed. Subscribe to threat intelligence services to stay informed about emerging threats.
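The 10,000-victim estimate above came from counting unique hosts that talked to backconnect servers on 1074/TCP, and the "Monitor Network Activity" step is exactly that kind of tally. As an added example that is not part of the Bitsight report or the original post, the Python below performs the same count over flow records. The flow lines are constructed, the RFC 1918 ranges stand in for an organisation's real address inventory, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation placeholders rather than real backconnect servers.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set

# Port the Bitsight analysis saw infected hosts use to reach backconnect servers.
BACKCONNECT_PORT = 1074

# Address space we consider "ours"; anything else is external. RFC 1918 ranges
# are an assumption standing in for a real organisation's inventory.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (not real telemetry): "src sport dst dport proto".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as stand-ins.
SAMPLE_FLOWS = """\
10.0.0.5    51022  203.0.113.10   1074  TCP
10.0.0.7    49155  203.0.113.10   1074  TCP
10.0.0.5    51023  203.0.113.10   1074  TCP
10.0.0.9    40001  198.51.100.22  1074  TCP
10.0.0.11   40002  203.0.113.10   1074  UDP
10.0.0.5    52001  198.51.100.22  443   TCP
10.0.0.12   50000  10.0.0.1       1074  TCP
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(TCP|UDP)\s*$")


def parse_flows(text: str) -> List[dict]:
    """Parse whitespace-separated flow records; reject anything unrecognised."""
    flows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised flow record")
        src, sport, dst, dport, proto = m.groups()
        flows.append({"src": ipaddress.ip_address(src), "sport": int(sport),
                      "dst": ipaddress.ip_address(dst), "dport": int(dport),
                      "proto": proto})
    return flows


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def backconnect_contacts(flows, port: int = BACKCONNECT_PORT) -> Dict[str, Set[str]]:
    """Map each external host contacted on TCP/<port> to the internal sources that reached it.

    Internal-to-internal traffic on the port is ignored: the signal is an
    internal host reaching *out* to an external backconnect server.
    """
    contacts = defaultdict(set)
    for f in flows:
        if f["proto"] != "TCP" or f["dport"] != port:
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        contacts[str(f["dst"])].add(str(f["src"]))
    return dict(contacts)


def suspected_victims(flows, port: int = BACKCONNECT_PORT) -> List[str]:
    """Unique internal hosts that reached any external server on the port; the
    post above equates such unique communication attempts with victims."""
    victims: Set[str] = set()
    for sources in backconnect_contacts(flows, port).values():
        victims |= sources
    return sorted(victims, key=ipaddress.ip_address)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for server, sources in backconnect_contacts(flows).items():
        print(f"{server}: {len(sources)} internal host(s) -> {sorted(sources)}")
    print("suspected victims:", suspected_victims(flows))
```

Repeated connections from one host are collapsed to a single victim, UDP on the same port is ignored because the report describes TCP, and an internal destination on 1074 is left out so that a legitimately hosted service on that port inside the network does not inflate the count.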

Mirai variant “Pandora” infects Android TV for DDoS attacks.
https://gridinsoft.com/blogs/mirai-pandora-infects-android-os/
Sat, 09 Sep 2023 12:07:20 +0000

A new variant of the Mirai malware botnet has been detected, infecting low-cost Android TV set-top boxes. They are extensively used for media streaming by millions of people. The present Trojan is a fresh edition of the ‘Pandora’ backdoor initially identified in 2015, according to analysts.

The campaign targets low-cost Android TV boxes such as Tanix TX6, MX10 Pro 6K, and H96 MAX X3. These devices have quad-core processors that can launch powerful DDoS attacks, even in small swarm sizes.

Mirai Botnet Aims Android-based TV Boxes

The Mirai botnet can infect devices via malicious firmware updates signed with publicly available test keys, or via malicious apps, which are undoubtedly distributed on domains that target users interested in pirated content. In the first case, the firmware updates are either installed by resellers of the devices, or users are tricked into downloading them from websites that promise unrestricted media streaming or better application compatibility.

The ‘boot.img’ file contains the kernel and ramdisk components loaded during Android boot-up, which makes it an excellent persistence mechanism for the malicious service.

Image: Malicious service

The second distribution channel involves pirated content apps, which offer access to collections of copyrighted TV shows and movies for free or at a low cost. Security experts have identified Android apps that spread the new Mirai malware variant to infected devices. Here is an example:

Image: Site dropping malware

In this case, the malicious apps surreptitiously start the ‘GoMediaService’ during the initial launch and set it to auto-start when the device boots up.

When the ‘gomediad.so’ service is called, it unpacks multiple files, including a command-line interpreter that runs with elevated privileges (‘Tool.AppProcessShell.1’) and an installer for the Pandora backdoor (‘.tmp.sh’).

Image: GoMedia service structure

After being activated, the backdoor establishes communication with the C2 server and replaces the HOSTS file. After that, it updates itself and enters standby mode, waiting for instructions from its operators. The malware can launch DDoS attacks using the TCP and UDP protocols, such as SYN, ICMP, and DNS floods. It can also open a reverse shell, mount system partitions for modification, and perform other functions.

Image: Mirai botnet IoC list

What devices are at risk?

Budget-friendly Android TV boxes often have an uncertain journey from manufacturer to consumer, leaving the end user unaware of their origins, potential firmware modifications, and the various hands they’ve passed through.

Even cautious consumers who retain the original ROM and are selective about app installations face a lingering risk of preloaded malware on their devices. It is advisable to opt for streaming devices from trusted brands like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.

Safety recommendations

For Android TV users, installing apps only from the official app store is advisable. It is also essential to pay attention to the permissions requested by the app. If your app requests access to your phonebook and geo-location, it is best to avoid using it as it could be malware. Additionally, it is crucial not to download or install any hacked apps, as their contents are often infected with malware of some kind.

Are .zip Domains Safe to Use and Visit?
https://gridinsoft.com/blogs/are-zip-domains-safe/
Thu, 03 Aug 2023 10:31:01 +0000

The Internet has become our second home, and every time we surf it, we risk being scammed. This time, cybercriminals did not miss their chance to deceive us using the new “.zip” domain.

What’s a .zip domain?

Some time ago, Google opened new Top Level Domain (TLD) names for registration: .zip, .mov, and .phd. Now everyone can buy a domain with the .zip extension, just like purchasing domains with .com or .org extensions. However, the security community has expressed concerns about the potential risks associated with these new TLDs.

Experts have discovered that cybercriminals are using .zip domains to deceive users into believing that they are downloadable files when they are in fact URLs. Research indicates that one-third of the top 30 .zip domains blocked by our threat detection engines use the names of prominent tech companies, including Microsoft, Google, Amazon, and PayPal, to fool people into thinking they are trustworthy files associated with these reputable companies.

Image: top 30 .zip domains blocked

Earlier, similar concerns appeared about TLDs like .xyz, .online, .biz, .info, .ru, .life, and .site, and they were mostly justified: the vast majority of sites using these domains were used in phishing, shopping scams and pop-up advertisement spam. This time, however, things could be worse.

Security Risks of .Zip Domain

These .zip domains blur the line between a file and a website, making it harder to tell what’s what. One primary concern is the potential for file mix-ups, which can make it hard to tell local and remote sources apart, posing a security threat. A prototype email shows what cybercriminals might craft: the attachment and the link in it look like the same thing but can lead to different places, leaving the recipient unable to tell which one they are opening.

Image: Email that cybercriminals might have crafted for use

This is an example of a common scam created by cybercriminals. They send an email with an attachment named "attachment.zip," claiming it is a necessary software update. The email contains a link that seems to open the attachment but actually leads to a remote URL. It’s a sneaky tactic used to deceive unsuspecting users.

The Browser file archiver

There is a phishing kit called "file archiver in the browser" that uses .zip domains to trick users into running malicious files. This attack makes fake WinRAR or Windows File Explorer windows appear in the browser, making it seem like the user is using the actual software. To make it even more convincing, the attackers host it on a .zip domain. A security researcher recently discovered this phishing tactic.

Image: Fake in-browser WinRAR screen pretending to open a ZIP archive

With the toolkit, it is possible to create a fake WinRAR window within the browser that appears to open a ZIP archive and show its contents when the .zip domain is accessed, and this can be used to deceive users. In conclusion, threat actors may use this phishing toolkit to steal credentials and distribute malware.

What are .zip domain phishing risks?

Security researchers have warned that domains using the “.zip” top-level and similar domains increase the chances of exposing sensitive information due to accidental DNS or web requests. With the new .zip TLDs, internet browsers and messaging applications like Telegram recognize strings that end with .zip as URLs and automatically create hyperlinks.

It has been found that these domains are susceptible to abuse, as evidenced by Silent Push Labs. This cyber intelligence firm recently detected a phishing page at microsoft-office[.]zip, designed to steal Microsoft Account credentials.

There is a debate among developers, security researchers, and IT administrators regarding the recent developments. Some believe the concerns surrounding the ZIP and MOV top-level domains (TLDs) are unfounded. In contrast, others think these TLDs pose an avoidable risk in an already precarious online environment.

Recommendations

Be cautious with websites under the .zip top-level domain (TLD), as they may host harmful content.

  • Monitor your company’s web and DNS traffic for requests to .zip TLDs and investigate any unusual activity involving them.
  • Add email filters that flag or quarantine messages whose body contains .zip (or .mov) hostnames or links.
  • Keep your antivirus software updated so that it can recognise new threats, and check for updates regularly.
  • Stay informed about emerging threats: regularly reading security bulletins and reports helps you recognise these tricks before they reach you.

The post Are .zip Domains Safe to Use and Visit? appeared first on Gridinsoft Blog.

Decoy Dog Malware Uncovered: Next-Gen Spyware https://gridinsoft.com/blogs/decoy-dog-spyware-rat/ Fri, 28 Jul 2023 07:41:57 +0000

A group of hackers, presumably state-sponsored, is actively developing and has begun deploying a sophisticated toolkit named Decoy Dog. It has likely been used for more than a year in cyber-espionage operations. It uses the Domain Name System (DNS) to command and control a small, narrowly targeted set of active clients.

What is Decoy Dog Malware?

In April, researchers discovered Decoy Dog, a remote access trojan (RAT) toolkit that uses DNS domains as its command and control (C2) channel. It produced anomalous DNS signatures in enterprise networks across several regions, with some communications going to a controller in Russia. The researchers traced the DNS query patterns to network appliances in only a handful of customer networks, not to consumer devices. Despite the public announcement and a technical analysis describing the malware's similarity to the open-source Pupy RAT, the toolkit's operators continued their activity. At that time the following controller domains were in use, and experts recommended that organisations block them:

  • claudfront[.]net
  • allowlisted[.]net
  • atlas-upd[.]com
  • ads-tm-glb[.]click
  • cbox4[.]ignorelist[.]com
  • hsdps[.]cc

However, new research reveals that Decoy Dog has significantly diverged from Pupy, using new domains, unique commands and configuration that is not publicly available. Pupy is an open-source post-exploitation remote access toolkit that emerged in 2015; its primary purpose was to serve as a RAT in penetration-testing simulations. The configuration referred to as unavailable relates to how the malware resolves its C2 over DNS and was not public until 2019. Even with the code in hand, each deployment required a thorough name-server setup, a task demanding real network-engineering skill.

How Decoy Dog works scheme
How Decoy Dog works

Decoy Dog Is a Better Pupy RAT

Researchers have been investigating the differences between Decoy Dog and Pupy since April. They set up their own Pupy C2 server to analyse its DNS communication protocol and, from that, built DNS signatures capable of detecting new controllers. Pupy and Decoy Dog both use nonces to identify client sessions and to order messages, and Decoy Dog keeps Pupy's query structure, so the researchers could decode the nonce values and correlate queries coming from the same compromised device.

Moreover, the researchers could track each controller's activity, including session length and the number of active clients. Encryption prevented them from seeing the data exchanged, but they identified the types of messages sent and profiled the overall communication behaviour of both clients. Decoy Dog responds to replayed queries, while Pupy does not; it also has a richer set of commands and responses, and more variance in message payload length, than Pupy.

From this, the researchers confirmed that Decoy Dog is a major refactor of Pupy with advanced capabilities that have changed over time, including a domain generation algorithm and the ability for clients to execute arbitrary Java code. These features indicate a level of sophistication and intent beyond most threat actors. Security vendors' detections still identify Decoy Dog as Pupy, possibly because reverse engineers assumed the binary samples were identical.

Today’s activity

Decoy Dog's creators quickly adjusted their infrastructure in response to the initial disclosure, keeping operations uninterrupted and retaining access to previously compromised devices. The malware has also spread: at least three different actors now use it. Though based on the open-source RAT Pupy, researchers identify Decoy Dog as new, previously unknown malware with advanced features that let it persist on compromised machines, using unique commands and configuration that are not publicly available. Threat actors use it in ongoing nation-state attacks, with DNS as the command and control channel.

Decoy Dog activity
Decoy Dog controller domains activity after the release of Infoblox’s papers

While much about Decoy Dog remains unclear, the specialists determined that, in practice, the malware can only be detected through DNS threat-detection algorithms. At least three threat actors have been identified using it, and although it is based on the open-source Pupy RAT, the significant changes to the code point to a sophisticated operator. The security firm noted that the controller can answer complex DNS requests that do not follow Pupy's typical communication structure, and that the Pupy lineage serves as a cover for the program's real capabilities.

Threat Actors Use Decoy Dog for Precise Hacking

Based on passive DNS traffic alone, analysts cannot determine the exact number of Decoy Dog targets and affected devices. The lowest and highest numbers of concurrent active connections observed on any one controller were 4 and 50 respectively, and the total number of compromised devices is, at most, a few hundred. This indicates a very small target list, typical of a reconnaissance operation, and suggests that well-resourced, sophisticated attackers are behind the malware.

The attackers are likely targeting specific organisations holding high-value information. As mentioned above, some of the victims may be located in Russia, but experts do not rule out that the attackers route victims' traffic through that region as a decoy, or simply to restrict queries to the relevant ones. Since changing the resolution path is difficult in modern networks, Decoy Dog behaves like Pupy and uses the host's default recursive resolver to reach its DNS C2.
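As an added example (not code from the original post or from Infoblox), here is a small Python hunt over constructed DNS logs that applies the two cheapest DNS-side checks the discussion above implies: matching the controller domains listed earlier as indicators, and flagging a client that sends many unique, high-entropy labels under one parent domain, which is the generic shape of DNS-based C2 traffic. The log format, the thresholds and the `upd-cdn.example` tunnelling host are assumptions made for the demonstration; a real signature for Decoy Dog's Pupy-derived query structure would need the decoded nonce fields the researchers describe, which are not reproduced here.

```python
import hashlib
import math
from collections import defaultdict

# Controller domains named above (written undefanged here). An indicator list to
# match against, not proof of compromise on its own.
DECOY_DOG_DOMAINS = (
    "claudfront.net",
    "allowlisted.net",
    "atlas-upd.com",
    "ads-tm-glb.click",
    "cbox4.ignorelist.com",
    "hsdps.cc",
)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def matches_indicator(qname):
    """True when qname is one of the listed controller domains or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in DECOY_DOG_DOMAINS)


def split_name(qname, levels=2):
    """Split 'a.b.example.com' into ('a.b', 'example.com'). Assumes a two-label
    registrable domain; a real deployment would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-levels]), ".".join(labels[-levels:])


def analyze_dns_log(lines, min_unique=20, min_entropy=3.0):
    """Scan constructed log lines of the form '<timestamp> <client_ip> <qtype> <qname>'
    and return alerts as (reason, client_ip, domain) tuples."""
    alerts = []
    subs_by_key = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines
        _ts, client, _qtype, qname = parts
        qname = qname.rstrip(".").lower()
        if matches_indicator(qname):
            alerts.append(("known_c2_domain", client, qname))
            continue
        sub, parent = split_name(qname)
        if sub:
            subs_by_key[(client, parent)].add(sub)
    # Many distinct, random-looking labels from one client to one parent domain is the
    # generic footprint of data carried in DNS queries.
    for (client, parent), subs in subs_by_key.items():
        blob = "".join(sorted(subs)).replace(".", "")
        if len(subs) >= min_unique and shannon_entropy(blob) >= min_entropy:
            alerts.append(("dns_tunnel_suspect", client, parent))
    return alerts


def sample_log():
    """Constructed sample: one hit on a listed domain, a benign host, and a host that
    emits many high-entropy labels under a single (made-up) parent domain."""
    lines = [
        "2023-07-28T07:41:00Z 10.0.0.5 A www.example.com",
        "2023-07-28T07:41:01Z 10.0.0.5 A mail.example.com",
        "2023-07-28T07:41:02Z 10.0.0.9 A cbox4.ignorelist.com",
    ]
    for i in range(25):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        lines.append(f"2023-07-28T07:42:{i:02d}Z 10.0.0.7 TXT {label}.upd-cdn.example")
    return lines


if __name__ == "__main__":
    for alert in analyze_dns_log(sample_log()):
        print(alert)
```

The indicator match is exact and cheap but ages quickly, as the post itself notes the operators rotated domains after disclosure; the entropy heuristic survives rotation but needs tuning per network, since CDNs and some security products also generate long pseudo-random labels.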

Safety recommendations

Security measures against Decoy Dog are generally similar to basic cyber security recommendations. However, there are key points to consider first. Here are some safety recommendations against this malware:

  • Keep your software up to date. Leave automatic updates enabled: they deliver the security patches that close the holes malware exploits.
  • Use a firewall and antivirus software. A firewall blocks unauthorised traffic from reaching your devices, and antivirus software detects and removes malware.
  • Be careful on the web. Pay attention to the websites you visit and the links you click; Decoy Dog can be spread through malicious websites and links.
  • Use strong, unique passwords, and change them if you suspect a compromise. A general recommendation, but an essential one: strong passwords keep your accounts from being taken over.
  • Know the signs of a malware infection: a computer that suddenly runs slowly, pop-ups or new programs you did not install, changed browser settings, and files that disappear.

If you think your computer may be infected with Decoy Dog, contact your IT security team immediately. They will be able to help you to remove the malware and protect your organization from further attacks.

Web safety tips

Here are some additional tips to help you stay safe while web surfing:

  • Use a VPN when connecting to public Wi-Fi. This helps protect your traffic from being intercepted by malicious actors.
  • Be careful about what information you share online. Don’t give personal information, such as your Social Security or credit card number, to websites or individuals you don’t trust.
  • Educate yourself about malware and how to protect against it. Forewarned is forearmed: there is a great deal of useful public information that can keep you up to date with developments in cybersecurity.

By following these tips, you can help to protect yourself from Decoy Dog and other malware.

Legion Stealer targeting PUBG players https://gridinsoft.com/blogs/legion-stealer-targeting-pubg-players/ Wed, 12 Jul 2023 10:23:55 +0000

Scammers are using a misleading GitHub page to distribute Legion Stealer to PUBG players looking for cheats. Under the guise of a game hack, users download malware.

Legion Stealer Attacks PUBG Players

Cyble Research and Intelligence Labs (CRIL) recently uncovered a fraudulent GitHub page posing as a PUBG bypass hack project. Instead of game hacks, it delivers a malicious file. GitHub is a legitimate code-hosting platform, but threat actors (TAs) also misuse it to distribute malware through repositories that appear to contain genuine, relevant code while hiding a malicious payload. When a user downloads the project and opens the solution (.sln) file, an information stealer named “Legion Stealer” is installed on the system as the payload.

Malicious file hosted on GitHub screenshot
Malicious file hosted on GitHub

Nobody likes a cheater

To understand the problem, you need to understand the cause, which in this scenario is simple: some players want an unfair advantage over their opponents. A PUBG bypass hack is an exploit or cheat that evades the game's anti-cheat systems, enabling players to use aimbots, wallhacks, speed hacks and similar tools. Such hacks let a player dominate a match, seeing and outplaying opponents who play fairly. Using them violates the game's terms of service and can result in penalties, including temporary or permanent bans.

This tactic is nothing new. In the early days of online games, when anti-cheat systems were just appearing, it was common to punish cheaters with Winlockers: the cheater was sent a file masquerading as another cheat or hack, and once launched it locked the computer. Today the tactics are different, and attackers prefer stealing personal information to demanding a one-time ransom.

Is It Safe to Use Cheats After All?

As we said earlier, the user receives Legion Stealer instead of game cheats. Once executed, Legion Stealer runs several commands: it alters Windows Defender settings, reads data from the registry and gathers details about the system. The aim is to evade detection and to profile the host before the theft begins. After these defence-evasion steps, the stealer collects the following system information:

  • Computer name
  • OS name
  • RAM size
  • UUID
  • CPU/GPU details
  • Product key
  • Region
  • Country
  • Time zone
  • Cellular data connectivity
  • Proxy/VPN usage
  • Reverse DNS

It then checks for web browsers:

  • Brave
  • Chrome
  • Chromium
  • Comodo Dragon
  • Edge
  • Epic Privacy
  • Iridium
  • Opera/Opera GX
  • Slimjet
  • UR Browser
  • Vivaldi
  • Yandex

From these it extracts sensitive data such as saved passwords and cookies. The stealer is also interested in cryptocurrency wallets and scans the system for:

  • Armory
  • AtomicWallet
  • Bytecoin
  • Coinomi
  • Electrum
  • Ethereum
  • Exodus
  • Guarda
  • Jaxx
  • Zcash

When it finds them, it reads the files in their respective directories. Naturally, such malware does not ignore other games on the infected machine: it also targets Minecraft session files, extracting information from the following launchers and clients:

  • Badlion
  • CheatBreakers
  • Impact
  • Feather
  • Lunar
  • Meteor
  • Microsoft Store
  • Novoline
  • Palladium
  • PolyMC
  • Rise
  • TLauncher

In addition, the program collects session files from messaging applications such as Discord and Telegram, Roblox cookies, webcam images and screenshots of the victim's system.

Gamers are often tempted to use cheats or hacks to gain an unfair advantage, and malicious actors exploit that desire by disguising their malware as game cheats. In the end, those looking to cheat are the ones who get cheated.

RustBucket Malware Attacks MacOS More Effectively https://gridinsoft.com/blogs/rustbucket-malware-attacks-macos/ Thu, 06 Jul 2023 14:01:24 +0000

The new update of RustBucket malware introduced several changes. The malware now persists more robustly on victims' systems and evades detection by security software. The most concerning change, though, is its enhanced ability to attack macOS.

Consider having a look at our articles on similar topics: the first-ever ransomware for macOS, and attacks by North Korean hackers on macOS users using Crypto[.]com.

What is RustBucket malware?

Researchers from Jamf Threat Lab discovered RustBucket in the spring of 2023. They described it as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. The malware is attributed to the North Korean BlueNoroff group (REF9135 in the Elastic Security Labs classification), which is reportedly part of the larger threat cluster known as Lazarus.

The second-stage payload, compiled in Swift, arrives from the C2 server; it in turn fetches a binary written in Rust with Objective-C components. That binary has extensive data collection capabilities and can also download and run additional Mach-O files or shell scripts on the compromised system. Notably, this was the first BlueNoroff malware designed specifically to attack macOS users, although a .NET version of RustBucket with a similar feature set has since appeared.

RustBucket malware attacks macOS

Typically, such attacks start with phishing emails; the hackers also use fictitious identities created for the purpose on social networks (for example, on LinkedIn). Their campaigns tend to target financial institutions in Asia, Europe and the United States, suggesting that the group's activity is aimed at generating illicit income and evading sanctions. The attacks rely on a macOS installer that deploys a functional but trojanised PDF reader. An important detail is that the malicious activity is triggered only when a specific lure PDF is opened in that reader.

The RustBucket variant discovered by Elastic Security Labs is most notable for its unusual persistence mechanism, its use of dynamic DNS (docsend.linkpc[.]net), and a number of measures aimed at hiding the hackers' activity.

What then?

RustBucket appears to be just another malicious utility in the hands of politically motivated hackers. Lazarus, the most notorious North Korean hacking group, expanded its activity significantly in 2023, so this is not a hollow threat. To stay protected against such dangers, we advise following these tips.

  • Check every email message before you interact with it. Email spam has been a prevalent malware delivery channel since the early days, and Lazarus actors in particular favour it. A strange subject, dubious attachments or an unusual sender address should all raise suspicion. Vigilance alone cuts out a large share of possible infections.
  • Use reliable anti-malware software. Vigilance matters, but you can never be sure you are right: attackers invent new delivery methods every day, and you cannot predict them all. A proactive solution is therefore essential, and there are options for individuals, small companies and large organisations alike.

New SLP Vulnerability Allows 2200x DDoS Amplification https://gridinsoft.com/blogs/new-slp-vulnerability-allows-ddos-amplification/ Tue, 25 Apr 2023 20:20:32 +0000

A recently discovered vulnerability in SLP, a legacy network protocol, can drastically increase the efficiency of DDoS attacks. According to the researchers, exploiting the SLP vulnerability can push the amplification factor of an attack up to 2200 times, an unprecedented level.

What is SLP?

First, let's clear things up. SLP, or Service Location Protocol, is a legacy protocol for discovering services on a LAN. Simply put, it lets devices on a network find each other and learn how to interact. It was primarily intended to ease the setup of file servers, printers and similar equipment: devices announced their presence and capabilities, and accepted queries, via SLP. Over time, other discovery mechanisms such as UPnP and DNS-SD appeared. Nonetheless, the protocol is still in demand, especially where older hardware is in use.

BitSight researchers, who reported the new vulnerability, identified more than 2,000 organisations worldwide that use this protocol, with roughly 54,000 SLP instances exposed. The technology is therefore hard to call “dead” or “unused”, and the ability to exploit it in any way can have disastrous consequences.

SLP Vulnerability Causes Unseen DDoS Amplification

DDoS attacks relying on IoT devices are nothing new, but CVE-2023-29552 lets them reach a completely different scale. The vulnerability allows an unauthenticated adversary to register services on an exposed SLP instance over UDP, without the registration being confined to the local network. Registration by itself does not give the attacker control of the device, but every bogus service inflates the reply the instance sends to a later service request, and the only limit on how far this can be pushed is the maximum number of services the protocol supports.

DDoS amplification attack

A DDoS amplification attack is simple in essence. Instead of sending requests directly to the target, the attacker sends a tiny request to an intermediary server, chosen because it answers with a much larger response. The key trick is to spoof the request's source IP so that, yes, you guessed it, it carries the target's address, and the response is delivered there. With an extreme number of registered services ready to be listed in a reply, it is easy to swamp even well-protected targets. Moreover, the attacker can push the reply up to the protocol's limit of 65,000 bytes. Given that, the amplification factor can reach 2200; the researchers estimate that about 500KB of requests would generate roughly 1.7GB of response traffic. For comparison, one of the most massive DDoS attacks on record, against AWS in 2020, had an amplification factor of about 55.
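The following Python, an added example that is not from the original post or from BitSight, encodes the SLPv2 Service Request that an amplifier answers, decodes the fixed header of whatever comes back, and computes the amplification ratio from request and reply sizes. It deliberately implements only the single-probe, no-spoofing part (the check you would run against your own address space to find exposed SLP instances), not bogus service registration or source-address spoofing. The 29-byte request size used in the last calculation is an assumption about how small a stripped-down request can be made; the 65,000-byte reply cap is the figure quoted above.

```python
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
SRVRQST, SRVRPLY = 1, 2          # function IDs from RFC 2608
MAX_REPLY_BYTES = 65_000         # per-reply ceiling quoted above


def _lstr(s):
    """SLP string field: 2-byte big-endian length followed by the UTF-8 bytes."""
    b = s.encode()
    return struct.pack("!H", len(b)) + b


def build_srvrqst(service_type, scope="DEFAULT", xid=1, lang="en"):
    """Encode an SLPv2 Service Request (RFC 2608 section 8.1): the small query
    that an exposed instance answers with a list of matching services."""
    # Body fields in order: PRList, service type, scope list, predicate, SLP SPI.
    body = _lstr("") + _lstr(service_type) + _lstr(scope) + _lstr("") + _lstr("")
    lang_b = lang.encode()
    length = 14 + len(lang_b) + len(body)   # 14-byte fixed header plus language tag
    header = (
        struct.pack("!BB", SLP_VERSION, SRVRQST)
        + length.to_bytes(3, "big")         # total packet length
        + struct.pack("!H", 0)              # flags
        + (0).to_bytes(3, "big")            # next extension offset
        + struct.pack("!H", xid)            # transaction id
        + struct.pack("!H", len(lang_b)) + lang_b
    )
    return header + body


def parse_header(pkt):
    """Decode the fixed SLPv2 header; returns (version, function_id, length, xid)."""
    if len(pkt) < 14:
        raise ValueError("truncated SLP header")
    version, func = struct.unpack("!BB", pkt[:2])
    if version != SLP_VERSION:
        raise ValueError(f"unsupported SLP version {version}")
    length = int.from_bytes(pkt[2:5], "big")
    xid = struct.unpack("!H", pkt[10:12])[0]
    return version, func, length, xid


def amplification(request_len, response_len):
    """Bandwidth amplification factor: bytes reflected per byte sent."""
    return response_len / request_len


def probe(host, timeout=2.0):
    """Send one SrvRqst to host:427 and return (request_len, reply_len); reply_len is 0
    on timeout or if the answer is not a SrvRply. Network call: only for hosts you are
    authorised to test."""
    req = build_srvrqst("service:service-agent")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return len(req), 0
    _, func, _, _ = parse_header(data)
    return len(req), (len(data) if func == SRVRPLY else 0)


if __name__ == "__main__":
    req = build_srvrqst("service:service-agent")
    print(f"{len(req)}-byte request; worst-case factor "
          f"{amplification(len(req), MAX_REPLY_BYTES):.0f}x")
```

A call such as `probe("192.0.2.1")` (TEST-NET address used as a placeholder) that returns a non-zero reply length means the instance answers unsolicited requests from your vantage point on UDP/427 and should be patched or firewalled; the ratio it yields today will grow as soon as someone registers bogus services on it.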

How to Protect Against This Vulnerability?

DDoS, being a popular and widely used type of attack, has prompted a huge number of countermeasures, implementable at every level from network design to cloud services that absorb the blow for you. In this specific case, however, the defensive strategy should start with fixing the SLP vulnerability itself.

The problem is that the protocol itself does not receive updates; the vendors who build SLP support into their products are the only place to turn. Some affected vendors have already released patches, but more than 650 products can use this protocol and may be vulnerable, and it could take months or even years for all of them to receive security updates. The issue can be partially mitigated by blocking UDP port 427, which SLP uses, at the network perimeter, though that causes a lot of inconvenience where SLP is legitimately needed. If your network uses SLP, a much better option is to contact the vendors of the products you use and install their patches as soon as they are available.

Alongside that, specific network-security measures give a faster answer. The most effective ones against DDoS attacks are firewalls and network detection and response (NDR) solutions. A firewall restricts external and unauthorised connections, so exposed SLP instances cannot be reached from the internet and therefore cannot be abused as reflectors. NDR works in a more involved way: it tracks and logs network activity, flagging unusual behaviour and potentially dangerous connections. Such software will not only block an attack attempt but also provide extensive logs of the events, letting the security team adjust their response in future.
