Normal view

There are new articles available, click to refresh the page.
Before yesterdayThreat Analysis Group (TAG)

Financially motivated actor breaks certificate parsing to avoid detection

23 September 2021 at 14:00

Introduction

Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. Understanding the techniques used by attackers helps us counter these threats effectively. This blog post is intended to highlight a new evasion technique we identified, which is currently being used by a financially motivated threat actor to avoid detection.

Attackers often rely on varying behaviors between different systems to gain access. For instance, attacker’s may bypass filtering by convincing a mail gateway that a document is benign so the computer treats it as an executable program. In the case of the attack outlined below, we see that attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products. We believe this is a technique the attacker is using to evade detection rules.

Technical Details

Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who are able to obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems.

OpenSUpdater, a known family of unwanted software which violates our policies and is harmful to the user experience, is used to download and install other suspicious programs.The actor behind OpenSUpdater tries to infect as many users as possible and while they do not have specific targeting, most targets appear to be within the United States and prone to downloading game cracks and grey-area software.

Groups of OpenSUpdater samples are often signed with the same code-signing certificate, obtained from a legitimate certificate authority. Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection. In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the 'parameters' element of the SignatureAlgorithm signing the leaf X.509 certificate.

EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding (l= 13). 


Bytes: 30 0D 06 09 2A 86 48 86  F7 0D 01 01 0B 00 00 

Decodes to the following elements:

SEQUENCE (2 elem)

OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)

EOC


Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid. This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files. 

As shown in the following screenshot, the signature is considered to be valid by the Windows operating system. This issue has been reported to Microsoft.

Image of digital signatures settings

Since first discovering this activity, OpenSUpdater's authors have tried other variations on invalid encodings to further evade detection.

The following are samples using this evasion:

https://www.virustotal.com/gui/file/5094028a0afb4d4a3d8fa82b613c0e59d31450d6c75ed96ded02be1e9db8104f/detection

New variant:

https://www.virustotal.com/gui/file/5c0ff7b23457078c9d0cbe186f1d05bfd573eb555baa1bf4a45e1b79c8c575db/detection

Our team is working in collaboration with Google Safe Browsing to protect users from downloading and executing this family of unwanted software. Users are encouraged to only download and install software from reputable and trustworthy sources.


How we protect users from 0-day attacks

14 July 2021 at 16:00

Zero-day vulnerabilities are unknown software flaws. Until they’re identified and fixed, they can be exploited by attackers. Google’s Threat Analysis Group (TAG) actively works to detect hacking attempts and influence operations to protect users from digital attacks, this includes hunting for these types of vulnerabilities because they can be particularly dangerous when exploited and have a high rate of success.


In this blog, we’re sharing details about four in-the-wild 0-day campaigns targeting four separate vulnerabilities we’ve discovered so far this year: 


The four exploits were used as a part of three different campaigns. As is our policy, after discovering these 0-days, we quickly reported to the vendor and patches were released to users to protect them from these attacks. We assess three of these exploits were developed by the same commercial surveillance company that sold these capabilities to two different government-backed actors. Google has also published root cause analyses (RCAs) on each of the 0-days.


In addition to the technical details, we’ll also provide our take on the large uptick of in-the-wild 0-day attacks the industry is seeing this year. Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020. While there is an increase in the number of 0-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend.

Graph depicting number of 0-days found each year starting from 2014 - 2021

Chrome: CVE-2021-21166 and CVE-2021-30551

Over the past several months, we have discovered two Chrome renderer remote code execution 0-day exploits, CVE-2021-21166 and ​​CVE-2021-30551, which we believe to be used by the same actor. CVE-2021-21166 was discovered in February 2021 while running Chrome 88.0.4323.182 and CVE-2021-30551 was discovered in June 2021 while running Chrome 91.0.4472.77.


Both of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia. The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users. When a target clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client and generate ECDH keys to encrypt the exploits, and then send this data back to the exploit server. The information collected from the fingerprinting phase included screen resolution, timezone, languages, browser plugins, and available MIME types. This information was collected by the attackers to decide whether or not an exploit should be delivered to the target. Using appropriate configurations, we were able to recover two 0-day exploits (CVE-2021-21166 & CVE-2021-30551), which were targeting the latest versions of Chrome on Windows at the time of delivery.


After the renderer is compromised, an intermediary stage is executed to gather more information about the infected device including OS build version, CPU, firmware and BIOS information. This is likely collected in an attempt to detect virtual machines and deliver a tailored sandbox escape to the target. In our environment, we did not receive any payloads past this stage.


While analyzing CVE-2021-21166 we realized the vulnerability was also in code shared with WebKit and therefore Safari was also vulnerable. Apple fixed the issue as CVE-2021-1844. We do not have any evidence that this vulnerability was used to target Safari users.

Related IOCs


  • lragir[.]org

  • armradio[.]org

  • asbares[.]com

  • armtimes[.]net

  • armlur[.]org

  • armenpress[.]org

  • hraparak[.]org

  • armtimes[.]org

  • hetq[.]org

Internet Explorer: CVE-2021-33742

Despite Microsoft announcing the retirement of Internet Explorer 11, planned for June 2022, attackers continue to develop creative ways to load malicious content inside Internet Explorer engines to exploit vulnerabilities. For example, earlier this year, North Korean attackers distributed MHT files embedding an exploit for CVE-2021-26411. These files are automatically opened in Internet Explorer when they are double clicked by the user.


In April 2021, TAG discovered a campaign targeting Armenian users with malicious Office documents that loaded web content within Internet Explorer. This happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page. At the time, we were unable to recover the next stage payload, but successfully recovered the exploit after an early June campaign from the same actors. After a fingerprinting phase, similar to the one used with the Chrome exploit above, users were served an Internet Explorer 0-day. This vulnerability was assigned CVE-2021-33742 and fixed by Microsoft in June 2021.


The exploit loaded an intermediary stage similar to the one used in the Chrome exploits. We did not recover additional payloads in our environment.


During our investigation we discovered several documents uploaded to VirusTotal.


Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world. On July 15, 2021 Citizen Lab published a report tying the activity to spyware vendor Candiru. 

Related IOCs


Examples of related Office documents uploaded to VirusTotal:

  • https://www.virustotal.com/gui/file/656d19186795280a068fcb97e7ef821b55ad3d620771d42ed98d22ee3c635e67/detection

  • https://www.virustotal.com/gui/file/851bf4ab807fc9b29c9f6468c8c89a82b8f94e40474c6669f105bce91f278fdb/detection


Unique URLs serving ​​CVE-2021-33742 Internet Explorer exploit:

  • http://lioiamcount[.]com/IsnoMLgankYg6/EjlYIy7cdFZFeyFqE4IURS1

  • http://db-control-uplink[.]com/eFe1J00hISDe9Zw/gzHvIOlHpIXB

  • http://kidone[.]xyz/VvE0yYArmvhyTl/GzV


Word documents with the following classid:

  • {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}


Related infrastructure:

  • workaj[.]com

  • wordzmncount[.]com

WebKit (Safari): CVE-​2021-1879

Not all attacks require chaining multiple 0-day exploits to be successful. A recent example is CVE-​2021-1879 that was discovered by TAG on March 19, 2021, and used by a likely Russian government-backed actor. (NOTE: This exploit is not connected to the other three we’ve discussed above.)


In this campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links. If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next stage payloads. The campaign targeting iOS devices coincided with campaigns from the same actor targeting users on Windows devices to deliver Cobalt Strike, one of which was previously described by Volexity.


After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-​2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, are mitigated in browsers with Site Isolation enabled such as Chrome or Firefox. 

Related IOCs

  • supportcdn.web[.]app

  • vegmobile[.]com

  • 111.90.146[.]198

Why So Many 0-days?

There is not a one-to-one relationship between the number of 0-days being used in-the-wild and the number of 0-days being detected and disclosed as in-the-wild. The attackers behind 0-day exploits generally want their 0-days to stay hidden and unknown because that’s how they’re most useful. 


Based on this, there are multiple factors that could be contributing to the uptick in the number of 0-days that are disclosed as in-the-wild:

Increase in detection & disclosure

This year, Apple began annotating vulnerabilities in their security bulletins to include notes if there is reason to believe that a vulnerability may be exploited in-the-wild and Google added these annotations to their Android bulletins. When vendors don’t include these annotations, the only way the public can learn of the in-the-wild exploitation is if the researcher or group who knows of the exploitation publishes the information themselves. 


In addition to beginning to disclose when 0-days are believed to be exploited in-the-wild, it wouldn’t be surprising if there are more 0-day detection efforts, and successes, occurring as a result. It’s also possible that more people are focusing on discovering 0-days in-the-wild and/or reporting the 0-days that they found in the wild.

Increased Utilization

There is also the possibility that attackers are using more 0-day exploits. There are a few reasons why this is likely:

  • The increase and maturation of security technologies and features mean that the same capability requires more 0-day vulnerabilities for the functional chains. For example, as the Android application sandbox has been further locked down by limiting what syscalls an application can call, an additional 0-day is necessary to escape the sandbox. 
  • The growth of mobile platforms has resulted in an increase in the number of products that actors want capabilities for. 
  • There are more commercial vendors selling access to 0-days than in the early 2010s.
  • Maturing of security postures increases the need for attackers to use 0-day exploits rather than other less sophisticated means, such as convincing people to install malware. Due to advancements in security, these actors now more often have to use 0-day exploits to accomplish their goals. 

Conclusion

Over the last decade, we believe there has been an increase in attackers using 0-day exploits. Attackers needing more 0-day exploits to maintain their capabilities is a good thing — and it  reflects increased cost to the attackers from security measures that close known vulnerabilities. However, the increasing demand for these capabilities and the ecosystem that supplies them is more of a challenge. 0-day capabilities used to be only the tools of select nation states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use. In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise, now they just need resources. Three of the four 0-days that TAG has discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors.


Meanwhile, improvements in detection and a growing culture of disclosure likely contribute to the significant uptick in 0-days detected in 2021 compared to 2020, but reflect more positive trends. Those of us working on protecting users from 0-day attacks have long suspected that overall, the industry detects only a small percentage of the 0-days actually being used. Increasing our detection of 0-day exploits is a good thing — it allows us to get those vulnerabilities fixed and protect users, and gives us a fuller picture of the exploitation that is actually happening so we can make more informed decisions on how to prevent and fight it.


We’d be remiss if we did not acknowledge the quick response and patching of these vulnerabilities by the Apple, Google, and Microsoft teams. 

TAG Bulletin: Q2 2021

26 May 2021 at 20:00

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q2 2021. It was last updated on July 29, 2021.

April

  • We terminated 3 YouTube channels as part of our investigation into coordinated influence operations linked to El Salvador. This campaign uploaded content in Spanish focusing on a mayoral race in the Santa Tecla municipality. Our findings are similar to findings reported by Facebook.


  • We terminated 43 YouTube channels as part of our investigation into coordinated influence operations linked to Albania. This campaign uploaded content in Farsi that was critical of Iran’s government and supportive of Mojahedin-e Khalq. Our findings are similar to findings reported by Facebook.


  • We terminated 728 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about protests in Hong Kong and criticism of the U.S. response to the COVID-19 pandemic. These findings are consistent with our previous reports.

May

  • We terminated 57 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was supportive of Russia’s government.


  • We terminated 11 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of Ukraine and of U.S. narratives related to Russian troop build up on the Ukrainian border.


  • We terminated 2 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of protests in Belarus. We received leads from FireEye that supported us in this investigation.


  • We terminated 6 YouTube channels as part of our investigation into coordinated influence operations linked to Iran. This campaign uploaded content in Bahasa Indonesia that was critical of Israel and Saudi Arabia.


  • We blocked 3 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Mexico. This campaign uploaded content in Spanish that was supportive of a number of local mayoral and gubernatorial candidates. Our findings are similar to findings reported by Facebook.


  • We terminated 1,015 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.

June

  • We terminated 33 YouTube channels as part of our investigation into coordinated influence operations linked to Azerbaijan. This campaign uploaded content in Azerbaijani and Armenian that was critical of Armenia and supportive of the Azerbaijani military. Our findings are similar to findings reported by Facebook.


  • We terminated 17 YouTube channels and blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Ukraine. This campaign uploaded content in Ukrainian that amplified several media platforms posing as news outlets and promoting a select number of local politicians. Our findings are similar to findings reported by Facebook.


  • We terminated 3 YouTube channels, 1 Play developer, and blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in English, Russian, German, Italian, French, and Spanish that was supportive of Russia’s positions on the military conflicts in Ukraine, the Middle East, and Central Asia.


  • We terminated 15 YouTube channels as part of our investigation into coordinated influence operations linked to Ethiopia. This campaign uploaded content in Amahric that was supportive of Prime Minister Abiy Ahmed and was critical of his opposition. Our findings are similar to findings reported by Facebook.


  • We terminated 36 YouTube channels, 1 ads account and 1 blog as part of our investigation into coordinated influence operations linked to Pakistan. This campaign uploaded content in English and Urdu that was critical of India’s government in its treatment of Muslims, particularly in the region of Kashmir. Our findings are similar to findings reported by Facebook. We received leads from Graphika that supported us in this investigation.


  • We terminated 123 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of the protests supporting Alexei Navalny.


  • We terminated 9 YouTube channels as part of our investigation into coordinated influence operations linked to China. This campaign uploaded content in Mandarin Chinese that was positive in sentiment about life in Xinjiang, China and was critical of Western allegations of abuses. We received leads from Graphika that supported us in this investigation.


  • We terminated 2 YouTube channels as part of our investigation into coordinated influence operations linked to Moldova. This campaign uploaded content in Russian that contained a variety of sensational political narratives, including one about an imminent threat to Russia from Ukraine and the U.S.


  • We terminated 989 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports. We received leads from FireEye and Graphika that supported us in this investigation.

TAG Bulletin: Q1 2021

20 April 2021 at 19:00

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q1 2021. It was last updated on April 20, 2021.

January

  • We terminated 4 YouTube channels and 1 advertising account as part of our ongoing investigation into coordinated influence operations linked to Ukraine. This campaign uploaded content in Russian pertaining to current events in Kazakhstan and critical of European Union policies toward Moldova.

  • We terminated 5 blogs as part of our investigation into coordinated influence operations linked to Morocco. This campaign uploaded content in Arabic that was critical of the Algerian government. This campaign was consistent with similar findings reported by Facebook.

  • We terminated 5 YouTube channels as part of our investigation into coordinated influence operations linked to Brazil. This campaign was linked to a PR firm named AP Exata Intelligence and uploaded content in Portuguese expressing support for several mayoral candidates in Brazil. This campaign was consistent with similar findings reported by Facebook.

  • We terminated 6 YouTube channels as part of our investigation into coordinated influence operations linked to Kyrgyzstan. The campaign uploaded content in Kyrgyz critical of the former President Almazbek Atambayev and the opposition leader Adakhan Madumarov. This campaign was consistent with similar findings reported by Facebook.

  • We terminated 3 advertising accounts as part of our investigation into coordinated influence operations linked to Egypt. This campaign was linked to a PR firm named Mubashier and uploaded content in Arabic supportive of the Russian government across several countries in the Middle East.

  • We terminated 1 YouTube channel as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian on current events in Ukraine.

  • We terminated 1 YouTube channel, 2 advertising accounts and 1 mobile developer account as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian on such topics as the U.S. election and the poisoning of Alexei Navalny.

  • We terminated 5 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian on such topics as the annexation of Crimea and the Syrian civil war.

  • We terminated 2 YouTube channels and 1 advertising account as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian on historical events in Afghanistan, Armenia and Ukraine.

  • We terminated 2 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian on such topics as the U.S. current events and Alexei Navalny political rallies.

  • We terminated 3 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Iran. This campaign uploaded content in English and was amplifying narratives on regional topics such as Israel, the Nagorno Karabakh conflict, and the war in Yemen. We received leads from FireEye that supported us in this investigation.

  • We terminated 2,946 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about the U.S. response to COVID-19 and growing U.S. political divisions. We received leads from Graphika that supported us in this investigation. These findings are consistent with our previous reports in the Q3 and Q4 TAG bulletins.

February

  • We terminated 5 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Iran. This campaign uploaded content in English, Farsi, and Bahasa Indonesian on several topics including criticism of Israel and the U.S. election. This campaign was consistent with similar findings reported by Twitter.

  • We terminated 5 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian specific to narratives around the Russian military. This campaign was consistent with similar findings reported by Twitter.
  • We terminated 938 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about the U.S. COVID-19 vaccine rollout and current events. We received leads from FireEye and Graphika that supported us in this investigation. These findings are consistent with our previous reports in the Q3 and Q4 TAG bulletins.

March

  • We terminated 13 YouTube channels as part of our investigation into coordinated influence operations linked to Morocco. This campaign uploaded content in Arabic that was supportive of Morocco’s government and discussed issues related to regional intelligence agencies as well as Moroccan ownership of the Western Sahara region. This campaign was consistent with similar findings reported by Facebook.
  • We terminated 3 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian, French, German, English and Spanish about the conflict in Syria, historical footage of the war in Afghanistan, and the civil war in Eastern Ukraine.
  • We terminated 34 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of the protests in support of Alexei Navalny.

  • We terminated 33 YouTube channels and 2 advertising accounts as part of our ongoing investigation into coordinated influence operations linked to Myanmar. This campaign uploaded content in Burmese about the military coup in Myanmar.

  • We terminated 682 YouTube channels and 2 advertising accounts as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports in the Q3 and Q4 TAG bulletins.

❌
❌